PC Review



Windows Defender and Rootkits

 
 
Paul
5th Nov 2008
Does Windows Defender detect rootkits?
--
Paul

MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501
 
Kayman
6th Nov 2008
On Wed, 5 Nov 2008 11:55:01 -0800, Paul wrote:

> Does Windows Defender detect rootkits?


No!
Educational viewing!
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotli...px?videoid=359
 
Bill Sanderson
6th Nov 2008
There's room for some debate about this. Windows Defender did detect the
Sony software which Mark Russinovich discovered originally, and which was
essentially a rootkit.

The Malicious Software Removal tool, which I hope everyone here is running
once a month as part of the monthly security patch download, specializes in
some rootkit families.

However, in general, specialized software aimed specifically at rootkits is
best at this job.
--

"Kayman" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> On Wed, 5 Nov 2008 11:55:01 -0800, Paul wrote:
>
>> Does Windows Defender detect rootkits?
>
> No!
> Educational viewing!
> Mark Russinovich - Advanced Malware Cleaning
> http://www.microsoft.com/emea/spotli...px?videoid=359


 
Kayman
6th Nov 2008
On Wed, 5 Nov 2008 20:02:59 -0500, Bill Sanderson wrote:

> There's room for some debate about this. Windows Defender did detect the
> Sony software which Mark Russinovich discovered originally, and which was
> essentially a rootkit.


Yes, I know. But this was quite some time ago. Rootkits have evolved and
differentiated. WinDef has evolved in a different direction.

> The Malicious Software Removal tool, which I hope everyone here is running
> once a month as part of the monthly security patch download, specializes in
> some rootkit families.


True. The key is "some rootkit families". Mark Russinovich is recommending
scanning with as many 'specialized' tools as practicable. (WinDef is not
included.)

> However, in general, specialized software aimed specifically at rootkits are
> best at this job.


Yes, I would've thought that tools like Rootkit Revealer, GMER, ComboFix
etc. are (nowadays) much more suitable for rootkit detection.
 
Kayman
6th Nov 2008
On Wed, 5 Nov 2008 11:55:01 -0800, Paul wrote:

> Does Windows Defender detect rootkits?


Avoiding Rootkit Infection.
The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection; however, there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges (LUA in XP and
UAC in Vista).
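The advice above (run day-to-day from an account without Administrator rights, with UAC on) can be checked on a current Windows machine with the following PowerShell. This is an added example and not part of the thread; it assumes Windows PowerShell 5.1 or later on Windows 10/11, since the `Get-LocalGroupMember` cmdlet does not exist on XP or Vista.

```powershell
# Added example, not from the thread: report whether the account in use holds the
# Administrator rights a rootkit installer needs, whether UAC is switched on, and
# who is in the local Administrators group. Assumes Windows PowerShell 5.1+ on
# Windows 10/11 (on XP/Vista the group question is answered by "net localgroup Administrators").

function Test-SessionElevated {
    # True only when the current token carries the Administrators role as enabled;
    # under UAC an admin user's non-elevated session correctly returns False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UacEnabled {
    # EnableLUA = 1 means interactive logons run with the limited token ("UAC in Vista").
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableLUA -eq 1)
}

function Get-LocalAdminReport {
    # Every principal listed here can install drivers and services; the account
    # used for everyday browsing and mail should not appear in this list.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            Class  = $_.ObjectClass      # User or Group
            Source = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount, ...
        }
    }
}

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if (Test-SessionElevated) {
    Write-Warning "$me is running with full Administrator rights: anything launched from this session could install a rootkit."
} else {
    Write-Output "$me is running with a limited token (LUA), as the post recommends."
}
if (-not (Test-UacEnabled)) {
    Write-Warning 'UAC (EnableLUA) is off: administrator logons always get a full token.'
}
Write-Output ''
Write-Output 'Members of the local Administrators group:'
Get-LocalAdminReport | Format-Table -AutoSize
```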
 
Paul
6th Nov 2008
Reason why I'm asking is that I've been having a lot of slowdowns with two av
programs that claim to detect rootkits--F-Secure and Avast. I'm thinking of
going to freeware av that doesn't claim to detect rootkits (such as AntiVir),
and then doubling up with a more traditional spyware app that would, such as
WinDef. But I see that this wouldn't work.

OK--it sounds like you guys are saying you really have to run a separate
scan with these other rootkit detectors.

Is the real-time protection that such av programs claim to provide against
rootkits actual? or is it hype?
--
Paul

MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501

 
Paul
6th Nov 2008
Or do they simply mean that when you do a scan, they can pick it up, without
any real-time protection?
--
Paul

MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501



 
Jo-Anne
6th Nov 2008
For what it's worth, AntiVir will run a rootkit scan separately from its
regular scan. You click on Local Protection, then Rootkit Search ("this
profile checks your system for active rootkits"), then the Start Search icon
above "Local Drives." The initial search is a quick one and includes the
registry. It is then suggested that you scan the system partition, and you
click yes or no.

I have no idea, of course, how good the rootkit scan is.

Jo-Anne

"Paul" <(E-Mail Removed)> wrote in message
news:4D27DDE3-7882-496C-B031-(E-Mail Removed)...
> Reason why I'm asking is that I've been having a lot of slowdowns with two av
> programs that claim to detect rootkits--F-Secure and Avast. I'm thinking of
> going to freeware av that doesn't claim to detect rootkits (such as AntiVir),
> and then doubling up with a more traditional spyware app that would, such as
> WinDef. But I see that this wouldn't work.
>
> OK--it sounds like you guys are saying you really have to run a separate
> scan with these other rootkit detectors.
>
> Is the real-time protection that such av programs claim to provide against
> rootkits actual? or is it hype?
> --
> Paul
>
> MS Office Pro 2003
> XP Home SP3
> Dell Inspiron 1501
>



 
robinb
6th Nov 2008
From different newsgroups I frequent, it is supposed to be very good.
robin

"Jo-Anne" <Jo-AnneATnowhere.com> wrote in message
news:#(E-Mail Removed)...
> For what it's worth, AntiVir will run a rootkit scan separately from its
> regular scan. You click on Local Protection, then Rootkit Search ("this
> profile checks your system for active rootkits"), then the Start Search
> icon above "Local Drives." The initial search is a quick one and includes
> the registry. It is then suggested that you scan the system partition, and
> you click yes or no.
>
> I have no idea, of course, how good the rootkit scan is.
>
> Jo-Anne
>
> "Paul" <(E-Mail Removed)> wrote in message
> news:4D27DDE3-7882-496C-B031-(E-Mail Removed)...
>> Reason why I'm asking is that I've been having a lot of slowdowns with two av
>> programs that claim to detect rootkits--F-Secure and Avast. I'm thinking of
>> going to freeware av that doesn't claim to detect rootkits (such as AntiVir),
>> and then doubling up with a more traditional spyware app that would, such as
>> WinDef. But I see that this wouldn't work.
>>
>> OK--it sounds like you guys are saying you really have to run a separate
>> scan with these other rootkit detectors.
>>
>> Is the real-time protection that such av programs claim to provide against
>> rootkits actual? or is it hype?
>> --
>> Paul
>>
>> MS Office Pro 2003
>> XP Home SP3
>> Dell Inspiron 1501

 
Kayman
6th Nov 2008
On Thu, 6 Nov 2008 09:22:00 -0800, Paul wrote:

> Reason why I'm asking is that I've been having a lot of slowdowns with two av
> programs that claim to detect rootkits--F-Secure and Avast. I'm thinking of
> going to freeware av that doesn't claim to detect rootkits (such as AntiVir),
> and then doubling up with a more traditional spyware app that would, such as
> WinDef. But I see that this wouldn't work.


http://www.free-av.com/en/tools/4/av...tkit_tool.html

> OK--it sounds like you guys are saying you really have to run a separate
> scan with these other rootkit detectors.


*Educational viewing!!!!*
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotli...px?videoid=359

> Is the real-time protection that such av programs claim to provide against
> rootkits actual? or is it hype?


Avoiding Rootkit Infection.
The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection; however, there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges (LUA in XP and
UAC in Vista).

Running MRT, provided monthly by MSFT, can be beneficial in detecting some
rootkits.

Rootkit Removal applications.
The effectiveness of individual Rootkit removal applications is
wide-ranging and it is recommended to utilize a collection of
detection/removal tools; you are encouraged to try all of them (join
relevant fora for additional support, i.e. interpretation of scan results):

ComboFix
http://www.bleepingcomputer.com/comb...o-use-combofix
http://www.thespykiller.co.uk/index.php?board=3.0

DarkSpy
http://www.antirootkit.com/software/DarkSpy.htm
http://www.antirootkit.com/forums/viewforum.php?f=18

F-Secure BlackLight (Download Trial)
http://www.f-secure.com/blacklight/
http://www.antirootkit.com/forums/viewforum.php?f=13

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php
http://antirootkit.com/forums/index....81ffe4361c3a17

IceSword
http://www.antirootkit.com/software/IceSword.htm
http://www.antirootkit.com/forums/index.php

McAfee Rootkit Detective
http://download.nai.com/products/mca...tDetective.zip

Panda Anti Rootkit
http://research.pandasecurity.com/bl...ntiRootkit.zip

RAIDE
http://www.rootkit.com/project.php?id=33
download:
http://www.rootkit.com/vault/petersi...IDE_BETA_1.zip
http://www.rootkit.com/boardm.php

RootAlyzer
http://forums.spybot.info/showthread.php?t=24185
http://www.spybotupdates.com/files/rootalyz.zip

Rootkit Revealer
http://www.microsoft.com/technet/sys...tRevealer.mspx
http://forum.sysinternals.com/forum_topics.asp?FID=15

RootKit Hook Analyzer
http://www.softpedia.com/get/Securit...Analyzer.shtml
http://www.antirootkit.com/forums/viewforum.php?f=17

RootKit Hook Analyzer
http://www.resplendence.com/hookanalyzer
http://www.antirootkit.com/forums/viewforum.php?f=17

Sophos Anti-Rootkit - Free tool for rootkit detection and removal
http://www.sophos.com/products/free-...i-rootkit.html
Direct link:
http://www.sophos.com/support/cleaners/sarsfx.exe
http://www.techsupportforum.com/netw...i-rootkit.html

System Virginity Verifier
http://www.softpedia.com/get/System/...Verifier.shtml
http://www.antirootkit.com/forums/viewforum.php?f=25

System Virginity Verifier
http://www.antirootkit.com/software/...y-Verifier.htm
http://www.antirootkit.com/forums/viewforum.php?f=25

VICE
http://www.rootkit.com/project.php?id=20
download:
http://www.rootkit.com/vault/fuzen_op/vice.zip
http://www.rootkit.com/boardm.php
 