Can MAS Detect a Root Kit?


JeffP

What does Microsoft AntiSpyware do to Prevent, Detect and
Remove a Root Kit.

Does MAS use the file system to choose which directories
to scan or does it use the win API layer?

My limited understanding is that root kits remove or cloak
their trojan or similar from the file system, so
they are not caught because "they don't exist".

These are replacement OS or lower level components whose
sole objective is to cloak, to allow the virus or trojan to
do its dirty work undetected.

Here's a link that I found useful.

http://www.windowsitpro.com/Article/ArticleID/45518/45518.html?Ad=0

Any info would be appreciated.
FYI: Trend Micro's free AS found 69 suspects (most were
adware) and MAS found none.

TIA

JeffP....
 

Andre Da Costa

I would assume no, it does not. Why?

Microsoft plans to integrate rootkit detection technology from its Strider
Ghostbuster research project into future versions of the Windows AntiSpyware
application, Ziff Davis Internet News has learned.
Strider Ghostbuster, a prototype tool developed by Microsoft Corp.'s
Cybersecurity and Systems Management Research Group, provides a
straightforward way to detect Windows rootkits by comparing scan results
between a clean system and one that may potentially be compromised.

Read the rest here:
http://www.eweek.com/article2/0,1895,1838294,00.asp
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 

AndyManchesta

Rootkits are just a collection of hacktools that can be
installed once the attacker gains access to the system,
usually including trojans, keyloggers, network sniffers
and trojan replacements of genuine system files like
netstat etc.

These are a serious threat, but only if they can first
gain access to the system, so having a strong antivirus and
firewall is more the issue than using MS AntiSpy to
detect them. The main use of these is so the attacker can
come back to the system at a later date and not be
detected, and also to make removing infections more
difficult, due to the user not being able to find all the
files.

The only way you can avoid rootkits is to block them
before they can enter your system. Rootkits are not used
to gain access; they just make it easy for the attacker to
have control of the infected system without being
detected.

To install the rootkit they still need to get access to
the PC, so the main part of avoiding this is making sure
the security patches/service packs are up to date and
having a strong firewall and antivirus running.

Kernel rootkits can intercept queries and filter out
those connected to the rootkit, which, as you say, results
in them not being detectable by checking running
processes or by using scanners. Even spyware can use
rootkit-like features to prevent removal, like CWS with
the hidden DLLs and Elite variants. I've tested
HackerDefender and it was very time consuming to remove;
it would have been easier for me to back up the essential
files and reinstall the OS, but there are ways to stop them.


Microsoft has "Strider GhostBuster", which can detect
rootkits, so this may be used in scanners at some stage.

http://research.microsoft.com/rootkit/


Sysinternals has RootkitRevealer, which uses the same
method as Strider GhostBuster to detect installed rootkits.

http://www.sysinternals.com/Utilities/RootkitRevealer.html


F-Secure has BlackLight Beta (see site for info).

http://www.europe.f-secure.com/blacklight/cure.shtml


The best way to avoid having to deal with them is by
having a fully patched system and a strong antivirus and
firewall installed, and being cautious of what sites you
download and run files from, so the attacker doesn't get a
chance to install rootkits on the PC.


Also, when people say other scanners found a lot more than
MSAS, it really would help if you list all the files that
you say are being missed. Most scanners will let you save
the results or at least let you copy & paste them, so it's
hard to know why no one ever does that, especially if they
are sure they are not cookies.

Andy
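The cross-view comparison that Strider GhostBuster and RootkitRevealer are described as using above (a high-level listing checked against a low-level one, with anything that appears in only one view reported), as an added example that is not part of the original thread. The two directory listings here are constructed sample data, not real scan output, and the file names in them are placeholders.

```python
# Cross-view rootkit detection: take the same inventory from two vantage
# points and report what only one of them sees. A filtering rootkit hides
# its files from the high-level (API) view but cannot remove them from the
# bytes on disk, so they surface in the low-level (raw volume) view.

# NTFS metadata files exist on disk but are never returned by directory
# enumeration, so they appear only in the raw view. They are not evidence
# of hiding and are excluded (a well-known false-positive class).
NTFS_METAFILES = {"$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef",
                  "$Bitmap", "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend"}


def cross_view_diff(api_view, raw_view, changed_between_scans=()):
    """Compare a high-level listing against a low-level listing of the
    same directory.

    Returns a dict with:
      hidden  - in the raw view but missing from the API view (what a
                filtering rootkit produces)
      phantom - in the API view but missing from the raw view (usually a
                file deleted between the two scans, not a rootkit)
    Names known to have been created or deleted while the two scans ran
    are passed in changed_between_scans and excluded, as are NTFS metafiles.
    """
    api = set(api_view)
    raw = set(raw_view)
    noise = NTFS_METAFILES | set(changed_between_scans)
    return {
        "hidden": sorted((raw - api) - noise),
        "phantom": sorted((api - raw) - noise),
    }


# Constructed sample: what directory enumeration through the Windows API
# returned for one directory ...
API_VIEW = ["explorer.exe", "notepad.exe", "netstat.exe", "scratch.tmp"]
# ... versus what a raw walk of the NTFS structures found for the same
# directory. scratch.tmp was deleted between the two scans; the two
# "example_hidden" names are placeholders for files the API view never shows.
RAW_VIEW = ["$MFT", "$LogFile", "explorer.exe", "notepad.exe", "netstat.exe",
            "example_hidden.sys", "example_hidden.ini"]

if __name__ == "__main__":
    result = cross_view_diff(API_VIEW, RAW_VIEW, changed_between_scans=["scratch.tmp"])
    for name in result["hidden"]:
        print("hidden from API view:", name)
    for name in result["phantom"]:
        print("visible only to API view:", name)
```

Without the `changed_between_scans` list, `scratch.tmp` is reported as a phantom entry, which is why RootkitRevealer-style tools advise re-running a scan on an idle system before treating a discrepancy as hiding.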
 
