
Lab reviews anti-rootkits
By Jerome Saiz, Thu, April 3rd, 2008
French IT campus Epitech tested fifteen anti-rootkits against six well-known, widely used malware samples. It found most of the solutions to be lacking either in simplicity or effectiveness. Or both.
Epitech Lab students set out to review anti-rootkits on two criteria: effectiveness, of course, but also ease of use. Rootkits being quite a different beast from viruses, anti-rootkits can't just try to detect them with a regular signature scan. Hunting them involves reading system tables deep within the operating system (processes, file system...) and looking for elements that have been intentionally hidden from the system. Of course, there is no easy way to do this, and no simple way to warn the user that her system is being owned by a rootkit. After all, an anti-rootkit will most likely find some hidden elements anyway. It'll then leave it to the user to judge whether they're malicious or not.
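The "find what the system hides, then let the user judge" approach described above is usually implemented as a cross-view diff: enumerate objects through the normal API, enumerate them again from a lower-level view, and report anything the API view is missing. The following is an added example (not Epitech's test code or any product's) with constructed process and file snapshots; it also takes several low-level snapshots so that objects that simply appeared or exited between enumerations are not reported as hidden.

```python
"""Cross-view hidden-object detection over constructed sample snapshots."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewSnapshot:
    """One enumeration of an object class (process, file, ...) from one vantage point."""
    kind: str
    items: frozenset


def hidden_items(api_view: ViewSnapshot, raw_views: list) -> set:
    """Objects present in every low-level snapshot but absent from the API view.
    Requiring agreement across all low-level snapshots filters out objects that
    merely came or went between enumerations (a race, not a rootkit)."""
    assert raw_views and all(v.kind == api_view.kind for v in raw_views)
    stable_raw = frozenset.intersection(*(v.items for v in raw_views))
    return set(stable_raw - api_view.items)


def cross_view_report(api_views: list, raw_views_by_kind: dict) -> dict:
    """Run the comparison per object class; returns {kind: sorted hidden objects}.
    A non-empty result is a discrepancy for the user to judge, not a malware verdict."""
    report = {}
    for api in api_views:
        hidden = hidden_items(api, raw_views_by_kind[api.kind])
        if hidden:
            report[api.kind] = sorted(hidden)
    return report


# Constructed sample data (hypothetical PIDs and file names, not real indicators).
API_PROCESSES = ViewSnapshot("process", frozenset({4, 512, 1024, 2048}))
RAW_PROCESSES_1 = ViewSnapshot("process", frozenset({4, 512, 1024, 1337, 2048, 3000}))
RAW_PROCESSES_2 = ViewSnapshot("process", frozenset({4, 512, 1024, 1337, 2048}))  # 3000 exited
API_FILES = ViewSnapshot("file", frozenset({r"C:\Windows\notepad.exe"}))
RAW_FILES = ViewSnapshot("file", frozenset({r"C:\Windows\notepad.exe", r"C:\Windows\hidden_driver.sys"}))


def demo() -> dict:
    """PID 1337 and hidden_driver.sys are reported; PID 3000 is suppressed as a race."""
    return cross_view_report(
        [API_PROCESSES, API_FILES],
        {"process": [RAW_PROCESSES_1, RAW_PROCESSES_2], "file": [RAW_FILES]},
    )


if __name__ == "__main__":
    print(demo())
```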
The tests involved infecting a test machine with a specific rootkit and using each solution to its full potential in an attempt to detect the infection. In the process, the students evaluated how simple the anti-rootkit made the task from a non-technical user's perspective. Upon completion, their test report is not kind to the products: "We found those products to be generally not that good, and for some of them even flawed in their design. Most of these solutions are not to be trusted at that time", the report reads.
Command-line-only products were, of course, lacking in the simplicity department, but they were also found to be the most effective of the bunch. The report also advises using more than one anti-rootkit in order to get the best results. Together, these two limitations leave software-only desktop anti-rootkits mostly not ready for prime time, especially for the enterprise market.
In the meantime, other anti-rootkit options are becoming available for the enterprise: virtual machine protection from the hypervisor, à la VMsafe, or system protection through a dedicated hardware card, à la Komoku (now part of Microsoft). Both approaches rely on an out-of-system view, which is the only way to trust the readings 100%. On-system software anti-rootkits will never be able to offer such a guarantee, and that's exactly what Epitech's review shows.
The results
| Product | Fu | Futo | Phide | RkU | BadRK demo | Unreal |
| --- | --- | --- | --- | --- | --- | --- |
| AVG AntiRootkit | Ok | Ok | Ok | Ok | Fail | Fail |
| Avira | Ok | Ok | Ok | Ok | Ok | Fail |
| DarkSpy | Ok | Ok | Fail | Ok | Ok | Fail |
| Gmer | Ok | Ok | Ok | Ok | Ok | Ok |
| Helios Lite | Ok | Ok | Ok | Ok | Fail | Fail |
| IceSword | Ok | Ok | Fail | Fail | Ok | Fail |
| McAfee Rootkit Detective | Fail | Fail | Fail | Fail | Fail | Fail |
| Panda Anti-Rootkit (Tucan) | Fail | Ok | Fail | Ok | Ok | Ok |
| Rootkit Buster | Ok | Ok | Fail | Fail | Ok | Fail |
| Rootkit Unhooker | Ok | Ok | Ok | Ok | Ok | Ok |
| Rootkit Uncover | Ok | Ok | Fail | Fail | Fail | Fail |
| Safety Check | Ok | Ok | Ok | Ok | Ok | Ok |
| Seem | Ok | Ok | Ok | Fail | Fail | Fail |
| Sophos Anti-Rootkit | Ok | Ok | Fail | Fail | Fail | Fail |
| SysProt AntiRootkit | Ok | Ok | Ok | Ok | Ok | Fail |
Vendors, users: contact us to tell us about your experience with these products.