Question for the Product Team :-)

Thread: http://social.technet.microsoft.com/Forums/en-US/ForefrontclientMTR/thread/41ac6959-eb6e-44ab-ad1b-a0316db2a3e8

Posted by Edsaodjhoia, Wed, 07 May 2008 14:33:49 Z

Hello guys and girls,

A quick question. We are working with a customer and are quite close to displacing one of our competitors for their client AV solution; however, at a meeting yesterday the client raised an interesting question that I didn't have an answer to.

Do you have an application capable of detecting kernel-mode rootkits, or are you working on something to that effect?

As I understand it, the only way of doing this would be from outside the OS, either a bootable CD or a pre-installed app capable of booting up in a Linux / WinPE etc. environment. Other AV vendors have this kind of solution; for example, McAfee previously had Cleanboot and now has prescan, and there is the command line scanner package that is included in Hiren's boot CD etc. The good thing about prescan is that it allowed a simultaneous reboot and then scan of entire groups or even the whole network from the management console :-) useful for an outbreak if you want to make sure all machines are clean before you bring your network back up.

It could also be useful to have this for peace of mind, as I assume this would give it greater accuracy and fewer problems, as no services / processes could be loaded.

Thanks for your time :-)

Ed

© 2009 Microsoft Corporation. All rights reserved.

Reply by securityguy14, Tue, 02 Jun 2009 21:41:13 Z

Actually there are a couple of good ones that can detect rootkits without running a boot scan. The only thing about them, though, is that they show you the hooks and patches, but they don't make a determination for you on which ones belong there. As you probably know, a lot of AV and other types of applications apply hooks and patches to your files themselves, so you would have to make sure to see the results and determine on your own what belongs there and what doesn't. One of the best ones I've found is Radix. It scans and shows you EVERY hook and patch on your system and highlights the ones that could possibly be a problem, but it's still up to you to explore whether they belong or not. It also has the option of unhooking them for you; just be careful using that option, because if you unhook something that belongs, the application won't work correctly afterwards. You can find Radix at http://www.usec.at. There's also another good one that works in a very similar way, but it's very hard to find now, since it's no longer in development; there are still some copies of it out there, you just have to look for them. That one is "Rootkit Unhooker". It was originally developed by a Russian group, but they have not been in existence for a few years now. There are still some places where you can find their application; if you need a copy of that one, I'm not sure where to tell you to go, but if you get hold of me, I'll provide one to you. Both of these products are free, and they both show you EVERYTHING that has your system hooked and patched. If you would like a copy, or information about other rootkit products, you could email me at dennisbell@live.com. I have several other ones that don't give you all the information that these do, but are decent at detecting the rootkit and removing it.
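The reply's point is that a hook scanner lists every hooked service but leaves the "does this belong?" decision to the analyst. The following added example (not code from the thread, nor from Radix or Rootkit Unhooker) shows one way to make that triage repeatable: each hooked handler address is resolved against the loaded-module map, then compared with a baseline of hooks already reviewed and accepted. The report format, module ranges, driver name and addresses are all constructed for illustration.

```python
"""Triage a constructed kernel hook listing against a reviewed baseline."""
from dataclasses import dataclass
from typing import Optional

# Constructed loaded-module map: module -> (image base, image end).
# A real scanner reports this from the kernel's loaded-module list.
MODULES = {
    "ntoskrnl.exe": (0x80400000, 0x80600000),
    "avfilter.sys": (0xF7A00000, 0xF7A40000),  # hypothetical AV driver
}

# Hooks an analyst has already reviewed and accepted: service -> owning module.
BASELINE = {"NtCreateFile": "avfilter.sys", "NtOpenProcess": "avfilter.sys"}


@dataclass
class Hook:
    service: str
    handler: int
    module: Optional[str]  # module whose image range holds the handler


def locate(addr: int) -> Optional[str]:
    """Return the module containing addr, or None if no module claims it."""
    for name, (base, end) in MODULES.items():
        if base <= addr < end:
            return name
    return None


def parse_report(text: str) -> list:
    """Parse constructed scanner lines of the form 'NtCreateFile -> 0xF7A01230'."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service, _, addr = line.partition("->")
        handler = int(addr.strip(), 16)
        hooks.append(Hook(service.strip(), handler, locate(handler)))
    return hooks


def triage(hooks: list) -> dict:
    """Label each hook: kernel / expected / review / unknown_module."""
    verdicts = {}
    for h in hooks:
        if h.module == "ntoskrnl.exe":
            verdicts[h.service] = "kernel"          # not actually redirected
        elif h.module is None:
            verdicts[h.service] = "unknown_module"  # classic rootkit indicator
        elif BASELINE.get(h.service) == h.module:
            verdicts[h.service] = "expected"        # reviewed before
        else:
            verdicts[h.service] = "review"          # known driver, new hook
    return verdicts


REPORT = """# constructed scanner output
NtCreateFile -> 0xF7A01230
NtOpenProcess -> 0xF7A01400
NtQueryDirectoryFile -> 0x8A3F1000
NtQuerySystemInformation -> 0xF7A01500
NtClose -> 0x80412340
"""
```

The "unknown_module" verdict (a handler that no loaded module claims) is the case worth escalating first; "review" entries are new hooks from a known driver that still need a human decision, exactly as the reply describes.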