locked
Question for the Product Team :-) RRS feed

  • Question

  •  

    Hello guys and girls,

    A quick question, we are working with a customer and quite close to displacing one of our competitors for their client AV solution however at a meeting yesterday the client raised and interesting question that I did´nt have an answer too.

    Do you have an application capable of detecting Kernel Mode rootkits? or are you working on something to that effect?

    As I understand it, the only way of doing this would be from outside the OS, either a bootable CD or pre installed app capable of booting up in a linux / winPE etc. environment. Other AV vendors have this kind of solution for example McAfee previousley had Cleanboot and now prescan and the command line scanner package that is included in Hirens boot cd etc... the good thing about prescan is that it allowed a simultaneous reboot and then scan of entire groups or even the whole network from the management console, Smile usefull for an outbreak if you want to make sure all machines are clean before you bring your network back up.

    It could also be usefull to have this for peace of mind, as I asume this would give it greater accuracy and less problems as no services / processes could be loaded..

    thanks for your time Smile

    Ed

     

    Wednesday, May 7, 2008 2:33 PM

All replies

  • The thing is that Forefront could detect most of the rootkits and it will remove them even they are kernel mode rootkit and it won't let them to get in first place. However, those rootkit must be discover or have behavior to other rootkits but if there is something totally new or complex , you always could get help from Forefront Support.

    Microsoft does have a tools that will boot and do scan and you should copy it in CD/DVD or removable media its called:

    standalone system sweeper

    And is part of DaRT.

    Friday, July 16, 2010 8:10 AM