altermatt | Cloaking Technology of KAV, SAV, etc. Discussed

Is the use of "rootkit" techniques to cloak security software, to make it less vulnerable to hackers, justified? If from a vendor you trust, are you comfortable with this? I have mixed feelings. In addition to KAV and NSW, mentioned in the interesting article below, BOClean also uses this technique, I believe, as well as a number of others. I'm posting the link and a snip as I haven't seen this yet here.

»www.pcworld.com/resource/article···S,00.asp

Mark Russinovich, chief software architect with Winternals Software, "the Windows operating system expert who exposed Sony BMG Music Entertainment's use of 'rootkit' cloaking techniques last year, is now criticizing security vendors Symantec and Kaspersky Lab for shipping software that works in a similar manner.

"[He] says that the techniques used by Symantec's Norton SystemWorks and Kaspersky's Anti-Virus products are rootkits, a term usually reserved for the techniques that malicious software uses to avoid detection on an infected PC.

"There is 'no good justification' for the use of such techniques, Russinovich says. 'If the vendor believes that the implementation of their software requires a rootkit, then I think they need to go back and re-architect it.'"

Cudni | reply to altermatt | Re: Cloaking Technology of KAV, SAV, etc. Discussed

said by altermatt: In addition to KAV and NSW, mentioned in the interesting article below, BOClean also uses this technique, I believe, as well as a number of others. I'm posting the link and a snip as I haven't seen this yet here.

No, BOClean is very much against the use of rootkits in such a way: »www.wilderssecurity.com/showthre···t=108929

Cudni
-- Some are born to failure, others achieve it, all deserve it. Help yourself so God can help you.

mozilla user | reply to altermatt

KAV uses a rootkit, say it ain't so.

Tuulilapsi | reply to Cudni

Well, that's an interesting question, actually. I'm not a BOClean user, but I'm thinking BOClean probably does do some kind of hooking for its scanning, and if it doesn't use a driver, then it's doing user-mode hooking. And if it does that, then the same people who call AVs rootkits should start calling BOClean a user-mode rootkit.

Oh, and before anyone says it, sure, kernel hooking causes more serious stability problems than user-mode hooking. But user-mode hooks can still crash your programs, just not your whole system.
-- Want security? Run as limited user.

Cudni

I'm not a BOClean user either, and I guess it of course must be using something: »www.wilderssecurity.com/showpost···count=34

Cudni

bluezanetti

Try here. Quoting briefly from one of Kevin's posts:

"Folks might notice a new "BOCDRIVE.SYS" kernel driver - that now handles from the kernel itself a new "smart monitor" and "system state tracker" which keeps track of what's running, what's been seen before, and speeds up BOClean while...."

Blue

Don Pelotas | reply to mozilla user

said by mozilla user: KAV uses a rootkit, say it ain't so.

It isn't so. Kaspersky uses ADS (Alternate Data Streams) in its iStreams technology to store info: »www.kaspersky.com/faq?qid=156636746

Maybe Mark Russinovich is annoyed because using this Windows feature renders his own RootkitRevealer "useless", because you have to sift through all the Kaspersky data to look for any possible malware.

Kaspersky scans ADS in both real-time and on-demand, btw.

Cudni

I don't think it renders RR useless at all; all a user has to do is know which RR-flagged entries to ignore and assume safe until proven otherwise. I don't have KAV; does RR flag its entries?

Cudni

Tuulilapsi | reply to Don Pelotas

No, that's not it. Some people are now redefining rootkits so that everything that uses kernel hooking is a rootkit. This means that practically all anti-viruses, including KAV, are rootkits. I, of course, find this new definition patently ridiculous.
-- Want security? Run as limited user.

John2g | reply to Cudni

said by Cudni: I'm not a BOClean user either

Cudni, that is odd. Previously you have written "I recommend Boclean both to businesses and individuals based on its price, effectiveness and stellar support."
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.

Tuulilapsi

I don't think that's odd, really. BOClean is certainly effective, the price isn't bad and the support is obviously excellent. You don't have to be a BOClean user to notice these things.
-- Want security? Run as limited user.

Cudni | reply to John2g

I still do. Why is it odd, though, and why do you have to be a BOClean user to recommend it?

Cudni

RobertLudlum | reply to Don Pelotas

Calling the use of ADS "rootkit technology" is like someone discovering Windows Explorer's "show hidden files and folders" option and calling files in such folders rootkits.

Kernel hooking alone does not a rootkit make. But "hiding" stuff is? But what's hidden or not depends on who's searching for it.

Don Pelotas | reply to altermatt | Re: Cloaking Technology of KAV, SAV, etc. Discussed

The official response from Kaspersky: »www.kaspersky.com/news?id=177718126

ranschultz | reply to Don Pelotas | Re: Cloaking Technology of KAV, SAV, etc. Discussed

It's not the ADSes themselves that Mark is complaining about; it's that KAV hides the ADSes, thereby allowing malicious applications to potentially hide data in those streams.

Edit: I still wouldn't consider this to be a rootkit though.

Mele20 | reply to altermatt

Who cares what Kaspersky WAS doing in 5.0? That version has been discredited over and over because of ADS and the ability for malware to hide there. That is OLD news. Kaspersky has jettisoned ADS in KIS and KAV 2006. It is the new version we should be concerned with. KIS 2006 cripples, literally, my computer. I had to uninstall the latest beta last night. I simply cannot use any of the recent betas. If one this bad gets released next month to Gold, I think Kaspersky is going to plummet in popularity. Hopefully, Kaspersky will fix some of the problems, as earlier betas were not nearly so slow. (I can't wait two minutes for Fx to start or a minute to load a page at this site.)
-- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "'Trusted Computing' Frequently Asked Questions"

Dr Tweak

said by Mele20: Kaspersky has jettisoned ADS in KIS and KAV 2006. It is the new version we should be concerned with. KIS 2006 cripples, literally, my computer. I had to uninstall the latest beta last night. I simply cannot use any of the recent betas.

KAV 6 Beta (and the final release) does not use iStreams anymore; it uses iSwift, which does not use ADS. Also, it's called "BETA" software for a reason. I have seen you complain about KAV 6 Beta in many threads..... it's BETA! I know you are a smart guy from reading your threads, so why would you think beta software will work as it's supposed to?

Don Pelotas | reply to ranschultz

said by Mele20: Who cares what Kaspersky WAS doing in 5.0? That version has been discredited over and over because of ADS and the ability for malware to hide there.

said by ranschultz: it's that KAV hides the ADSes thereby allowing malicious applications to potentially hide data in those streams. Edit: I still wouldn't consider this to be a rootkit though.

I understand that; it still doesn't make it true. The hidden streams are not accessible while Kaspersky is active, and even if malware would manage to hide there, it would not be recognized by KAV and would be deleted. :)

no__1__here | reply to altermatt

NTFS ADS = rootkit?! I love Mark, he does incredible work... but equating ADS to a rootkit is a stretch for me. ADS was put there for a reason (Mac interop) by Microsoft (not Kaspersky or Symantec). Sure, there are nefarious uses of ADS, but I fail to see how KAV using ADS for checksums is "bad". I've used ADSes to "hide" files. Does that mean I've installed a rootkit??

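The point ranschultz and no__1__here are arguing over is what a normal stream enumeration shows: an alternate data stream is invisible to Explorer and to a plain directory listing, but not to an API that asks for streams. The script below is an added example (not code from this thread, from Kaspersky or from Winternals) that lists every named stream under a directory so an analyst can review them; the starting directory and the "known benign" list are assumptions, and it requires PowerShell 3.0 or later, where Get-Item accepts -Stream.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams under a
# directory and report every stream other than the default unnamed one (':$DATA').
# Assumes Windows PowerShell 3.0+ / PowerShell 7 (Get-Item and Get-Content take -Stream).
param(
    [string]   $Root        = 'C:\Users\Public',     # assumed starting directory
    [string[]] $KnownBenign = @('Zone.Identifier')   # Mark-of-the-Web stream; expected on downloads
)

function Get-AlternateStreams {
    param([string]$Path, [string[]]$Benign)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns the default ':$DATA' stream plus every named stream;
            # only the named ones are "alternate" and worth reporting.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File     = $file.FullName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        Expected = ($Benign -contains $_.Stream)
                    }
                }
        }
}

# Unexpected streams first, largest first: a large stream with an unfamiliar name on a
# file that has no business carrying one is the thing to open with
# Get-Content -LiteralPath <file> -Stream <name> and hash before deciding what it is.
Get-AlternateStreams -Path $Root -Benign $KnownBenign |
    Sort-Object Expected, @{ Expression = 'Bytes'; Descending = $true } |
    Format-Table -AutoSize
```

A driver that filters stream enumeration, which is what the thread describes KAV 5's iStreams doing, hides streams from this listing too; to check for that, compare the output with a listing of the same volume taken offline, or with RootkitRevealer's comparison of the API view against the raw disk.
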
SpannerITWks | reply to altermatt | Re: Cloaking Technology of KAV, SAV, etc. Discussed

I used KAV 5 P Pro on a non-NTFS ADS drive, and think it's great. I'm pleased to see they are ditching ADS at last! It would be nice to know exactly why they are doing so, and in what way/s the new iSwift is better.

Yes, nasties can hide away in those streams; that's why I feel some people have a false sense of security when using NTFS.

Spanner
-- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks