Simple rootkit detection?

sherpya

Rootkits are kernel drivers, .sys files, so the .sys can be in the virus DB like other viruses (.exe).

panthe1st

Thanks sherpya, it would work fine, wouldn't it? I think I'll post a howto on my blog describing how to make a bootable OS CD and AV scanner using ClamWin as a good way of cleaning infected systems, including rootkit viruses.

GuitarBob

When you get the information posted, Pan, be sure and let us know where we can read it. I'm sure many ClamWin users would be interested.
Regards,

panthe1st

Hi Bob, I'll be happy to; I'll post the link in the next day or two.

sherpya

I'll update my ClamWin BartPE plugin after the release;
for my PE plugins take a look at https://oss.netfarm.it/winpe/

panthe1st

Sorry for the delay, I've posted a blog article here (https://www.fracked.org/2008/02/rootkit-and-virus-detection-using-bartpe-and-clamav/) on using BartPE and ClamWin portable, if anyone is interested!

ownagehacker

Thanks Panthe. Nice work!
How often do you update your blog?
Ownage

GuitarBob

Thanks for the information. What should a user do about the frequent Clam signature updates, however? They won't be on the BartPE CD. Clam also didn't do very well in Andreas Marx's recent test, but perhaps it might do better when run from outside the computer's resident OS. See https://www.darkreading.com/document.asp?doc_id=144046 for a summary of the test. I believe a detailed test description is also referenced in the summary.
As a backup scanner, you could probably put Dr. Web's CureIt on the BartPE CD, but it is also updated frequently, and you would have the same signature update problem with it as well.
Regards,

panthe1st

Actually, I realised I should have mentioned it after posting that blog entry. If you run ClamWin from the USB stick from a normal O/S boot, then it updates the patterns to the USB stick. If you're able to boot BartPE with network support, it'll also update from there too. That's why it's better doing it this way than having the AV included with the boot CD, I think.
Just had a quick look and there's no portable version for CureIt as it's not licenced under the GPL, unfortunately. Like you say, you can probably include it as part of the boot CD, but then you have the update problem again.

sherpya

The test is misleading; most antivirus programs are not rootkit detectors. If one wants to detect rootkits, he needs to scan offline,
like using BartPE or some live Linux distro.

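As an added illustration of the two points sherpya makes in this thread (a rootkit's driver is an ordinary .sys file that an offline scan can hash, and can then be listed in the virus DB like any other sample), here is an example script that is not part of the thread, of ClamWin, or of ClamAV. It walks the drivers directory of a Windows volume that is mounted but not booted (from BartPE or a live Linux), hashes every .sys file, diffs the result against a trusted baseline, and shows how a driver confirmed bad by analysis would be expressed as a ClamAV .hsb hash-signature line (sha256:size:name). The drivers path, the sample driver files, the baseline hashes and the signature name are all constructed for the demo, not real Windows or ClamAV data.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout of the offline (non-booted) Windows volume: kernel drivers live here.
DRIVER_SUBDIR = Path("Windows") / "System32" / "drivers"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so a large driver need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_drivers(volume_root: Path) -> dict[str, str]:
    """Map every *.sys file under the offline volume's drivers directory to its hash.

    The volume is not the running OS, so a rootkit's filter driver is not loaded
    and cannot hide the file from this directory listing.
    """
    drivers_dir = volume_root / DRIVER_SUBDIR
    return {
        entry.name.lower(): sha256_of(entry)
        for entry in sorted(drivers_dir.glob("*.sys"))
        if entry.is_file()
    }


def compare_to_baseline(inventory: dict[str, str], baseline: dict[str, str]):
    """Split the inventory into drivers that are unknown, changed, or missing relative to a trusted baseline."""
    unknown = sorted(name for name in inventory if name not in baseline)
    changed = sorted(name for name in inventory if name in baseline and inventory[name] != baseline[name])
    missing = sorted(name for name in baseline if name not in inventory)
    return unknown, changed, missing


def hsb_signature(path: Path, malware_name: str) -> str:
    """ClamAV .hsb hash-signature line (sha256:filesize:name) for a driver confirmed malicious by analysis."""
    return f"{sha256_of(path)}:{path.stat().st_size}:{malware_name}"


def build_constructed_volume() -> Path:
    """Create a throw-away directory that imitates an offline volume (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="offline_volume_"))
    drivers_dir = root / DRIVER_SUBDIR
    drivers_dir.mkdir(parents=True)
    (drivers_dir / "disk.sys").write_bytes(b"constructed: unchanged driver")
    (drivers_dir / "ntfs.sys").write_bytes(b"constructed: driver whose bytes changed")
    (drivers_dir / "unlisted.sys").write_bytes(b"constructed: driver absent from baseline")
    return root


def constructed_baseline() -> dict[str, str]:
    """Hashes a trusted baseline would hold for a clean install (constructed, not real Windows hashes)."""
    return {
        "disk.sys": hashlib.sha256(b"constructed: unchanged driver").hexdigest(),
        "ntfs.sys": hashlib.sha256(b"constructed: original driver bytes").hexdigest(),
        "tcpip.sys": hashlib.sha256(b"constructed: driver that should be present").hexdigest(),
    }


def run_demo():
    """Inventory the constructed volume, diff it against the constructed baseline, build one sample signature."""
    root = build_constructed_volume()
    unknown, changed, missing = compare_to_baseline(inventory_drivers(root), constructed_baseline())
    # Placeholder signature name; in practice the name comes from the analyst who confirmed the sample.
    sample_sig = hsb_signature(root / DRIVER_SUBDIR / "unlisted.sys", "Placeholder.Rootkit.Driver")
    return unknown, changed, missing, sample_sig


if __name__ == "__main__":
    unknown, changed, missing, sig = run_demo()
    print("unknown drivers  :", unknown)
    print("changed drivers  :", changed)
    print("missing drivers  :", missing)
    print("example .hsb line:", sig)
```

A changed or unknown driver is a lead, not a verdict: drivers legitimately change with every Windows update, so the baseline has to come from the same patch level (or from vendor hash lists) before a difference means anything.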
GuitarBob

What about a scan online from a place like https://www.fileresearchcenter.com/whatsrunning.html where you could print a copy of the report as to what is running on your computer and then compare it to what your Task Manager says is running? If there is something that is not shown in Task Manager, it may be a rootkit. If this will work, it might be a model for ClamWin to use, provided it could access the Task Manager output, ally with a source on the Web to examine the processes running on a computer, compare the two, and inform the user of any differences for action by the user.
Regards,

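The comparison GuitarBob proposes above is the classic cross-view check: anything an independent view reports that the in-OS view (Task Manager) omits is a candidate hidden process. The script below is an added example, not code from the thread or from ClamWin, and it goes one step beyond the post by taking two Task Manager snapshots and flagging only what is absent from both, which removes the commonest false positive (a process that simply started or exited between the two views). It also reports PIDs whose image name differs between the views. Both process listings are constructed sample text in a 'PID name' format that is assumed here, not output of any real site or tool.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def parse_listing(text: str) -> dict[int, Proc]:
    """Parse a plain-text process listing of 'PID image-name' lines into a PID-keyed dict.

    Blank lines and '#' comments are skipped; any other line that is not 'number name'
    raises, so a truncated or reformatted report is noticed instead of yielding an empty view.
    """
    procs: dict[int, Proc] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"malformed listing line: {raw!r}")
        pid = int(parts[0])
        procs[pid] = Proc(pid, parts[1].strip().lower())
    return procs


def find_hidden(external: dict[int, Proc], api_snapshots: list[dict[int, Proc]]) -> list[Proc]:
    """Processes the external view reports that none of the API-level (Task Manager) snapshots show.

    Requiring absence from every snapshot filters out processes that merely started or exited
    between the moments the views were taken.
    """
    return [
        proc
        for pid, proc in sorted(external.items())
        if all(pid not in snapshot for snapshot in api_snapshots)
    ]


def find_name_mismatches(external: dict[int, Proc], api_snapshot: dict[int, Proc]) -> list[tuple[Proc, Proc]]:
    """Same PID, different image name in the two views: PID reuse or a tampered listing, worth a manual look."""
    return [
        (external[pid], api_snapshot[pid])
        for pid in sorted(external)
        if pid in api_snapshot and external[pid].name != api_snapshot[pid].name
    ]


# Constructed sample views (not real output from any site or tool).
EXTERNAL_VIEW = """\
# what the out-of-band report says is running
4     System
512   winlogon.exe
1200  explorer.exe
1340  clamwin.exe
2210  svchost.exe
3001  notepad.exe
"""

TASKMGR_SNAPSHOT_1 = """\
4     System
512   winlogon.exe
1200  explorer.exe
1340  clamwin.exe
3001  notepad.exe
"""

# Second Task Manager snapshot a few seconds later: notepad.exe has exited and PID 3001 was reused.
TASKMGR_SNAPSHOT_2 = """\
4     System
512   winlogon.exe
1200  explorer.exe
1340  clamwin.exe
3001  calc.exe
"""


def run_demo():
    """Cross-view the constructed external report against two constructed Task Manager snapshots."""
    external = parse_listing(EXTERNAL_VIEW)
    snapshots = [parse_listing(TASKMGR_SNAPSHOT_1), parse_listing(TASKMGR_SNAPSHOT_2)]
    hidden = find_hidden(external, snapshots)
    mismatches = find_name_mismatches(external, snapshots[1])
    return hidden, mismatches


if __name__ == "__main__":
    hidden, mismatches = run_demo()
    for proc in hidden:
        print(f"not visible to Task Manager in any snapshot: pid={proc.pid} name={proc.name}")
    for ext, api in mismatches:
        print(f"pid {ext.pid}: external view says {ext.name}, Task Manager says {api.name}")
```

In the sample, PID 2210 is the only process present in the external view and absent from both Task Manager snapshots, so it is the one worth investigating; notepad.exe at PID 3001 is reported only as a name mismatch, because it was visible in the first snapshot and its PID was reused before the second.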
GuitarBob

Direct disk access (DDA) might enable an AV scanner to bypass any Windows APIs that have been "captured" by a rootkit. Webroot antispyware claims to be using this in their new scanner.
Regards,

Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.