Re: No Defense Against Windows Rootkits?

From: Imhotep (Imhotep_at_nospam.net)
Date: 09/29/05


Date: Wed, 28 Sep 2005 21:27:02 -0400

speeder wrote:

> On 28 Sep 2005 23:25:59 GMT, "nemo_outis" <abc@xyz.com> wrote:
>
>>PPS The only complete protection (passing over hardware tampering such as
>>compromised BIOSs) is something like hash-checking essential files after
>>booting from a known-good CD.
>
> Something like Tripwire? What would be the equivalent for Windows?

The problem that exists is this. An application is generally requesting
(using) a kernel API in some way, shape or form. In other words, the
application is not looking directly at the file on the disk. So,
if a rootkit is installed and you are running a security app like Tripwire
on the same infected machine, then it really is useless (you're asking the
rootkit if the system is infected). That is why the other poster said
"...booting from known-good CD".

Im
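The following is an added example, not part of Imhotep's post, that walks through the point above in code: a Tripwire-style hash baseline is taken on a clean system, a rootkit replaces a binary, and the same verify routine is then run twice, once through a read path the rootkit controls and once against the raw bytes on disk (what a checker booted from known-good media would see). The file names, contents and the HookedRead class are all constructed for the demonstration; a real rootkit hooks the kernel's file I/O, not a Python callable, but the effect on the checker is the same.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, read_file):
    """Hash a file's contents as seen through read_file (the 'API' the checker trusts)."""
    return hashlib.sha256(read_file(path)).hexdigest()


def build_baseline(root, read_file):
    """Tripwire-style snapshot: {relative path: sha256} for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(path, read_file)
    return baseline


def verify(root, baseline, read_file):
    """Return the sorted list of paths whose hash differs from the baseline,
    including files added or removed since the snapshot was taken."""
    current = build_baseline(root, read_file)
    return sorted(p for p in set(baseline) | set(current)
                  if baseline.get(p) != current.get(p))


def raw_read(path):
    """What an offline checker booted from known-good media sees: the bytes on disk."""
    with open(path, "rb") as f:
        return f.read()


class HookedRead:
    """Stand-in for a rootkit that hooks the file-read API (constructed for this
    example). For any file it has replaced it hands back the original bytes, so a
    checker running on the infected host is shown a clean file."""

    def __init__(self):
        self.disguised = {}   # on-disk path -> original bytes to present instead

    def trojan(self, path, new_bytes):
        self.disguised[path] = raw_read(path)   # remember what to show the checker
        with open(path, "wb") as f:
            f.write(new_bytes)                  # actually replace the file on disk

    def __call__(self, path):
        if path in self.disguised:
            return self.disguised[path]
        return raw_read(path)


def demo():
    """Run the checker on the infected host and from 'offline'; return both reports."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        service = os.path.join(root, "bin", "service.exe")
        with open(service, "wb") as f:
            f.write(b"MZ original service code")      # constructed sample content
        with open(os.path.join(root, "etc", "config.ini"), "wb") as f:
            f.write(b"[svc]\nstart=auto\n")           # constructed sample content

        # 1. Baseline taken while the system is still clean.
        baseline = build_baseline(root, raw_read)

        # 2. Rootkit replaces the binary and starts lying to anything that reads it.
        rootkit = HookedRead()
        rootkit.trojan(service, b"MZ backdoored service code")

        # 3a. Checker run on the live, infected system: every read goes through the hook.
        live = verify(root, baseline, rootkit)
        # 3b. Same check after booting known-good media: reads bypass the hook.
        offline = verify(root, baseline, raw_read)
        return {"live": live, "offline": offline}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print("live check on infected host     :", result["live"] or "clean (a lie)")
    print("offline check from known-good CD:", result["offline"])
```

The verify routine is identical in both runs; only the read path differs. That is the whole point of the post: on the infected host the hash checker's verdict is only as honest as the kernel API it calls, so the baseline database and the checker have to be run from media the rootkit never had a chance to hook.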


