VIRUS PREVENTION TOOLS
AVG-ANTIVIRUS SCANNER
AVG Anti-Virus Free Edition is an anti-virus
scanner that offers Resident Protection, e-mail Scanner, On-Demand Scanner,
Virus Vault for safe handling of infected files and automatic updates. The free
version is limited in features, but includes all basic scanning functionality
and real-time protection. It uses the same scanning engine as the commercial
version; however, updates are provided on a low-priority basis.
AVAST HOME EDITION
avast! Home Edition is a complete anti-virus
package that is free for registered home non-commercial users. It contains
an on-demand scanner with two interfaces (simple for novices and advanced for
experienced users), an on-access scanner with Standard Shield (which protects
against executing or opening malware programs) and an embedded e-mail scanner
which scans incoming and outgoing email messages. avast! Home integrates with
the Windows Explorer right-click menu and also includes a special screen saver
which is able to scan your system while your computer is not in use. Updates are
incremental and frequently made available for manual or scheduled download. The
download is a 60-day demo; if you would like to continue free usage beyond
that time, you'll need to register from the home page to obtain a free
activation key by email.
AntiVir PE (Personal Edition Classic) offers effective
protection against computer viruses for individual and private use on a
single PC workstation. It detects and removes more than 50,000 viruses and
includes an Internet-Update Wizard for easy updating. The built-in resident Virus
Guard monitors file movements automatically, for example when downloading
files from the Internet. Heuristic scanning provides protection against
previously unknown macro viruses.
BitDefender Free Edition offers ICSA
Labs certified virus scanning of your files. It includes an on-demand
Virus Scan, Scheduler, Online Update, Quarantine and reports.
PC Tools AntiVirus Free Edition is an anti-virus scanner that provides
real-time protection against viruses, worms and Trojans. It also offers
on-demand scans, as well as automatic updates and real-time scanning of incoming
and outgoing mail. Other features include heuristic scanning and scheduled
scans. The Free Edition offers limited support and non-priority
updates.
FREE ONLINE VIRUS SCANNER
Think you might have a virus? You can scan your system online now.
PC PITSTOP: a very good online virus scanner.
TrueCrypt is open-source encryption software
that enables you to create a virtual encrypted disk within a file and mount it
as a virtual disk that can be accessed via a drive letter. Any file that is
stored on this virtual drive is automatically encrypted on the fly, and can only
be accessed while the drive is mounted with the correct password or key.
TrueCrypt supports a variety of encryption algorithms, including AES-256,
Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish. Other features
include support for FAT32 or NTFS formatting, hidden volumes, hotkeys for
mounting/dismounting and more.
ROOTKITS
Rootkits are not themselves
malware programs. Rather, rootkits are programs that hide the presence of malware
programs.
They do this using a variety of clever tricks to manipulate
Windows itself, the effect of which is that you cannot see the malware product
on your computer using normal Windows programs.
For example, you will not
be able to see any of the malware files in Windows Explorer or any other common
file viewer.
Nor will you be able to see any of the malware processes by
using Task Manager or most other process viewers.
Similarly there will
be no visible malware entries in the Windows Startup folder or other startup
locations. Even a HijackThis log will show nothing.
In other words, the
malware infection is totally stealthed from your view and the view of most of
your security software products.
Because of this stealthing your
security software may report that your PC is totally clean from infection when
in fact you are infected.
In the past, rootkits have been
mostly used by hackers to hide trojans. Increasingly, however, they are being
used to hide spyware or mass-circulation viruses and worms. That's bad news for
users, as they are far more likely to encounter these infections than hacker
trojans.
Detecting the presence of
rootkits and the products they are stealthing is not easy. Certainly most
anti-virus and anti-spyware scanners can't detect them, though a few are just now
starting to add features to help with detection. What is needed is a specialist
rootkit detector.
Rootkit Detection
If an uninfected copy of the test
system is available as a reference, rootkits can be detected by doing a
file-by-file comparison while working from the uninfected copy. Here the
infected system is treated just as data, so the cloaking effect of the rootkit
is not in play. In this situation, the rootkit and its payload can be easily
discovered.
However, this is a situation
that is rarely encountered in practice, as almost no one has a reference
copy of their system. Quite separately, systems are not static anyway;
legitimate changes are constantly taking place within a system, and such changes
make simple file comparisons difficult.
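As an added example (not code from the original article), the file-by-file comparison described above carried out in Python: every file under a known-good reference tree and under an offline copy of the suspect disk is hashed, the two inventories are diffed, and paths that legitimately change (logs, caches) are skipped so that normal churn does not drown the report. The directory trees, file names and contents are constructed for the demonstration and stand in for a mounted disk image.

```python
import hashlib
import tempfile
from pathlib import Path

def inventory(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.
    Run this against an offline copy or a mounted image: nothing from the
    suspect system executes, so a rootkit cannot cloak its files."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(reference: dict[str, str], suspect: dict[str, str],
            ignore_prefixes: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Diff a known-good inventory against a suspect one. Paths under
    ignore_prefixes (logs, caches) are expected to change and are skipped,
    which keeps legitimate churn out of the report."""
    ref = {k: v for k, v in reference.items() if not k.startswith(ignore_prefixes)}
    sus = {k: v for k, v in suspect.items() if not k.startswith(ignore_prefixes)}
    return {
        "added": sorted(set(sus) - set(ref)),      # only on the suspect disk
        "removed": sorted(set(ref) - set(sus)),    # only in the clean reference
        "modified": sorted(k for k in set(ref) & set(sus) if ref[k] != sus[k]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean reference tree and a suspect copy in which
    one system file was patched, one driver was added and a log grew."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        files = {  # hypothetical paths and contents, not real binaries
            "Windows/System32/ntoskrnl.exe": b"clean kernel image",
            "Windows/System32/drivers/disk.sys": b"clean disk driver",
            "Windows/Logs/setup.log": b"log at imaging time",
        }
        for root in (clean, suspect):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        # Changes a running rootkit would hide from a live scan of the suspect:
        (suspect / "Windows/System32/ntoskrnl.exe").write_bytes(b"patched kernel image")
        (suspect / "Windows/System32/drivers/hidden.sys").write_bytes(b"added driver")
        (suspect / "Windows/Logs/setup.log").write_bytes(b"log kept growing")  # benign
        return compare(inventory(clean), inventory(suspect),
                       ignore_prefixes=("Windows/Logs/",))

if __name__ == "__main__":
    print(demo())
```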
So in real life, rootkit detectors have to work from within the potentially
infected system. Detecting rootkits in this situation is
really tough, but there are several different techniques that can potentially be
employed, and new ones are being developed. None, however, is
perfect.
To make matters worse, rootkit
developers are aware of these techniques and are constantly developing their
products to evade new detection methods. In effect, it has become a cat-and-mouse
game between the bad guys and the good guys.
What that means is there is
currently no such thing as a perfect rootkit detector. The good news is that it
also means there is probably no such thing as a perfect rootkit
either.
This situation means that users
should not lock onto the idea that one particular rootkit detector is "the
best." Indeed, I suggest you adopt the practice of using several detectors. You
should also ensure that you regularly update your detectors, as the current
cat-and-mouse game means that products are constantly
evolving.
Rootkit Detectors (RKDs)
There are over a dozen RKDs
available, but most are difficult to use or are targeted at detecting specific
rootkits. The following four programs seem to be the best for general use.
I suggest you use all of them. Between them they will detect the majority
of current rootkits. I have added a fifth program called IceSword, but it's
really only suitable for experienced users.
These programs are all free and
require Windows 2000 or later. They all require Administrator user
rights to run.
I wish I could offer alternatives
for Windows 9x users, but there are simply no comparable products
available.
BlackLight from F-Secure
This is a free beta that F-Secure
will incorporate into its commercial security products at a future date, though
they have pledged that BlackLight will remain free until March 2006. The program
is currently being updated around once a month.
F-Secure does not give much
information about how the program functions other than to say it "works by
examining the system at a deep level.
This enables BlackLight to detect objects that are hidden from the user and
security software." BlackLight will detect hidden files, folders and
processes, but not hidden registry keys.
BlackLight is currently the easiest
RKD to use. It requires no installation and it scans very quickly - less
than a minute on my test PC.
It also offers a removal option for
any rootkits detected, which works by renaming the files involved. Before using
this option I suggest you read the section on rootkit removal below.
BlackLight requires Windows 2000 or
later (32 bit only) and the download is 611KB.
RootkitRevealer from Sysinternals.
This free utility compares user-mode
information with kernel-mode information and reports differences that exist in
the Windows Registry and file system.
Like BlackLight, it requires no
installation: just double-click the .exe file. To start a scan, select File/Scan.
It took about 20 minutes to scan my test PC.
The program has an option to scan
NTFS alternate data streams for hidden code. This option is normally off, as it
can generate a lot of false positives, particularly for those who use products
like Kaspersky AV V5 that legitimately store data in these data streams.
Experienced users, however, may want to play with this
setting.
RootkitRevealer will not remove
rootkits. The authors suggest users conduct a Google search on how to remove any
detected malware or re-format the drive and re-install
Windows.
Malicious Software Removal Tool from Microsoft
This program is not a dedicated RKD
but rather was designed to detect and remove several major virus and worm
families. It does however have the capacity to detect the Hacker Defender
rootkit and detection of other rootkits may be added at a future date. The
program is updated monthly and distributed via the Microsoft and Windows Update
services.
If you receive the program through
the update service, it will run automatically once it is installed. You
will only know that it has run if a malware product is detected on your
PC.
I can see the logic in this, but
personally I like to run the program more often. That's not a problem, as
Microsoft provides an online scan using the latest Removal
Tool.
You can access the online scan here but note that you need Internet Explorer as the
web page uses ActiveX controls.
The latest version of the program
can also be downloaded from here.
Scanning took around one minute on
my test PC. The only indication that the program is working is the hard disk
activity light, but at the end of the scan you are presented with a list of the
malware that is scanned for and a statement for each of whether it is present or
not.
Rootkit Hook Analyzer
The folks over at Resplendence are
currently offering Rootkit Hook Analyzer as a free beta of what will eventually
become a commercial product.
As the name implies, it identifies
any active kernel hooks in your system. Now some kernel hooks may be established
by legitimate programs, so you need to be very careful interpreting the results.
Also, some rootkits don't employ kernel hooks, so it won't catch these. These
reservations aside, it is a useful tool.
The program runs on Windows
XP, 2000 and 2003 Server with the exception of the 64 bit editions and the
download is 993KB.
IceSword
(Suitable for experienced users only)
This free Chinese utility is
arguably the biggest gun
in the rootkit detection war.
It's not really an automated rootkit
detector in the manner of BlackLight but rather is a suite of tools that allow a
skilled user to detect the presence of a rootkit.
These tools include a process
viewer, a startup analyzer, a port enumerator and more. These tools
will reveal the presence of rootkits and the products they are stealthing, but
it's up to you to do the identification. In the hands of a skilled user, it's an
amazing tool.
The program was originally only documented in
Chinese, but an English version has now appeared. The
Chinese download site is very slow, but David Wasson has provided a local mirror
(565KB).
Removing Rootkits
Removing rootkits presents
two quite separate problems. The first is the removal of the rootkit itself. The
second is the removal of the malware that the rootkit was
stealthing.
Because rootkits work by changing
the Windows operating system itself, it may not be possible to remove the rootkit
without causing Windows to become unstable or
non-functional.
Removing the malware hidden by the
rootkit presents the normal problems of removing any malware. However, you won't
be able to do this until the rootkit is removed, at which point the whole
system may become unstable to the point that the malware cannot be completely
removed.
Restoring your drive from a drive
image is another possibility, providing you are sure the image was created before
the rootkit infection and that your imaging program restores the boot sector on
your disk.