My Computer Scan and Rootkit Scan, Question
3x0gR13N
post 9.06.2007 19:38
Post #1
Kaspersky Fan III
Group: Moderators
Posts: 2315
Joined: 2.01.2007
From: Serbia

I know that this has been discussed many times before (I apologize for posting it again) but I'm still confused...
Is the Rootkit scan detecting only hidden (stealth) malware (rootkits) or normal non-hidden malware (trojans, worms, spy/adware...) as well?
I've done a Rootkit scan now and see what happened... it detected non-hidden malware... (see attach.)

If it is detecting non-hidden objects as well, how is it different from a My Computer Scan with the Extended Rootkit scan option enabled?

In my opinion the Rootkit scan should not use standard databases for non-hidden malware, and for example if a computer is infected with a worm and not with a Rootkit it should not display that worm in the detected tab for that scan.

So, the My Computer Scan with the extended rootkit scan option enabled should scan for stealth and non-stealth malware, and the Rootkit scan (extended rootkit scan option enabled, of course) should scan for stealth ONLY. (A popup from the File-AV should occur during a Rootkit scan when a computer is infected with non-stealth malware because the Rootkit scan has accessed that infected file.)
Don Pelotas
post 9.06.2007 20:18
Post #2
Global Moderator
Group: Global moderators
Posts: 28886
Joined: 7.04.2005

Yes, it includes everything... if you set it up like that, but you could enable "new & changed files only" and set it to the lowest setting scanwise and keep everything to the max under the rootkit/heuristical tab. I must admit I do not see a problem here, but each to their own.
saso
post 9.06.2007 20:50
Post #3
Professional II
Group: Gold beta testers
Posts: 3111
Joined: 10.04.2005
From: ljubljana, slovenia

KL RLZ, I am sorry but I cannot agree with your logic. Things should not be too complicated, so it is good that every scan is able to detect everything. There are different scan tasks available for one reason only, to save time (so that you don't have to run, every time, the full computer scan that can sometimes on some computers take hours). Things are just fine the way they are.

This post has been edited by saso: 10.06.2007 13:42
3x0gR13N
post 9.06.2007 21:53
Post #4
Kaspersky Fan III
Group: Moderators
Posts: 2315
Joined: 2.01.2007
From: Serbia

QUOTE(saso @ 9.06.2007 17:50)
KL RLZ, I am sorry but I cannot agree with your logic. Things should not be too complicated, so it is good that every scan is able to detect everything. There are different scan tasks available only for one reason, to save time (so that you don't have to run, every time, the full computer scan that can sometimes on some computers take hours). Things are just fine the way they are.

I agree with you about saving time to scan. If the Rootkit scan is going to scan for every malware type, in theory it would take more time to scan than just scanning for stealth malware... The thing that bothers me is the scan name > "Rootkit Scan". Rootkits are stealth, so I see no point in scanning for non-stealth malware... And the non-stealth malware is going to be detected by File-AV when doing a Rootkit scan because the scanner will access it. If a user wants to perform a Rootkit Scan I see no point in detecting non-stealth malware, it would just take more time.
If you enable extended rootkit scan and max heuristics in My Computer scan it is identical to a Rootkit scan...
So, I think it would be better to exclude non-stealth malware from the Rootkit scan detection-list.
I think that Scan my computer (with enabled extended rootkit scan and max heur) should be equal to Rootkit scan + non-stealth malware signatures.

My point is that the My Computer Scan with extended rootkit scan and max heuristic option enabled should scan for stealth AND non-stealth malware and the Rootkit scan (with the same settings) should scan for stealth ONLY.

I see that you have a lot of experience and my knowledge is far less than yours, but I think that the Rootkit scan detecting stealth malware only is more logical... I mean it's called "Rootkit Scan", why should it detect anything non-rootkit (stealth) like?

Sorry if this was a bit confusing.
saso
post 9.06.2007 23:25
Post #5
Professional II
Group: Gold beta testers
Posts: 3111
Joined: 10.04.2005
From: ljubljana, slovenia

First thing to say here is that critical areas, my computer, startup objects, rootkit scan and all other scan tasks created by the user are all subtasks of the main "scan" task and they are all totally the same (they are different just because they have different options turned on and off).

Now why do so much work for the developers to create a totally different scan when things are working fine and are IMO even simpler and better for the user, because all these different powerful technologies are integrated into one nice and simple scan.

About your argument that the rootkit scan task should report only hidden objects detected by the new anti-rootkit hidden file scan, I again cannot agree. There are many different rootkit types, some of them are more advanced, some of them less, and some of them KAV was able to detect even in version 5 with no special raw disk scan for hidden files. So we see that KAV is able to detect rootkits in several different ways and also with signatures, so why would you disable all this and use just the new hidden files scan for the rootkit scan?

We had discussions before about whether the special rootkit scan task is actually needed since all other scan tasks are able to do the same thing... but here we come back to my previous comment "there are different scan tasks available for one reason only, to save time".

QUOTE
if you enable extended rootkit scan and max heuristics in My Computer scan it is identical to a Rootkit scan...

No it is not, take a look at the scan objects in the main window (not in the settings) and you will see that they are different. Why? To save time.

For me things are OK the way they are. As for the rootkits, I only hope to see some more anti-rootkit technologies added and nicely integrated as was this hidden files scan.

This post has been edited by saso: 10.06.2007 13:48
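The "hidden files scan" saso refers to above is a cross-view check: the same directory is enumerated once through the normal OS API and once by an independent low-level read, and entries present only in the low-level view are reported. The Python below is an added example (not Kaspersky's code) that runs the comparison on constructed listings; the two-pass confirmation step and the case-insensitive-volume assumption are this example's own choices, meant to suppress files created or deleted between the two enumerations.

```python
# Cross-view detection of hidden directory entries (added example, not Kaspersky's code).
# The two views are constructed sample data standing in for (a) the listing an
# ordinary program gets through the OS API and (b) an independent low-level
# enumeration of the same directory, e.g. parsed from the raw file system.
from typing import Dict, Iterable, List, Sequence, Tuple


def normalize(name: str) -> str:
    # Assumption: a case-insensitive volume (NTFS-style), so compare case-folded.
    return name.casefold().rstrip("\\/")


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Dict[str, List[str]]:
    """Compare one API listing with one low-level listing of the same directory."""
    api = {normalize(n) for n in api_view}
    raw = {normalize(n) for n in raw_view}
    return {
        # on disk but missing from the API view: the pattern a file-hiding rootkit produces
        "hidden_from_api": sorted(raw - api),
        # in the API view but not on disk: usually a file deleted between the two reads
        "only_in_api": sorted(api - raw),
    }


def confirm_hidden(passes: Sequence[Tuple[Iterable[str], Iterable[str]]]) -> List[str]:
    """Report an entry only if every pass found it hidden; an entry hidden in a
    single pass is treated as a snapshot race, not as a hidden object."""
    hidden_per_pass = [set(cross_view_diff(a, r)["hidden_from_api"]) for a, r in passes]
    return sorted(set.intersection(*hidden_per_pass)) if hidden_per_pass else []


# Constructed sample: two passes over the same directory.
PASS_1 = (
    ["ntoskrnl.exe", "hal.dll", "tmp123.tmp"],          # API view
    ["NTOSKRNL.EXE", "hal.dll", "sample_hidden.sys"],   # low-level view
)
PASS_2 = (
    ["ntoskrnl.exe", "hal.dll"],                                        # API view
    ["ntoskrnl.exe", "hal.dll", "sample_hidden.sys", "newfile.log"],    # low-level view
)

if __name__ == "__main__":
    print(cross_view_diff(*PASS_1))
    print("confirmed hidden:", confirm_hidden([PASS_1, PASS_2]))
```

In the sample, "newfile.log" appears only in the second low-level read (a file created between passes) and "tmp123.tmp" only in the first API read, so neither is reported; "sample_hidden.sys" is hidden in both passes and is.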
Lucian Bara
post 9.06.2007 23:33
Post #6
Are You Kidding?
Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania

I agree that the items aren't the same, but the effect is the same; basically, whether my computer or scan for rootkits is started, the detection for known (non-rootkit) malware will be the same.
Also, even if it's not the same, look at a scan for rootkits log (I think how entries are displayed in the add section is wrong):
- it starts up with system memory, then proceeds to the outlook mail database (which when looking at the add dialog aren't subentries of "my computer") and then starts with the normal drives (so it will end up scanning the startup items & system restore folders eventually)
3x0gR13N
post 10.06.2007 00:04
Post #7
Kaspersky Fan III
Group: Moderators
Posts: 2315
Joined: 2.01.2007
From: Serbia

OK. Let's see if I got the point. You are saying that the Rootkit Scan (with max heuristics and extended rootkit scan enabled) is more thorough and detailed than the Scan my computer (with the same settings) because the Rootkit scan uses RAW disk scanning and the way the Rootkit scan scans the computer memory first and then the rest, or something like that... ?
About the Rootkit scan (not) using standard signatures... It's perfectly OK to use signatures for rootkits... (for example Rootkit.Win32.Agent...)

Thank you for explaining this to a n00bish user who is still learning (and I've learned a lot from users in this forum).
saso
post 10.06.2007 01:42
Post #8
Professional II
Group: Gold beta testers
Posts: 3111
Joined: 10.04.2005
From: ljubljana, slovenia

QUOTE(KL RLZ @ 9.06.2007 21:04)
About the Rootkit scan (not) using standard signatures... It's perfectly OK to use signatures for rootkits... (for example Rootkit.Win32.Agent...)

In the end all of this is the same, it is malware that needs to be detected and removed. We don't have special worm, special trojan, special virus,... scans; the fact is simply that some of them need more advanced techniques to detect and remove than others.

Most of today's malware is also not black and white. Most of the time we have a fusion of different malware types: worm, virus, trojan, rootkit, spam, backdoor,... all in one, so signature names are also not always that exact.

We had a lot of talk about this rootkit scan task because users have the feeling that it is something special; it is not. I personally will probably never use it, but that is not a problem; I have also never used the critical areas scan and also almost never have manually run the startup objects scan. Are you (others) regularly using the critical area scan?

This post has been edited by saso: 10.06.2007 13:50
3x0gR13N
post 10.06.2007 02:04
Post #9
Kaspersky Fan III
Group: Moderators
Posts: 2315
Joined: 2.01.2007
From: Serbia

QUOTE(saso @ 9.06.2007 22:42)
are you (others) regularly using the critical area scan?

Well, I use it from time to time by manually starting it... But I would feel protected even if I didn't.

I read the help file in KIS regarding the Rootkit scan...
"You can scan for rootkits with any virus scan task (provided that this feature is enabled in the settings for that task). However, Kaspersky Lab has created and optimized an independent scan task for this type of malicious program."

So it seems that the Rootkit Scan is specialized for detecting/removing rootkits and that is the difference from other tasks. (Also the number of scanned files is bigger with the Rootkit Scan.)

Thank you for replying.
Whizard
post 10.06.2007 04:55
Post #10
Professional
Group: Moderators
Posts: 20714
Joined: 19.11.2005
From: Toronto/Canada

Thanks for posting, saso. I had always found your posts informative and well thought out. Keep up the good work.
saso
post 10.06.2007 14:10
Post #11
Professional II
Group: Gold beta testers
Posts: 3111
Joined: 10.04.2005
From: ljubljana, slovenia

QUOTE(Whizard @ 10.06.2007 01:55)
Thanks for posting, saso. I had always found your posts informative and well thought out. Keep up the good work.

I know I don't post too often, but this time I had the feeling I had to reply and sort of "defend" the way KAV works. Why? When the first build with the new anti-rootkit technology came out I was so happy to see it nicely integrated into the general on-demand scan and I simply don't want this to change.

I guess one of the differences here is that KL makes everything by themselves, so they are able to make this one great, simple and powerful package. While for example some of the other AV vendors don't do this; they buy or license technologies from others, so they end up with a solution that actually has several different separate scans (anti-virus, anti-spyware, anti-rootkit,...) or even tools for the user to use, and they have to use all of them to make sure they are OK. KAV is simply smart and powerful enough that it does not need extras (in most cases). A good example of this is also the boot scan: the KAV startup scan (that is again just a sub-scan of the general on-demand scan) seems to be powerful enough to be able to do this job just fine.

I guess sometimes users simply get used to how other AV solutions work and are then confused by the way KAV works. A good example of this is also the use of quarantine by others and quarantine+backup by KAV. I know it is different and I understand that someone can get confused, but I prefer the way KAV handles this and I think it is simply smarter and better.

This post has been edited by saso: 10.06.2007 14:44
dlguild
post 10.06.2007 21:33
Post #12
Member
Group: Members
Posts: 15
Joined: 30.03.2007
From: Pennsylvania, USA

saso, you have my thanks as well! You have cleared up my misunderstandings concerning on-demand scans. I have spent untold hours reviewing the forum since I purchased KIS 6.0 in an attempt to determine which scans to run, how often and at what settings.

Perhaps your explanation would be a good "sticky" topic for one of the moderators to post in the "Protection for Home Users" forum when 7.0 is released. New users would definitely benefit from it.

This leaves me with only one question. Which of the scan settings get used when a 'right click' context menu scan is invoked on a file? Is it the "general" scan settings, or one of the other settings (i.e. "My Computer", etc.)?

Thanks again!
Dan
saso
post 10.06.2007 21:49
Post #13
Professional II
Group: Gold beta testers
Posts: 3111
Joined: 10.04.2005
From: ljubljana, slovenia

Yes, those from the "general" scan.
dlguild
post 10.06.2007 22:41
Post #14
Member
Group: Members
Posts: 15
Joined: 30.03.2007
From: Pennsylvania, USA

Fantastic. I'll maximize the 'general' scan options since time is not an issue when scanning individual files. The ability to set different options for the various scan types is an excellent feature. I'm good to go... Much appreciated!