KL RLZ

My Computer Scan and Rootkit Scan

14 posts in this topic

I know that this has been discussed many times before (I apologize for posting it again) but I'm still confused... :wacko:

Is the Rootkit scan detecting only hidden (stealth) malware (rootkits) or normal non-hidden malware (trojans, worms, spy/adware...) as well?

I've done a Rootkit scan now and see what happened... it detected a non-hidden malware... (see attachment)

[Attached screenshot: rootkitscaniq7.jpg]
If it is detecting non-hidden objects as well how is it different from a My Computer Scan with Extended Rootkit scan option enabled?

 

In my opinion the Rootkit scan should not use standard databases for non-hidden malware, and, for example, if a computer is infected with a worm and not with a rootkit, it should not display that worm in the detected tab for that scan.

 

So, the My Computer Scan with extended rootkit scan option enabled should scan for stealth and non-stealth malware, and the Rootkit scan (extended rootkit scan option enabled, of course) should scan for stealth ONLY. (A popup from the File-AV should occur during a Rootkit scan when a computer is infected with non-stealth malware, because the Rootkit scan has accessed that infected file.)


Yes, it includes everything... if you set it up like that, but you could enable "new & changed files only" and set it to the lowest setting scan-wise and keep everything to the max under the rootkit/heuristical tab. I must admit I do not see a problem here, but each to their own. :)


KL RLZ, I am sorry but I cannot agree with your logic. Things should not be too complicated, so it is good that every scan is able to detect everything. There are different scan tasks available for one reason only: to save time (so that you don't have to run the full computer scan every time, which on some computers can sometimes take hours). Things are just fine the way they are :)

Edited by saso

KL RLZ, I am sorry but I cannot agree with your logic. Things should not be too complicated, so it is good that every scan is able to detect everything. There are different scan tasks available only for one reason: to save time (so that you don't have to run the full computer scan every time, which on some computers can sometimes take hours). Things are just fine the way they are :)

 

 

I agree with you about saving time to scan :) . If the Rootkit scan is going to scan for every malware type, in theory it would take more time to scan than just scanning for stealth malware... The thing that bothers me is the scan name > "Rootkit Scan". Rootkits are stealth, so I see no point in scanning for non-stealth malware... And the non-stealth malware is going to be detected by File-AV when doing a Rootkit scan, because the scanner will access it. If a user wants to perform a Rootkit Scan I see no point in detecting non-stealth malware; it would just take more time.

If you enable extended rootkit scan and max heuristics in My Computer scan it is identical to a Rootkit scan...

So, I think it would be better to exclude non-stealth malware from the Rootkit scan detection list.

I think that Scan my computer (with extended rootkit scan and max heuristics enabled) should be equal to Rootkit scan + non-stealth malware signatures. :)

 

 

My point is that the My Computer Scan with extended rootkit scan and max heuristic option enabled should scan for stealth AND non-stealth malware and the Rootkit scan (with the same settings) should scan for stealth ONLY.

 

I see that you have a lot of experience and my knowledge is far less than yours, but I think that the Rootkit scan detecting stealth malware only is more logical... I mean, it's called "Rootkit Scan", why should it detect anything non-rootkit (stealth) like? :)

 

 

Sorry if this was a bit confusing :wacko::D


The first thing to say here is that Critical Areas, My Computer, Startup Objects, Rootkit Scan and all other scan tasks created by the user are all subtasks of the main "Scan" task, and they are all totally the same (they are different just because they have different options turned on and off).

 

Now, why should developers do so much work to create a totally different scan when things are working fine and are IMO even simpler and better for the user, because all these different powerful technologies are integrated into one nice and simple scan?

 

About your argument that the Rootkit scan task should report only hidden objects detected by the new anti-rootkit hidden file scan, I again cannot agree. There are many different rootkit types; some of them are more advanced, some of them less, and some of them KAV was able to detect even in version 5 with no special raw disk scan for hidden files. So we see that KAV is able to detect rootkits in several different ways, and also with signatures, so why would you disable all this and use just the new hidden files scan for the Rootkit scan?

 

We had discussions before about whether the special Rootkit scan task is actually needed, since all other scan tasks are able to do the same thing... but here we come back to my previous comment: "there are different scan tasks available for one reason only, to save time".

 

if you enable extended rootkit scan and max heuristics in My Computer scan it is identical to a Rootkit scan...

 

No, it is not; take a look at the scan objects in the main window (not in the settings) and you will see that they are different. Why? To save time :)

 

For me things are OK the way they are. As for the rootkits, I only hope to see some more anti-rootkit technologies added and nicely integrated, as this hidden files scan was.

Edited by saso


I agree that the items aren't the same, but the effect is the same: basically, whether My Computer or Scan for Rootkits is started, the detection for known (non-rootkit) malware will be the same.

Also, even if it's not the same, look at a Scan for Rootkits log (I think the way entries are displayed in the Add section is wrong):

- it starts up with system memory, then proceeds to the Outlook mail database (which, when looking at the Add dialog, aren't subentries of "My Computer") and then starts with the normal drives (so it will end up scanning the startup items & system restore folders eventually)


OK. Let's see if I got the point. You are saying that the Rootkit Scan (with max heuristics and extended rootkit scan enabled) is more thorough and detailed than the Scan my computer (with the same settings) because the Rootkit scan uses RAW disk scanning and the way the Rootkit scan scans the computer memory first and then the rest, or something like that... ?

About the Rootkit scan (not) using standard signatures... It's perfectly OK to use signatures for rootkits... (for example Rootkit.Win32.Agent...)

 

Thank you for explaining this to a n00bish user who is still learning (and I've learned a lot from users in this forum :) )

:)

About the Rootkit scan (not) using standard signatures... It's perfectly OK to use signatures for rootkits... (for example Rootkit.Win32.Agent...)

 

In the end all of this is the same: it is malware that needs to be detected and removed. We don't have special worm, special trojan, special virus,... scans; the fact is simply that some of them need more advanced techniques to detect and remove than others.

 

Most of today's malware is also not black and white. Most of the time we have a fusion of different malware types: worm, virus, trojan, rootkit, spam, backdoor,... all in one, so signature names are also not always that exact.

 

We had a lot of talk about this Rootkit scan task because users have the feeling that it is something special; it is not. I personally will probably never use it, but that is not a problem; I have also never used the Critical Areas scan and have almost never manually run the Startup Objects scan. Are you (others) regularly using the Critical Areas scan?

Edited by saso

Are you (others) regularly using the Critical Areas scan?

 

Well, I use it from time to time by manually starting it... But I would feel protected even if I didn't. :)

 

 

I read the help file in KIS regarding the Rootkit scan...

"You can scan for rootkits with any virus scan task (provided that this feature is enabled in the settings for that task). However, Kaspersky Lab has created and optimized an independent scan task for this type of malicious program."

 

So it seems that the Rootkit Scan is specialized for detecting/removing rootkits, and that is the difference from other tasks. :) (Also, the number of scanned files is bigger with the Rootkit Scan.)

 

Thank you for replying. :):D


Thanks for posting, saso. I have always found your posts informative and well thought out. Keep up the good work :)

Thanks for posting, saso. I have always found your posts informative and well thought out. Keep up the good work :)

 

I know I don't post too often, but this time I had the feeling I had to reply and sort of "defend" the way KAV works. Why? When the first build with the new anti-rootkit technology came out I was so happy to see it nicely integrated into the general on-demand scan, and I simply don't want this to change.

 

I guess one of the differences here is that KL makes everything by themselves, so they are able to make this one great, simple and powerful package, while for example some of the other AV vendors don't do this; they buy or license technologies from others, so they end up with a solution that actually has several different separate scans (anti-virus, anti-spyware, anti-rootkit,...) or even tools for the user to use, and they have to use all of them to make sure they are OK. KAV is simply smart and powerful enough that it does not need extras (in most cases ;) ). A good example of this is also the boot scan: the KAV startup scan (which is again just a sub-scan of the general on-demand scan) seems to be powerful enough to do this job just fine.

 

I guess sometimes users simply get used to how other AV solutions work and are then confused by the way KAV works. A good example of this is also the use of quarantine by others and quarantine + backup by KAV. I know it is different and I understand that someone can get confused, but I prefer the way KAV handles this and I think it is simply smarter and better.

Edited by saso


saso, you have my thanks as well! :D You have cleared up my misunderstandings concerning on demand scans. I have spent untold hours reviewing the forum since I purchased KIS 6.0 in an attempt to determine which scans to run, how often and at what settings.

 

Perhaps your explanation would be a good "sticky" topic for one of the moderators to post in the "Protection for Home Users" forum when 7.0 is released. New users would definitely benefit from it.

 

This leaves me with only one question. Which of the scan settings get used when a 'right click' context menu scan is invoked on a file? Is it the "general" scan settings, or one of the other settings (i.e. "My Computer", etc.)?

 

Thanks again!

Dan


Yes, those from the "general" scan.


Fantastic. I'll maximize the 'general' scan options since time is not an issue when scanning individual files. The ability to set different options for the various scan types is an excellent feature. I'm good to go... Much appreciated!
