The security company Sophos has developed a program that can detect so-called rootkits. In short, a rootkit is a piece of usually malicious software that embeds itself so deeply in the system that it can barely be detected, if at all, with conventional means. Sophos's program runs under Windows NT, 2000, XP and 2003 Server, both from within Windows and from the command line. More information can be found in this manual. Because this is the first release there is no changelog, but the following release notes are available:
Key features
- Scans running processes, windows registry and local hard drives for rootkits.
- Identifies known rootkits and selects, by default, files for removal which will remove the rootkit component of the malware without compromising OS integrity.
- Allows users to remove unidentified hidden files, but does not allow removal of essential system files when hidden by an identified rootkit.
- Once the user has run a scan, the screen prompts the user through the necessary steps until every rootkit has been removed.
- Users can switch between the GUI and command-line functionality.
- Both context sensitive and command-line help are available.
Known issues
- Sophos Anti-Rootkit will work on a Terminal Services or Remote Desktop environment but may produce this warning which can be ignored: 'Unable to flush drive C: (already open by another process)'.
- If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
- The malware 'Troj/SysBDr-E' can cause the entire machine to slow down to such an extent that the scan may never complete.
- It may not be possible to clean up files on a removable drive or USB key. This is because the clean up component runs before the device drivers are loaded in the boot sequence.
- When specifying the location of the clean up log on the command line (sarcli -cleanlog=...), it must be on a local drive rather than a network share. This is because the clean up component runs before the network drivers are loaded in the boot sequence.
- The sarscan.log is cumulative and each entry is timestamped. The sarclean.log only contains the results of the last cleanup operation and there is no timestamp apart from the one on the file itself.
- If rootkit components are found on a drive which uses NTFS compression, it may not be possible for SAR to identify them. In this case they will be reported as "Unknown hidden file".
- Unidentified hidden files cannot be removed via the command line.
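The note above about `sarcli -cleanlog=...` means an administrator who scripts the scan needs to catch a network location before the tool is launched, because the cleanup component will not be able to reach it. The following helper is an added example (not Sophos code and not part of the release notes): it rejects UNC paths and relative paths outright, and on Windows additionally asks the OS whether the drive letter is a mapped network drive via the Win32 `GetDriveTypeW` call. Only the `-cleanlog=` switch comes from the release notes; the function names and the sample paths are assumptions for illustration.

```python
"""Pre-flight check for the sarcli -cleanlog= location (added example, not Sophos code).

The release notes state that the cleanup log must live on a local drive because
the cleanup component runs before network drivers are loaded. This helper rejects
UNC paths and relative paths, and on Windows asks the OS whether the drive letter
is remote. Only the -cleanlog= switch comes from the release notes; everything
else here is assumed for illustration.
"""
import ctypes
import re
import sys

DRIVE_REMOTE = 4  # Win32 constant: GetDriveTypeW returns this for a network drive

_UNC = re.compile(r"^\\\\[^\\]+\\")            # \\server\share\...
_DRIVE_LETTER = re.compile(r"^[A-Za-z]:[\\/]")  # C:\... or C:/...


def is_local_log_path(path: str) -> bool:
    """Return True only if `path` is an absolute drive-letter path that is not a network location."""
    if _UNC.match(path):
        return False                      # UNC share: unreachable before network drivers load
    if not _DRIVE_LETTER.match(path):
        return False                      # relative or malformed: cannot guarantee where it lands
    if sys.platform == "win32":
        root = path[:3]                   # e.g. "C:\"
        # Mapped network drives look like local drive letters; GetDriveTypeW tells them apart.
        if ctypes.windll.kernel32.GetDriveTypeW(root) == DRIVE_REMOTE:
            return False
    return True


def build_sarcli_command(cleanlog: str) -> list[str]:
    """Build the argument list for sarcli, refusing a cleanup-log location that is not local."""
    if not is_local_log_path(cleanlog):
        raise ValueError(f"cleanup log must be on a local drive, got: {cleanlog}")
    return ["sarcli", f"-cleanlog={cleanlog}"]


if __name__ == "__main__":
    # Constructed sample paths: one local, one UNC share, one relative.
    for candidate in (r"C:\sar\sarclean.log", r"\\fileserver\logs\sarclean.log", "sarclean.log"):
        try:
            print(build_sarcli_command(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

The drive-type check is only meaningful on Windows, which is the only platform the tool runs on anyway; on other platforms the helper falls back to the path-shape checks so it can still be unit-tested.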