Review

Review: Six Rootkit Detectors Protect Your System

RKDetector 2.0



(Page 4 of 8)

RKDetector 2.0
RKDetector is actually two applications — one to scan for hidden files on a hard drive, and another to scan for hidden processes and kernel hooks. It's a little more difficult to do a comprehensive scan this way, though — you have to do each scan action separately and there's no way to get a comprehensive report. The individual result reports aren't hard to make sense of and act on, but the program's usefulness is overshadowed by some of the other applications discussed here.


More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>



RKDetector scans for hidden files and processes separately; its interface isn't as transparent as it could be. (Click image to enlarge.)

The main program sports five tabs — Rootkits, Browser, Recovery, ADS (for scanning NTFS alternate data streams, where rootkits also can hide), and Registry.


Six Rootkit Detectors


•  Introduction

•  F-Secure BlackLight

•  IceSword

•  RKDetector

•  RootkitBuster

•  RootkitRevealer

•  Rootkit Unhooker

•  Conclusions

Before you scan with any of these, though, you have to provide a root path to begin the scan from (i.e., C:\); you can't just click-and-go. The Rootkits scanner tab is the best place to start and usually turns up the most results. Any directories that have concealed files will be marked in red; if they're concealed and not believed to be concealed legitimately by the operating system, they'll be marked heavily in red. One drawback to this approach that if you have a rootkit buried several directories down, you have to drill down to it manually, which is a little irritating.

Once you find the offending file, you can do a number of things with it: perform a hex dump on the file itself or the file's MFT table entry, save it as something else, or securely erase it (and the MFT entry along with it). The program uses the U.S. DoD 5200.28-STD secure-erase algorithm to insure that an erased file is erased, so use it with care.

I wasn't as impressed with the hook-analyzer / hidden-process detector portion of RKDetector — it didn't find any of the in-memory processes concealed by Fu, for instance.

RKDetector 2.0
www.rkdetector.com
Price: Free
Summary: Composed of two separate applications that scan the file system and running processes, respectively, RKDetector suffers from not having the flexibility and breadth of features of the other programs here.

Page 5: Trend Micro RootkitBuster 1.6
« Previous Page  | 1 | 2 | 3 |  4 | 5 | 6 | 7 | 8  | Next Page » 

Related Reading

News

Commentary

Most Popular

On the Web

More On the Web»

Video

Slideshow

Informationweek Discussions

Start the Discussion


InformationWeek encourages readers to engage in spirited, healthy debate, including taking us to task. However, InformationWeek moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. InformationWeek further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS

Resource Links