Review: Six Rootkit Detectors Protect Your System
(Page 4 of 8)
RKDetector is actually two applications: one to scan for hidden files on a hard drive, and another to scan for hidden processes and kernel hooks. Doing a comprehensive scan this way is a little more difficult, though: you have to run each scan separately, and there's no way to get a single consolidated report. The individual result reports aren't hard to make sense of and act on, but the program's usefulness is overshadowed by some of the other applications discussed here.
RKDetector scans for hidden files and processes separately; its interface isn't as transparent as it could be.
Before you scan with any of these, though, you have to provide a root path to begin the scan from (e.g., C:\); you can't just click and go. The Rootkits scanner tab is the best place to start and usually turns up the most results. Any directory that contains concealed files is marked in red; if the files are concealed and not believed to be legitimately concealed by the operating system, the directory is marked heavily in red. One drawback to this approach is that if a rootkit is buried several directories down, you have to drill down to it manually, which is a little irritating.
Once you find the offending file, you can do a number of things with it: perform a hex dump of the file itself or of its MFT entry, save it as something else, or securely erase it (and the MFT entry along with it). The program uses the U.S. DoD 5200.28-STD secure-erase algorithm to ensure that an erased file can't be recovered, so use it with care.
I wasn't as impressed with the hook-analyzer / hidden-process detector portion of RKDetector; it didn't find any of the in-memory processes concealed by Fu, for instance.
Summary: Composed of two separate applications that scan the file system and running processes, respectively, RKDetector suffers from not having the flexibility and breadth of features of the other programs here.