Friday, September 01, 2006

Sophos anti-rootkit software! It is free to download

I have been following the rootkit problem since the Sony DRM rootkit issue mentioned in an earlier post, Geemodo: Sony DRM ROOTKIT, Suncomm, EFF new removal tool, yet the consumer problems don't go away.
Lately I found that Sophos has released an anti-rootkit and downloaded it. I did not test it against known rootkits, but I did check my computers. Alas, I did not find any valid rootkits; that is because I have been vigilant, not a fault of Sophos Anti-Rootkit. I advise anyone careful about their computer to download it and scan their computers for rootkits, as they are gaining popularity in the malware and virus scene.
The user manual is here if you want to read it before downloading.

From the readme file, which states some features and other issues:
1. Key features

* Scans running processes, windows registry and local hard drives for

* Identifies known rootkits and selects, by default, files for removal
which will remove the rootkit component of the malware without
compromising OS integrity.

* Allows users to remove unidentified hidden files, but does not allow
removal of essential system files when hidden by an identified

* Once the user has run a scan, the screen prompts the user through
the necessary steps until every rootkit has been removed.

* Users can switch between the GUI and command-line functionality.

* Both context sensitive and command-line help are available.

2. Known issues

* Sophos Anti-Rootkit will work on a Terminal Services or Remote Desktop
environment but may produce this warning which can be ignored:
'Unable to flush drive C: (already open by another process)'.

* If the scan is performed while the computer is in use, false positives
may appear in the scan results. This is caused by files or registry
entries being deleted, including temporary files being deleted
automatically. We suggest you close non-essential applications and
re-run the scan.

* It may not be possible to clean up files on a removable drive or USB key.
This is because the clean up component runs before the device drivers
are loaded in the boot sequence. If this occurs, remove the removable
drive or USB key. Next, restart the computer, plug the key back in,
and scan with anti-virus software, such as Sophos Anti-Virus.

* When specifying the location of the clean up log on the command line
(sarcli -cleanlog=...), it must be on a local drive rather than a network
share. This is because the clean up component runs before the network
drivers are loaded in the boot sequence.

* The sarscan.log is cumulative and each entry is timestamped. The
sarclean.log only contains the results of the last cleanup operation
and there is no timestamp apart from the one on the file itself.

* If rootkit components are found on a drive which uses NTFS compression,
it may not be possible for SAR to identify them. In this case they will
be reported as "Unknown hidden file". This situation is not currently
supported by the product.

* Unidentified hidden files cannot be removed via the command line.
Please run the graphical user interface (sargui.exe) and refer to
section 3 of the Sophos Anti-Rootkit User Manual.
