infosponge Posted May 22, 2007 How effective is SAS in detection/removal of rootkits? Does this process take place during First Chance Prevention? More importantly, if nothing is found during a scan or FCP, should I feel reasonably secure that I have none on my system? I know there are stand-alone products on the market, but in your opinion, am I covered with SAS only? Thanks
Seth Posted May 24, 2007 I'm a computer technician that disinfects systems on a daily basis. Most of these computers are running AVG Free Edition, Norton, or McAfee. When disinfecting a system, the first tool I reach for is SAS. If the infection is severe, I'll follow up with either Ewido's or BitDefender's online scan. There are a few other techniques I use, but the above will suffice in almost all cases. I've been installing SAS Pro on my customers' computers for many months now. Along with some education from me in regards to safe surfing and downloading habits, SAS is all they're running. I keep in contact with these customers, and so far they have had no further malware issues.
infosponge Posted May 24, 2007 Seth, Thank you for that. I appreciate it.
Seth Posted May 24, 2007 You're welcome. As far as rootkits go, SAS has removed many for me. Here is one from a SAS scan that I did yesterday on a highly infected computer running AVG Free (I saved and printed out the log for my customer):

Trojan.Rootkit-TnCore/Installer E:\WINDOWS\SAMMY3.EXE
Trojan.Rootkit-TnCore E:\WINDOWS\SYSTEM32\DRIVERS\CORE.SYS

The rest of the log was malware hell.
infosponge Posted May 24, 2007 This is where I totally miss the boat. When a rootkit is found in a file such as the one you illustrated, which was E\windows\system32\drivers\core.sys, could an essential file also be deleted as well? This is where I don't know what I'm doing. Thanks
Seth Posted May 25, 2007

This is where I totally miss the boat. When a rootkit is found in a file such as the one you illustrated, which was E\windows\system32\drivers\core.sys, could an essential file also be deleted as well? This is where I don't know what I'm doing. Thanks

It's pretty unlikely based on the accuracy of the definition files. Although for a definitive answer in specific regards to SAS, Nick would be the guy to ask.
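The concern raised in this exchange, that removing a detected file under a system driver directory might take an essential file with it, is one a technician can check for before acting. The script below is an added example, not SAS's own logic or any code from this thread: it parses scan-log lines of the two-column shape quoted above (detection name, then path), flags detections that sit in protected system directories, and holds back any whose file name matches a stock Windows driver so the infection can be confirmed and the driver replaced from clean media rather than simply deleted. The log format, the protected-directory list and the small driver-name baseline are assumptions for illustration; a real baseline would be a set of file hashes taken from known-clean installation media.

```python
import re
from typing import Dict, List

# Directories (drive letter stripped, upper-cased) where removing the wrong
# file can leave Windows unbootable or without networking. Assumed list.
PROTECTED_DIRS = {r"\WINDOWS\SYSTEM32\DRIVERS", r"\WINDOWS\SYSTEM32"}

# Hypothetical, deliberately incomplete baseline of stock Windows XP driver
# names. A real baseline would be a set of file hashes taken from clean media.
STOCK_DRIVER_NAMES = {"NTFS.SYS", "TCPIP.SYS", "DISK.SYS", "ATAPI.SYS", "AFD.SYS"}

# Constructed sample: the two lines quoted in the thread, plus two invented
# lines (an infected copy of a stock driver, and a path containing spaces).
SAMPLE_LOG = """\
Trojan.Rootkit-TnCore/Installer E:\\WINDOWS\\SAMMY3.EXE
Trojan.Rootkit-TnCore E:\\WINDOWS\\SYSTEM32\\DRIVERS\\CORE.SYS
Trojan.Rootkit-Generic E:\\WINDOWS\\SYSTEM32\\DRIVERS\\TCPIP.SYS
Adware.Tracking-Cookie E:\\Documents and Settings\\Owner\\Cookies\\owner@tracker[1].txt
"""

# "<detection name> <absolute path>": the name has no spaces, the path may.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<path>[A-Za-z]:\\.+?)\s*$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one {'name', 'path'} record per parseable detection line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append({"name": m["name"], "path": m["path"]})
    return hits


def triage(hit: Dict[str, str]) -> Dict[str, str]:
    """Decide whether a detection is safe to quarantine or needs a human first."""
    rel = hit["path"][2:].upper()            # drop "E:" so the rule is drive-agnostic
    directory, _, filename = rel.rpartition("\\")
    in_protected = directory in PROTECTED_DIRS
    if in_protected and filename in STOCK_DRIVER_NAMES:
        # The flagged file carries the name of a driver Windows ships with.
        # It may be a patched or infected copy, but deleting it outright can
        # break boot or networking: confirm, then replace from clean media.
        return {"verdict": "REVIEW",
                "reason": "stock system file name; confirm infection and replace from clean media"}
    if in_protected:
        return {"verdict": "QUARANTINE",
                "reason": "non-stock file in a system directory; keep a restorable copy"}
    return {"verdict": "QUARANTINE", "reason": "outside protected directories"}


def triage_log(text: str) -> List[Dict[str, str]]:
    """Parse a log and attach a verdict and reason to every detection."""
    return [{**hit, **triage(hit)} for hit in parse_log(text)]


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(f"{row['verdict']:<10} {row['name']:<32} {row['path']}")
        print(f"{'':<10} -> {row['reason']}")
```

Run against the constructed sample, SAMMY3.EXE and CORE.SYS come back as quarantine candidates (neither name is in the baseline), the invented TCPIP.SYS line is held for review because deleting a stock network driver would cut the machine off, and the cookie is quarantined without ceremony. The point is that "quarantine" (a reversible move) plus a name or hash check against a clean baseline answers the question in this exchange without relying solely on the definition files being right.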
infosponge Posted May 25, 2007 Seth, Not quite sure what you mean when you say it's unlikely because of the accuracy of the definition files. This is also a little above my head! Based on your recommendation, I'll pose the same question to Nick. If you delete any kind of spyware that lies within a file, would you delete the file as well as the rootkit or any other kind of malware? What if it is attached to a registry key, as I think rootkits can sometimes do? Seth, it does sound to me that if you had deleted one of your customers' important files, you would have gotten a distress call. Still, the final word here would be interesting. Thanks, Nick