Re: Privacy.LIE scamming you again! traveler wrote:
>> If *I* were ever to locate a rootkit on one of my PCs, then the first
>> stop would be my AV provider.. after all, removing nasties is what I pay
>> them for. And what they do for a living.
>>
>> Oh, and most vendors put out free worm removal tools, even to
>> non-subscribers. I daresay a bit of a rummage through the appropriate
>> web site would do the same for known rootkits.
>>
>> Not that I'm dissing a tool that I haven't even looked at, of course...
>
> The reason anti-virus products don't catch it is because it's not a virus,
> or a trojan. It's software of sorts
There's no "of sorts" about it, they're software. Period. The reason
mainstream AV software doesn't detect them (some are) is probably more a
matter of money and politics than anything else. They're just recently
becoming "popular" in the world of Window$, and until recently the ROI
just wasn't there. No financial benefit for investing the time and effort
into designing ways to ferret out something that only had a one in a
billion chance of being a problem.
Root kits aren't some mysterious magical incantation uttered by long
bearded mages who live under ancient trees. Viruses have been using
similar or identical "stealth" techniques for many years to hide their
presence from AV software and things like the task manager. Detecting
them isn't rocket surgery if you know what you're doing. The problem with
root kits is that they generally *replace* critical system files with
total rewrites. You can't typically "disinfect" a system that falls victim
to many/most root kits, and anyone or any software that claims to be able
to do so reliably is lying or severely misinformed. Thus the "political"
problem of detecting something and then telling the customer "nothing I
can do... sorry about your luck". ;)
> designed to hide something like a
> trojan. Windows removal tool and even the best virus/trojan scanner
> wouldn't find it, you need a specialized product like the F-Secure to
Think about what you're saying... "one piece of software can't find it but
another can". This is obviously nothing more than a matter of adding the
code and methods from one software to another, not some magical quality
that software assumes if it's given the "Anti Virus" moniker. Root kit
detection has been thus far left to specialized software because there was
no pressing reason to detect them. Although I know I've read through lists
of "trojans" that mainstream AV software detects and seen root kit names.
So AV software peddlers obviously do add detection for such things if and
when they become a problem in the mind of the peddler.
> detect it, and just as important to SAFELY remove it without any
> hassles,
How do you remove something that replaces critical files with completely
different versions?
Short answer... you can't. You're left restoring from backups or
reinstalling. No anti-rootkit software in the universe is going to be able
to do this alone.
--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208 |
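The integrity argument made in the reply above (a kit that rewrites critical files is easy to spot against a trusted baseline, but spotting it does not put the original back), as an added example that is not code from the original post or from any vendor product. The file names and contents are constructed inside a temporary directory; on a real system the baseline would come from a known-good install and be kept off the box.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, rel_paths) -> dict:
    """Hash each critical file below root. Take this from a known-good
    install and keep it off the box: a kit that rewrites system files can
    rewrite an on-box baseline just as easily."""
    return {rel: sha256_file(root / rel) for rel in rel_paths}


def compare(root: Path, baseline: dict) -> dict:
    """Report files whose hash no longer matches or that are gone.
    This detects a replacement; it cannot undo one (restore or reinstall)."""
    report = {"replaced": [], "missing": []}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["replaced"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline two fake system files,
    then simulate a kit replacing one and deleting the other."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        files = {"system32/ntoskrnl.exe": b"constructed kernel image",
                 "system32/kernel32.dll": b"constructed library image"}
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        baseline = build_baseline(root, files)
        (root / "system32/kernel32.dll").write_bytes(b"total rewrite by kit")
        (root / "system32/ntoskrnl.exe").unlink()
        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```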