How Does BD Detect Rootkits?

How does BD (or any antivirus, for that matter) detect rootkits?


Rootkits load before the OS and hide themselves from the file system. So, how does BD detect them?


Will BD detect rootkits when run in the normal GUI mode in Windows (Quick scan or System scan)?


Thanks.


Aloke

Comments

  • Methods vary among security software providers, but it is usually a combination of several things.


    Keep in mind that antivirus products have their own drivers that start with the system and it's much harder to limit a driver.

  • A correct signature is very important; otherwise, rootkit removal is not conducted properly, and the system cannot boot. Antivirus must correctly identify and remove the hooks that rootkits installed. Bitdefender can properly remove rootkits, but not all modifications.

  • columbo (edited March 2014)

    I hope some of this helps, just as far as general information wise. Rampant is an excellent resource concerning specifics with his greater understanding of malware and AV protection. Georgia or Catalin, if there are any errors in this post, please correct them/me :)


    When Bitdefender's Windows 8 version, as well as all of the 2013 versions, implemented ELAM technology for the Windows 8 OS, AV companies who utilize ELAM had to follow Microsoft whitepaper protocols to enable their ELAM to run upon boot. The bedelam.sys file in the 2013 versions of BD was incorporated a bit later in their release, and can be found in the BD program files (image below). This does scan the drivers upon boot for their classification, and if a bad driver is found it will not be allowed to be initialized, i.e. also if it is determined the driver is loaded by a rootkit. It does not clean, disinfect etc. or require user interaction after Windows loads, and does not appear in the BD Log Files.


    For Windows 7 OS, you would need to run BD in Rescue mode or a manual scan in Safe Mode (BD Program Files/odscanui), to enable a non-running environment to accomplish a Boot/rootkit scan, compared to running a normal BD Windows System Scan (as well as Auto Scan), which will scan the boot sector and also for rootkits.


    [image: BD2013ELAMforWindows8_zpsfe8f444f.jpg]


    [image: BDScans_zps52da35f2.jpg]


    [image: BDsafescanrootkits_zpsfe885f52.png]

  • Look, it's a rootkit, and it was his driver; Bitdefender does not correctly identify the signature (Gen:Variant.Graftor.121738), hence the removal of this rootkit may not be correct. Maybe the experts from the Bitdefender laboratory will correct me.


    Rootkit.Small


    https://www.virustotal.com/ru/file/28a214be...sis/1393864890/


    Rootkit.Win32.Small.shu (BD - Trojan.GenericKD.1569638)


    https://www.virustotal.com/ru/file/1e7f6a8d...sis/1394537115/

  • [quoting columbo's earlier post]

    "This does scan the drivers upon boot for their classification, and if a bad driver is found it will not be allowed to be initialized, i.e. also if it is determined the driver is loaded by a rootkit. It does not clean, disinfect etc. or require user interaction after Windows loads, and does not appear in the BD Log Files."


    Just to clarify, that is meant while it is still in the ELAM phase.


    Rampant, was this during a regular BD System scan in normal running Windows mode?


    [quoting Rampant's post above] Look, it's a rootkit, and it was his driver; Bitdefender does not correctly identify the signature (Gen:Variant.Graftor.121738), hence the removal of this rootkit may not be correct. Maybe the experts from the Bitdefender laboratory will correct me.


    Rootkit.Small


    https://www.virustotal.com/ru/file/28a214be...sis/1393864890/


    Rootkit.Win32.Small.shu (BD - Trojan.GenericKD.1569638)


    https://www.virustotal.com/ru/file/1e7f6a8d...sis/1394537115/

  • I'm running Windows 7 (64 bit).


    Will I have to run in Rescue Mode to detect all (known to BD) rootkits?


    What exactly does Rescue mode do? Any web page that describes this mode of scanning?


    Aloke

  • columbo (edited March 2014)

    Hello again :)


    In regards to your concern in your 1st post, I mentioned two ways to scan for Rootkit detection, one being totally outside of the OS (Rescue Mode) and the other in Safe Mode running a manual scan via the odscanui.exe file. They will both scan for rootkits, as shown in the images in post# 4 (minus the Rescue Mode image). Yet, Rescue mode should only be run in more of the crisis circumstances, and not routinely. Here is a link that describes the Rescue Mode with Christian's response: http://forum.bitdefender.com/index.php?s=&...st&p=168133


    See also: http://www.bdantivirus.com/bitdefender/ant...ion.rescue.html


    Bitdefender's normal System Scan and Autoscan will scan for Rootkits; again, the images in post# 4 show the targets and options for each scan. Will BD get them all? Probably not, as Rampant pointed out, but then what AV totally does? Maybe the MBAM AntiRootkit scanner is a valid second opinion... but it may still be a beta version?


    You could also create a custom rootkit scan by Antivirus/Scan Now/Manage Scans/

  • @columbo: The active copy is actually in %SystemRoot%\System32\drivers, with a backup in %SystemRoot%\ELAMBKUP


    @Rampant: Named detections are based on offline scans of samples. Normally hooks and residue should be picked up or prevented in the first place by active components.


    Disinfection tries to clean up any identified hooks, even if there is no specific detection on the files. When this is not satisfactory, further action is taken.


    Mind you - I have not looked at the samples you identified. Please use our sample submission page if you believe the corrective action is not sufficient and have not done so already.


    I hope this adds something useful to the conversation.

  • In my case, yes, it did add something useful to the conversation, Catalin, thanks for that clarification (let alone your other follow up dialogue for Rampant) :)

  • columbo,


    Thanks for your detailed replies. Thanks to others as well.


    I have BD Total Security. I can't see the settings page the way you posted the screenshots. Is that level of customization available for BDTS?


    By safe mode scan do you mean starting Windows 7 in safe mode and running odscanui.exe?


    Also, what's your opinion on using the Rescue mode in BDTS (which changes the boot sector etc.) vs. booting from a recent rescue CD? (See my other post on the safety of these 2 methods.)


    Aloke

  • columbo (edited March 2014)

    I'm sure I speak for all of us in saying, you're welcome, aloke p :)


    In answer to your 1st question: yes, the settings page you see in the screenshots is the default targets and locations that BD scans when doing the scans that are named in red. That is found by going into BD main UI /Events/Antivirus/ and clicking on a scan, which will bring up View log. When viewing the log, expand the categories that have a + next to them and it will show you the info posted in my screenshots.


    #2 yes, correct, starting Windows in Safe Mode and running the odscanui.exe will initiate a manual scan, scanning the targets and options shown in the last image.


    #3 Your other thread had a lot of good questions that are over my head, and would be better fielded by BD Tech support, or a more advanced member here. Just IMHO, the Rescue Mode scan as mentioned by Christian in my other post link should only be done when necessary, or when BD "asks for it". Yet, the nice feature about that version is it's onboard, very easy to click and tick and run, compared to the steps in creating the Rescue CD. Christian also mentions that it is a more advanced alternative to the CD version (more advanced in its ease of use, or its scanning abilities?) http://forum.bitdefender.com/index.php?s=&...st&p=133516


    I know you probably already know this, but I'll throw it in as a bonus.


    To create your own Custom Scan (the image below is just for examples sake), open the BD main UI, on the Antivirus panel click the drop down arrow on Scan Now -> Manage Scans -> New custom scan task -> create a scan name and scan target -> click ok. Now click that scan that's been added to the scan task box, then at the bottom click on Scan Options, set what you want in Advanced/Scan Options then click Custom, and select your way through those options.


    [image: CreateaBDCustomScan_zps558e8471.png]


    edit: sp

  • Maybe I'm wrong, but it seems to me that the rescue mode has no anti-rootkit technology; MBR and VBR modifications cannot be recognized.


    @Catalin: Thanks for the answer. I am considering a situation where the antivirus is installed on a system that is already infected by a rootkit, and Bitdefender does not always correctly cope with the removal of this virus family.

  • columbo (edited March 2014)

    Good point, as I couldn't find a detailed log of what was (is) scanned in rescue mode. At least with the Safe Mode scan we have an idea of what is being scanned. In your opinion, does a Safe Mode scan have a better chance of finding rootkits, even in the MBR? Is BD able to scan there in Safe Mode?

  • Thanks to all.


    If I may re-phrase columbo's question and broaden it a bit:


    What are the relative merits/capabilities/limitations of scanning with these 4 methods for malware detection in general, and rootkits in particular, for Windows 7 and Windows 8 (are the answers different?):


    1. Invoking Rescue mode in BD


    2. Booting into Windows Safe mode and running odscanui.exe


    3. Normal Windows GUI


    4. Booting from BD Rescue CD


    Thanks.


    Aloke

  • columbo (edited March 2014)

    You're really asking some excellent questions, Aloke. I would be curious about this one, too. Those questions about the effectiveness of the scans and their use are in the league of more advanced members here, or Catalin, Georgia, Christian etc. to answer. Thanks for doing such a good job in tracking and posting on your thread :)

  • I don't think any answers are forthcoming.


    Aloke

  • Hello,


    Rescue mode of Bitdefender is in fact a separate operating system (Linux) which loads without loading Windows, and there Bitdefender scans for the malware. Since most Windows-resident malware starts with Windows, it remains inactive and is detected and removed easily.


    Regards


    Akhil
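    To illustrate the point Akhil makes here (and the original question about rootkits hiding files from the file system), the following added Python example, which is not code from Bitdefender or from this thread, simulates a rootkit that filters directory listings and shows why comparing the live view with the offline, rescue-mode style view exposes the hidden entries. The `$rk_` prefix is an assumed stand-in for the rootkit's hiding rule, and the sample tree is constructed.

```python
import os
import tempfile

# Constructed stand-in for a rootkit's hiding rule: a live, hooked directory
# listing drops every entry whose name starts with this prefix (assumption).
HIDDEN_PREFIX = "$rk_"


def hooked_listdir(path):
    """View a scan gets inside the running OS while the rootkit is active."""
    return [n for n in os.listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def offline_listdir(path):
    """View a rescue-mode scan gets: the OS and its rootkit are not running,
    so the raw on-disk listing comes back unfiltered."""
    return os.listdir(path)


def cross_view_diff(root):
    """Walk the tree using the offline view and report every path that the
    live (hooked) view fails to show; those are the hidden entries."""
    hidden = []
    stack = [root]
    while stack:
        directory = stack.pop()
        live = set(hooked_listdir(directory))
        for name in offline_listdir(directory):
            full = os.path.join(directory, name)
            if name not in live:
                hidden.append(os.path.relpath(full, root))
            if os.path.isdir(full):
                stack.append(full)
    return sorted(hidden)


def build_sample_tree():
    """Constructed sample: ordinary files plus a hidden driver and a hidden
    directory holding the rootkit's configuration."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "drivers"))
    os.makedirs(os.path.join(root, HIDDEN_PREFIX + "cfg"))
    for rel in ("readme.txt", "drivers/disk.sys",
                "drivers/" + HIDDEN_PREFIX + "driver.sys",
                HIDDEN_PREFIX + "cfg/settings.dat"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"sample")
    return root
```

    A live scan that only walks `hooked_listdir` never sees the driver or the config directory, while the offline walk reports both; this is the gap a rescue-mode scan closes.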

  • Hello,


    Researchers at Bitdefender seem to be doing some great work: http://labs.bitdefender.com/wp-content/upl...tremoverFAQ.txt


    regards


    Akhil

  • This is about Rootkit Remover http://labs.bitdefender.com/projects/rootk...ootkit-remover/


    How much of that functionality is built into the Bitdefender Total Security and other mainstream products?


    This thread is generating more and more questions ....

  • Hello,


    The above software deals with "bootkits"; probably they are dealing with something even more sinister.


    regards


    Akhil

  • How much of that functionality is built into the Bitdefender Total Security and other mainstream products?


    Should I need to run it when I am already using BDTS?