A testing methodology for rootkit removal effectiveness

Josh Harriman Symantec

  Corporate stream: Thursday 20 September 2007, 12:00 - 12:40.

Testing the effectiveness of an anti-rootkit product can prove difficult for one simple reason: the threats you will be using to test these products will probably be hidden from most system monitoring tools. Such tools are needed when evaluating anti-virus, anti-spyware or stand-alone anti-rootkit products, but they can be of little use against certain threats.

We need to take a different approach when confronted with threats that hide their presence and the modifications they make to the system under test. Using an offline discovery technique, we can find the system changes made by these threats and record their actions reliably. This information is crucial when you are conducting an evaluation of one or more types of anti-rootkit product.

We will walk through this methodology and explain how to use the tools and gather the proper results. This technique should be used by independent testers when performing security product reviews against current rootkit threats.
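The following is an added illustration of the offline-discovery idea above, not code from the talk or from Symantec. It assumes three file inventories (path to SHA-256) taken from the test machine's disk while mounted from a clean boot environment (before infection, after infection, and after the product has run) plus one inventory produced by tools on the running, infected system; all sample inventories below are constructed.

```python
import hashlib

def _h(s: str) -> str:
    """Stand-in for hashing a file's bytes; here we hash a constructed string."""
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed inventories (path -> sha256); real ones come from hashing the
# mounted offline disk, except LIVE, which comes from tools on the infected OS.
BASELINE = {"C:/Windows/system32/ntoskrnl.exe": _h("kernel v1"),
            "C:/Windows/system32/drivers/disk.sys": _h("disk driver"),
            "C:/Windows/system32/services.exe": _h("services")}
OFFLINE = dict(BASELINE, **{
    "C:/Windows/system32/drivers/hidden.sys": _h("dropped driver"),   # file added by threat
    "C:/Windows/system32/services.exe": _h("services patched"),      # file patched by threat
})
LIVE = {p: d for p, d in OFFLINE.items() if not p.endswith("hidden.sys")}  # driver hidden from live view
AFTER_REMOVAL = {p: d for p, d in OFFLINE.items() if not p.endswith("hidden.sys")}  # product removed the driver only

def discover_changes(baseline: dict, offline: dict) -> dict:
    """Offline discovery: what the threat added, modified or removed, seen from outside the running OS."""
    added = sorted(p for p in offline if p not in baseline)
    modified = sorted(p for p in offline if p in baseline and baseline[p] != offline[p])
    removed = sorted(p for p in baseline if p not in offline)
    return {"added": added, "modified": modified, "removed": removed}

def find_hidden(offline: dict, live: dict) -> list:
    """Cross-view check: files present on disk that tools on the live system fail to report."""
    return sorted(p for p in offline if p not in live)

def removal_leftovers(baseline: dict, after_removal: dict) -> list:
    """Re-inventory offline after the product runs; anything still differing from the baseline is a leftover."""
    paths = set(baseline) | set(after_removal)
    return sorted(p for p in paths if baseline.get(p) != after_removal.get(p))

if __name__ == "__main__":
    print("threat changes:", discover_changes(BASELINE, OFFLINE))
    print("hidden from live view:", find_hidden(OFFLINE, LIVE))
    print("left after removal:", removal_leftovers(BASELINE, AFTER_REMOVAL))
```

An empty leftover list is the pass condition for the product under test; here the patched services.exe remains, so the removal would be scored as incomplete.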
