A testing methodology for rootkit removal effectiveness

Josh Harriman Symantec

  download slides (PDF)

Testing the effectiveness of an anti-rootkit product can prove difficult for one simple reason: the threats you use to test these products will probably be hidden from most system monitoring tools. Those tools are needed when evaluating anti-virus, anti-spyware or stand-alone anti-rootkit products, but may be of little use against certain threats.

We need to consider a different approach when confronted with threats that hide their presence, and their modifications, from the system under test. Using an offline discovery technique, we can find the system changes made by these threats and record their actions reliably. This information is crucial when conducting an evaluation of one or more types of anti-rootkit product.

We will walk through this methodology and explain how to use the tools and gather the proper results. This technique should be used by independent testers when performing security product reviews against current rootkit threats.
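The comparison at the heart of the offline approach, as an added illustration rather than the tooling from the talk: snapshots of files and registry keys are captured offline (booted from clean media) before infection, after infection and after the anti-rootkit product has run, plus one live snapshot from the infected system. Comparing offline views records the threat's changes and scores the removal; comparing the offline and live views shows what the rootkit hid. The snapshot format, artifact paths, hash labels and the "rk.sys" rootkit are all constructed assumptions.

```python
"""Offline snapshot comparison for rootkit removal testing (added example).

Assumption: a snapshot is a dict mapping an artifact path (file or registry key)
to a content hash, captured either live on the system under test or offline
after booting from clean media. The hash strings below are constructed labels.
"""
from typing import Dict, Set, Tuple

Snapshot = Dict[str, str]


def diff_snapshots(before: Snapshot, after: Snapshot) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, modified) artifact paths between two snapshots."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    modified = {p for p in set(before) & set(after) if before[p] != after[p]}
    return added, removed, modified


def hidden_from_live(offline: Snapshot, live: Snapshot) -> Set[str]:
    """Artifacts seen offline but absent or altered in the live view (cross-view discrepancy)."""
    return {p for p, h in offline.items() if live.get(p) != h}


def removal_report(baseline: Snapshot, infected: Snapshot, cleaned: Snapshot) -> Dict[str, Set[str]]:
    """Classify each change the threat made (recorded offline) by its state after the product ran."""
    added, removed, modified = diff_snapshots(baseline, infected)
    report: Dict[str, Set[str]] = {"remaining": set(), "reverted": set(), "partial": set()}
    for p in added | removed | modified:
        if cleaned.get(p) == infected.get(p):
            report["remaining"].add(p)   # product left the threat's change in place
        elif cleaned.get(p) == baseline.get(p):
            report["reverted"].add(p)    # original state restored
        else:
            report["partial"].add(p)     # touched, but neither clean nor infected state
    return report


# Constructed sample snapshots for a fictitious driver-based rootkit ("rk.sys").
TCPIP = r"C:\Windows\System32\drivers\tcpip.sys"
RK_DRV = r"C:\Windows\System32\drivers\rk.sys"
RK_SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\rk"
BASELINE: Snapshot = {TCPIP: "hash-tcpip-clean", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip": "hash-svc-tcpip"}
INFECTED_OFFLINE: Snapshot = {**BASELINE, TCPIP: "hash-tcpip-patched", RK_DRV: "hash-rk", RK_SVC: "hash-svc-rk"}
INFECTED_LIVE: Snapshot = dict(BASELINE)  # the rootkit hides its driver, its service key and the patch
CLEANED_OFFLINE: Snapshot = {**BASELINE, RK_SVC: "hash-svc-rk"}
del CLEANED_OFFLINE[TCPIP]  # product deleted the patched driver instead of restoring it

if __name__ == "__main__":
    print("hidden from live view:", sorted(hidden_from_live(INFECTED_OFFLINE, INFECTED_LIVE)))
    print("removal report:", removal_report(BASELINE, INFECTED_OFFLINE, CLEANED_OFFLINE))
```

The "partial" bucket is what distinguishes a product that restores the original artifact from one that merely deletes what the threat touched; only offline snapshots can populate it honestly, since the live view may still be lying.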
