A testing methodology for rootkit removal effectiveness

Josh Harriman Symantec

Testing the effectiveness of an anti-rootkit product can prove difficult because of one simple fact. The threats you will be using to test these products will probably be hidden from most system monitoring tools. These tools are needed when evaluating anti-virus, anti-spyware or stand-alone anti-rootkit products, but could have little use against certain threats.

We need to consider taking a different approach when confronted with threats that hide their presence and modifications to the system under test. Using an offline discovery technique, we can find system changes that are made by these threats so we can successfully record their actions. This information is crucial when you are conducting an evaluation of one or more types of anti-rootkit products.

We will walk through this methodology and explain how to use the tools and gather the proper results. This technique should be used by independent testers when performing security product reviews against current rootkit threats.

VB Conferences

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘The presentations were fresh very professional and all equally interesting. Too bad I can't split myself up to listen to both streams at once.’

Poll

Do you use the same password(s) across multiple websites?

Leave a comment
View 4 comments

VB100 certification

This month VB's test team put 26 products to the test on Windows Server 2008. John Hawes has the full results.
See full results.

Virus Bulletin currently has 190,989 registered users.

Fighting malware and spam