markusg, posted July 8, 2010:
Has somebody tested if Immunet can remove bootkits? If not, Immunet must have a look at it. I removed around 10 in German forums today...
millard@immunet.com, posted July 12, 2010:
> Has somebody tested if Immunet can remove bootkits? If not, Immunet must have a look at it. I removed around 10 in German forums today...
I'm trying to figure out exactly what you mean. Do you have some specific threat names?
Guest Mature, posted July 12, 2010:
> I'm trying to figure out exactly what you mean. Do you have some specific threat names?
I think maybe he's talking about THIS
markusg, posted July 12, 2010:
Sure, but I have no sample to upload at this moment. These new bootkits are variants of the Stoned rootkit created by Peter Kleissner. http://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-PAPER.pdf
Here is another link, not in English, but I think you can understand it. http://antimalwarehelp.blogspot.com/2010/05/whistler-bootkit.html
There is also another variant out. It opens browser popups (advertisements) and deactivates the sound. Most AVs cannot find this infection. Hope this is enough info?
markusg, posted July 12, 2010:
Sorry Mature, I had not seen your link.
alfred, posted July 12, 2010:
> Has somebody tested if Immunet can remove bootkits? If not, Immunet must have a look at it. I removed around 10 in German forums today...
The short answer is that if you're already infected when you install IMP Free, there is little to no chance we will detect it. IMP Free also cannot clean this threat effectively if you are already infected. I'm using Mebroot as my working example, as I am (off the top of my head) unaware of other examples in the wild. We can, however, detect it on access and on copy. Our hope is to nab threats like this when you dl them. YMMV. IMP Plus can both detect and remove MBR-style threats. Having said that, both removal and detection for this threat class in all AV products is in its infancy.
al
markusg, posted July 12, 2010:
I think I can send you a Whistler sample, perhaps, if you need one... OK, I know it's hard to remove such stuff and so on, but there must be another possibility. I think in the future these bootkits are coming. I cleaned perhaps 50 PCs having this stuff in the last week, and there are other helpers doing the same... I mean, this Peter Kleissner paper has been known for one year and most vendors cannot detect or remove it. The eSage Lab tool can... I will not say it's easy to handle it, I'm not writing programs, but the eSage tool shows there is a way to find this bootkit.
sweidre, posted July 18, 2010:
Hi Everybody,
There should be an option to select which drive (c:\, d:\, e:\ etc.) to scan for rootkits! For the moment, the whole computer will be scanned!
Cheers, sweidre
millard@immunet.com, posted July 20, 2010:
> Hi Everybody, There should be an option to select which drive (c:\, d:\, e:\ etc.) to scan for rootkits! For the moment, the whole computer will be scanned! Cheers, sweidre
sweidre, that's a great idea. I've got it on our wish list.
--Millard