Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

No Rootkit in Kaspersky Anti-Virus

Started by Chachazz , Jan 13 2006 08:00 PM

  • Please log in to reply

#1
Chachazz
Posted 13 January 2006 - 08:00 PM

Chachazz

    Member 3k

  • Member
  • PipPipPipPipPipPip
  • 3,046 posts
No rootkit in Kaspersky Anti-Virus
January 13, 2006 | 15:47 GMT

Mark Russinovich, who is well known as an IT security expert, and who was a major player in the Sony rootkit scandal, is now suggesting that we use 'rootkit' technology in our products. His comments have been picked up in a PCWorld article (http://www.pcworld.c...d,124365,00.asp). He said that "the techniques used by ... Kaspersky's Anti-Virus products are rootkits, a term usually reserved for the techniques that malicious software uses to avoid detection on an infected PC".

Our products do use a technology called iStreams™, which is what Russinovich seems to be worried about. But this isn't a rootkit.

We started using iStreams™ technology a couple of years ago to improve scanning performance. Basically, this means that our products use NTFS Alternate Data Streams to hold checksum data about files on the user's system. If a checksum remains unchanged from one scan to another, KAV products know the file has not been tampered with and do not, therefore, require a repeat scan.

To view NTFS Alternate Data Streams you need special tools. When KAV is active it hides its streams because they are its internal data only. Just because you can't see them either automatically or with a special tool, it doesn't mean that they're malicious. It also doesn't mean that a product which uses and hides these streams is using rootkit technology.

We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:

  • If a KAV product is active, the streams are hidden and no processes (including system) have access to them.

  • If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams)

  • If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database - thus it will destroy the alien code/data.

Kaspersky Labs News: Viruslist.com»
  • 0

Advertisements

Back to Off-Topic · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Discussion
  3. Off-Topic

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP