> > Well, Not for this case,
> For absolutely any case (if the AV has the databases fresh enough).
Always assume that your AV database is not fresh enough.
> No need for rootkit revealers of any kind, absolutely any kind. Just boot from a clean CD/DVD/another hard drive and run the usual AV with fresh databases.
If your AV database knows about version n, then the rootkit only has to be version n+1 and you will either find nothing, or will fail to clean a hook or two and the virus will be right back on the next boot.
> > that AV scanners scan for files and not for disk sectors and I found that the said rootkit just put its data at some sectors
> Not important. It will still need to patch some usual location (boot sector or a file) for this hidden file to gain control.
They are finding more and more places to patch unfortunately.
> > Another must have thing to clean that using this method is signatures for that rootkit file, which may not have any information pertaining to the said malware
> If the AV software is obsolete, then the game is lost, and so is the obsolete rootkit revealer.
Always assume your AV software is obsolete. I’m getting to the point where I think the only good AV software is software that either completely disconnects the computer from the network (some do, but I’m sure a virus that was motivated enough could disable that) on detected infection (‘something is not right’ detection), or wipes the bootsector and turns it off hard, like the OP wants to do, forcing a reinstall (or a bootfix).
> > And then if a certain tool is saving a customer from a format at the price of a hard reboot
> Sooner or later, the customer’s machine will experience random crashes and hangs with such software, and format (at least Windows reinstall) is the fastest and most cost-effective way of curing this.
And if the computer is on a network, probably all the other machines on the network too (port 445 exploits anyone?)
James (feeling paranoid this morning
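The "version n vs. version n+1" argument above, as an added illustration that is not part of the thread: a signature database that knows variant n of a boot-sector patch finds nothing on variant n+1, whereas a hash baseline of the location the rootkit has to patch (taken while booted from clean media) flags both. The 512-byte "boot sector", the two rootkit stubs and the signature table are all constructed for this demo; they are not real samples or signatures.

```python
"""Added example (not from the thread): stale-signature scan versus an
integrity baseline of the boot sector. All bytes below are constructed."""
import hashlib

# Constructed 512-byte "boot sector" image ending in the 0x55AA marker.
CLEAN_MBR = b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * 505 + b"\x55\xaa"

# Constructed 'version n' rootkit stub and its 'version n+1' variant (one byte differs).
ROOTKIT_V1 = b"\xeb\x3c\x90RKv1\x00"
ROOTKIT_V2 = b"\xeb\x3c\x90RKv2\x00"

# A signature database that was fresh when version n was the latest known variant.
SIGNATURES = {"rootkit.v1": ROOTKIT_V1}


def patch(mbr: bytes, stub: bytes) -> bytes:
    """Simulate a rootkit overwriting the start of the boot code with its stub
    (the 'usual location it must patch to gain control')."""
    return stub + mbr[len(stub):]


def signature_scan(sector: bytes, db: dict) -> list:
    """Return the names of all known signatures found in the sector."""
    return [name for name, sig in db.items() if sig in sector]


def baseline(sector: bytes) -> str:
    """SHA-256 of the known-good sector, recorded while booted from clean media."""
    return hashlib.sha256(sector).hexdigest()


def integrity_check(sector: bytes, known_good: str) -> bool:
    """True if the sector still matches the clean baseline, regardless of
    which variant (if any) has been written into it."""
    return hashlib.sha256(sector).hexdigest() == known_good


def demo() -> dict:
    good = baseline(CLEAN_MBR)
    v1 = patch(CLEAN_MBR, ROOTKIT_V1)
    v2 = patch(CLEAN_MBR, ROOTKIT_V2)
    return {
        "sig_hits_v1": signature_scan(v1, SIGNATURES),   # ['rootkit.v1']
        "sig_hits_v2": signature_scan(v2, SIGNATURES),   # [] -- version n+1 slips past
        "integrity_v1": integrity_check(v1, good),       # False -- baseline catches it
        "integrity_v2": integrity_check(v2, good),       # False -- and the new variant too
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline only works if it was taken from a machine you trust and is stored off the machine being checked; it tells you that something changed, not what, so it complements rather than replaces the offline AV scan the thread describes.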