A testing methodology for rootkit removal effectiveness presented at Virus Bulletin 2007

by Josh Harriman (Symantec)

Tags: Security

URL : http://www.virusbtn.com/conference/vb2007/abstracts/Harriman.xml

Summary : Testing the effectiveness of an anti-rootkit product is difficult for one simple reason: the threats used to test it will usually be hidden from most system monitoring tools. Those tools are needed when evaluating anti-virus, anti-spyware or stand-alone anti-rootkit products, but they can be of little use against threats that hide their presence and their modifications to the system under test, so a different approach is needed. Using an offline discovery technique, we can find the system changes made by these threats and record their actions reliably. This information is crucial when conducting an evaluation of one or more anti-rootkit products. We walk through this methodology and explain how to use the tools and gather the proper results. Independent testers should use this technique when performing security product reviews against current rootkit threats.
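The offline discovery approach described in the summary, as an added example that is not part of the abstract or of the author's own tooling: the system volume is imaged or mounted from a clean boot environment (so the rootkit is not running), a file-hash snapshot is taken before and after infection, and the two snapshots are diffed to recover the changes the threat made. A second check compares the offline snapshot against the listing a live tool saw, so that anything the rootkit filtered from the live view stands out. The directory tree, the "infection" and the live listing are constructed in a temporary directory for the demo; the file names are placeholders, not real Windows binaries.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Walk a mounted (offline) volume and record relative path -> SHA-256.

    Taken from outside the running OS, this listing is not subject to the
    API hooking or DKOM a live rootkit uses to hide its files.
    """
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[str(p.relative_to(root)).replace(os.sep, "/")] = h.hexdigest()
    return result


def diff_snapshots(before, after):
    """Report files added, removed or modified between two offline snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def hidden_from_live_view(live_listing, offline_snapshot):
    """Cross-view check: present on disk but absent from the live listing = hidden."""
    return sorted(set(offline_snapshot) - set(live_listing))


def build_demo_volume(tmp):
    """Constructed stand-in for a system volume (placeholder contents, not real files)."""
    tmp = Path(tmp)
    files = {
        "Windows/System32/ntoskrnl.exe": b"kernel image (constructed placeholder)",
        "Windows/System32/drivers/tcpip.sys": b"tcp/ip driver (constructed placeholder)",
        "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    }
    for rel, data in files.items():
        p = tmp / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return tmp


def simulate_infection(root):
    """Constructed changes standing in for a rootkit install: drop a driver, patch a file."""
    root = Path(root)
    (root / "Windows/System32/drivers/rk.sys").write_bytes(b"hidden driver (constructed)")
    (root / "Windows/System32/drivers/tcpip.sys").write_bytes(b"tcp/ip driver PATCHED (constructed)")


def run_demo():
    """Baseline -> infect -> offline snapshot -> diff, plus the live-vs-offline cross-view."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_volume(tmp)
        before = snapshot(root)            # clean baseline, taken offline
        simulate_infection(root)
        after = snapshot(root)             # post-infection, taken offline (rootkit not running)
        changes = diff_snapshots(before, after)
        # Constructed live listing: a running rootkit filters its own driver from enumeration.
        live_listing = [p for p in after if not p.endswith("rk.sys")]
        hidden = hidden_from_live_view(live_listing, after)
    return changes, hidden


if __name__ == "__main__":
    changes, hidden = run_demo()
    print("changes:", changes)
    print("hidden from live view:", hidden)
```

In a real evaluation the two snapshots come from the same machine imaged before infection and after the sample has run, and the hashes should be recorded with the image so the anti-rootkit product's removal result can be compared against the same baseline afterwards. Registry hives and boot sectors need the same treatment; this block covers only the file system.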