Coffeehouse Thread

38 posts

I've got a rootkit...

  • Sven Groot

    @Craig_Matthews: That's not the problem blowdart was talking about. The issue is that such a scanner, even if executed from an isolated environment, can still either only detect known threats, or flag all unknown software as threats. The former will produce false negatives (so you still don't know for sure you're clean) and the latter will produce tons of false positives, as there's way too much software that legitimately hooks into the boot process for such a scanner to keep up with.

  • cheong

    blowdart wrote:

    *snip*

    And how would you do that? There are so many points that you can plug into legitimately, and of course a myriad of software that does it, which has updates.

    Or of course you can take the trusted boot option, but then, well, you get a lot of complaints that Microsoft is trying to control your software so only Microsoft sourced programs will run.

    On the other hand, it seems a perfectly valid request to add a boot option that only loads Microsoft-signed executables during the boot steps.

    After all, most drivers on x64 are already supposed to have done that. And non-device drivers are usually non-critical for a diagnostic boot and can be appropriately skipped in this scenario.

    There could be other categories, but when this plan is put out, those affected will seek to have Microsoft sign their binaries.
