Coffeehouse Thread

38 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

I've got a rootkit...

  • Sven Groot

    @Craig_Matthews: That's not the problem blowdart was talking about. The issue is that such a scanner, even if executed from an isolated environment, can still either only detect known threats, or flag all unknown software as threats. The former will produce false negatives (so you still don't know for sure you're clean) and the latter will produce tons of false positives, as there's way too much software that legitimately hooks into the boot process for such a scanner to keep up with.

  • 
    blowdart wrote:

    And how would you do that? There are so many points that you can plug into legitimately, and of course a myriad of software that does it, which has updates.

    Or of course you can take the trusted boot option, but then, well, you get a lot of complaints that Microsoft is trying to control your software so only Microsoft sourced programs will run.

    On the other hand, it seems a perfectly valid request to add a boot option that only loads Microsoft-signed executables during the boot steps.

    After all, most drivers on x64 are already supposed to have done that. And non-device drivers are usually non-critical for a diagnostic boot and can be appropriately skipped in this scenario.

    There could be other categories, but when this plan is put out, those affected will seek to have Microsoft sign their binaries.

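The two posts above disagree about whether a boot-time check is practical: Sven Groot's point is that a scanner must either know every legitimate boot-hooking product or flag all of it, and the reply proposes a diagnostic boot that simply refuses anything not Microsoft-signed. The script below is an added example, not code from the thread or from Microsoft, that shows what that policy looks like on a live system: it enumerates boot-start and system-start drivers via Win32_SystemDriver, verifies each file with Get-AuthenticodeSignature, and sorts them into Microsoft-signed, validly signed by someone else, and everything else. The "THIRD-PARTY" bucket is exactly the set a Microsoft-only policy would skip and a strict scanner would flag. It assumes an elevated PowerShell 5.1+ session on Windows; the helper names (Resolve-DriverPath, Get-EarlyDriverSignatureReport, Get-SecureBootState) and the signer-subject matching rule are my own choices, and the Secure Boot query is included because blowdart's quote raises trusted boot as the alternative.

```powershell
# Added example (not from the thread): report signature status of early-start drivers.
# Assumptions: elevated PowerShell 5.1+ on Windows. Some in-box drivers are signed
# only through a catalog; if one shows NotSigned here, cross-check it before
# treating it as suspicious (the caveat Sven Groot's false-positive point predicts).

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths come in several spellings; normalise to an absolute path.
    if     ($p -match '^\\SystemRoot\\') { $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" }
    elseif ($p -match '^\\\?\?\\')       { $p = $p -replace '^\\\?\?\\', '' }
    elseif ($p -match '^System32\\')     { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-EarlyDriverSignatureReport {
    # Boot and System start modes are the ones loaded before a user-mode scanner runs.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -in 'Boot', 'System' }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Name = $d.Name; StartMode = $d.StartMode; Path = $d.PathName
                Status = 'FileNotFound'; Signer = $null; Verdict = 'REVIEW'
            }
            continue
        }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Matching rule is an assumption: treat anything whose leaf cert is issued to
        # Microsoft Corporation (including WHQL-signed third-party drivers) as "Microsoft-signed".
        $isMicrosoft = $signer -match 'O=Microsoft Corporation'

        $verdict = if ($sig.Status -eq 'Valid' -and $isMicrosoft) { 'OK' }
                   elseif ($sig.Status -eq 'Valid')                { 'THIRD-PARTY' }
                   else                                            { 'REVIEW' }

        [pscustomobject]@{
            Name = $d.Name; StartMode = $d.StartMode; Path = $path
            Status = $sig.Status; Signer = $signer; Verdict = $verdict
        }
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; report that rather than fail.
    try { return (Confirm-SecureBootUEFI) } catch { return 'Unsupported' }
}

"Secure Boot: $(Get-SecureBootState)"
Get-EarlyDriverSignatureReport | Sort-Object Verdict, Name | Format-Table -AutoSize
```

Reading the output: "OK" rows are what the proposed Microsoft-only diagnostic boot would load; "THIRD-PARTY" rows are validly signed drivers the policy would skip, and there are usually a handful on any machine with vendor storage, network or anti-malware filters installed; "REVIEW" rows are unsigned, tampered, or catalog-signed files that need a second look with a catalog-aware tool before being called a rootkit. Note that WHQL-signed third-party drivers land in "OK" under this matching rule, since Microsoft's hardware-compatibility publisher certificate is issued to Microsoft Corporation; tighten the rule if you want to distinguish in-box from WHQL-signed.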
