Content



McAfee Rootkit Detective Beta

McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.

McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.

Download it

The Rootkit Detective Beta can be downloaded here.

Features

Following are the features of this program that are designed to proactively detect and clean rootkits from the system. This program is not dependent on any signatures and can proactively detect most of the existing and upcoming rootkits and allow the user to clean them.

  • Designed to proactively detect the system objects like processes, files and registry that are hidden to the user.
  • Provides information about all running processes in the system.
  • Provides information about various system hooks like SSDT(System Service Descriptor Table) hooks, user/kernel IAT/EAT(Import/Export Address Table) hooks.
  • Allows the user to clean/remove the malicious objects from the system by renaming/deleting the hidden files/registry.
  • Allows the user to terminate the malicious processes.
  • Users can submit samples using the submission feature present in the tool.
  • Users can also collect the samples manually after renaming them and submit to stinger@avertlabs.com for further analysis.

Rootkit Detective log file contains details of the hidden files. The files once renamed after reboot will have a .REN extension. User can search for the same on the system and can submit these files for further analysis with your comments to stinger@avertlabs.com. Zip the files and password protect with “infected” and mention “Rootkit Detective” in the subject line when you send the mail.

Supported Operating Systems

  • Windows XP Home Edition with SP2
  • Windows XP Professional Edition with SP2
  • Windows 2000 with SP4
  • Windows 2000 Server
  • Windows 2003 Server SP1

How to Use Rootkit Detective Beta

  1. When prompted, choose to save the zip file to a convenient location on your hard disk (such as your Desktop folder)

  2. When the download is complete, navigate to the folder that contains the downloaded Rootkit Detective Zip file and extract it to a folder on your system. We recommend creating a folder specifically for Rootkit Detective.
  3. Once extracted, launch the Rootkit_Detective.exe. file.

  4. The Rootkit Detective Interface will be displayed.

  5. Consult the included ReadMe.txt file and Help within Rootkit Detective for more information.

Known Issues

  1. This tool will detect registry entries pertaining to McAfee Entercept Products if installed on your system.
  2. This tool will detect mfehidk.sys file pertaining to McAfee Antispyware Enterprise (Standalone) as a hooked service.
  3. This tool will detect IAT/EAT hooks in Windows 2000 SP4 system pointing to shim.dll.
  4. This tool will detect vsdatant.sys from Zone Alarm as hooked service for rootkit like behavior.
  5. This tool will detect Goback2k.sys as hooked service on system having Go Back software installed system for rootkit like behavior.
  6. This tool will detect fsndis5.sys as hooked service from F-Secure if F-Secure Internet Security Suite 2006 is installed on the system.
  7. This tool will detect klif.sys as hooked service from Kaspersky if Kaspersky Internet Security 2006 is installed on the system.
  8. This tool will detect FireTDS.sys as hooked service from McAfee if McAfee Desktop Firewall is installed on the system.
  9. This tool will detect Hidsys.sys as hooked service from McAfee if McAfee Host Intrusion Prevention is installed on the system.
  10. This tool will detect Service Name ZwCreateThread when VSE product is installed on the system.
  11. This tool will not run on Windows 2000 platforms when Kaspersky Internet Security 2006 is installed.
  12. This tool will detect many IAT/EAT hooks and SSDT hooks of legitimate applications.

NOTE: Some or all of the above issues may be addressed in the future releases.

DISCLAIMER: McAfee Rootkit Detective is considered a beta release for the use of McAfee's customers, and is NOT tested or approved for general production release. THE MCAFEE ROOTKIT DETECTIVE IS PROVIDED AS-IS, WITH NO WARRANTY, EXPRESS OR IMPLIED, WHATSOEVER, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. MCAFEE MAKES NO REPRESENTATION THE FILE(S) PROVIDED TO YOU WILL BE FREE FROM ERRORS OR OTHER INTERRUPTIONS OR THAT THEY WILL MEET YOUR REQUIREMENTS. YOU AGREE THAT THESE LIMITATIONS SHALL BE ENFORCEABLE TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.