VirusBlokAda Ltd. is glad to offer you a new version of Vba32 AntiRootkit and invites you to take part in beta testing of the product.
Download links:
ftp://anti-virus.by/beta/Vba32arkit_beta.rar
ftp://anti-virus.by/beta/Vba32arkit_beta.zip
ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar
ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip
The following kernel-mode rootkit detection techniques are implemented in Vba32 AntiRootkit:
searching for SYSENTER hooks (a replaced SYSENTER_EIP handler);
searching for hooks made by replacing addresses in the SSDT (System Service Descriptor Table);
searching for hooks made by replacing addresses in the Shadow SSDT;
searching for hooks made by modifying the IDT (Interrupt Descriptor Table);
searching for export table modifications in the main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
searching for hooks made by modifying machine code (splicing, i.e. inline patching of function bodies);
searching for hooks made by replacing the addresses of IRP dispatch handlers in driver objects;
searching for hooks made by replacing the addresses of FastIO request handlers;
searching for kernel modules hidden in memory. An object found to be hidden is marked Hidden in memory;
searching for processes hidden in memory. An object found to be hidden is marked Hidden in memory;
searching for kernel modules whose image on disk does not match the image in memory. Such objects are marked Modified image;
searching for installed kernel-mode notificators (notify routines registered for process, thread, image-load and registry events).
In addition, the following techniques are implemented:
scanning autoruns;
scanning drivers and services registered in the registry;
scanning all collected objects (process files, autoruns, loaded drivers/services and kernel modules);
checking the digital signature of all collected objects (process files, autoruns, loaded drivers/services and kernel modules);
displaying additional information retrieved from file resources (version information).
The following features are provided for neutralizing rootkits:
restoring hooked entries in the SSDT;
restoring hooked entries in the Shadow SSDT;
restoring hooked entries in the IDT;
restoring hooked exports in the main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
restoring functions hooked by machine code modification (splicing);
restoring SYSENTER hooks;
removing specified objects from autoruns;
enabling/disabling drivers/services registered in the registry;
copying specified files to the quarantine early in the system boot (before the rootkit's driver is loaded);
deleting specified files early in the system boot;
scanning for and deleting autorun.inf files;
removing installed kernel-mode notificators.
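To make the checks above concrete, here is an added example (written for this page, not VirusBlokAda's code and not how Vba32 AntiRootkit is implemented) of three of the listed detection techniques and one of the restore operations: the SSDT address-range check, detection of splicing by comparing a function's in-memory bytes with its on-disk bytes, restoring the spliced function, and a cross-view comparison that exposes hidden processes. All addresses, the ntoskrnl range, the NtOpenProcess prologue and the PID lists are constructed sample data in a 32-bit XP-style layout, so the program runs in user mode on any platform; in a real tool the buffers would be read from kernel memory and from the module file on disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Address range of a loaded kernel module (constructed values, not real). */
struct module_range { const char *name; uintptr_t base; size_t size; };

static int in_module(const struct module_range *m, uintptr_t addr)
{
    return addr >= m->base && addr < m->base + m->size;
}

/* SSDT check: on 32-bit Windows every KiServiceTable entry is an absolute
 * address that must lie inside ntoskrnl. Entries outside it are reported as
 * hooks. Returns the number of suspect entries; first_bad gets the first index. */
size_t ssdt_check(const uintptr_t *table, size_t count,
                  const struct module_range *ntos, size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < count; i++) {
        if (!in_module(ntos, table[i])) {
            if (bad++ == 0 && first_bad) *first_bad = i;
        }
    }
    return bad;
}

/* Splicing check: compare a function's first bytes as mapped in memory with
 * the same bytes from the on-disk image, and classify the trampoline. */
enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_PUSH_RET, HOOK_MOV_EAX_JMP, HOOK_OTHER };

enum hook_kind splice_check(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    if (memcmp(mem, disk, n) == 0) return HOOK_NONE;
    if (n >= 5 && mem[0] == 0xE9) return HOOK_JMP_REL32;                  /* jmp rel32 */
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) return HOOK_PUSH_RET;  /* push imm32; ret */
    if (n >= 7 && mem[0] == 0xB8 && mem[5] == 0xFF && mem[6] == 0xE0)
        return HOOK_MOV_EAX_JMP;                                            /* mov eax,imm32; jmp eax */
    return HOOK_OTHER;
}

/* Target of a jmp rel32 located at `at`: address after the 5-byte jmp plus rel32. */
uintptr_t jmp_rel32_target(uintptr_t at, const uint8_t *mem)
{
    int32_t rel;
    memcpy(&rel, mem + 1, sizeof rel);
    return (uintptr_t)((intptr_t)(at + 5) + rel);
}

/* Restoring a spliced function is the inverse of the check: write the on-disk
 * bytes back. A real tool does this from kernel mode with write protection
 * handled; here it is a plain memcpy over the sample buffer. */
void splice_restore(uint8_t *mem, const uint8_t *disk, size_t n)
{
    memcpy(mem, disk, n);
}

/* Cross-view check for hidden processes: PIDs present in a low-level view
 * (here a constructed list standing in for, e.g., a PspCidTable walk) but absent
 * from the API-level enumeration are reported as hidden. */
size_t hidden_processes(const uint32_t *api, size_t n_api,
                        const uint32_t *low, size_t n_low,
                        uint32_t *hidden, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n_low; i++) {
        int seen = 0;
        for (size_t j = 0; j < n_api && !seen; j++) seen = (api[j] == low[i]);
        if (!seen && found < max) hidden[found++] = low[i];
    }
    return found;
}

/* ---- constructed sample data (hypothetical 32-bit layout) ---- */
static const struct module_range k_ntos = { "ntoskrnl.exe", 0x80400000u, 0x00200000u };
static const uintptr_t k_ssdt[] = { 0x80501234u, 0x805A2000u, 0xF8A10000u, 0x8050ABCDu };
/* NtOpenProcess prologue as on disk: mov edi,edi; push ebp; mov ebp,esp; push 1Ch */
static const uint8_t k_disk[7] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x6A, 0x1C };
/* Same bytes in memory after splicing: jmp rel32 to 0xF8A12000, rest intact */
static uint8_t k_mem[7] = { 0xE9, 0xFB, 0xFF, 0x4F, 0x78, 0x6A, 0x1C };
static const uintptr_t k_func = 0x80512000u;
static const uint32_t k_api_pids[] = { 4, 368, 1204, 1532 };
static const uint32_t k_low_pids[] = { 4, 368, 1204, 1337, 1532 };

int main(void)
{
    size_t idx = 0, n = ssdt_check(k_ssdt, 4, &k_ntos, &idx);
    printf("SSDT: %zu suspect entries, first at index %zu -> %#lx\n", n, idx, (unsigned long)k_ssdt[idx]);
    if (splice_check(k_mem, k_disk, sizeof k_mem) == HOOK_JMP_REL32)
        printf("NtOpenProcess: spliced, jmp -> %#lx\n", (unsigned long)jmp_rel32_target(k_func, k_mem));
    splice_restore(k_mem, k_disk, sizeof k_mem);
    printf("after restore: %s\n", splice_check(k_mem, k_disk, sizeof k_mem) == HOOK_NONE ? "clean" : "still patched");
    uint32_t hid[8];
    size_t h = hidden_processes(k_api_pids, 4, k_low_pids, 5, hid, 8);
    printf("hidden processes: %zu (pid %u)\n", h, h ? hid[0] : 0u);
    return 0;
}
```

Two caveats a practitioner should keep in mind when reading such a report: an SSDT entry pointing outside ntoskrnl, or a patched prologue, is also what legitimate antivirus and HIPS drivers of that era produced, so a hit identifies a hook, not necessarily a rootkit; and on 64-bit Windows the service table holds relative offsets rather than absolute addresses, so the range check above is specific to the 32-bit layout.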
Vba32 AntiRootkit also lets the user collect information that may help in troubleshooting problems on the user's computer.
Vba32 AntiRootkit ships with English help (the Vba32ArkitEN.chm file).
You can send your feedback to beta[at]anti-virus.by or post it here.