Just recently, I came across a PC infected with the Packed.Generic.200 (Symantec name) trojan/rootkit.
I used McAfee, Symantec, Malwarebytes, Comodo, and a few other AV programs, and none of them was able to clean this nasty infection.
Most of them, including Comodo, were able to detect suspicious files, but none was able to permanently remove them, since they were written/injected back to the HDD and into hidden processes before anything could intercept them. So, after a PC reboot, the malicious files were back in place (no matter which boot mode).
I was finally able to conquer this nasty infection using McAfee Rootkit Detective.
(http://vil.nai.com/vil/stinger/rkstinger.aspx)
Would it be possible to add similar functionality to Comodo IS, not only to detect but also to remove similar types of infections, including hidden registry entries, hidden files, hidden PnP devices (which this infection created as well), and process injections? Or, if not directly in CIS, maybe design an additional removal tool, similar to the one cited above, since more rootkits are spreading quickly.
Thanks in advance.
Sincerely,
Komodo-Dragon
I think the best thing would be if they made a bootable CD that not only included the newest daily signatures but also things that can only be done from a CD, such as rootkit removal, Virut disinfection, etc. Maybe it could be Linux-based, making it fast and free.
A bootable CD is only part of the solution: removing infected files. What about detecting malicious hidden registry entries, hijacked processes, etc.? These can only be detected while the system is running in normal mode, not even in safe mode or command-line mode.
As for a Linux boot disc fixing Windows NTFS partitions, I would wait until writing to NTFS partitions from *NIXes is better mastered.
Yet, thanks for suggestions.
+1 on adding some sort of support for rootkit detection and removal.
Why didn't Comodo detect the program running and prompt to deny/allow? Even if Comodo couldn't remove the file, it should have at least killed it from running.
As I have said, I encountered an infected/intruded computer, and that happened before CIS was involved. I used it to try to remove this intrusion, which CIS detected yet was not able to remedy properly, nor was any other well-known market product I tried (see first post).
How CIS would behave while under such an attack, I cannot say, and even for experimental purposes I do not intend to get my machines infected with such a nasty bug. I will leave it up to the Comodo AV team to check and determine, of course, if they are willing to do it. The most important thing is that they are now aware of such cases.
I am not sure if you tried it already, but Superantispyware is often able to remove malicious files (including some rootkits) that cannot be removed by other anti-malware programs.
For me, there were many times that a-squared, Avira, Avast, Malwarebytes, Spybot, Panda Anti-Rootkit, etc. failed to remove the malware (even if it was detected). But Superantispyware removed the malware in every circumstance. This is my experience… Anyhow, it may be worth a try.
I agree, Comodo needs to maximize detection and removal for future releases (including rootkits).
+1, some free antivirus software can't detect rootkits.
:o Comodo can't detect rootkits!?
It can, but like most AVs it has a hard time getting rid of them.
+1