Published on October 4th, 2019 | 3681 Views

Rootkit Detection and Removal

Watch more Tech Dive videos here https://www.youtube.com/watch?v=BtG5qZxxatY&list=PLPmbqO785HltQyUjGUVg-0hFlixFOC0qO

In this video, we’ll demonstrate how Kaspersky Endpoint Security for Business detects and removes #rootkits. Rootkits are programs that apply different concealment techniques to malicious code and activities so as to avoid detection and remediation by traditional antivirus software.

Our Anti-Rootkit module detects and removes this form of stealthy infection.

Here we have a system protected by Kaspersky Endpoint Security for Business.

But first, let’s turn off our security solution to demonstrate actual rootkit functionality.

Now we’ll run four samples of #malware, one by one. As you can see, all the samples are running successfully.

Now, let’s add samples to Autorun in the registry, to imitate active infection. A real rootkit would do this automatically when it's executed, so the malware remains in the system even after the machine is restarted. We’re doing this manually here, just to demonstrate how it works.

Now we’ll use a special tool that emulates different rootkit methods of hiding malicious code. In the first instance, we block access to the sample by any other process, so this sample can’t be read, scanned, or deleted by classic AV products. But our Anti-Rootkit technology can overcome this, as we'll see later.

Let's apply other methods of hiding to other samples. These are popular techniques used by real rootkits to conceal malicious code. See how our samples disappear or become unreadable?

Now we’ll block and hide the corresponding registry entries. After doing this to the first entry, an error message tells us that the entry couldn’t be removed by the standard method – hence the need for anti-rootkit technologies. We’ll apply different methods to hide the other entries. And again, the system tells us it can’t display these registry entries. They became “invisible”.

However… let’s see what happens as we turn on Kaspersky Endpoint Security for Business.

First let’s run the Critical Areas Scan, which includes Autorun Scan. We’re speeding this up a bit to save time.

Look, the rootkit is detected! Let’s agree to Advanced Disinfection. Here we’re using a special mode which includes system blocking. Guaranteed Rootkit disinfection now requires a reboot.

After the system reboot, we check all the places where we put malicious components, and they have all been removed.

Let’s check the product logs. Here, we can see a complete history of detection and removal, and if we click on a particular record we can see each piece of removed malware in detail.

Let’s run another Critical Areas Scan. It confirms that all rootkits have been removed, and no more threats have been detected.
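The Autorun Scan in the demo checks the same registry locations that the samples were added to. As an added example (not Kaspersky's code, and not part of the video), the PowerShell audit below enumerates the common Run/RunOnce keys, resolves each command to a file path, and flags entries whose target is missing from the directory listing or cannot be opened for reading, which is how the file-hiding and access-blocking techniques shown above look from a normal process. The key list and the helper names are assumptions chosen for this example.

```powershell
# Added example: audit Autorun registry entries for targets that are hidden or locked.
# Run in an elevated PowerShell session on the host being checked.
$autorunKeys = @(   # assumed list; extend with other persistence locations as needed
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath {
    param([string]$Command)
    # A quoted executable path comes first; otherwise take the first token before arguments.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-AutorunEntry {
    param([string]$Key, [string]$Name, [string]$Command)
    $path = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $Command))
    $result = [pscustomobject]@{ Key = $Key; Name = $Name; Path = $path; Status = 'ok' }
    if (-not (Test-Path -LiteralPath $path)) {
        # Either the file was deleted, or it is hidden from directory enumeration.
        $result.Status = 'target missing or hidden'
        return $result
    }
    try {
        # Opening for read fails when another process holds the file exclusively,
        # the "blocked access" technique from the demo.
        $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'Read')
        $fs.Close()
    } catch {
        $result.Status = "target unreadable: $($_.Exception.Message)"
    }
    return $result
}

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive properties
        Test-AutorunEntry -Key $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# Only suspicious entries are shown; an empty table means every target was present and readable.
$findings | Where-Object Status -ne 'ok' | Format-Table -AutoSize
```

An entry hidden from the registry API itself, as in the second half of the demo, never reaches this script at all; that gap is exactly what a dedicated anti-rootkit scan is for.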

#Kaspersky #cybersecurity #ITsecurity
