By Ryan Russell
I’d like to introduce you today to three free rootkit scanning tools you can add to the ones I briefly reviewed on Sept. 20.
Based on reader feedback, I’m covering this additional set of antirootkit tools and explaining some different schemes for rootkit detection.
The difference between anomalies and signatures
The antirootkit tools I reviewed two weeks ago were mostly anomaly detectors. That is, they look for hidden files, suspicious hooks, and general weirdness: a file that a raw read of the disk shows but the Windows API does not, or a system call table entry that points somewhere other than the kernel. This leaves the user with the job of deciding whether each detected item is really a problem.
The other major style of detection is signature-based. These applications store a set of signatures for known rootkits and compare what they find on the system against that set. Signature-based programs don’t typically flag something as suspicious unless they’ve determined exactly what it is. The flip side is that a signature scanner is blind to a rootkit it has no signature for, which is exactly the situation with a freshly modified or custom-built one.
Signature-based detection is the model that the vast majority of antivirus tools use to catch viruses and similar malware. There’s a lot of value in being able to identify a specific piece of malware. A vendor can write a much more specific algorithm to clean up an infection, for example.
If an anomaly scanner, by contrast, finds a suspicious item and blindly removes it, some piece of software you actually want might quit working, or Windows itself might no longer boot.
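To make the two styles concrete, here is a small Python illustration of both on the same constructed data. It is an added example for this column, not code from any of the tools reviewed here. The "raw view" and "API view" lists stand in for what a real scanner would get from parsing the volume directly versus asking the (possibly hooked) Windows file APIs; the file names, contents and the signature database are all made up for the illustration.

```python
"""Anomaly (cross-view) detection versus signature detection of rootkit files.

Added example, not from any reviewed tool. All paths, file contents and
signatures below are constructed for illustration only.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    content: bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed "raw" view: what you would see by reading the on-disk structures
# directly, bypassing any hooks.
RAW_VIEW = [
    FileEntry(r"C:\Windows\System32\kernel32.dll", b"legit system library"),
    FileEntry(r"C:\Windows\System32\drivers\evilrk.sys", b"hidden rootkit driver"),
    FileEntry(r"C:\Windows\System32\drivers\evilrk_variant.sys", b"hidden rootkit driver v2"),
    FileEntry(r"C:\Windows\System32\drivers\avfilter.sys", b"legit AV self-protection driver"),
]

# Constructed "API" view: what a directory listing through the Windows API
# returns once hooks have filtered it. The rootkit hides both of its files,
# and the (legitimate) AV driver hides its own file as well.
API_VIEW = [
    FileEntry(r"C:\Windows\System32\kernel32.dll", b"legit system library"),
]

# Constructed signature database: SHA-256 of file contents -> rootkit name.
# Only the original rootkit driver is in it; the modified variant is not.
KNOWN_ROOTKITS = {
    hashlib.sha256(b"hidden rootkit driver").hexdigest(): "Example.Rootkit.A (constructed)",
}


def cross_view_anomalies(raw, api):
    """Anomaly detection: any path present in the raw view but missing from
    the API view is reported as hidden. No judgment about what it is."""
    visible = {e.path.lower() for e in api}
    return sorted(e.path for e in raw if e.path.lower() not in visible)


def signature_hits(raw, db):
    """Signature detection: report only files whose hash matches a known
    rootkit, and say exactly which one it is."""
    return {e.path: db[e.sha256()] for e in raw if e.sha256() in db}


if __name__ == "__main__":
    print("Anomaly scan (hidden files, user must decide):")
    for path in cross_view_anomalies(RAW_VIEW, API_VIEW):
        print("  hidden:", path)
    print("Signature scan (known rootkits only):")
    for path, name in signature_hits(RAW_VIEW, KNOWN_ROOTKITS).items():
        print("  match:", path, "->", name)
```

Run on the constructed data, the anomaly scan reports all three hidden files, including the AV driver that is hiding itself for legitimate reasons, and leaves the user to sort them out. The signature scan names the one rootkit it knows and says nothing about the modified variant or the AV driver, which is precisely the trade-off the column describes.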