ROOTKIT
Comments
-
Hello,
Sorry for my long words. And sorry if I wrongly understand your points and write about totally different things.
Sorry for my questions and reply (maybe it is nicer to just wait for a response from the F-Secure team with a proper response... and not create my suggestions, which are just my dreams).
When you talk about the situation, do you mean that something is missing (such as F-Secure not detecting some of the examples)?
There was a rootkit engine/technology, Blacklight, and its "dropped" status came some/many releases ago (probably you mean this engine as the expired engine). Not sure about "expired", but maybe the engine started to be not so powerful and was partly replaced by other engines/technologies (to cover the same points). Because the Blacklight engine was created many years ago (as far as I understand).
As far as I understand the current design:
There can be different meanings. If you start using F-Secure protection software and before this... you had experience with protection software on the current system (an installed one, for example). The meaning there... is that potentially... your system should not have active troubles. And after installation you are able to use a full scan or specific tools. Which means... that if there is something fresh, F-Secure should detect it in real time. If there was something else... it is possible to detect it by scans. If there are hard-to-detect files... so... this can be too (or things not known as malicious to F-Secure. Or hard tricks).
If you start using F-Secure protection software and your system potentially can have troubles such as active malicious things (including rootkit things)... the installer should trigger the F-Secure Cleanup Tool (Online Scanner), which will be a "brief" check of critical places. This (same) tool is possible to launch later too (as a tool/type of scan/part of the F-Secure SAFE/AV solution).
Current technologies are partly called "Lighthouse" and there are SOME OF the engines (including other technologies by F-Secure and the actual design of work). Where there can be cloud points, fuzzy hashing and other things.
By design... I can think... that the current step should detect potential rootkits/active malicious files on the system.
In fact... I think it does not really work as it could. Maybe you mean something similar too. But I think more about "cannot detect many potential malicious files and hard-to-detect malicious files" and not about "that it is required to download databases" as something critical.
When the scan is completed and the installer thinks that "potentially" the system is clean... there will be the other part of the installation.
Where the full modules are installed and the main databases downloaded. The AV module has some engines too. One of them... can be the "main" one. Most of the size of the databases (and signature-based scanning) is related to this engine.
All of the others have additional layers around.
Including DeepGuard, which is something like an NHIPS complex protection. With many additional step-by-step things (related to configuration).
When you say that "it is required to add an engine"... potentially it's a good point and I thought about this too.
But as far as I understand... the current status took F-Secure Online/Cloud technology.
Partly it's based on things which can be visible in F-Secure Online Scanner (cleanup tool), F-Secure ULAV.
F-Secure Cleanup Tool (should be available as a tool / type of scan) is marked as a tool which is able to detect "rootkit" things and scans critical system places (where active malicious things or hidden tricks should be). And the meaning there... is that the "potential engine" is already added. But added as a "specific" tool/technology under one of the "meanings".
And some part of the previous "expired" technology was replaced by a redesign for other engines (as an additional step) too.
Sorry for my long reply again!
Thanks.
-
Hi Avisitors,
Maybe this article can shed more light on this issue. Blacklight has reached its EOL and has been removed from all supported products.
-
Thank you for your reply. My first language isn't English so we may have some misunderstanding. We can use F-Secure Cleanup Tool to detect rootkits --- you are right, but the scan almost completes in an instant when I use this function, and I consider my F-Secure SAFE had damage so I restored it but it still happens. Soon I learned from a forum that the F-Secure anti-rootkit engine had expired. Associating it, I guess the engine possibly expired. Maybe I am wrong.
F-Secure SAFE is a good product. Your answer gives me great confidence. Thank you.
-
Hello,
Sorry for my words (because my words are hard to understand).
Maybe the scan should not be "too speedy".
You can re-check the next thing also:
--> Under settings for Manual Scanning there are (or should be) three options for the scan process.
By default there can be different situations.
For a "long" scan it is possible to use the options (as checked) "Scan compressed files" and "Advanced scan".
And uncheck the option "Scan only known file types".
Meaning: there will be scanning of compressed (zipped, archives, other "unknown") files, an advanced scan (where potentially there can be wrong detections... because it is based on a "potentially" suspicious view) and all types of files will be scanned (and not just files which can be "malicious". As in... some extensions/files will NOT LIKELY be malicious).
But also... I just decided to write the next points (as my dreams of which scan processes could be there with F-Secure SAFE), when F-Secure SAFE is installed (about other things around the time):
-> Main UI with first window (as Status) has the button "Scan".
It will be a brief scan as a check of critical system places. Usually related to the next meaning: a scan of the system for active malicious things. It will be more speedy, because this is not a full scan of hard drives. There will be a check just of critical places on the system, where potentially there can be a malicious result or a malicious active file. Also potentially there can be a brief check of critical registry points.
Based on "knowledge" of the design of malicious/suspicious things... and a check of critical places/system scan. Helpful if there are active malicious files or if some "not active" files are placed in critical places (or there was previously something malicious).
-> Main UI with second window (as Tools) has a button where you are able to choose which kind of scan you want to launch:
---> "previous" System scan (Check for viruses/spyware).
---> Full scan (will be a scan of FULL drives and includes System scan).
It can take hours.
---> Cleanup tool (which will be, or is planned to be, a "kind of rootkit scanner").
There the executable file should be downloaded and launched with administrator rights (partly system rights maybe). After this, re-downloading databases for the scan and a certain scan process.
In my experience, it takes minutes. Can be three, five, ten. But not one minute or fifteen.
Related to a "brief" scan of critical places, folders and using some technologies/engines.
Closely related to the cloud design (for a normal scan there should be an active network connection) and there can be detection of something else.
The description of the tool... has words that... the tool is able to detect rootkits. Maybe... not sure about this, but the previous Blacklight Engine maybe cannot be nicer than the current design (except... the previous engine was just for one type, but the Cleanup tool can have more meanings).
The speed of the scan is based on "how many files" and "system configuration". But probably it should take more than three minutes and less than fifteen. BUT... just for the first scan (or when databases are not re-downloaded). The next scan of processes will briefly skip recently scanned files.