Hi everybody,
I'm glad to present Vba32 AntiRootkit 3.12.5.4 beta build 293.
Download link is the same: http://anti-virus.by/en/beta.shtml
Change list:
+ Low-level operations with disk volumes. Support for MBR and GPT. Support for Microsoft/Veritas dynamic volumes (Simple, Spanned, Striped, Mirrored and RAID-5).
Despite the fact that dynamic volumes are quite rare, this is a great step forward in our low-level disk access library. As far as I know, there is no other anti-rootkit that provides this feature.
+ Boot sector verification feature. Detection, viewing, dumping and restoration of non-standard and forged loaders. The primary boot sector is saved in the HTML log.
This might be the most interesting feature of the build. Finally we are able to detect, view, dump and restore forged and non-standard boot loaders (which means that we can fight many bootkits such as TDL4/Sinowal/Alipop/Rmnet/etc.). However, I'd like to point out that we are still using the "old" TDL3 detection code, which can be bypassed on some types of disk controllers. We are currently working in this direction and will provide you with some advanced techniques in the near future.
+ Added detection and restoration of abnormal Global Descriptor Table (GDT) entries
Such entries are usually used to provide R3 code with access to privileged instructions.
+ Increased the number of checked autorun items
(LSA Providers, SubSystems\Windows, etc.)
In every build we increase the number of checked autorun items.
* Detection and restoration of IDT and SysEnter hooks were improved
The GDT selector offset and the IA32_SYSENTER_CS register are now taken into account. In the previous builds the GDT selector offset was considered null, which is not right. Unfortunately, most arkit tools have the same bug.
* Safe closing of protected handles (CloseHandle)
Serious bug indeed. Thanks to STRELiTZIA
* Checking of standard Windows Firewall rules
* Overall robustness of the antirootkit was improved
* Help in Russian was improved
Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports and kernel dumps are very welcome!
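The two GDT-related items in the change list (abnormal GDT entries reachable from R3, and the SysEnter check that earlier builds got wrong by assuming a zero segment base) can be illustrated with a small descriptor decoder. This is an added example and not Vba32 code: it works on a constructed 32-bit GDT image and constructed IA32_SYSENTER_CS/IA32_SYSENTER_EIP values rather than reading them with SGDT/RDMSR, the kernel image range and the expected selector (KGDT_R0_CODE = 0x08 on 32-bit Windows) are assumptions passed in by the caller, and the two rogue entries (a DPL-3 call gate and a ring-0 code segment with a non-zero base) are hypothetical, built only to show what each check catches.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Field extraction for legacy (32-bit) x86 descriptors, 8 bytes each.
 * Bit positions follow the Intel SDM vol. 3 segment and gate descriptor layouts.
 * Long-mode gates are 16 bytes, so this decoder is for 32-bit GDT images only. */
static uint8_t desc_type(uint64_t d)    { return (uint8_t)((d >> 40) & 0xF); }
static bool    desc_is_seg(uint64_t d)  { return ((d >> 44) & 1) != 0; } /* S=1 code/data, S=0 system */
static uint8_t desc_dpl(uint64_t d)     { return (uint8_t)((d >> 45) & 3); }
static bool    desc_present(uint64_t d) { return ((d >> 47) & 1) != 0; }

/* Linear base of a code/data segment: bits 16-39 hold base[23:0], bits 56-63 hold base[31:24]. */
uint32_t seg_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xFFFFFFu) | (uint32_t)((d >> 56) & 0xFFu) << 24;
}

/* Abnormal entry check: the null descriptor must be all zero, and no present
 * call gate (type 0x4/0xC) or task gate (type 0x5) may have DPL 3, since such a
 * gate lets ring-3 code transfer into ring-0 code through a far CALL. */
bool is_abnormal_gdt_entry(size_t index, uint64_t d)
{
    if (index == 0)
        return d != 0;
    if (!desc_present(d) || desc_is_seg(d))
        return false;                       /* empty, or an ordinary code/data segment */
    uint8_t t = desc_type(d);
    bool gate = (t == 0x4 || t == 0xC || t == 0x5);
    return gate && desc_dpl(d) == 3;
}

/* Real SYSENTER target: base of the segment selected by IA32_SYSENTER_CS plus
 * IA32_SYSENTER_EIP (32-bit wrap, as the CPU does). Returns 0 if the selector
 * is in the LDT, out of range, or not a present code segment. */
uint32_t sysenter_target(const uint64_t *gdt, size_t n, uint16_t cs, uint32_t eip)
{
    size_t idx = cs >> 3;
    if ((cs & 4) || idx >= n)
        return 0;
    uint64_t d = gdt[idx];
    if (!desc_present(d) || !desc_is_seg(d) || !(desc_type(d) & 0x8))
        return 0;
    return seg_base(d) + eip;
}

enum { SYSENTER_OK = 0, SYSENTER_BAD_SELECTOR, SYSENTER_UNRESOLVED, SYSENTER_OUTSIDE_KERNEL };

/* expected_cs: selector the OS normally installs (0x08 assumed for 32-bit Windows);
 * pass 0 to skip that comparison. kbase/ksize: assumed kernel image range. */
int sysenter_check(const uint64_t *gdt, size_t n, uint16_t cs, uint32_t eip,
                   uint16_t expected_cs, uint32_t kbase, uint32_t ksize)
{
    if (expected_cs != 0 && cs != expected_cs)
        return SYSENTER_BAD_SELECTOR;
    uint32_t target = sysenter_target(gdt, n, cs, eip);
    if (target == 0)
        return SYSENTER_UNRESOLVED;
    return (target >= kbase && target - kbase < ksize) ? SYSENTER_OK : SYSENTER_OUTSIDE_KERNEL;
}

/* Constructed GDT image (hypothetical, not captured from a real machine). */
#define SAMPLE_GDT_ENTRIES 8
const uint64_t SAMPLE_GDT[SAMPLE_GDT_ENTRIES] = {
    0x0000000000000000ull, /* 0x00: null descriptor */
    0x00CF9A000000FFFFull, /* 0x08: ring-0 code, base 0, 4 GiB */
    0x00CF92000000FFFFull, /* 0x10: ring-0 data */
    0x00CFFA000000FFFFull, /* 0x18: ring-3 code */
    0x00CFF2000000FFFFull, /* 0x20: ring-3 data */
    0x8054EC000008A000ull, /* 0x28: rogue 32-bit call gate, DPL 3, -> 0008:8054A000 */
    0x00CF9AF00000FFFFull, /* 0x30: rogue ring-0 code segment, base 0x00F00000 */
    0x0000000000000000ull, /* 0x38: unused */
};

int main(void)
{
    for (size_t i = 0; i < SAMPLE_GDT_ENTRIES; i++)
        if (is_abnormal_gdt_entry(i, SAMPLE_GDT[i]))
            printf("GDT selector 0x%02x: abnormal ring-3 gate, type 0x%x\n",
                   (unsigned)(i << 3), desc_type(SAMPLE_GDT[i]));

    /* Constructed MSR values: EIP alone looks like it sits inside the kernel
     * image, but through selector 0x30 the real target lands outside it. */
    uint32_t eip = 0x80541000u, kbase = 0x80400000u, ksize = 0x00200000u;
    printf("via 0x08: target %08x, result %d\n",
           sysenter_target(SAMPLE_GDT, SAMPLE_GDT_ENTRIES, 0x08, eip),
           sysenter_check(SAMPLE_GDT, SAMPLE_GDT_ENTRIES, 0x08, eip, 0x08, kbase, ksize));
    printf("via 0x30: target %08x, result %d\n",
           sysenter_target(SAMPLE_GDT, SAMPLE_GDT_ENTRIES, 0x30, eip),
           sysenter_check(SAMPLE_GDT, SAMPLE_GDT_ENTRIES, 0x30, eip, 0, kbase, ksize));
    return 0;
}
```

The last call passes expected_cs = 0 on purpose: with the selector comparison disabled, the only thing that still exposes the redirected handler is adding the segment base to IA32_SYSENTER_EIP, which is exactly the step the post says earlier builds skipped. On a live system the inputs come from SGDT and RDMSR 0x174/0x176 in ring 0 (or from a kernel dump), and the kernel range from the loaded module list.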