Author Topic: Windows Live OneCare and Live Safety Scanner, Perfect Rootkit Victims  (Read 5056 times)

  • SCF Administrator
Microsoft's security solutions, including the Windows Live Safety Scanner version 1.1.3007.0 and Microsoft Windows Live OneCare 1.6.2111.32 (1.1.2803.0), have nothing on rival products from Avira, BitDefender, Kaspersky, Gdata, Symantec, Panda, Trend Micro and others. Independent security test outfit AV-Test performed two rootkit detection and removal benchmarks the past month on 32-bit copies of Windows XP Home and Windows Vista Ultimate.

AV-Test threw into the same arena Internet Security Suites, web-based online scanners, and specialized anti-rootkit tools on Windows XP, as well as general purpose security solutions on Windows Vista. "In the case of Windows XP, all products (in their most current versions) were updated and then frozen on 25 October 2007. The only exceptions were the online scanners, which were tested on 25 October and 2 November 2007," revealed security researchers Andreas Marx and Maik Morgenstern from AV-Test.

On Windows XP, the tests involved a variety of stages, including detection of inactive, active and malware hidden rootkit samples. At the same time, the security products were tested in accordance with their capacities to remove rootkits, either active or inactive, as well as malicious codes hidden by rootkits. The initial tests consisted of on-demand detection and removal with the exception of the dedicated anti-rootkit products which failed to feature on-demand scanning capabilities.

"This already revealed some missing signatures in the scanners’ databases. The results of the on-access scanning were identical to the on-demand results, so they are not listed separately in the results table. The maximum number of samples the tools could detect was 30 dedicated rootkits, and no more than 27 rootkits could be removed because we used the original (and thus, write-protected) CD and DVD media with the three ‘commercial’ rootkits," Marx and Morgenstern revealed.

The anti-rootkit technologies managed a detection rate of approximately 80%, with security suites at just 66% and online tools at just 53%. Microsoft Windows Live Safety Scanner 1.1.3007.0, for example, detected only 20 inactive samples, 17 active, and just 25 malicious code samples hidden by rootkits. In each category, Windows Live Safety Scanner should have detected 30 rootkit samples. When it comes down to removal, Microsoft's online scanner performed even worse, being capable of removing just 19 inactive samples, 10 active and just eight pieces of hidden malware.

On Vista, AV-Test ran only what it referred to as "pure" anti-virus products. "The tools were last updated and frozen on 2 October 2007. To our surprise, the detection rate of inactive samples reached just 90% on average, even though most of the rootkits used were released during 2005 and 2006. Only four of the six installed rootkits could be detected by an average tool and the cleaning rate was even lower with 54%. AVG (with one of the best standalone tools on Windows XP) performed poorly with no detection or cleaning of running rootkits on Vista," Marx and Morgenstern added.

On Windows Vista, Windows Live OneCare 1.6.2111.32 (1.1.2803.0) is no impediment at all for rootkits. The antivirus did detect five inactive samples, but just one active and succeeded in removing a single rootkit. By comparison, F-Secure Anti-Virus 2008, Norton Antivirus 2008 and Panda Security Antivirus 2008 achieved a perfect score by detecting and removing all the rootkits on Vista.

"Tests of the active rootkit detection and cleaning features of anti-malware products are rather time consuming and require a lot of resources to perform. However, programmers and testers should dedicate more attention to these features, as most AV tools still perform poorly in this area. Without proper anti-rootkit features a protection program may give the user the wrong impression about the status of his PC," Marx and Morgenstern concluded.

News Source: SoftPedia
