Full Version: F-secure Blacklight
kbnet
Seems like some antivirus companies are taking rootkits very seriously. F-Secure have a new technology called 'blacklight' which will aid in the elimination of rootkits. This technology is expected to be built into the anti-virus by the end of the year.

You can get the download from:

http://www.f-secure.com/blacklight/

How many tools is a Windows system going to need to keep it secure!? You need anti-spyware tools, virus scanners and other bits constantly monitoring the system to keep it safe. Don't think I will have any processing power left to run any other applications by the time I have all the security software bundled on!
sk3tch
Yeah, it is kinda ridiculous...should be bundled with AV already.

Whoever can integrate all aspects of fighting malware (phishing, spyware, adware, rootkits, viruses, trojans, etc) into one excellent product will succeed...but it will never happen. Jack of all trades, master of none as they say. And besides that, they can make more money separating it out.

It is strange that they've focused on this so much recently. It is obviously due to Microsoft's announcement - they always go direct to the mainstream media, which means consumers hear about it and more importantly, investors are paying attn...and investing more into companies that address this "new threat."

I'm running this F-Secure Rootkit Eliminator now, and it is essentially an AV scanner but obviously it searches for different hooks, etc into the OS that are rootkit-ish. Put it in your AV product F-Secure!!!
kbnet
I haven't seen much response from other companies for detecting rootkits. F-Secure always seem to be on the ball.

Let me know how you get on with blacklight, I would be interested to hear your thoughts on it.

In a few years' time how many resources are users going to need to protect their systems? It's going to be interesting to see how many different types of threats there are still to come and what users will have to do to counteract them.
sk3tch
It is quite simple, more proactive security measures are required.

Companies that are deploying technologies that go beyond definition-based detection have the best products. Buffer overflow protection, basic network protection, known-good program lists...etc.

I think there will always be a need for definitions-based scanning, but additional layers of security have to be added to aid in defending users from malware.

Take a look at McAfee VirusScan Enterprise 8i for an excellent example of this. They use definitions, buffer overflow protection, and network port blocking. On the home side of things, believe it or not, Norton AntiVirus 2005 has the edge. They have similar features as the McAfee product which end up creating a "user proof" system (i.e. even the most careless users are protected almost 100%). See the attached images ("live" shots of Norton AntiVirus 2005 running on one of my honeypots)...pretty impressive for a $49.95 home user product! HIDS, IPS, and basic firewall features...no real need to pony up the extra $$$ for Norton Internet Security 2005.
kbnet
But surely with the continued development of tools systems could in theory achieve a 'deadlock' state. The tools to protect a system are becoming increasingly advanced to counteract the intelligent methods of attacks. Windows users are seeing a continual increase of system resources being consumed (CPU usage, bandwidth) to try and keep their systems secure. I have several applications running to secure my Windows systems, and now with the introduction of 'blacklight' it is yet another application that will have to be added (is blacklight real-time protection?).

I think security should be implemented at a hardware level and should attempt to move the user away from implementing their own security. For example, I attended a Cisco conference a few months back and the lecturer was discussing the idea of implementing all security on a hardware level and moving away from the operating system managing the security.
Other companies have adopted a similar approach by implementing virus protection on the CPU. (http://www.pcstats.com/releaseview.cfm?releaseID=1122)

While I partially agree with this I don't think security could ever be fully removed from an application perspective. I think security should be implemented at an operating system and hardware level. However, I suppose it is not a logical move for companies such as Microsoft to try and offer 'rock solid' security in their OS because it's no good for generating revenue.

It's going to be interesting to see where this heads; as users pile on more security applications more system resources are consumed and the user will lose the user-friendly aspect of the system. I think the battle has only just begun. The sooner I have fully migrated to Linux the better.
vnet576
QUOTE(kbnet @ Mar 10 2005, 12:12 PM)
Seems like some antivirus companies are taking rootkits very seriously. F-Secure have a new technology called 'blacklight' which will aid in the elimination of rootkits. This technology is expected to be built into the anti-virus by the end of the year.

You can get the download from:

http://www.f-secure.com/blacklight/

How many tools is a Windows system going to need to keep it secure!? You need anti-spyware tools, virus scanners and other bits constantly monitoring the system to keep it safe. Don't think I will have any processing power left to run any other applications by the time I have all the security software bundled on!

I don't know, rootkits are a *nix rather than a Windows phenomenon. Hence the name "root"kit. They have moved on to and are more prevalent on Windows now since Windows is much more common.

And you don't have to run any AVs or spyware scanners to be completely secure. Run all your connections through a good router which blocks all non-essential ports. Keep your system patched and run a browser that doesn't interact with core Windows permissions and spyware becomes powerless.

Do your everyday computing under reduced/limited privileges to prevent anything that has slipped by from installing itself. To date I don't know of a single method to escalate privileges in a patched machine, so that should keep you secure.

Only use your administrator account when doing system changes and disconnect from the internet while doing so.

Remove all non-essential system services (google for black-viper's guide.) And there you go, a lean, more efficient and nearly unhackable system. Requires no additional software, AV, local firewall, etc.
kbnet
I appreciate what you are saying but by taking that approach you are moving the whole idea of user friendliness from a Windows system. I think there's a very fine balance between keeping a Windows system secure and keeping it user friendly. I'm no expert in Linux but what I've seen so far is that the user can be 'less' concerned with the setup of security measures without hindering user friendliness.

Referring to the Windows setup you just explained - is that an approach you take on your Windows system? I could never see myself using a Windows system without an AV or antispyware, even if I did take all the approaches you just discussed. I can see how it would improve security but I think it would never be enough on a Windows system.
vnet576
I'm also not an expert on Linux, but from what I heard most Linux distros are insecure out of the box. That is if you do absolutely nothing to it security-wise and just begin regular computing immediately. Don't hold me to this though since I'm sure there might be some Linux distros that are designed to be secure upon installation. Somebody who is familiar with multiple Linux distros can clarify this for us.

As for user-friendliness, the lack of it in all *nix OS's is what deters me from using them in the first place. If we are discussing user-friendliness versus potential security, then Linux is impractical for 99% of all computer users. Most users are not familiar enough with computers to really know how to work with Windows let alone Linux. What I'm thinking though is that no matter what software you use, if you're not decently familiar with how your OS of choice works, you will never be secure.

The approach that I described is one that I've been using for a while now. The problem with antivirus software is speed. I don't know if you remember the SQL Slammer worm, but it infected most vulnerable machines in the first 15 minutes. That time window was too fast for AV companies to respond. By the time a "fix" comes out it is already too late. My approach would have stopped that since external (WAN) UDP 1434 would have been blocked via the router, hence even if my machine was unpatched it wouldn't have been affected.
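The router policy vnet576 describes in the two posts above (allow what the LAN initiates, block all non-essential inbound ports, so an unsolicited UDP 1434 packet never reaches an unpatched host) modelled as a small default-deny filter. This is an added illustration, not code from the thread; the addresses and packets are constructed, and the "LAN/WAN" split and the allow-list are assumptions of the model.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = WAN -> LAN, "out" = LAN -> WAN
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PerimeterFilter:
    """Allow outbound, allow replies to flows the LAN opened, allow only listed inbound services, drop the rest."""
    def __init__(self, allowed_inbound=()):
        self.allowed_inbound = set(allowed_inbound)  # (proto, port) pairs the router publishes
        self.flows = set()   # (proto, lan_ip, lan_port, wan_ip, wan_port) opened from inside
        self.dropped = []    # dropped inbound packets, i.e. what the router log would show

    def handle(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: only pass it if it answers a flow a LAN host started, or a published service.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return "allow"
        if (pkt.proto, pkt.dst_port) in self.allowed_inbound:
            return "allow"
        self.dropped.append(pkt)
        return "drop"

def drops_by_port(fw):
    """Dropped inbound packets per (proto, port): a pile-up on one port is the outbreak signal a router log shows."""
    return Counter((p.proto, p.dst_port) for p in fw.dropped)

def demo():
    # Constructed addresses: 10.0.0.5 is the LAN host, 203.0.113.x are WAN hosts.
    fw = PerimeterFilter()  # no inbound services published
    verdicts = {}
    # A DNS lookup the LAN host initiates, and its reply, both pass.
    verdicts["dns_query"] = fw.handle(Packet("out", "udp", "10.0.0.5", 53000, "203.0.113.53", 53))
    verdicts["dns_reply"] = fw.handle(Packet("in", "udp", "203.0.113.53", 53, "10.0.0.5", 53000))
    # Unsolicited WAN traffic to UDP 1434 (the port Slammer spread over) never reaches the host.
    for i in range(3):
        verdicts[f"slammer_{i}"] = fw.handle(Packet("in", "udp", f"203.0.113.{10 + i}", 1434, "10.0.0.5", 1434))
    # Any other unsolicited inbound packet is dropped the same way.
    verdicts["web_probe"] = fw.handle(Packet("in", "tcp", "203.0.113.7", 40000, "10.0.0.5", 80))
    return verdicts, drops_by_port(fw)
```

The same filter with `allowed_inbound=[("tcp", 80)]` would publish a web server while still dropping the UDP 1434 packets, which is the trade-off the post makes between a lean system and reachable services.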