how to avoid getting rootkits

[User001]

I have seen online and on this forum to disable UAC using Win7, but how does one protect against rootkits - it uses admin permissions.

Also, if one disables UAC using Win 7, how does one verifies any incoming 3rd party applications and able to scan them using antiviruses/antispyware...etc.
I have seen a program from Hakin9 previous article where a hacker can create a blank Microsoft certificate using C++.

 

[7mm]

Don't know the BEST manual way.... but, try not to trust anything but the expert...., install a good Antivirus with solid rootkit protection. For me Avast 5 Free should be more than enough for such job. Also, install a good Firewall for catching things that missed by UAC, say nothing's better than Comodo Firewall. Good Luck!

 

[pparks1]

I would disagree with disabling UAC on Windows 7. People who disable it are simply annoyed by it. Others of us, have no trouble with the occasional pop-up here and there and leave it enabled.

 

[Corrine]

Hi, User001.

Certainly there are the standard recommendations to keep not only Windows software updated but third-party software updated as well, have up-to-date anti-virus software and a software firewall -- preferably a router as well. I agree that UAC should be enabled. A UAC prompt is one of the first signals that a program wants to run.

There are two additional important security measures. One is to use a limited user account, not Admin. The other is to keep DEP on. (Data Execution Prevention (DEP) is a security feature that helps prevent damage from viruses and other security threats by monitoring your programs to make sure they use system memory safely.)

 

[Borg 386]

Some good reads on Rootkits

But you don’t have to be at the mercy of rootkits. You can be prepared to deal with these nasty pieces of software should they show up. And even better, you can keep them from happening in the first place.

Read More:

Five tips for dealing with rootkits | Five Tips | TechRepublic.com

Also: 10+ things you should know about rootkits

http://blogs.techrepublic.com.com/10things/?p=416

 

[User001]

rootkit

According to the techrepublic article: I believe I had a #7 & #8 in my Win XP Pro SP3.
I ran Sophos & detected them, but does not know how to delete them.
What are the best ways to get rid?
I was thinking of getting hands on a clean PC running XP Pro & copy its entire registry and replace them in my PC.

 

[Francis93]

Do not disable User Account Control. UAC prompts the user if you allow or disallow programs to be executed and allow/disallow them to make changes to your computer. If you disable it, you'll never know what are the changes that are going to be made by applications to your computer. I suggest you set it to the default setting or to the max setting.

To avoid rootkits, you must scan your PC from time to time with GMER.

 

[pacinitaly]

Do not disable User Account Control. UAC prompts the user if you allow or disallow programs to be executed and allow/disallow them to make changes to your computer. If you disable it, you'll never know what are the changes that are going to be made by applications to your computer. I suggest you set it to the default setting or to the max setting.

To avoid rootkits, you must scan your PC from time to time with GMER.

thank you

 

[User001]

what about using Run as Admin

I was thinking, I read from a Win 7 text, the author suggest to bypass UAC, use Run as Admin.

Is using Run as Admin the same as UAC?
Can I check the Detail before I either Cancel or Install?
If I can Cancel using Run as Admin, where is the file stored and can I scan it using Antivirus before install or delete it if the file was detected as corrupt/infected?

 

[pacinitaly]

do not disable user account control. Uac prompts the user if you allow or disallow programs to be executed and allow/disallow them to make changes to your computer. If you disable it, you'll never know what are the changes that are going to be made by applications to your computer. I suggest you set it to the default setting or to the max setting.

To avoid rootkits, you must scan your pc from time to time with gmer.

gmer gives me errors?

 

[Corrine]

I was thinking, I read from a Win 7 text, the author suggest to bypass UAC, use Run as Admin.

Is using Run as Admin the same as UAC?
Can I check the Detail before I either Cancel or Install?
If I can Cancel using Run as Admin, where is the file stored and can I scan it using Antivirus before install or delete it if the file was detected as corrupt/infected?

Hi, User001.

To begin, as you have been advised by all of the replies in this thread, you should not try to bypass UAC. When selecting Run as Admin, you will receive a UAC prompt.

Second, unless you change the location, when you download files on Windows 7, they are saved to C:\\Users\%UserName%\Downloads. You can navigate to that folder and scan with your antivirus prior to installing. Note, however, that is not a guarantee the file is not infected. You could also scan the file at Virus Total or Jotti as well.

Advice: Download only from vendor and reputable sites.

To avoid rootkits, you must scan your pc from time to time with gmer.

gmer gives me errors?

Hi, pacinitaly.

GMER has not been updated for Windows 7. Besides, even if compatible, it would not help you avoid rootkits. It is for scanning/removal of rootkits.

 

[pacinitaly]

I was thinking, I read from a Win 7 text, the author suggest to bypass UAC, use Run as Admin.

Is using Run as Admin the same as UAC?
Can I check the Detail before I either Cancel or Install?
If I can Cancel using Run as Admin, where is the file stored and can I scan it using Antivirus before install or delete it if the file was detected as corrupt/infected?

Hi, User001.

To begin, as you have been advised by all of the replies in this thread, you should not try to bypass UAC. When selecting Run as Admin, you will receive a UAC prompt.

Second, unless you change the location, when you download files on Windows 7, they are saved to C:\\Users\%UserName%\Downloads. You can navigate to that folder and scan with your antivirus prior to installing. Note, however, that is not a guarantee the file is not infected. You could also scan the file at Virus Total or Jotti as well.

Advice: Download only from vendor and reputable sites.

To avoid rootkits, you must scan your pc from time to time with gmer.

gmer gives me errors?

Hi, pacinitaly.

GMER has not been updated for Windows 7. Besides, even if compatible, it would not help you avoid rootkits. It is for scanning/removal of rootkits.

thanks corrine !!!

 

[Corrine]

You're welcome pacinitaly.

 

[Jacee]

JMH brought this article to our attention last January Some Observations on Rootkits - Microsoft Malware Protection Center - Site Home - TechNet Blogs

 

[pacinitaly]

great read too

 

[pacinitaly]

got it to work on my vista laptop.
I don't know what I'm looking at:huh:

 

[Keiichi25]

got it to work on my vista laptop.
I don't know what I'm looking at:huh:

From that image, you are looking at roughly what I believe is the system uses to start initially. It points out several programs and the process it at starts at, which is where Rootkits try to embed themselves in to avoid being easily removed.

So far, nothing looks out of the ordinary, as there is the normal references to ntkernel and bthport, which I believe is for the Bluetooth port enabling for bluetooth devices like a keyboard to use the laptop.

 

[Jacee]

C:\Windows32\Drivers\PROCEXP141.sys is Process Explorer

 

[pacinitaly]

got it to work on my vista laptop.
I don't know what I'm looking at:huh:

From that image, you are looking at roughly what I believe is the system uses to start initially. It points out several programs and the process it at starts at, which is where Rootkits try to embed themselves in to avoid being easily removed.

So far, nothing looks out of the ordinary, as there is the normal references to ntkernel and bthport, which I believe is for the Bluetooth port enabling for bluetooth devices like a keyboard to use the laptop.

C:\Windows32\Drivers\PROCEXP141.sys is Process Explorer

thank you both very much!!