Sophos Anti-rootkit question

glennc

Hello,
I don't know if you guys can answer this, but so far you're 100%. Sophos Anti-Rootkit will often show hidden files which are either wrongly identified or are hidden copies of what appear to be plain downloaded backups of program installers in my Downloads folder, sometimes others. So far it has not given the advice to clean any files. Is this a glitch or something that needs to be worried about? I only use it occasionally, to maybe catch something my regular resident and run-on-demand malware scanners miss. I use Malware Anti-Malware and SuperAntispyware as run-on-demand, with McAfee paid Internet Suite and Threatfire as resident running.
Any help or explanation is appreciated. Thanx
glennc
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self-Built
OS
Windows 7 Ultimate
CPU
AMD Phenom-II X4 965
Motherboard
Gigabyte GA-MA785GM-US2H
Memory
8192 MB DDR2-SDRAM
Graphics Card(s)
ATI Radeon HD 4200
Sound Card
ATI Radeon HD 4200 High Definition Audio
Monitor(s) Displays
LG Electronics W1943
Screen Resolution
1360 X 768
Hard Drives
C: 500 GB Caviar Black SATA
E: 500 GB Caviar Black SATA
PSU
Ultra LSP 750
Case
Ultra XBlaster
Cooling
2 Fans, CPU Fan, PS Fan
Keyboard
Acer
Mouse
Logitech
Internet Speed
6 MB
Hi glennc, the files listed are "possible" threats, and it's not a glitch. As I see, you are very well secured with Malware Anti-Malware, SuperAntispyware, McAfee Internet Suite, and Threatfire. Do you run all of them in real-time? Best not to...
:D
 

My Computer

Computer Manufacturer/Model Number
XGS PII Dragon "Asus"
OS
windows 7 Pro x64
CPU
AMD Phenom II X4 955 Deneb 45nm Technology
Motherboard
ASUSTeK Computer INC. M4A78 PRO (AM2)
Memory
8.0GB Dual-Channel DDR2 @ 401MHz (5-5-5-18)
Graphics Card(s)
ATI Radeon HD 4800 Series (ATI
Sound Card
VIA High Definition Audio
Monitor(s) Displays
DELL 1908FP @ 1280x1024
Screen Resolution
1280x1024
Hard Drives
977GB SAMSUNG SAMSUNG HD103SI ATA Device (IDE)
Keyboard
HID Keyboard Device
Mouse
HID-compliant mouse
Internet Speed
2 Mb/s so far...
Hello mindinka,
Thank you for responding. Could you possibly go into a bit more detail about the "possible" threats, as they are all in the Downloads folder and some are PCWizard-related files? I run McAfee and Threatfire as resident (real time) and use the others for manual scans. I don't know if you can explain the problem of running multiple AVs or spyware scanners in real time. I have previously done it without apparent consequences up to XP Pro. I just don't understand the failings of multilayered coverage. I know that Threatfire is designed to run with a real-time firewall, AV and malware program.
Just confused. Appreciate your time.
glennc
A lot of people hear the word rootkit and immediately think the worst. A rootkit is actually any kind of software (or program) that provides access to resources, files and system information. So by definition, if law enforcement installs some kind of software to monitor someone's computer, or if a parent installs a nanny program to monitor their children's computer usage, that computer has a rootkit installed.

Sophos is a well-respected anti-malware firm that got its start in a business environment. Because their clients deal with huge sums of money, international transactions, etc., their programs are designed to err on the side of caution. When they opened their products to individuals, they really didn't change their software too much. And that has led to those "wrongly identified" notices. Again, the logic is to bring it to the user's attention and let the user decide if it's really something to worry about. If you want to double-check your system, Trend Micro also has a lightweight scan called Rootkit Buster you could use. You might need to run it in administrator mode.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Sony Vaio VPCEB47GM Laptop
OS
Win 7 Pro 64-bit
CPU
Intel i5 2.4 Ghz
Memory
8GB DDR3
Graphics Card(s)
Intel HD 3000
Sound Card
IDT High Definition
Monitor(s) Displays
15.6 WGXA Anti-Glare LED
Screen Resolution
1280x800
Hard Drives
640Gb 7200rpm
Antivirus
MSE
Browser
Opera (primary) with IE9 backup
As marsmimar already said, "possible" does not necessarily mean a real threat. The virtual driver, for instance, could be a "threat" in some cases, although it's not; some anti-malware applications conflict with each other because of that. If you try to run a trainer for a game, that could show up as a "possible threat". If all of your security software did not detect any threats... ThreatFire is very good at finding nasties, and yet it sometimes gives false positives on some things like game trainers... It's of course up to you to trust or not what the Sophos application shows to you, but it's possible to check "untrusted" programs with the other security applications which you have.
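The practical check behind this advice, for the case glennc describes (hidden files in the Downloads folder that look like copies of installers): hash every hidden file and see whether a visible sibling has identical content. This is an added example, not code from the thread or from Sophos; the folder layout and the sample files are constructed, and "hidden" is taken to mean a dot-prefixed name or, on Windows, the FILE_ATTRIBUTE_HIDDEN attribute.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """Dot-prefixed name, or FILE_ATTRIBUTE_HIDDEN on Windows
    (st_file_attributes only exists on Windows stat results)."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_hidden_files(folder: str) -> dict:
    """Map each hidden file name to 'duplicate of <visible names>' when its
    SHA-256 matches a visible file in the same folder, else 'unmatched'
    (the ones worth a second scan with another tool)."""
    visible, hidden = {}, []
    for p in Path(folder).iterdir():
        if not p.is_file():
            continue
        if is_hidden(p):
            hidden.append(p)
        else:
            visible.setdefault(sha256_of(p), []).append(p.name)
    report = {}
    for p in hidden:
        match = visible.get(sha256_of(p))
        report[p.name] = "duplicate of " + ", ".join(match) if match else "unmatched"
    return report


if __name__ == "__main__":
    # Constructed demo folder: one installer, a hidden copy, and a hidden stranger.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "setup.exe").write_bytes(b"MZ installer bytes")
        Path(d, ".setup.exe").write_bytes(b"MZ installer bytes")
        Path(d, ".stray.bin").write_bytes(b"something else")
        for name, verdict in triage_hidden_files(d).items():
            print(f"{name}: {verdict}")
```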
Gentlemen,
Thanks for your time in explaining in more detail the questions I had. With this newfound knowledge, I believe I am pretty safe. Who really knows. Take care.
glennc
Of course you are... Stay SAFE... :D