Hidden Rootkit

Does anyone know what this unremovable rootkit belongs to?

There is no other available info on it.

Is there a way to remove it, without rebuilding HD?

\HKEY_USERS\S-1-5-21-1390067357-299502267-725345543-1006

\HKEY_USERS\S-1-5-21-1390067357-299502267-725345543-1006_Classes

Running XP-SP3
Hello Dan,

good work. Guess you've found the cause.

Hidden doesn't mean totally invisible - how else could SAR find it? Maybe this explanation can make it a little bit clearer: Names of objects (files, folders, registry keys, ...) are recorded in a parent object. If you have at least read access to the parent object you can enumerate these names. Sometimes the Windows interfaces (e.g. Explorer) hide (by default, but you can de-select this) the (names of) objects because of certain attributes or ACLs (access control lists). If you have a folder where only SYSTEM has access (System Volume Information is an example) you will get Access denied when trying to open it. But using the properties dialog you - as administrator - can take ownership and then add yourself to the access list, and then you'll see what's inside (no, I don't recommend you try it). Sometimes a vendor thinks that users must be protected from themselves (and their product from the users) and they try to hide certain data from casual inspection and alteration (and in some cases try to enforce intellectual property rights this way). While often (but not always) done with good intentions, this approach is arguable - as you see yourself.

This is why SAR (and similar products) only speak of possibilities unless additional findings (or matching signatures) confirm that the detected item belongs to a rootkit.

Christian
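As an added triage example (not from the thread or from Sophos), the PowerShell below does the two steps Christian describes: it lists the child names recorded in the parent HKEY_USERS, then tries to open each child and read its owner, so a key that is present but ACL-protected ("Access denied") can be told apart from one that does not enumerate at all. It also resolves SID-named keys such as the two in the question to an account name. It assumes an elevated session on a Windows version with PowerShell and .NET, which XP SP3 does not ship by default.

```powershell
# Added example, not from the thread: walk the children of HKEY_USERS by first
# enumerating names from the parent object and then opening each child separately.
# Assumes an elevated PowerShell session (PowerShell is not on XP SP3 by default).
$parent = [Microsoft.Win32.Registry]::Users

# 1. Names live in the parent object: read access to HKEY_USERS is enough to list them.
foreach ($name in $parent.GetSubKeyNames()) {
    $status = 'readable'
    try {
        # 2. Opening the child is a separate check against the child's own ACL.
        #    A SYSTEM-only key shows up in step 1 but fails here with a SecurityException.
        $child = $parent.OpenSubKey($name, $false)
        if ($null -eq $child) { $status = 'listed but not found' }   # re-check, don't assume
        else { $child.Close() }
    } catch [System.Security.SecurityException] {
        $status = 'access denied'
    }

    # 3. The security descriptor is a separate read (READ_CONTROL); if even that is
    #    denied we report n/a. The owner is what the properties dialog lets an
    #    administrator take over before adding themselves to the access list.
    try   { $owner = (Get-Acl -Path "Registry::HKEY_USERS\$name").Owner }
    catch { $owner = 'n/a' }

    # 4. Keys under HKEY_USERS are named by SID (with a _Classes twin for the user's
    #    HKCR data); resolving the SID shows which account profile the key belongs to.
    $account = ''
    $sidText = $name -replace '_Classes$', ''
    if ($sidText -match '^S-1-\d+(-\d+)+$') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = '(SID not resolvable on this machine)' }
    }

    '{0,-55} {1,-20} owner={2,-25} {3}' -f $name, $status, $owner, $account
}
```

A key whose name is listed but which cannot be opened is the "hidden by ACL" case in Christian's explanation; a name that SAR reports but this enumeration never returns is the case where more evidence is needed before calling it a rootkit.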