
Hidden Rootkit

Does anyone know what this unremovable rootkit belongs to?

There is no other available info on it.

Is there a way to remove it, without rebuilding HD?

\HKEY_USERS\S-1-5-21-1390067357-299502267-725345543-1006

\HKEY_USERS\S-1-5-21-1390067357-299502267-725345543-1006_Classes

Running XP SP3.



  • Anti-Rootkit tools (including Sophos) scan at a high level using APIs and at a low level (raw content) and then compare the difference.

    Therefore items can be hidden to the API scan but exist in the raw scan that are not malicious at all, so items show as hidden for legitimate reasons.

    Also, temporary files that are present in one scan and not the other will show.

    This will account for many of the hidden items (scan difference) seen when a rootkit is not present on a machine.

    Please also remember that some of the more complex rootkits will have more complex techniques (anti-anti-rootkit) and will be aware of a raw data scan occurring and so will unhook and therefore avoid detection. But a rootkit will be there to do something in order to generate revenue for the author, and there is always a tell, so please contact support if you are uncertain of what any Anti-Rootkit scan shows.
