14 DAY TRIAL // Malwarebytes is a well-known security software developer, especially for the free version of their product, Anti-Malware. This December, they’re planning on releasing a new tool, specialized in detecting and eliminating rootkit installations.
The name of the tool is Anti-Rootkit and at the moment there is no solid information on whether the company will keep it free of charge. However, it may not digress too much from the current business model of providing a free version and a paid product, with more functionality. There is also the possibility to integrate it in Anti-Malware in order to expand its protection.
Rootkits are among the nastiest forms of malware as they have the property of hiding specific files and registry entries in order to cloak malicious activity on the system by intercepting and modifying low-level APIs. Furthermore, rootkits can install their own components to monitor the activity of the system or send sensitive information to remote locations.
Malwarebytes Anti-Rootkit is portable, so no installation is needed and you can use it on any computer under suspicion of rootkit infection.
Although this is not a tool for the general audience, users of all types can work with it because of the simple, wizard-like interface that offers guidance at every step. All the stages you have to go through for getting to a clean machine are displayed in the right hand part of the application window.
Before you start any scanning, the app requires to be updated to the latest database of malware definitions. This does not take long and you are provided with the version of the latest signature update (heuristics) and the one currently available.
Rootkit activity is capable of disrupting the activity of some security tools on the computer, but because it is portable, you can update Anti-Rootkit on a different machine and then bring it on the infected one and get straight to scanning. Downloading malware definitions did not take long in our case; a progress bar indicates the state of the task.
Scanning focuses on three targets, system drivers, hard disk sectors and system files, the main areas this sort of malware takes residence. During the process the application verifies the Master Boot Record (MBR) as well as the physical sectors of unallocated space.
A log of the entire activity is available in the “Scan” window, but this is the abridged form that shows the main actions taken. For more extensive information, you can look in the Malwarebytes Anti-Rootkit folder for the mbar-logs and the system-log. They are both TXT files and store details about each scan as well as each time the program was used.
Although the verification is done only in specific areas, in some cases the scan may take more than 10 minutes, so patience is advisable. System resources used during the operation may reach high levels but we noted spikes around 50% CPU and 100MB of RAM.
Our tests were conducted on both Windows 7 and 8. In the case of the latter, it flagged a legitimate Windows file as malicious, which is proof enough that the tool is not for novices and that further fine tuning is necessary.
The last step in the application is cleaning up the malware detected. You have the possibility to create a restore point (the option is turned on by default) before any data is eliminated. This way you can return to a running computer should something go wrong with the cleanup process.
There are no guarantees that all items detected by Malwarebytes Anti-Rootkit are indeed malicious and you have to be able to discern the false positives. During our tests, it flagged a valid entry on Windows 8, although on Windows 7 it made no mistake. Once a file is deleted, there is no quarantine folder to retrieve it from.
Update: We reported the false positive to Malwarebytes and the company solved the problem. On a clean Windows 8 system the application no longer raises the flag for legitimate files.
Also included in the application folder there is the FixDamage tool, a command-line utility designed to repair the damage made by rootkits. It simply attempts to restore critical system services such as security center, Windows Updates or firewall to their default configuration. It is to be used only in case of anomalous system behavior (lack of Internet access or firewall protection) after the cleanup procedure.
According to the developer, Malwarebytes Anti-Rootkit has been developed to eliminate MBR infectors as well as blended threats such as ZeroAccess, which combine multiple types of malicious attacks for increased damage and to spread faster.
The application relies on the same Chameleon technology available in Anti-Malware to prevent threats from shutting it down.
The Good
You can create a restore point before deleting any files from your computer.
The Bad
The Truth
Note: Malwarebytes Anti-Rootkit is currently in beta stage of development, hence a project in progress. As such, our rating will remain set to the default three stars until the stable version is evaluated.
