Re: Rootkit discovery tools

[Wyman Miles <wm63 () CORNELL EDU>]

> Interesting, but I take it this is applies to the UNIX environment only.
> We're still
> focused on the Microsoft desktop and was wondering if anyone has used
> BartPE in a big way?
> Might be worth revisiting if a bootable package of tools could be put
> together and used
> without much intervention from the end user.

It'll boot the PC to linux, yes.  One way or another, you're in an OS that
isn't native to the machine being scanned.  We shied away from BartPE
early on when many of the tools we'd otherwise want bumped up against
various licensing requirements.

> Mike
>
>
> Mike Wiseman
> Computing and Networking Services
> University of Toronto
>
>
> > I fixed up the netboot stuff in our re-package of Helix 1.7 to do this.
> > Well, strictly, it was to run spider remotely on a pile of machines.  We
> > threw Clamscan and BitDefender in the bargain, though, which makes
> > essentially what you describe.
> >
> > The systems PXE boot, do their stuff from helix.  It does require that
> > the
> > clients be manually rebooted the following morning, as there's a
> > chicken-and-egg problem in the process.
> >
> > > I'm none too clear on how one might do this, but I'd guess that
> > > maybe netbooting for the first bootstrap might be involved..
> > >
> > >
> > > Graham
> > > PS Rootkitrevealer is the only one I know of that is even likely
> > > to work from within windows itself, if we can't come up with a
> > > clever chained bootstrap trick.
> >
> >
> > Wyman Miles
> > Senior Security Engineer
> > Cornell University


Wyman Miles
Senior Security Engineer
Cornell University