Posted Mar 2, 2007 10:45 UTC (Fri) by drag
In reply to: Signed Executables.
Parent article: Hunting for Rootkits
Remember that you can't trust a root-compromised system to be honest about the checksums and signatures.
A kernel-level rootkit (all non-trivial modern ones are) can make any file it modifies come back with any value or checksum it wants by intercepting system calls and such things from kernel-land.
This is a major problem for Windows: since the systems are trivially compromised, there is no reliable way for a virus scanner or anti-adware application to successfully clean a system.
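The defensive consequence of the comment above, as an added example that is not part of the original thread: checksum verification is only meaningful when the suspect filesystem is read through a kernel you trust, so the check below assumes the disk has been mounted read-only from a clean boot medium and compares it against a manifest of known-good SHA-256 values (the manifest format and the directory layout are assumptions for illustration).

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest, root):
    """manifest: dict of relative path -> expected sha256 hex digest.
    root: mount point of the suspect filesystem, mounted read-only from a
    trusted boot medium so the hashes are computed by a kernel the rootkit
    does not control.  Returns dict path -> 'ok' | 'modified' | 'missing'."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif sha256_file(path) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "modified"
    return results


def demo():
    """Constructed sample: a throwaway directory stands in for the offline mount."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    originals = {"bin/ls": b"original ls\n", "bin/ps": b"original ps\n"}
    for rel, data in originals.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    # Known-good manifest, as it would have been recorded before the incident.
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in originals.items()}
    manifest["bin/netstat"] = hashlib.sha256(b"original netstat\n").hexdigest()
    # Simulate a tampered binary on the suspect disk.
    with open(os.path.join(root, "bin", "ls"), "ab") as f:
        f.write(b"trojaned\n")
    return verify_manifest(manifest, root)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9} {rel}")
```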