Hunting for Rootkits
Posted Mar 2, 2007 16:49 UTC (Fri) by giraffedata
In reply to: Hunting for Rootkits
Parent article: Hunting for Rootkits
it's absolutely worthless to run checksums from a running system
There are lots of intrusions that running checksums from a running system do catch. Lots of systems are vulnerable to having important files compromised but not to having the checksumming stuff compromised. And lots of attacks are sophisticated enough to replace a file, but not to disable the checksumming facility. Given how much cheaper doing the checksums on the suspected system is than running checksums somewhere else, it's a good compromise for many systems.
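The kind of live baseline-and-verify checksum check the comment defends, as an added illustration (not code from the comment, the article or any real tool): it takes a baseline of a constructed directory tree, replaces one file with one of identical size, and shows the re-verification catching it, on the assumption the comment states, that the checksumming facility itself is still trustworthy.

```python
import hashlib
import os
import stat
import tempfile

# Added illustration: live checksums catch a replaced file as long as the
# checksummer (this script, hashlib, the kernel's view of the files) is intact.
def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Record digest, size and mode for every regular file under root."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            entries[rel] = (file_digest(path), st.st_size, stat.S_IMODE(st.st_mode))
    return entries

def verify(root, expected):
    """Compare the live tree against a baseline; return (changed, missing, added)."""
    current = baseline(root)
    changed = sorted(p for p in expected if p in current and current[p] != expected[p])
    missing = sorted(p for p in expected if p not in current)
    added = sorted(p for p in current if p not in expected)
    return changed, missing, added

def demo():
    """Constructed scenario: take a baseline, replace one file, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for name, body in (("bin/ls", b"original ls"), ("bin/ps", b"original ps")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        expected = baseline(root)
        # Replacement has the same size and mode, so only the digest reveals it.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"trojaned ps")   # constructed: 11 bytes, same as the original
        return verify(root, expected)
```

`demo()` returns `(['bin/ps'], [], [])`: the replaced file is flagged, while nothing is reported missing or added.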