Looking at the progress of rootkit development since last year, we have come to the opinion that reliable rootkit detection on a running computer is not realistic. We cannot give you a 100% guarantee that a running computer connected to a network is free of rootkits.
Partizan is a boot-watch anti-rootkit.
Rootkit authors like to play games.
"We hide rootkit files/drivers/registry keys, and after that you try to find us," they say.
We don't play those games.
Our strategy is different:
You hide yourself while we watch how you do it.
Every rootkit needs a way to start automatically after the computer reboots.
We can detect that and remove the rootkit from autostart.
This detects kernel rootkits without a lot of BSODs.
Partizan checks the computer automatically during every Windows boot.
Partizan uses a small amount of computer resources.
Partizan takes only a couple of seconds to check. Compare that with a full disk scan.
Partizan is powerful. It can detect and remove any kernel-mode/user-mode rootkit and Trojan/Spyware/Adware components.
You can use other anti-rootkit software alongside Partizan as well.
Partizan activates several agents for monitoring the Windows boot process.
1. Anti-Bootkit. Used against bootkit rootkits located in the boot sectors (in development).
2. Partizan boot driver. Used against Rustock-clone rootkits. It can trace registry services and delete a service. The Partizan driver starts at an early stage of the Windows boot process.
3. Partizan Native application. It is started from the BootExecute registry key.
The Partizan driver also has an additional "safe" mode that lets the Windows operating system skip processing of the Winlogon and similar registry keys, to avoid infection and to make removing an infection easier.
4. Secure Start. It starts before the Windows shell, using the RunOnceEx key.
Secure Start runs the UnHackMe application to test for rootkits using information from the Partizan boot driver.
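The boot-watch idea described above (record the autostart locations early in boot, then compare that record with what the running system shows and with the previous boot) as an added Python example; this is not Partizan or UnHackMe code, and the watched key set and the snapshot data are constructed assumptions for illustration:

```python
"""Cross-view check of Windows autostart locations (added example).

A boot-time agent records the autostart keys before a rootkit can filter the
view; a user-mode enumeration taken later is compared with it. Entries present
at boot but missing live are being hidden; entries new since the previous boot
are fresh persistence. All snapshots below are constructed sample data.
"""
from dataclasses import dataclass

# Autostart locations watched in this example (standard Windows registry keys).
WATCHED = {
    "services": r"HKLM\SYSTEM\CurrentControlSet\Services",
    "bootexecute": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager",
    "winlogon": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "runonceex": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
}

@dataclass(frozen=True)
class Finding:
    kind: str      # "hidden": filtered from the live view; "added": new since last boot
    location: str
    name: str
    value: str

def diff_views(boot_view, live_view, previous_boot=None):
    """Each view is {location: {entry_name: value}}; returns a list of Findings."""
    findings = []
    for loc in WATCHED:
        boot, live = boot_view.get(loc, {}), live_view.get(loc, {})
        base = None if previous_boot is None else previous_boot.get(loc, {})
        for name, value in boot.items():
            if name not in live:
                findings.append(Finding("hidden", loc, name, value))
            if base is not None and base.get(name) != value:
                findings.append(Finding("added", loc, name, value))
    return findings

# Constructed snapshots; a real collector would read the keys via winreg instead.
PREVIOUS_BOOT = {"services": {"Tcpip": "tcpip.sys", "Disk": "disk.sys"},
                 "bootexecute": {"BootExecute": "autocheck autochk *"},
                 "winlogon": {"Shell": "explorer.exe"}, "runonceex": {}}
BOOT_VIEW = {"services": {"Tcpip": "tcpip.sys", "Disk": "disk.sys", "svc_x": "svc_x.sys"},
             "bootexecute": {"BootExecute": "autocheck autochk *"},
             "winlogon": {"Shell": "explorer.exe", "Userinit": "userinit.exe,extra.exe"},
             "runonceex": {}}
LIVE_VIEW = {**BOOT_VIEW, "services": {"Tcpip": "tcpip.sys", "Disk": "disk.sys"}}  # svc_x filtered

if __name__ == "__main__":
    for f in diff_views(BOOT_VIEW, LIVE_VIEW, PREVIOUS_BOOT):
        print(f"{f.kind:6} {WATCHED[f.location]}\\{f.name} = {f.value}")
```

The "hidden" finding is the cross-view discrepancy a boot driver can expose, while the "added" findings are the autostart changes a per-boot check reports.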