No rootkit in Kaspersky Anti-Virus

Mark Russinovich, who is well known as an IT security expert, and who was a major player in the Sony rootkit scandal, is now suggesting that we use ‘rootkit’ technology in our products. His comments have been picked up in a PCWorld article (,aid,124365,00.asp). He said that “the techniques used by … Kaspersky’s Anti-Virus products are rootkits, a term usually reserved for the techniques that malicious software uses to avoid detection on an infected PC”.

Our products do use a technology called iStreamsTM, which is what Russinovich seems to be worried about. But this isn’t a rootkit.

We started using iStreamsTM technology a couple of years ago to improve scanning performance. Basically, this means that our products use NTFS Alternate Data Streams to hold checksum data about files on the user’s system. If a checksum remains unchanged from one scan to another, KAV products know the file has not been tampered with and do not, therefore, require a repeat scan.

To view NTFS Alternate Data Streams you need special tools. When KAV is active it hides its streams because they are its internal data only. Just because you can’t see them either automatically or with a special tool, it doesn’t mean that they’re malicious. It also doesn’t mean that a product which uses and hides these streams is using rootkit technology.We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:

  • If a KAV product is active, the streams are hidden and no processes (including system) have access to them.
  • If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams)
  • If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database – thus it will destroy the alien code/data.

The PCWorld article goes on to say: “While Russinovich agreed that the Symantec and Kaspersky cloaking techniques are not as dangerous as Sony’s, which was ultimately exploited by virus writers, he said that all three vendors were engaging in a practice that was bad for users and IT professionals”

In short, there is no danger for KAV users at all because there is no way to misuse KAV streams. I think that when we talk about security we need to be clearer about the difference between malicious (or dangerous) rootkits and cloaking technologies, which can’t be exploited by malware.

Our products use iStreamsTM technology to speed up performance. The only downside is that it increases the time it takes to de-install the product, as it has to remove data from the streams. Because of this, and for no other reason, the next version of our product will use a different technology to offer the same benefits.

Russinovich is further quoted as saying “You don’t want IT not knowing what’s on the systems,” he said. “Not being able to go to the system to do software inventory and disk space inventory, that’s just not a good idea.”

I say that there’s no way to know everything that’s on the system. The only way to do that is to format the disk. In this case you know for sure that there is nothing on the disk except boot sectors.

Different software products use different formats to store their data, including data compression and encryption. Thus the IT guys don’t really know what’s inside. I don’t know what’s in every single data file on my own computer, just I don’t know all the facts in every single book in my home library.

To sum up: I think that the ”rootkit” problem is being over hyped. It is up to all of us in the security industry and press to be careful about how we use terms. Ordinary users, who can’t analyze the situation themselves, shouldn’t be misinformed.

No rootkit in Kaspersky Anti-Virus

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox