The following 11 dedicated products for the detection and removal of programs that conceal their presence in the system (rootkits) were tested:

1. Antivir Rootkit 1.0.1.12 Beta 3
2. AVG Antirootkit 1.1.0.29 Beta
3. Trend Micro RootkitBuster 1.6.0.1055 Beta
4. McAfee Rootkit Detective 1.0.0.41 Beta
5. Rootkit Unhooker 3.20.130.388
6. F-Secure BlackLight 2.2.1055 Beta
7. Sophos Anti-Rootkit 1.2.2
8. AVZ 4.23
9. Gmer 1.0.12.12027
10. Bitdefender Antirootkit 1.2.0.0 Beta2
11. UnHackMe 4.0

The anti-rootkit products were tested on the following malicious programs selected according to the criteria described above:

1. Backdoor.Win32.Haxdoor.fd
2. Backdoor.Win32.Padodor.ax
3. Monitor.Win32.EliteKeylogger.21
4. Monitor.Win32.SpyLantern.530
5. Trojan-Clicker.Win32.Costrat.af
6. Trojan-Proxy.Win32.Agent.lb
7. Trojan-Spy.Win32.Goldun.np
8. Trojan.Win32.DNSChanger.ih
9.  Worm.Win32.Feebs.gt

The names of the malicious programs used in this report are based on the Kaspersky Lab classification; alternative names used by other vendors can be found in the detailed testing report.

Testing of the ability of anti-rootkit programs to detect and remove malicious programs was conducted strictly in accordance with the methodology described above.

Table 1: Results of testing for malicious program detection and removal by anti-rootkit solutions

Table 2: Summary of anti-rootkit testing results 

Table 3: Summary of anti-rootkit testing results (released products only)

Almost all of the anti-rootkit solutions tested, with the exception of Gmer, Bitdefender Antirootkit and UnHackMe, demonstrated excellent or good results and can be successfully used to detect and remove malicious programs that use rootkit technologies to conceal their presence in the system.

It should be noted that some anti-rootkit solutions had problems removing (or renaming) the files detected and protecting their own processes. The principal reason for this is that, in addition to rootkit technologies, virus writers use other methods to protect their malicious programs. For example, Worm.Win32.Feebs.gt creates a hidden process that it uses as bait. When an anti-rootkit solution attempts to open this process, the worm terminates the anti-rootkit program’s process. Another widely used method is opening malicious program files with protected access rights.

The three best products based on the test results were Antivir Rootkit, AVG Antirootkit and Trend Micro RootkitBuster. All three products are currently in beta testing. Among those products which have already been commercially released, the best results were achieved by Rootkit Unhooker, Sophos Anti-Rootkit and AVZ.

For detailed test results, including information on the removal of specific viruses, and to verify the calculations used to determine the test results, please download the complete results in Microsoft Excel format.