
No “rootkit” in Kaspersky® Anti-Virus

January 13, 2006

Kaspersky Lab responds to claims by Mark Russinovich regarding the use of rootkit technology in the company's products

Mark Russinovich, an IT professional, has recently been reported as saying that Kaspersky Lab makes use of “rootkit” technology in its Kaspersky® Anti-Virus products.

Kaspersky Lab believes that the iStreams™ technology utilized in Kaspersky Anti-Virus cannot be exploited by a malicious user, and to call this technology a rootkit is incorrect.

iStreams™ technology was first implemented in the Kaspersky Anti-Virus 5.x product range almost two years ago and improves scanning performance. In basic terms, Kaspersky Anti-Virus products use NTFS Alternate Data Streams to hold checksum data about files on the user's system: if a checksum remains unchanged from one scan to another, Kaspersky Lab's products know the file has not been tampered with and that it therefore does not require a repeat scan.

NTFS Alternate Data Streams are not visible to the naked eye; special tools are required to view them. The fact that these data streams are not automatically visible does not mean technology which utilizes these streams is potentially exploitable or malicious.

Kaspersky Lab believes that the technology used is not vulnerable to exploitation for the following reasons:
  1. If a Kaspersky Anti-Virus product is active, the streams are hidden and no processes (including system processes) have access to them.
  2. If the product is disabled, the streams will be visible if viewed using the appropriate tools.
  3. If a stream is rewritten with some (possibly malicious) data or code (for example, after rebooting in Safe Mode), when the system is next restarted, Kaspersky Anti-Virus will read the stream and not recognize the format. Kaspersky Anti-Virus will then begin to rebuild the checksum database. This means that potentially malicious code will be deleted.

Kaspersky Lab antivirus products utilize iStreams™ technology as it offers users a significant performance benefit.

The only drawback of this technology is that it increases the time taken to uninstall the product, as the data streams have to be deleted. For this reason, and this reason alone, the next version of Kaspersky Anti-Virus will use an alternative mechanism to deliver the same performance benefits.

Eugene Kaspersky has commented further on this issue in the Kaspersky Lab Analyst's Diary.

About Kaspersky Lab

Kaspersky Lab (www.kaspersky.com) develops, produces and distributes secure content management solutions that protect customers from IT threats. Kaspersky Lab's products protect both home users and corporate networks from viruses, spyware, adware, Trojans, worms, hackers and spam. For many years now, the company has waged a battle against malicious programs, and in doing so has gained unique knowledge and skills that have resulted in Kaspersky Lab becoming a technology leader and acknowledged expert in the development of secure content management solutions. Today, Kaspersky Lab's products protect more than 200 million users worldwide and its technology is licensed by leading security vendors globally. To find out more about Kaspersky Lab, visit www.kaspersky.com.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With more than a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's extensive threat intelligence and security expertise is constantly transforming into innovative solutions and services that protect businesses, critical infrastructure, governments and consumers around the world. The company's comprehensive portfolio includes leading endpoint protection products and services, as well as Cyber Immune solutions to fight sophisticated and constantly evolving digital threats. We help more than 200,000 corporate clients protect what matters most to them. More information at www.kaspersky.es.
