Searching for rootkits using the double scanning technology
Most rootkits conceal their presence in the system by hooking system functions of the operating system. They hide the registry keys that point to their bodies, contain their startup parameters, or hold other related information.
When you launch the standard registry editor (Registry Editor, regedit.exe), you will not see this data in the registry. It seems as if it had never been there! But the rootkit starts and runs in your system every time your OS loads, stealing your personal and banking information, credit card numbers, passwords, etc.
You will get the same results with other registry scanners, even those included in various antivirus and antispyware applications. They won't find anything! An active rootkit will successfully trick them into reporting that there are absolutely no records about it in your system registry.
There are two types of rootkits: those that control the system at the application level and those that do so at the OS kernel level. If the scanning module of an antivirus or antispyware application includes a system driver, the application will easily detect application-level rootkits, because it receives information about objects at the kernel level. However, the most serious rootkits, kernel rootkits, will remain undetected.
CESAM handles this problem even without a system driver! It can detect rootkits of both types and marks them in red in the list of loaded components (more about color statuses).
You do not need to install any drivers or reboot your computer to start scanning. Just launch a regular application and anti-rootkit scanning starts as well. How is this possible? CESAM uses a unique double scanning technology: direct analysis of the system registry without using OS functions.
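The detection idea behind double scanning is a cross-view comparison: the same hive is listed once through the normal registry API (the view a hook can filter) and once by reading the hive data directly, and anything present in the raw view but absent from the API view is a candidate for being hidden. The script below is an added illustration of that comparison step only; it is not CESAM's code, and it does not parse a real hive file. Both listings are constructed sample data, and the service name `example_hidden_drv` and the `updater` autostart value are hypothetical entries invented to show what a discrepancy looks like.

```python
"""Cross-view ("double scanning") registry comparison, added illustration.

API_VIEW stands in for what RegEnumKey/RegEnumValue returned; RAW_VIEW stands
in for what a direct parse of the on-disk hive contained. A hook that filters
the API can only influence the first view, so keys and values that appear
only in the second are reported for analyst review.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the API view. ControlSet001 is used rather than the
# CurrentControlSet link, because the link exists only in the live registry
# and would have to be resolved before any on-disk comparison.
API_VIEW = {
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip": {"Start": 1, "Type": 1},
    r"HKLM\SYSTEM\ControlSet001\Services\Dhcp": {"Start": 2, "Type": 32},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
    # Volatile key: exists in memory only and is never written to a hive file,
    # so its absence from the raw view is expected, not suspicious.
    r"HKLM\HARDWARE\DESCRIPTION\System": {"Identifier": "AT/AT COMPATIBLE"},
}

# Constructed sample: the raw (on-disk) view. Note the different letter case
# of "tcpip"; registry names are case-insensitive and must be normalised.
RAW_VIEW = {
    r"HKLM\SYSTEM\ControlSet001\Services\tcpip": {"Start": 1, "Type": 1},
    r"HKLM\SYSTEM\ControlSet001\Services\Dhcp": {"Start": 2, "Type": 32},
    # Hypothetical service key that the API enumeration never returned.
    r"HKLM\SYSTEM\ControlSet001\Services\example_hidden_drv": {
        "Start": 0, "Type": 1,
        "ImagePath": r"\??\C:\Windows\system32\drivers\example_hidden_drv.sys",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        # Hypothetical autostart value filtered out of the API view.
        "updater": r"C:\ProgramData\updater\svc.exe",
    },
}

View = Dict[str, Dict[str, object]]


@dataclass
class Finding:
    kind: str              # hidden_key | hidden_value | mismatched_value | api_only_key
    key: str
    value: Optional[str] = None
    detail: str = ""


def _norm(name: str) -> str:
    """Normalise a key path or value name for case-insensitive comparison."""
    return name.replace("/", "\\").strip("\\").lower()


def _norm_view(view: View) -> View:
    return {_norm(k): {_norm(v): d for v, d in vals.items()} for k, vals in view.items()}


def cross_view_diff(api_view: View, raw_view: View,
                    volatile_prefixes: Tuple[str, ...] = (r"hklm\hardware",)) -> List[Finding]:
    """Compare the API view against the raw view and return every discrepancy.

    Raw-only keys and values are the interesting direction (something is being
    filtered from the API). API-only keys are reported too, minus known
    volatile subtrees, because they usually mean the on-disk hive is simply
    stale (unflushed) rather than anything hostile; they need a second look,
    not an alarm.
    """
    api, raw = _norm_view(api_view), _norm_view(raw_view)
    findings: List[Finding] = []
    for key, raw_vals in raw.items():
        if key not in api:
            findings.append(Finding("hidden_key", key,
                                    detail=f"{len(raw_vals)} value(s) on disk, none via API"))
            continue
        api_vals = api[key]
        for name, data in raw_vals.items():
            if name not in api_vals:
                findings.append(Finding("hidden_value", key, name, detail=repr(data)))
            elif api_vals[name] != data:
                findings.append(Finding("mismatched_value", key, name,
                                        detail=f"api={api_vals[name]!r} disk={data!r}"))
    for key in api:
        if key not in raw and not key.startswith(volatile_prefixes):
            findings.append(Finding("api_only_key", key,
                                    detail="present via API, absent on disk (unflushed hive?)"))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, suitable for a report."""
    return [f"[{f.kind}] {f.key}" + (f" :: {f.value}" if f.value else "") + f" ({f.detail})"
            for f in findings]


if __name__ == "__main__":
    for line in summarize(cross_view_diff(API_VIEW, RAW_VIEW)):
        print(line)
```

Two practical caveats for anyone building on this: the on-disk hive lags the live registry until the system flushes it, so a raw parse should read the hive together with its transaction logs (or be taken from a point-in-time snapshot) to avoid a flood of `api_only_key` noise, and links such as `CurrentControlSet` must be resolved before paths from the two views are compared.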