Sophos Anti-Rootkit, shown in Figures A-12 and A-13, is similar to the RootkitRevealer and BlackLight rootkit detectors. In all three cases, the operator simply presses a button to check for signs of a rootkit, though Sophos adds the ability to deselect individual detection methods that are not wanted.
Sophos is very good at finding hidden processes and hidden registry entries. It will find both the hidden HideMe.exe process and the hidden MyDeviceDriver registry key presented in this book, though it will not find the hidden directory. Sophos will also report several thousand false positives while scanning the registry. Until Sophos's results can be filtered to screen out these false positives, the genuine anomalies caused by rootkits can be hard to pick out.