Detecting and removing Absolute persistence technology

  • Absolute persistence technology amounts to a persistent rootkit pre-installed by many device manufacturers (Acer, Asus, Dell, HP, Lenovo, Samsung, Toshiba, etc.) to facilitate LoJack for laptops, and other backdoor services:

    The Absolute persistence module is built to detect when the Computrace and/or Absolute Manage software agents have been removed, ensuring they are automatically reinstalled, even if the firmware is flashed, the device is re-imaged, the hard drive is replaced, or if a tablet or smartphone is wiped clean to factory settings.

    Absolute persistence technology is built into the BIOS or firmware of a device during the manufacturing process.

    This has echoes of both Rakshasa and vPro.

    Also, like other corporate rootkits, it increases the attack surface available on the host PC and thereby opens the door to additional malware:

    The protocol used by the Small Agent provides the basic feature of remote code execution [and] creates numerous opportunities for remote attacks in a hostile network environment. ... A typical attack on a local area network would be to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning. Another possibility is to use a DNS service attack to trick the agent into connecting to a fake C&C server. We believe there are more ways to accomplish such attacks, though this is beyond the scope of the current research.

    If a user legally purchases, secondhand or new, a device that originally had Absolute persistence technology built-in and may even have had it activated, and wishes:

    • to detect whether the technology is still present in the device; and, if so,
    • to remove that technology from the device (i.e. disinfect the device),

    how best should the user go about this?

    I'm guessing that Coreboot is part of the answer.

    Unless there is a dedicated chip onboard for storing such preinstalled modules, flashing with a clean or modded version of the BIOS is enough. Coreboot can also be used. To detect the presence, the best way is to observe the system deeply and carefully, check settings in the BIOS, reverse engineer the BIOS, etc.

    @Nikhil_CV, I've no idea whether there is a dedicated chip, or indeed if the rootkit persists by homing itself in multiple chips/firmwares/etc (e.g. is it related to "Intel Anti-Theft Technology" in many modern Intel CPUs?). If you know more than I do, then please expand on your comment in an answer, and provide sources for your information. Thanks!

  • "Absolute persistence technology is built into the BIOS or firmware of a device during the manufacturing process."

    So, in addition to removing the agent, you will need to flash the BIOS or firmware of the device, with a version without the technology.

    Since "core boot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers", it is potentially part of an answer.

    Of course, you haven't specified a device, so it's impossible to provide you with a detailed answer. The only correct answer is 'it depends'.

    The functionality of the technology requires that removing it remain infeasible, so its quality/reputation hinges on us being unable to provide you with a detailed answer.

    It's really not one technology, but many; review the NSA's ANT technology codenamed DEITYBOUNCE, IRONCHEF, FEEDTROUGH, GOURMETTROUGH, etc; see

    I didn't specify a device because I'm interested in the general case and I don't know whether there's a common implementation or if implementation varies from model to model. Still, if you want a specific suggestion, how about the ThinkPad X60?

    That's cool. The only correct answer is 'it depends', because the implementation varies from model to model. I don't have specifics for the ThinkPad X60. For the Juniper brand, for example, there are three implementations in the NSA toolbox. Can these be detected? Not readily. There is no answer to your question until someone knows what the technology is in a specific case. How to go about knowing that? Buy the tech, and compare a protected system to an unprotected one.

    I'm not sure what you mean by "protected". Presumably, you mean one with the Absolute rootkit removed. Anyhow, this still begs the question of *how* to get both a protected and unprotected X60 (for instance) in order to make such a comparison.

  • The only way I know of is to contact Absolute Software and request removal of the agent. They are friendly enough, they will ask for some identifying information on the laptop, and then they will send a message to the original owner and ask if they sold it or got rid of it (I guess).

    I waited on the order of six months for the final resolution, just got my message. Here is what it looks like:

    The agent has been removed from device XXXXXXXX, make sure that the device is connected to a wired network, must have Windows O.S. installed, perform some reboots and please allow 24.5 hours in order to complete the whole process. Please let us know if you need further assistance.

    Interesting to know that this option is available. However, it requires the user to trust MS and to place even more trust in *Absolute Software* than might otherwise be so. I.e. it requires the user to: trust *AS* with (pseudonymous?) contact info associated w/the PC in question; trust *AS* (& anyone they share info with) not to misuse their ability to correlate that identity w/the PC's connections to the Internet; trust the agent to do no harm while still present; trust *AS* to get back to you; and trust *AS* to have been truthful if/when they finally tell you they have removed the agent.

    Upvoted, because this is *plausibly the approach that AS intends for users who wish to remove the agent*. So, thank you for pointing it out. However, I have not marked this answer as "accepted", because the approach outlined in it seems to me to be slow, dangerous, and unverifiable; and because it does not address the "[how] to detect whether the technology is still present in the device" part of my question.

  • You could, as I did, write a Windows service that loads early in the Windows boot order (in my case before the network service) and waits for the service injected by the APM module to load. Once detected, it will stop the APM service and delete the service's file. I kept my service running in the background just in case the APM module could somehow re-inject and run the APM service.

    This method worked with my Acer TravelMate from 2012; maybe things have come along since then.

  • According to the FAQ:

    What if the Absolute software agent needs to be removed from a device?

    IT administrators that have been authorized to do so, may carry out this function themselves within the Absolute Customer Center for Computrace, or from within the Absolute Manage console for Absolute Manage software agent removal.

    I.e. you have to allow CompuTrace to be installed, persuade Absolute that you are the authorised user now, get control transferred to you, and de-activate it using their managed service.

    Which will certainly involve sending them money.

    I am guessing that CompuTrace will be detected by any competent antivirus as "remote management software" which you can probably flag not to run.

    I'm afraid this FAQ answer ("*What if the Absolute software agent needs to be removed from a device?*") doesn't address my question, as it would only remove the software agent, not the Active persistence technology.

    As for using mainstream antivirus software to block the execution of any part of the Active system, that's unlikely to work: **"the Absolute"**.

  • I reached Absolute Software tech support at the provided number and gave him the PC serial number. He told me that their records said that Computrace had been disabled by the original PC owner 5 years ago, however there is nothing that Absolute Software can do to help, that my only recourse is to see about purchasing a replacement motherboard from the manufacturer.

  • My ThinkPad T490 has a BIOS option in the Security tab to "permanently disable the Absolute Persistence Module". It's in no way clear what this option actually does, but I've just disabled it on my system. This option, or similar options, are available for many ThinkPads. For discussion, see

  • I have CTES from Absolute on my Dell laptop board and consider it corporate spyware. This is how I defeated it. I went to C:\Windows\system32\ and grouped everything by manufacturer, and made a list of everything from Absolute so I could create a .cmd file to delete it all (hey, it's gonna come back, right?). I did the same in SysWOW64. There are five services to stop: CscService, Ctes Manager, CtesHostSvc, rpchdp and rpcnet. These were stopped using NET STOP in my .cmd file, before I deleted everything, like this:

    @Echo Off
    REM Run from an elevated (Administrator) command prompt.
    REM Service names containing a space must be quoted or NET STOP fails.
    REM Start=4 marks each service Disabled so the Service Control Manager
    REM does not start it again at the next boot.
    REM Note: CscService is also the name of Windows' own Offline Files
    REM service; confirm the binary path before disabling it.
    NET STOP CscService /Y
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\CscService" /v "Start" /t REG_DWORD /d "4" /f
    NET STOP "Ctes Manager" /Y
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Ctes Manager" /v "Start" /t REG_DWORD /d "4" /f
    NET STOP CtesHostSvc /Y
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\CtesHostSvc" /v "Start" /t REG_DWORD /d "4" /f
    NET STOP rpchdp /Y
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\rpchdp" /v "Start" /t REG_DWORD /d "4" /f
    NET STOP rpcnet /Y
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\rpcnet" /v "Start" /t REG_DWORD /d "4" /f
    REM Remove the agent binaries from the 32-bit (SysWOW64) and 64-bit (System32) system directories.
    DEL /F /Q /A C:\Windows\SysWOW64\cshost.dll
    DEL /F /Q /A C:\Windows\SysWOW64\CTLojack.dll
    DEL /F /Q /A C:\Windows\SysWOW64\DIAGDLL64.DLL
    DEL /F /Q /A C:\Windows\SysWOW64\identprv.dll
    DEL /F /Q /A C:\Windows\SysWOW64\pkgmgr.dll
    DEL /F /Q /A C:\Windows\SysWOW64\pcnet.dll
    DEL /F /Q /A C:\Windows\SysWOW64\wceprv.dll
    DEL /F /Q /A C:\Windows\SysWOW64\instw64.exe
    DEL /F /Q /A C:\Windows\SysWOW64\pkgslv.exe
    DEL /F /Q /A C:\Windows\SysWOW64\rpcnet.exe
    DEL /F /Q /A C:\Windows\System32\cshost.dll
    DEL /F /Q /A C:\Windows\System32\CTLojack.dll
    DEL /F /Q /A C:\Windows\System32\DIAGDLL64.DLL
    DEL /F /Q /A C:\Windows\System32\identprv.dll
    DEL /F /Q /A C:\Windows\System32\pkgmgr.dll
    DEL /F /Q /A C:\Windows\System32\pcnet.dll
    DEL /F /Q /A C:\Windows\System32\wceprv.dll
    DEL /F /Q /A C:\Windows\System32\instw64.exe
    DEL /F /Q /A C:\Windows\System32\pkgslv.exe
    DEL /F /Q /A C:\Windows\System32\rpcnet.exe
    REM Remove the agent's data and persistence-log directories.
    RD /S /Q C:\ProgramData\CTES
    RD /S /Q C:\ProgramData\Rpcnet

    OK, services stopped, everything deleted. CTES is now off the system temporarily; temporarily because it's on the motherboard and it will reinstall to your system. Now you have your .cmd file you can run, but that's not enough: CTES must contact a server to update itself and then upload data, and it's considerable. Go to the CTES folder and have a look at CtesPersistence.txt to get an idea of what's happening. I stopped that Internet traffic cold by blocking these servers in the hosts file:

    I have effectively disabled a rather well-thought-out piece of corporate spyware. The CTES service still installs because it's on my laptop board. I have Process Hacker from SourceForge; it notifies me when the CTES service installs, so I give it an hour, then go to %ProgramData%\CTES and confirm that nothing was updated or uploaded.

    To understand just how persistent this is, have a look at the Administrator's Guide for Absolute Agents. Once the software is activated, you can only block it. And most laptops are shipped with it activated. Please note this is my system; yours may be different, but it's a jumping-off point.

    So to answer the question, I will say quite definitively that this technology is not coming off that board... ever. It can only be managed.

    Here's some reference (port, then the purpose of each Absolute endpoint):

        80 and 443  Absolute agent communication for Windows and Mac
        80          Data Delete & Device Freeze
        80          Absolute Consumer agent
        443         End of Life (EOL) Data Delete
        80          Absolute Persistence 2.x
        80          Absolute Persistence 2.x
        80          Real-Time-Technology over IP (RTT-IP)
        443         Absolute 7 components
        443         Absolute 7 components delivered from Microsoft Azure Content Delivery Network
        80          Data Transfer and embedded URL
        443         End User Messaging
        443         Web Services API
        443         Professional Services
        443         Professional Services
        443         Professional Services
        443         Absolute agent communication for Android and Chromebook
        443         Absolute for Chromebooks Extension Web Store
        443         Google Cloud Messaging for Android and Chromebook
        80          Absolute holding account
        80          CRL Distribution Point
        80          CRL Distribution Point
        80          CRL Distribution Point
        80          Authority Info Access - On-line Certificate Status Protocol
        80          Authority Info Access - On-line Certificate Status Protocol
        80          Authority Info Access Certification Authority Issuer
        80          CRL Distribution Point
        80          Authority Info Access - On-line Certificate Status Protocol
        80          CRL Distribution Point
        80          CRL Distribution Point
        80          Authority Info Access Certification Authority Issuer
        80          Authority Info Access - On-line Certificate Status Protocol
        80          CRL Distribution Point
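Two of the answers above (the early-boot service that waits for "the service injected by the apm module", and the .cmd file whose author notes that "CTES service still installs because it's on my laptop board") describe the agent coming back from firmware after every wipe, but none of them shows a check for the first half of the question, whether the technology is still present. On UEFI machines running Windows, a firmware-resident installer reaches the operating system through the ACPI Windows Platform Binary Table (WPBT): the table tells Windows where in memory a PE image sits, and Windows extracts and runs it during boot. Absolute's persistence module is one known user of that table, so asking the firmware whether it publishes a WPBT is a quick, non-invasive detection step. The following is an added example, not code from the original page or from Absolute: it parses a WPBT table offline (the sample table, OEM ids and image address are constructed for illustration, not captured from any vendor) and, on Windows, reads the live table through the documented kernel32 GetSystemFirmwareTable call.

```python
"""Check whether firmware hands Windows a boot-time binary via the ACPI WPBT table.

parse_wpbt() works on raw table bytes and runs anywhere; read_wpbt_windows()
only returns data on Windows, where the table is obtained from kernel32.
The SAMPLE_WPBT below is constructed for this example, not a real capture.
"""
import struct
import sys

# Standard 36-byte ACPI table header, then the 16-byte WPBT-specific body.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")   # handoff size, physical address, layout, type, args length
ARGS_OFFSET = ACPI_HEADER.size + WPBT_BODY.size   # command-line arguments start at byte 52

LAYOUTS = {1: "single PE image"}
TYPES = {1: "native user-mode application"}


def parse_wpbt(blob: bytes) -> dict:
    """Validate and decode a raw WPBT table; raises ValueError on anything malformed."""
    if len(blob) < ARGS_OFFSET:
        raise ValueError("blob too short to be a WPBT table")
    sig, length, rev, _csum, oem_id, oem_table_id, _, _, _ = ACPI_HEADER.unpack_from(blob, 0)
    if sig != b"WPBT":
        raise ValueError("signature is %r, not WPBT" % sig)
    if length < ARGS_OFFSET or length > len(blob):
        raise ValueError("header length %d inconsistent with %d bytes of data" % (length, len(blob)))
    # ACPI tables sum to zero (mod 256) over their declared length.
    if sum(blob[:length]) & 0xFF:
        raise ValueError("checksum mismatch: table corrupted or tampered")
    handoff_size, handoff_addr, layout, btype, arg_len = WPBT_BODY.unpack_from(blob, ACPI_HEADER.size)
    if ARGS_OFFSET + arg_len > length:
        raise ValueError("command-line arguments run past the end of the table")
    args = blob[ARGS_OFFSET:ARGS_OFFSET + arg_len].decode("utf-16-le").rstrip("\x00")
    return {
        "signature": sig.decode(),
        "revision": rev,
        "oem_id": oem_id.rstrip(b"\x00 ").decode(errors="replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode(errors="replace"),
        "handoff_size": handoff_size,      # bytes of the image Windows will copy out of memory
        "handoff_addr": handoff_addr,      # physical address the firmware placed it at
        "layout": LAYOUTS.get(layout, "unknown (%d)" % layout),
        "type": TYPES.get(btype, "unknown (%d)" % btype),
        "arguments": args,
    }


def is_malformed(blob: bytes) -> bool:
    """True if parse_wpbt() rejects the blob (truncated, wrong signature, bad checksum...)."""
    try:
        parse_wpbt(blob)
        return False
    except ValueError:
        return True


def build_wpbt(oem_id: bytes, oem_table_id: bytes, size: int, addr: int, args: str = "") -> bytes:
    """Assemble a well-formed WPBT table; used here only to construct test input."""
    arg_bytes = args.encode("utf-16-le") + b"\x00\x00" if args else b""
    body = WPBT_BODY.pack(size, addr, 1, 1, len(arg_bytes))
    header = ACPI_HEADER.pack(b"WPBT", ARGS_OFFSET + len(arg_bytes), 1, 0,
                              oem_id, oem_table_id, 1, b"EXMP", 1)
    raw = bytearray(header + body + arg_bytes)
    raw[9] = (-sum(raw)) & 0xFF           # fix up the header checksum byte
    return bytes(raw)


# Constructed sample: hypothetical OEM ids and a 128 KiB image at 0x80000000.
SAMPLE_WPBT = build_wpbt(b"EXMPLE", b"HYPOTHET", 0x20000, 0x80000000)


def read_wpbt_windows():
    """Return the live WPBT table bytes, or None when absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetSystemFirmwareTable.argtypes = [ctypes.c_uint32, ctypes.c_uint32,
                                           ctypes.c_void_p, ctypes.c_uint32]
    k32.GetSystemFirmwareTable.restype = ctypes.c_uint32
    provider = int.from_bytes(b"ACPI", "big")      # 'ACPI' provider signature, 0x41435049
    table_id = int.from_bytes(b"WPBT", "little")   # ACPI table ids are passed little-endian
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None                                # firmware exposes no WPBT table
    buf = ctypes.create_string_buffer(needed)
    got = k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw[:got]


def report(blob) -> str:
    """One-line verdict for a table, or for its absence."""
    if blob is None:
        return "no WPBT table: firmware is not handing Windows a boot-time binary"
    info = parse_wpbt(blob)
    return ("WPBT present (OEM %s/%s): %s of %d bytes at 0x%x, %s, args=%r"
            % (info["oem_id"], info["oem_table_id"], info["layout"],
               info["handoff_size"], info["handoff_addr"], info["type"], info["arguments"]))


if __name__ == "__main__":
    print(report(read_wpbt_windows()))
```

Run it as an administrator-or-not user on the Windows box in question; GetSystemFirmwareTable needs no special privilege. A present table is the thing to investigate, not proof of Absolute by itself: compare the OEM ids and the size of the handed-off image with the files the .cmd answer lists, and pull the image from %SystemRoot%\System32 on a box where it has already run. Absence is equally not proof of a clean firmware: older legacy-BIOS implementations reach the OS by a different route than WPBT, and a setup option that "disables" the module may simply stop publishing the table while leaving the code in flash, which is the uncertainty the ThinkPad T490 answer raises.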

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM