D4 · Operations

How do you detect rootkits?

Rootkit detection relies on views the rootkit cannot control: offline scanning after booting from trusted media (the rootkit's hooks are not loaded, so it cannot hide from the scanner); memory analysis of a captured image (Volatility) to find hidden processes, hooked system-call tables and unlinked kernel modules; integrity verification of system binaries against a baseline stored off the host (Tripwire); and cross-view checks that compare what different interfaces report (a process visible in /proc but missing from the kernel task list, unusual system calls, a listening socket with no owning process).
You cannot trust the results of AV or any other tool running on the rootkitted system, because the rootkit intercepts the same file, process and kernel interfaces the tool relies on. Boot from trusted, read-only media and mount the suspect disk read-only for analysis. Secure Boot stops unsigned boot components from loading, and TPM measured boot records each boot stage so a changed boot chain can be detected through attestation; together they make it hard for a bootkit to persist across a reboot, but they do not stop a rootkit loaded after boot through a signed driver or a kernel exploit. Safest response: assume the system is untrustworthy, reimage it from known-good media, and rotate any credentials it held.
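The integrity-verification step, as an added example that is not part of the original page and not Tripwire's own code: a baseline manifest of file hashes and modes is built from a known-good tree, stored off the host, and later compared against the suspect tree after it has been mounted read-only from trusted media. The directory layout, file contents and the "rootkit" tampering in `demo()` are constructed here for illustration.

```python
"""Tripwire-style integrity check for a mounted suspect filesystem (example code).

Build a baseline manifest from a known-good image, keep it off the host,
then re-hash the suspect tree from trusted media and diff the two.
The sample tree and the tampering below are constructed, not real data.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every entry under root (POSIX-relative path) to its type, mode and hash.

    Symlinks are recorded by target rather than followed, so a link re-pointed
    at a trojaned binary shows up as a change instead of being hashed through.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                manifest[rel] = {"type": "symlink", "target": os.readlink(p)}
            elif p.is_file():
                manifest[rel] = {
                    "type": "file",
                    "mode": oct(p.stat().st_mode & 0o7777),
                    "sha256": hash_file(p),
                }
    return manifest


def verify(baseline: dict, root: Path) -> dict:
    """Diff a stored baseline against the current state of root.

    Only meaningful when run from trusted media: a kernel rootkit on the live
    system can lie to read() and stat(), and a manifest kept on the suspect
    disk can simply be rewritten by the attacker.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/ directory, then simulate a
    rootkit replacing ls, dropping a hidden helper and deleting a log tool."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF good ls")      # constructed content
        (root / "bin" / "ps").write_bytes(b"\x7fELF good ps")
        (root / "bin" / "last").write_bytes(b"\x7fELF good last")
        # Round-trip through JSON, as you would when loading the manifest from
        # the trusted media it was stored on.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Simulated rootkit activity on the "suspect" disk.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        (root / "bin" / ".hidden").write_bytes(b"\x7fELF backdoor")
        (root / "bin" / "last").unlink()

        return verify(baseline, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice `build_manifest` runs once on the freshly installed image, the manifest is signed and copied to the analysis media, and `verify` is pointed at the suspect disk's mount point (for example `Path("/mnt/suspect")`, a hypothetical path) after booting from that media; `ps` is unchanged in the scenario, so it is absent from all three lists.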