"Rootkit scan" option or not
I have a 3-user license for AV. Two of the PCs are connected via a KVM so I can easily switch between them. Both have the same F-Secure build numbers:
12.77 100
10.00 19010
4.10 126
8.30 43112
9.90 188
However, one has the option to perform a rootkit scan in the GUI (it has four scan options) while the other does not (it has three scan options). The PC with the rootscan option was recently (yesterday and today) rebuilt, so maybe it caught the newest version, but if so, why aren't the build numbers slightly different?
Comments
-
Jouni, would you please explain the reasoning behind restricting rootkit scans to admin? I have the admin password for all of my systems, so it is only a theoretical issue for me, but I can imagine a situation where a regular scan turned up malware in an important system file, requiring the use of a Microsoft recovery disc and/or chkdsk. How is that different than what could happen with a rootkit scan?
-
Hello baroque-quest,
Apologies for the delayed answer to your post.
Basically this is related to generally restricted access to certain objects in the system.
Even if rootkit scanning were available to a restricted-account user, it would still require administrative privileges to remove the possibly malicious object.
Moreover, because detecting a rootkit with a task run under a restricted account would require switching the task’s privileges to those of the local system account, displaying the items discovered by the privilege-escalated task to the user of the restricted account would violate the Windows security model.
It is even possible that rootkits exist on the system as installed by the administrator for some purpose, in which case it is not desirable to inform restricted users about hidden objects found on the system.