"Rootkit scan" option or not

I have a 3-user license for AV.  Two of the PCs are connected via a KVM so I can easily switch between them.  Both have the same F-Secure build numbers:

12.77  100

10.00  19010

4.10  126

8.30  43112

9.90  188

However, one has the option to perform a rootkit scan in the GUI (it has four scan options) while the other does not (it has three scan options).  The PC with the rootkit scan option was recently (yesterday and today) rebuilt, so maybe it caught the newest version, but if so, why aren't the build numbers slightly different?

Best Answer

  • Jouni Posts: 135
    Accepted Answer

    Hello baroque-quest,

    Apologies for the delayed answer to your post.

    Basically this is related to generally restricted access to certain objects in the system.

    Even if rootkit scanning were available to a restricted-account user, it would still require administrative privileges to remove the possibly malicious object.

    Moreover, because detecting a rootkit with a task run under a restricted account would require switching the task’s privileges to that of the local system account, displaying the items discovered by the privilege-escalated task to the user of the restricted account would violate the Windows security model.

    It is even possible that rootkits exist on the system as installed by the administrator for some purpose, in which case it is not desirable to inform restricted users about hidden objects found on the system.

Answers

  • Well, I think the one without the rootkit scanner has some problems... as all of them should have a rootkit scanner.
  • I just checked my third system which has not been running for a week.  It has a build of 12.71-102 and a rootkit scanner option.

    I think you are hinting that I need to uninstall AV on the system missing the rootkit scanning option and reinstall it.

  • After looking more closely, it appears that the rootkit scan option only appears for admin users.  That was unexpected.

  • Janiashvili Posts: 469

    Oh, that's a bug, I believe.

  • Jouni Posts: 135

    Hello baroque-quest and Janiashvili,

    Actually this is by design, not a bug. The rootkit scan is indeed only available to users with admin privileges.

  • Jouni, would you please explain the reasoning behind restricting rootkit scans to admin?  I have the admin password for all of my systems, so it is only a theoretical issue for me, but I can imagine a situation where a regular scan turned up malware in an important system file, requiring the use of a Microsoft recovery disc and/or chkdsk.  How is that different than what could happen with a rootkit scan?

This discussion has been closed.