"Rootkit scan" option or not

Champion

"Rootkit scan" option or not

I have a 3-user license for AV.  Two of the PCs are connected via a KVM so I can easily switch between them.  Both have the same F-Secure build numbers:

12.77  100
10.00  19010
4.10  126
8.30  43112
9.90  188

However, one has the option to perform a rootkit scan in the GUI (it has four scan options) while the other does not (it has three scan options).  The PC with the rootkit scan option was recently (yesterday and today) rebuilt, so maybe it caught the newest version, but if so, why aren't the build numbers slightly different?

1 ACCEPTED SOLUTION

F-Secure Product Expert

Re: "Rootkit scan" option or not

Hello baroque-quest,

Apologies for the delayed answer to your post.

Basically this is related to generally restricted access to certain objects in the system.

Even if rootkit scanning were available to a restricted account user, it would still require administrative privileges to remove the possibly malicious object.

Moreover, because detecting a rootkit with a task run under a restricted account would require switching the task's privileges to those of the local system account, displaying the items discovered by the privilege-escalated task to the user of the restricted account would violate the Windows security model.

It is even possible that rootkits exist on the system as installed by the administrator for some purpose, in which case it is not desirable to inform restricted users about hidden objects found on the system.

Best Regards,
Jouni

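The design Jouni describes (an admin-only scan that is hidden from restricted accounts, and whose elevated task's findings are never shown to them) can be illustrated as a small privilege-gated menu model. This is an added example, not F-Secure's code; the check `current_user_is_admin` is a best-effort elevation test, and every scan name other than "Rootkit scan" is a constructed placeholder, not a real product option.

```python
"""Privilege-gated scan menu: an added illustration of hiding an admin-only
scan from restricted accounts. Not F-Secure code; scan names other than
"Rootkit scan" are constructed placeholders."""
import ctypes
import os
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanOption:
    name: str
    needs_admin: bool  # True: the task must run with elevated / SYSTEM rights


# Constructed catalogue: three unprivileged scans plus the admin-only rootkit scan,
# matching the "three options vs. four options" observation in the thread.
SCAN_OPTIONS = (
    ScanOption("Full computer scan", needs_admin=False),            # placeholder name
    ScanOption("Scan selected files", needs_admin=False),           # placeholder name
    ScanOption("Scan for viruses and spyware", needs_admin=False),  # placeholder name
    ScanOption("Rootkit scan", needs_admin=True),
)


def current_user_is_admin() -> bool:
    """Best-effort elevation check: Windows token via shell32, effective uid elsewhere."""
    if sys.platform == "win32":
        try:
            return bool(ctypes.windll.shell32.IsUserAnAdmin())
        except (AttributeError, OSError):
            return False
    return os.geteuid() == 0


def visible_scans(is_admin: bool) -> list:
    """Menu entries this account may see. Restricted users never see admin-only
    scans, so results of an elevated task are never displayed to them."""
    return [o.name for o in SCAN_OPTIONS if is_admin or not o.needs_admin]


def start_scan(name: str, is_admin: bool) -> str:
    """Gate the task itself, not only the menu: a restricted caller that asks for
    an admin-only scan by name is refused rather than silently escalated."""
    option = next((o for o in SCAN_OPTIONS if o.name == name), None)
    if option is None:
        raise ValueError(f"unknown scan: {name}")
    if option.needs_admin and not is_admin:
        raise PermissionError(f"{name} requires an administrator account")
    kind = "elevated" if option.needs_admin else "user"
    return f"started {name} ({kind} task)"


if __name__ == "__main__":
    admin = current_user_is_admin()
    print(f"admin={admin}; scans offered: {visible_scans(admin)}")
```

The point of gating in `start_scan` as well as in `visible_scans` is that hiding a menu entry is not an access control by itself; the privileged task must refuse a restricted caller even if the name is supplied directly.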

7 REPLIES
Senior Advisor

Re: "Rootkit scan" option or not

Well, I think the one without a rootkit scanner has some problems, as all of them should have a rootkit scanner.
Champion

Re: "Rootkit scan" option or not

I just checked my third system which has not been running for a week.  It has a build of 12.71-102 and a rootkit scanner option.

I think you are hinting that I need to uninstall AV on the system missing the rootkit scanning option and reinstall it.

Champion

Re: "Rootkit scan" option or not

After looking more closely, it appears that the rootkit scan option only appears for admin users.  That was unexpected.

Senior Advisor

Re: "Rootkit scan" option or not

oh, that's a bug I believe

F-Secure Product Expert

Re: "Rootkit scan" option or not

Hello baroque-quest and Janiashvili,

Actually, this is by design, not a bug. The rootkit scan is indeed only available to users with admin privileges.

Best Regards,
Jouni

Champion

Re: "Rootkit scan" option or not

Jouni, would you please explain the reasoning behind restricting rootkit scans to admin?  I have the admin password for all of my systems, so it is only a theoretical issue for me, but I can imagine a situation where a regular scan turned up malware in an important system file, requiring the use of a Microsoft recovery disc and/or chkdsk.  How is that different from what could happen with a rootkit scan?
