The data residing on data storage devices, such as hard disk drives and solid state drives, by way of example, is subject to corruption and attack by malicious software (“malware”). Anti-virus and manageability software packages have been developed by independent software vendors (ISVs) to scan data storage devices to detect corrupted data or malware and/or to provide back-up copies of data. Some storage, security, and manageability ISVs implement services, such as anti-virus scans, removal of malware, system repair, and system reimaging, for example, over the Internet. These Internet-based services typically rely on local software agents running on the local computing device.
Transferring the entire contents of a data storage device over the Internet for scanning by an ISV application, however, is cumbersome and time-consuming. One approach to alleviating this burden is to evaluate which data stored in the data storage device has been altered since a previous scan and transmit only the altered data for scanning. Implementations of this approach have typically relied on the local software agents to determine which data has been altered since a previous scan (for example, by evaluating a Master File Table (MFT) of the data storage device). These software solutions, however, are themselves subject to attack by rootkits, spyware, and other types of malware that operate on the premise of hiding themselves from detection. For instance, malware may be able to provide out-of-date copies of the MFT to a local software agent, fooling the software agent into thinking that no changes to the data have taken place (thereby hiding its subsequent activities from the software agent). Once such malware is able to hide itself and its activities from the ISV applications (e.g., using an old MFT), the malware can observe user activity, capture user data, perform circumvention of user actions, and other malicious activities. An increasing number of incidents of rootkits, spyware, and other malware have been discovered hiding themselves from users and executing in the background of computing systems, collecting sensitive information and slowing down the systems considerably.