Traditional antivirus software performs periodic or real-time scans of a computing device by running the software from within an operating system for which protection is sought. This type of software works well for known viruses, as the antivirus software is able to use known virus signatures to detect infected files as they enter the computing device. These files may enter the computing device via user downloads, network access, or new files that have been copied from an external drive of the computing device. Traditional antivirus software detects these known viruses by scanning the computing device on a periodic basis.
While this approach works well for known viruses, it is less effective when the software's virus signatures are not up-to-date. It is also less effective against new viruses for which no signatures have yet been created (so-called “zero-day exploits”). This limitation becomes even more apparent when viruses on the computing device employ “rootkit” techniques.
In short, rootkit-enabled viruses hide themselves from the antivirus software running on the computing device. If a rootkit-enabled virus infects the computing device (e.g., via a zero-day exploit or when the software's signatures are out of date), the antivirus software has very little chance of detecting the presence of the virus and, hence, of removing the virus from the computing device.
To combat these limitations, some antivirus software attempts to detect rootkit-enabled viruses by detecting discrepancies in the operating system of the computing device, i.e., differences between what the operating system reports and what is actually present. Because this approach is predicated on weaknesses in the masquerading techniques of the rootkit, rootkit developers can continue creating better and better rootkits to avoid detection. In other words, this approach leads to a potentially never-ending arms race.
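The following is an added illustration, not code from the patent, of the two detection approaches discussed above: signature matching, which misses a sample with no signature, and discrepancy (cross-view) detection, which exposes entries a rootkit filters out of the operating system's view. The file contents, signatures and the rootkit filter are all constructed in memory; no real system enumeration is performed.

```python
import hashlib

# Constructed "known virus" signatures: SHA-256 digests of file contents.
KNOWN_SIGNATURES = {
    hashlib.sha256(b"MALWARE-SAMPLE-A").hexdigest(): "Sample.A",
}

# Constructed raw disk contents: what an independent low-level read would see.
RAW_FILES = {
    "/bin/ls": b"ls binary",
    "/tmp/rk.so": b"MALWARE-SAMPLE-A",    # known sample, signature exists
    "/tmp/dropper": b"MALWARE-SAMPLE-B",  # new sample, no signature yet
}


def rootkit_filter(files, hide_prefix="/tmp/"):
    """Simulated rootkit hook: drops entries under hide_prefix from the
    results the operating system API returns to the scanner."""
    return {path: data for path, data in files.items()
            if not path.startswith(hide_prefix)}


def signature_scan(files):
    """Traditional scan: return {path: name} for files whose content hash
    matches a known signature. Unknown samples are never reported."""
    hits = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_SIGNATURES:
            hits[path] = KNOWN_SIGNATURES[digest]
    return hits


def cross_view_diff(api_view, raw_view):
    """Discrepancy detection: entries present in the low-level view but
    absent from the OS API view. A hiding rootkit produces exactly this gap."""
    return sorted(set(raw_view) - set(api_view))


def scan_report(raw_files=RAW_FILES):
    api_view = rootkit_filter(raw_files)  # the view a scanner inside the OS gets
    return {
        "signature_hits_via_api": signature_scan(api_view),   # rootkit hides both
        "signature_hits_via_raw": signature_scan(raw_files),  # known sample only
        "hidden_entries": cross_view_diff(api_view, raw_files),
    }


if __name__ == "__main__":
    print(scan_report())
```

Note that the cross-view check only works because the simulated rootkit filters one view and not the other; a rootkit that also subverts the low-level read closes the gap, which is the arms race the text describes.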
Another approach to rootkit detection is to boot the computer from a known “clean” operating system image, so that the scanner does not run under an operating system the rootkit may have subverted. While this solution is effective, it requires significant user interaction. That is, a user of the computing device must proactively choose to scan the computing device. This proactive scan often requires the user to close all open applications and reboot the computing device. Due to these impositions, users often do not scan the computing device from the clean operating system and, hence, the computing device remains subject to attack by rootkit-enabled viruses.