McAfee Tests Virus Scans During Boot
By David Worthington | Published April 22, 2005, 1:22 PM
McAfee is developing an antivirus product that will intervene in native mode while Microsoft Windows is starting up to provide more flexibility and control over its products.
Geared toward enterprise users, McAfee PreScan integrates with McAfee's ePO 3.0/3.5 and Protection Pilot 1.1 security management software. The software will incorporate McAfee's 4400 antivirus engine, scan and clean FAT and NTFS partitions and scan removable devices.
Antivirus tools that scan in native mode load with Windows before any other application loads, increasing the chances that malware will be detected before it can inflict any damage.
Many security software vendors have had similar capabilities since 1995 when kernel mode drivers were introduced to coincide with the release of Windows 95. Kernel mode scans take place early on in the boot process; however, a native scan takes place even before a kernel driver loads.
For instance, the FunLove network infector walks file shares that load before user mode, which loads after kernel/native mode. Thus, a native scan would be able to detect FunLove's presence and prevent the virus from propagating.
"The earlier scans occur the better," said Jeremiah Grossman, CTO of WhiteHat Security. "There are race conditions, a cat and mouse game between the good guys and the bad guys in security. Whatever code runs first wins. If the process runs first in the stack the larger the chance is of it winning the race."
A McAfee spokesperson told BetaNews that the company has not set a completely firm beta or release date, but that its targets are mid-May and end of July, respectively. McAfee's current intention is to make PreScan a companion product for VirusScan Enterprise. ePolicy Orchestrator (ePO) will be required in order to run the software.
Are they still doing this? I thought they were testing this a year or two ago?
Score: 0
|Most people considered this news as good news.
And most virus makers considered this as a good resource.
Score: 0
|It is a pretty big joke to be honest. This is a basic feature which should be and is already in many anti-virus products. McAfee is only using this as some kind of marketing ploy to make this seem like some kind of discovery.
Score: 0
|Unfortunately the author of the article has misunderstood what this product is doing... This is NOT a kernel mode scanner - as he mentions, this is indeed something that Symantec and others (including McAfee) have had since 1995 or so...
This is a NATIVE MODE application - this runs at the same time during the boot process that applications such as CHKDSK run, before the Windows GUI has actually loaded, and before normal applications can run.
To my knowledge there are NO other AV vendors which have a NATIVE MODE scanner for the NT based platforms...
Regards
Daniel Wolff
McAfee AVERT
Score: 0
|That is not entirely correct - avast! really has had a Native mode scanner for years.
Score: 0
|If an AV scanner can do it, can't spyware? Wouldn't the better option be not allowing this type of software (AV or otherwise) load in native mode?
Score: 0
|I was thinking the same, but I'd think it's a bit harder to get it to run like this than it would be to get it to run "normally."
Also, Windows SHOULD have user levels in place so that you need to be an administrator to install such software, and anything less cannot do it. It's technically somewhat doable now--I doubt it would install on a Limited account in XP (would probably need Administrator)--but poor application compatibility and lack of education still leave most people running as an admin. Longhorn will hopefully change this.
Score: 0
|...lol sometimes I need a reminder every once in a while of why I don't use them...
Score: 0
|shnizzle
Score: 0
|umm Doesn't Avast already scan at boot?
Score: 0
|...which is noted in the article above. A lot of software vendors have had it. McAfee is just expanding its technology to manage its enterprise line of tools it seems.
Score: 0
|It's really just a joke. An entirely separate product is released to do a simple task that many small freeware products out there do. It shows how poorly designed their line of products are that they have to market a product that does a prescan.
Score: 0
|What to expect from a company which was given a patent to a feature (Instant Update aka. Symantec's LiveUpdate) which almost every decent software has nowadays. Maybe they will be given a patent for version 9 or next homeuser VS 10 which will then be able to do something that other competitive products can't do, detect and CLEAN malware. Thank god there are many products to choose from.
Score: 0
|Actually, I'm not sure any corporate products have managed native scanning. This seems to be more of a module that can be quickly deployed through ePO for a mass native scan. This essentially isn't a stand-alone product you will buy. Comparing it with consumer or stand-alone client software is a bit inaccurate.
Score: 0