Abstract
A security system may detect a rootkit by capturing the filesystem configuration of a first system and comparing it to a known valid filesystem configuration of a second system. The known valid filesystem configuration may be the filesystem configuration of a protected second system, or may be stored in a protected area of the second system. The first and second systems may be part of a single device. The filesystem configuration of the first system and the known valid filesystem configuration are compared, and the differences are analyzed to determine whether they are indicative of a rootkit. If a rootkit is detected, some embodiments may provide tools to clean, delete, or quarantine the rootkit. The second system may be provided by a security provider.
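The comparison described in the abstract, as an added illustration that is not part of the patent or any product: a known valid manifest (content hash, mode, owner per path) is compared with a live snapshot, and each difference is classified by a simple heuristic. The file contents, paths, the `system_dirs` list and the classification rules are constructed assumptions for the example.

```python
import hashlib
from typing import Dict, List, Tuple

Entry = Tuple[str, int, str]  # (sha256 of contents, mode bits, owner)

def snapshot(files: Dict[str, Tuple[bytes, int, str]]) -> Dict[str, Entry]:
    """Build a manifest from {path: (content, mode, owner)}; constructed input stands in for a real walk."""
    return {p: (hashlib.sha256(c).hexdigest(), m, o) for p, (c, m, o) in files.items()}

def compare(known_valid: Dict[str, Entry], observed: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Return (difference, path) pairs for every way the observed manifest departs from the baseline."""
    findings = []
    for path in sorted(set(known_valid) | set(observed)):
        if path not in observed:
            findings.append(("missing", path))
        elif path not in known_valid:
            findings.append(("added", path))
        else:
            k, o = known_valid[path], observed[path]
            if k[0] != o[0]:
                findings.append(("content_changed", path))
            if k[1:] != o[1:]:
                findings.append(("metadata_changed", path))
    return findings

def is_rootkit_indicator(finding: str, path: str, observed: Dict[str, Entry]) -> bool:
    """Heuristic analysis of one difference (assumed rules): altered or removed files under system
    directories, new hidden files or kernel modules there, and newly setuid files are indicative;
    changes elsewhere (e.g. /tmp) are treated as ordinary activity."""
    system_dirs = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/modules/", "/etc/")
    if not path.startswith(system_dirs):
        return False
    if finding in ("content_changed", "missing"):
        return True
    setuid = bool(observed[path][1] & 0o4000)
    if finding == "added":
        name = path.rsplit("/", 1)[-1]
        return name.startswith(".") or setuid or path.startswith("/lib/modules/")
    return setuid  # metadata_changed: flag only if the file now carries setuid

def detect(known_valid: Dict[str, Entry], observed: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Return only the differences judged indicative of a rootkit."""
    return [(f, p) for f, p in compare(known_valid, observed) if is_rootkit_indicator(f, p, observed)]

# Constructed sample data: a trusted baseline and a live snapshot with one trojaned binary,
# one hidden module, and one harmless new file outside the system directories.
KNOWN_VALID = snapshot({"/bin/ls": (b"ls-binary", 0o755, "root"),
                        "/usr/bin/ssh": (b"ssh-binary", 0o755, "root")})
OBSERVED = snapshot({"/bin/ls": (b"ls-binary-trojaned", 0o755, "root"),
                     "/usr/bin/ssh": (b"ssh-binary", 0o755, "root"),
                     "/lib/modules/.hidden.ko": (b"module", 0o644, "root"),
                     "/tmp/scratch.txt": (b"notes", 0o644, "user")})

if __name__ == "__main__":
    for finding, path in detect(KNOWN_VALID, OBSERVED):
        print(f"{finding}: {path}")
```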