Deleted member 21043

Most on demand scanners dont need drivers
Unless the on-demand scanner needed to load a driver to scan for rootkits and then clean any detected rootkits up.

Example: MBAM loads a driver.
Last edited by a moderator:

Deleted member 21043


View attachment 54262

and etc...........:D
Congrats you gave me 1 example. Malware bytes ≠ most on demand scanner. ;) There are so many that don't use a driver
The on-demand scanners may use the drivers for things like rootkit scanning, process termination, permissions, ... There are many reasons as to why they may be used. Being in kernel mode is better in general.

For example, the scanner may load a driver which may be used to try to look for traces of a SSDT hook. After finding any, it would then need to clean it up. For this, it'll have to be done in kernel mode (through the kernel mode driver).

Of course there are products which don't use a driver, however at the same time, they don't have the features the products which take advantage of kernel mode have. For example, Xvirus Personal Guard doesn't have a driver however then again, it doesn't have any features like rootkit detection (on-demand or with the behavioural blocker). Crystal Security doesn't have a driver either.

I think it's better if the product used a driver not just for the rootkit scanning, detection and then cleanup, but for things like process termination. If a threat is detected and it's protecting itself from being terminated from the usual TerminateProcess() API call (this is what Task Manager uses by default), then kernel mode will be necessary. From the driver, the security products (in this case the on-demand scanners) can attempt to remove the hooks.

After scanning has completed, the user mode process may send up back the information (so the target process PID) and then from kernel mode the process will be tried to be terminated.

For example, if you were infected by a rootkit (on a 32-bit system in this case) and it performed SSDT hooking (System Service Dispatch Table hooking), it may change the first bytes in the API which was targetted (Inline) (so if it wanted to hook NtTerminateProcess to try to prevent it from being terminated from e.g. Task Managers)... Instead of this, it may change the addresses in the System Service Dispatch Table. For a Anti-Rootkit supporting product to detect this, they'd have to load a driver into kernel mode.

Those were just some examples.

Point being, some products make use of drivers, some don't. Products like Zemana Antimalware, Malwarebytes Antimalware do. So for this reason I agree with both @Dani Santos and @Petrovic.

Cheers. ;)

EDIT: @FireShootSK I was writing when you replied so I never saw. Hopefully you aren't mad at me for replying to Dani and Petrovic. Maybe this post will clear up the situation anyway.


Level 85
Very tight configuration there, if you want more program then add a fully virtualized function like Shadow Defender or Toolwiz Time Freeze (haha likely redundant)

But to save a snapshots of system state then you may consider Toolwiz Time Machine or Rollback RX however in that state its already fine. ;)