McAfee Tests Virus Scans During Boot
McAfee is developing an antivirus product that will intervene in native mode while Microsoft Windows is starting up, to provide more flexibility and control over its products.
Geared toward enterprise users, McAfee PreScan integrates with McAfee's ePO 3.0/3.5 and Protection Pilot 1.1 security management software. The software will incorporate McAfee's 4400 antivirus engine, scan and clean FAT and NTFS partitions, and scan removable devices.
Antivirus tools that scan in native mode load with Windows before any other application loads, increasing the chances that malware will be detected before it can inflict any damage.
Many security software vendors have had similar capabilities since 1995, when kernel mode drivers were introduced to coincide with the release of Windows 95. Kernel mode scans take place early in the boot process; however, a native scan takes place even before a kernel driver loads.
For instance, the FunLove network infector walks file shares that load before user mode, which loads after kernel/native mode. Thus, a native scan would be able to detect FunLove's presence and prevent the virus from propagating.
"The earlier scans occur the better," said Jeremiah Grossman, CTO of WhiteHat Security. "There are race conditions, a cat and mouse game between the good guys and the bad guys in security. Whatever code runs first wins. If the process runs first in the stack the larger the chance is of it winning the race."
A McAfee spokesperson told BetaNews that the company has not set a completely firm beta or release date, but that its targets are mid-May and end of July, respectively. McAfee's current intention is to make PreScan a companion product for VirusScan Enterprise. ePolicy Orchestrator (ePO) will be required in order to run the software.