Scan for Rootkits in MB 2.0

I notice the "Custom Scan Config" doesn't have the "Scan for Rootkits" checked.

Has anyone checked it?

If so, what is the result?

Does it take (much) longer to run a scan?


I wonder how many members HAVE checked it and how many HAVE NOT checked it?


Is it 'best' to leave it unchecked, or should it be checked?


We are trying to decide whether we should or shouldn't check that box.


Any help would be appreciated as we are very new at all of this, especially since we don't know anything about Rootkits, etc. Scary indeed. So many things to learn!


ARK (antirootkit) scanning is a new, optional feature in 2.0.
It's entirely up to the individual user whether or not to enable it.
Doing so may slightly increase the time it takes to perform a scan -- this is normal, and is nothing to worry about.
If the computer has a hard drive encrypted with software OTHER THAN TrueCrypt (such as BitLocker, SecureDoc or others), then ARK should be left DISABLED.
That is because ARK scanning is not supported on such an encrypted drive. This is explained in the FAQ here.


And from the User Guide:

Scan for rootkits utilizes a specific set of rules and tests to determine if a rootkit is present on your computer. For readers who are unfamiliar with this term, an explanation may be handy. A rootkit is malicious software that can be placed on a computer which can modify operating system files in a manner that hides its presence. Malware detection methods that rely on hooks to the operating system for detection and analysis would prove ineffective if the hooks had been purposely manipulated by the malware. Our testing method is more intensive and more effective, but including rootkit scans as part of your overall scan strategy increases the time required to perform a scan.


Bottom line: unless you have an encrypted hard drive, it's fine to enable the feature. 

If you find that it increases scan times too much for your liking (especially on an older, slower computer), then it's OK to disable it, unless you suspect a possible rootkit because of abnormal computer behavior.


Hope this helps,





Really don't know if I have "encrypted hard drives." If I did have encrypted hard drives, would the MB Scan for Rootkits not run/work?


Well, then you probably do not. :)

Most people whose drives are encrypted know it, because they installed or activated software to accomplish the encryption.


If you do not know, then we'd have to see some diagnostic logs from the computers in order to see if encryption programs are installed or running (BitLocker would be a common one, as it is built in to some of the fancier flavors of Windows 7 (and Vista? and 8?)).


The only encryption product supported with MBAM 2.0 ARK is TrueCrypt.


If you were to enable ARK on a drive encrypted with a program other than TrueCrypt, it would probably either not work, would generate an error, or would generate erroneous results.

This is explained in the FAQ >>here<<.

That is why users with encrypted drives are instructed NOT to enable ARK scanning.

And that is one reason that the feature is disabled by default when MBAM 2.0 is installed.

ALSO, for additional information:

There is an FAQ Section here: Common Questions, Issues, and their Solutions

And here are links to the MBAM 2.0 User Guide: Online and PDF

And there are many useful KB topics and videos at the helpdesk support page.

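One way to run the check described in the reply above (is BitLocker protecting a volume, or is another encryption product installed?) before deciding on ARK. This is an added example, not code from the thread or from Malwarebytes; it assumes the product names mentioned in the thread and the standard Windows uninstall registry keys.

```powershell
# Added example (not from the thread or from Malwarebytes): report whether this
# Windows machine appears to have an encrypted drive, so you can decide whether
# "Scan for Rootkits" (ARK) should stay disabled. Run from an elevated prompt.

function Get-BitLockerState {
    # Get-BitLockerVolume ships with the BitLocker module on Windows 8 /
    # Server 2012 and later; older systems fall back to manage-bde -status.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        Get-BitLockerVolume | ForEach-Object {
            [pscustomobject]@{
                Volume     = $_.MountPoint
                Protection = [string]$_.ProtectionStatus   # On / Off
                Status     = [string]$_.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            }
        }
    }
    elseif (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
        # manage-bde prints one block per volume; keep only the telling lines.
        manage-bde -status 2>$null | Select-String 'Volume |Conversion Status|Protection Status'
    }
}

function Get-InstalledEncryptionSoftware {
    # Walk the uninstall keys (native and 32-bit-on-64 views) for the products
    # the thread names; matching on DisplayName is an assumption.
    $pattern = 'TrueCrypt|SecureDoc|BitLocker'
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        Select-Object DisplayName, DisplayVersion
}

$volumes  = @(Get-BitLockerState)
$software = @(Get-InstalledEncryptionSoftware)
$volumes  | Format-Table -AutoSize | Out-String | Write-Host
$software | Format-Table -AutoSize | Out-String | Write-Host

# Per the thread: TrueCrypt is the only product supported with ARK, so BitLocker
# protection that is On, or any other listed product, means leave ARK disabled.
$bitLockerOn   = $volumes  | Where-Object { $_.Protection -eq 'On' -or "$_" -match 'Protection On' }
$unsupportedSw = $software | Where-Object { $_.DisplayName -notmatch 'TrueCrypt' }
if ($bitLockerOn -or $unsupportedSw) {
    Write-Host "Encrypted drive or unsupported encryption software detected: leave ARK disabled."
} else {
    Write-Host "No unsupported drive encryption detected: enabling ARK should be fine."
}
```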
