{{Header}}
{{title|title=
Deep Scan Ready
}}
{{#seo:
|description=Deep scan ready means owners can inspect the full operating system and boot chain from a clean external system, offline or detached, so malware stays inactive while scanning.
|image=Deep_scan_ready_icon.png
}}
[[File:Deep_Scan_Ready.png|400px|thumb]]
[[File:Deep_scan_ready_icon.png|thumb]]
{{intro|
Security should not require blind trust in the platform vendor (the company that makes the device, firmware, or OS). The {{os}} may be part of the threat model (meaning the OS itself could be compromised). Therefore, users should be able to control keys (cryptographic keys used for verification), verification, and modification (the ability to inspect and change the system). To accomplish this goal, it is important that the operating system is deep scan ready, meaning it supports being deep scanned in principle (you can inspect it from outside, without running it).
}}
= Introduction =
An important rule for deep virus scans is: do not boot a device suspected of being infected with [[malware]], because active malware can hide itself, fake "clean" results, or erase evidence.

{{quotation
|quote=Live analysis provides valuable, volatile information that may not be available during an offline analysis of a hard drive, e.g., dynamic data such as running processes and open ports, which are only available during system operation. However, when one of the processes on a machine includes a rootkit, the investigator must question if the results of a live analysis are tainted. When rootkits are running, the data and processes they have modified are still in use by the operating system, but this fact is not visible to the user. In fact, our experiments demonstrate that even if a live response cannot detect what is hidden, it can still provide an investigator with details about what was available to the user. This information can also help the investigator determine what the rootkit was hiding.
|context=[https://opendl.ifip-tc6.org/db/conf/ifip11-9/df2007/ToddBPFSR07.pdf IFIP Open Digital Library: Todd et al. PDF]
}}

{{quotation
|quote=If you suspect a rootkit virus, one way to detect the infection is to power down the computer and execute the scan from a known clean system.
|context=[https://www.kaspersky.com/resource-center/definitions/what-is-rootkit Kaspersky Resource Center: What is a rootkit?]
}}

{{quotation
|quote=Hidden malware: Rootkits can install and conceal other types of malware within your network, making detecting and removing them difficult.
|context=[https://us.norton.com/blog/malware/rootkit Norton blog: Rootkit]
}}

{{quotation
|quote=Use offline scanners: If the rootkit is particularly stubborn or your regular antivirus software fails to detect it, you can try offline scanners. These antivirus tools run from a bootable USB or CD/DVD, allowing them to scan your system without the rootkit being active.
|context=[https://us.norton.com/blog/malware/rootkit Norton blog: Rootkit]
}}

{{quotation
|quote=By analyzing memory dumps, examiners can ensure clean working environment and no active resistance from the rootkit.
|context=[https://www.forensicfocus.com/articles/understanding-rootkits/ Forensic Focus: Understanding rootkits]
}}

See also [https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-offline Microsoft Defender Offline].

Instead, power the device off and inspect the storage from a clean external system by performing a read-only inspection (so the suspect device cannot write changes back while you are checking it).

To learn more, see [[Malware_and_Firmware_Trojans#Basics_of_Malware_Analysis_and_Backdoor_Hunting|Basics of Malware Analysis and Backdoor Hunting]].
Deep scans are usually possible with traditional Linux distributions but often not on most mobile devices such as stock Android, because you generally cannot easily boot a trusted external system or fully inspect storage without unlocking or modifying the device.

= What does deep scan ready mean? =
(Deep scan ready means you can safely and fully inspect a device for malware from outside, while it is turned off.)

* Scan everything: All files on the disk without exception. The file system must be inspectable, meaning the owner can independently check it, including a thorough system boot chain integrity check.
* Not only apps: Deep scan ready means you can inspect the whole system, not just installed applications.
* Include boot components: The scan includes the partition table (how the disk is divided), bootloader (the first program that starts the system), kernel (the core part of the OS), init (initial startup process), system files, etc.
* Keep malware inactive while scanning: Malware must not be active in memory during the scan. This requires:
** Offline deep scan: Or at minimum an Offline Integrity Check; a different boot medium must be used, such as booting from USB (Live USB Checkup).
** Detached deep scan: Even better, remove the disk and scan it from another clean system, i.e. a different computer.
* Support both tools and experts: The system can be scanned by automated tools such as virus scanners, but it can also be examined manually by malware analysts.

= What is the difference between a deep scan and a normal antivirus scan? =
* Normal antivirus scan: Users typically run an antivirus scan after booting the system that is suspected of being infected with malware. This kind of scan runs inside the system you do not trust, so malware may be able to hide, interfere, or show false results.
* Deep scan: A deep scan aims to inspect the full storage and boot components from outside the suspect system, so malware is not running while you scan.
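As an added example (not code from this wiki page and not a Kicksecure tool), the following POSIX shell script carries out the "Offline Integrity Check" described above: it hashes every file of a suspect installation that has already been mounted read-only from a clean external system and compares the result with a known-good manifest, reporting modified, missing, and extra files among the boot chain and system files. The mount commands in the header comment, the device names, the script name and the file layout of the constructed self-test are assumptions for illustration; GNU `sha256sum` is assumed to be installed on the clean system.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from Kicksecure itself.
# Offline integrity check of a suspect installation that is mounted read-only
# from a clean external system. Assumptions: GNU coreutils (sha256sum) and
# POSIX find/awk/sort; the suspect partitions were mounted read-only first,
# for example (run on the clean system; device names are placeholders):
#   mount -o ro,noexec,nosuid,nodev /dev/sdX2 /mnt/suspect
#   mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/suspect/boot
# The known-good manifest must come from a trusted reference, e.g. a clean
# installation of the same release on a trusted machine.

# Print "sha256  ./relative/path" for every regular file below directory $1.
# Paths containing whitespace are not handled by this simple format.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# Compare the tree under $2 (the read-only mount point) with the known-good
# manifest file $1. Prints one finding per line: MODIFIED, MISSING or EXTRA
# followed by the path. Returns 0 when the tree matches, 1 otherwise.
verify_tree() {
    manifest="$1"
    root="$2"
    findings=$(make_manifest "$root" | awk '
        NR == FNR { good[$2] = $1; next }   # first input: known-good manifest
        {
            seen[$2] = 1
            if (!($2 in good)) {
                print "EXTRA " $2           # not in the reference: unexpected file
            } else if (good[$2] != $1) {
                print "MODIFIED " $2        # hash differs: altered file
            }
        }
        END { for (p in good) if (!(p in seen)) print "MISSING " p }
    ' "$manifest" - | LC_ALL=C sort)
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed reference tree standing in for a clean installation.
build_reference_tree() {
    mkdir -p "$1/boot" "$1/sbin" "$1/etc"
    printf 'clean bootloader config\n' > "$1/boot/grub.cfg"
    printf 'clean kernel image\n'      > "$1/boot/vmlinuz"
    printf 'clean init binary\n'       > "$1/sbin/init"
    printf 'clean fstab\n'             > "$1/etc/fstab"
}

# Constructed self-test: the reference tree versus a copy in which the
# bootloader config was altered, init was removed and an unknown file added.
# Prints the three findings and returns 1 (mismatch).
demo() {
    work=$(mktemp -d)
    build_reference_tree "$work/reference"
    cp -R "$work/reference" "$work/suspect"
    printf 'altered bootloader config\n' > "$work/suspect/boot/grub.cfg"
    rm "$work/suspect/sbin/init"
    printf 'unknown content\n' > "$work/suspect/etc/unexpected.conf"
    make_manifest "$work/reference" > "$work/known-good.sha256"
    rc=0
    verify_tree "$work/known-good.sha256" "$work/suspect" || rc=$?
    rm -rf "$work"
    return $rc
}

# Constructed self-test for the clean case: a tree checked against its own
# manifest produces no findings and returns 0.
demo_clean() {
    work=$(mktemp -d)
    build_reference_tree "$work/reference"
    make_manifest "$work/reference" > "$work/known-good.sha256"
    rc=0
    verify_tree "$work/known-good.sha256" "$work/reference" || rc=$?
    rm -rf "$work"
    return $rc
}

# Usage:  sh offline_check.sh demo                    (constructed self-test)
#         sh offline_check.sh MANIFEST /mnt/suspect   (check a read-only mount)
case "$#:${1:-}" in
    1:demo) demo ;;
    2:*)    verify_tree "$1" "$2" ;;
esac
```

Run `sh offline_check.sh demo` for the constructed self-test, or `sh offline_check.sh known-good.sha256 /mnt/suspect` against a real read-only mount. The manifest has to be produced on a trusted machine from a clean installation of the same release, never on the suspect device, because a compromised system could hand out a manifest matching its own tampered files. The partition table and bootloader code that live outside any file system (for example the MBR or EFI binaries on the raw device) are not covered by this file-level check and need to be hashed from the block device separately.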
= Why should I care about computer viruses? =
Malware can secretly spy on you (screenshots, files, keystrokes, webcam/mic) and steal or destroy data, including by encrypting your drive for ransom. It can also plant fake evidence and turn your computer into a "zombie" used for crimes (spam, DDoS, hosting illicit / illegal material). Worst of all, some malware can install persistent [[Backdoor|backdoors]] (including hardware level) that can survive a full operating system reinstall, and if the host is compromised, every {{VM}} is compromised too.

See also [[Malware_and_Firmware_Trojans#The_Importance_of_a_Malware_Free_System|The Importance of a Malware Free System]].

= Deep Scan Ready vs Restricted Devices =
Which operating systems are typically deep scan ready? Most, if not all, traditional Linux distributions are deep scan ready. You can boot a clean system and inspect everything, even if the installed OS is compromised. Alternative terminology would be forensic readiness for the device owner.

Which operating systems are typically not deep scan ready? For example, stock Android. This is elaborated on the [[Android|Android Insecurity]] wiki page.

= Technical Implementation =
How can an operating system implement being deep scan ready? Actually, there is nothing special to add. It is more about what the system '''doesn't''' block the user from doing. What to avoid is implementing a locked bootloader that cannot be controlled by the user, also known as [[Miscellaneous_Threats_to_User_Freedom#restricted_boot|restricted boot]].

= Threat Model Differences =
This section describes two different trust models, in other words, two ways of deciding who controls your device and what can be trusted.

* Vendor rooted trust: Vendor lockdown, vendor lock-in. The platform decides what is allowed, and the vendor controls the root of trust (for example which keys are accepted). You mainly get protection from other attackers.
* User verifiable trust: The platform itself may be in the threat model, so you need ways to check and replace it from outside, without trusting it while you inspect it. Trust minimization.
** Vendor accountability: The vendor cannot quietly (knowingly or unknowingly) ship different updates to different people. (Targeted malicious upgrades.)
** Independent auditability: Designed for third party checking.
** Vendor independent verification: Verify the system without trusting the provider.
** Full Device Backup Access: The owner has the ability to make a full system backup.
** Verified boot: This is compatible with owner controlled [[Verified Boot]] (User Settable Root of Trust). (A sample implementation work in progress is [[Sovereign Boot]].)
** Tamper Evident Boot: A similar concept is Tamper Evident Boot, where tampering can be detected not only by the vendor, but also by the device owner.

It is about owner capability vs platform restriction.

{{quotation
|quote=Computer users must not be required to seek external authorization to exercise their freedoms.
|context=Free Software Foundation: [https://www.fsf.org/campaigns/campaigns/secure-boot-vs-restricted-boot/ Will your computer's "Secure Boot" turn out to be "Restricted Boot"?]
}}

{{quotation
|quote=“Treacherous computing” is a more appropriate name, because the plan is designed to make sure your computer will systematically disobey you. In fact, it is designed to stop your computer from functioning as a general-purpose computer. Every operation may require explicit permission.
|context=The GNU Project: [https://www.gnu.org/philosophy/can-you-trust.en.html Can You Trust Your Computer?]
}}

Similar concepts: Kali Linux refers to this as [https://www.kali.org/docs/general-use/kali-linux-forensics-mode/ Forensic Mode].

= Advantages of Deep Scan Readiness =
Deep scan readiness discourages targeted malicious upgrades, because it is harder to hide changes when owners can verify the full system from outside.
= Deep Scan Tools =
Deep scan readiness is different from performing actual deep scans. This process is [[unspecific|unspecific to {{project_name_short}}]].

There are instructions on how to [[Recovery#Boot_from_External_Drive|Boot from External Drive]].

In the future, more documentation and tools are planned to simplify the process of deep scanning, making it accessible to more users.

= out-of-scope =
[[Backdoor#Firmware_Trojan|Firmware Trojans]] such as a [[Backdoor#Hard_Drive_Firmware_Trojan|hard drive firmware trojan]] and [[Backdoor#Hardware_Trojan|Hardware Trojans]] are unfortunately out of scope because these are hardware issues that a software-only operating system project cannot solve. These kinds of threats require hardware replacement or forensic hardware inspection.

= Deep Scan Restricted =
Deep Scan Restricted means the device owner cannot inspect the full operating system and boot chain from a clean external environment, because bootloaders, storage access, or verification keys are controlled by the vendor, requiring trust in the running system during inspection.

= Comparison of Deep Scan Ready versus Deep Scan Restricted =
{| class="wikitable"
! Feature
! Deep Scan Ready
! Deep Scan Restricted
|-
| User-verifiable trust
| {{yes}}
| {{no}}
|-
| External inspection possible
| {{yes}}
| {{no}}
|-
| Owner controls keys
| {{yes}}
| {{no}}
|-
| Offline/detached scan possible
| {{yes}}
| {{no}}
|}

'''Figure:''' ''Deep Scan Ready versus Deep Scan Restricted''

[[File:Deep_Scan_Ready_versus_Deep_Scan_Restricted.png|600px]]

= rationale for this page =
Why does this page exist when most traditional Linux distributions are deep scan ready anyhow? Sometimes we do not know what we have until we lose it. This page raises awareness, resists calls to also follow the path of locking device owners out of their devices, and differentiates owner-controlled systems from vendor-locked operating systems that hinder deep scanning.
= Forum Discussions =
* [https://forums.kicksecure.com/t/bootloader-lock-locked-bootloader/1190 locked bootloader]
* [https://forums.kicksecure.com/t/boot-device-lockdown/1189 boot device lockdown]
* [https://forums.kicksecure.com/t/no-rescue-mode/1171 hard rescue mode refusal]

= See Also =
{{mobile_mininav}}

{{boot_firmware}}

= Footnotes =
{{Footer}}

[[Category:Design]]
[[Category:Development]]