LocalSystem Account


KevinFF

I would like to know if "ESET" is able to clean/remove a process running on that account. Let's say malware is installed on that account while the antivirus is disabled; would that be fatal?


  • Administrators

For instance, if a rootkit installs under an account with administrator rights, you may need to resort to using ESET SysRescue to boot a clean system and run a disk scan from there.


  • Administrators
40 minutes ago, KevinFF said:

But if the rootkit has a kernel-mode driver, can ESET SysRescue detect and remove it? I've never had a problem with these things, it's just curiosity.

Yes, because you boot Linux from a clean medium.


I see, but without using SysRescue, ESET has no stopping/eliminating power. Could you give a brief explanation why? A process running under the system account or a kernel-mode driver

I say this because ESET also has kernel-mode drivers and ESET also runs under the system account...


  • Administrators

Malware run with administrator permissions can do virtually anything, including disruption or removal of the AV. Whether or not there are issues cleaning malware cannot be said in general. If you have a particular malware in mind that runs under the system account, let us know and we can look into it. However, as already stated, once malware is run with admin privileges, anything can happen.

This topic is now closed to further replies.