Anti-virus fallacies

The system restart problem

Monday, February 3, 2020

Tell me, please; can you design the upcoming version of Dr.Web Security Space in such a way that no system restart will be required after I uninstall (if I remove it) or install the application? It would be nice if the program could be installed and removed completely after the system has booted up, because restarting it over and over again can damage the hard drives.

A Dr.Web user's request

Users just don't like to restart their computers—that's how it has been and will always be. We already explained why our anti-viruses sometimes require a system restart and why it’s important (for example, check out our issue Essential reboot).

The diagram shows the list of Dr.Web anti-virus modules under Windows. You can also see that certain modules operate in kernel mode (Core Level). Modern operating systems separate user data from system routines. An ordinary application can't hook into the routines that access disk sectors or create files and write data into them; those routines and system events can't be made accessible to just anyone. Event handlers catch these events in kernel mode, and deploying a new event handler in a system is more complicated than just copying a file to a disk: it requires a system restart. No matter how much we'd like to have things our way, these are the rules of the game and it's not up to us to change them. That's why installing and removing an anti-virus is always about deploying and removing event handlers, and that procedure can't be completed without rebooting the system.

Is it possible to accomplish all the tasks without system restarts? Yes, it is. For example, this is how Linux works. But under Unix-like systems, a new event handler doesn't replace the existing one. It will start working with system events that occur after it has been deployed. The previous driver will still handle earlier events and will then be removed. We already described this mechanism in more detail.

Convenient? Sure. But attackers can take advantage of this mechanism, too. In a way, system restarts serve as another self-defence mechanism. To get rid of an anti-virus, attackers will need to remove its drivers. The user will certainly notice that their system is being restarted! Alas, by design Linux and Android don't have this kind of self-defence. And if malware succeeds in disabling an anti-virus, it will easily remove it.
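
The point about Linux has a defensive corollary: a driver removed without a restart leaves no reboot for the user to notice, so the removal has to be detected another way. The following added example (not Dr.Web code) compares snapshots of `/proc/modules` and the kernel boot ID to tell a live unload from a removal across a reboot; the module name `av_monitor` and the sample data are constructed assumptions.

```python
"""Added example: flag a watched kernel module that vanishes without a reboot."""
from dataclasses import dataclass

WATCHED = frozenset({"av_monitor"})  # hypothetical module name (assumption)

@dataclass(frozen=True)
class Snapshot:
    boot_id: str          # /proc/sys/kernel/random/boot_id changes on every boot
    modules: frozenset    # names of modules in the "Live" state

def parse_modules(text):
    """Parse /proc/modules text: name size refcount deps state address."""
    live = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4] == "Live":
            live.add(fields[0])
    return frozenset(live)

def take_snapshot():
    """Read the running Linux system (not used by the constructed samples)."""
    with open("/proc/sys/kernel/random/boot_id") as f:
        boot_id = f.read().strip()
    with open("/proc/modules") as f:
        return Snapshot(boot_id, parse_modules(f.read()))

def audit(snapshots, watched=WATCHED):
    """Report watched modules that disappear between consecutive snapshots."""
    findings = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        for name in sorted(watched & (prev.modules - cur.modules)):
            # Same boot_id: the module was unloaded from a running system,
            # which is the removal that no restart would have revealed.
            kind = "live-unload" if prev.boot_id == cur.boot_id else "across-reboot"
            findings.append((name, kind))
    return findings

# Constructed sample data, not captured from a real host.
WITH_AV = ("av_monitor 45056 2 - Live 0xffffffffc0a10000\n"
           "ext4 737280 1 - Live 0xffffffffc0900000\n")
WITHOUT_AV = "ext4 737280 1 - Live 0xffffffffc0900000\n"
UNLOADING = "av_monitor 45056 0 - Unloading 0xffffffffc0a10000\n" + WITHOUT_AV

def demo():
    a = Snapshot("boot-1", parse_modules(WITH_AV))
    b = Snapshot("boot-1", parse_modules(UNLOADING))   # mid-unload, same boot
    c = Snapshot("boot-2", parse_modules(WITH_AV))     # reloaded after reboot
    d = Snapshot("boot-3", parse_modules(WITHOUT_AV))  # gone after another reboot
    return audit([a, b, c, d])
```

On a real host, `take_snapshot()` would be run periodically and the results shipped off the machine, since anything able to unload the driver can also tamper with local records.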

The Anti-virus Times recommends

Of course, system restarts do not ruin hard drives. They don't result in increased disk usage. They are needed so that new anti-virus driver versions, potentially equipped with new detection routines or new digital signatures that comply with Microsoft’s latest requirements, can be installed.

Therefore, reboot without fear!
