Caution: adjust paranoia level to DEFCON 5 for me for a minute please. Thanks.

Ok, so you've got some bullet-proof setup. You're running 64-bit Win 7 or Vista, so you have PatchGuard as well. You need to install some new drivers or what you think is a legitimate program, and so you take down your "shields" and give admin rights. But you've actually got some nasty sophisticated rootkit that has stolen certificates and is 0-day, so it scans clean etc. What are the specific attack vectors that need to be protected to stop this thing from gaining the power to completely subvert the operating system and hence evade detection forever?

I've been reading about TDSS a bit and it seems that there are two main tactics: writing to the MBR and partitioning the disk to create a new boot partition (with the rootkit on it of course - fricking genius you have to admit). I can also imagine that writing to the BIOS could be another avenue. If each of these is covered, and you have PatchGuard to protect the kernel (from what I've read PatchGuard seems to have been 'avoided', e.g. by the above methods, rather than ever actually being broken, i.e. a compromised kernel), is there anything left?

If this stuff can be 100% protected against (barring of course the inevitable currently unknown exploit), all you have to worry about is some persistent infection that at least will eventually be detected by a periodic scan, as opposed to a sneaky little bugger that can control your hard drive and hide from scanners.

Second question - how much of this can be protected against using just the tools that come with the OS? Is it possible? Or do we need third-party software, and if so, which ones can proactively defend against these threats as outlined above? I'm aware that the MBR at least can be protected by MBR Guard from Blue Ridge, which is now no longer available and is part of AppGuard.
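The two TDSS tactics named in the post (rewriting the MBR bootstrap code and adding a new, active boot partition) both leave traces in sector 0 of the disk. The script below is an added example, not code from the original post or from any product mentioned in it: it parses a classic 512-byte MBR, hashes the bootstrap code area, and diffs the partition table against a trusted baseline so that a changed boot loader, a newly appeared partition, or a moved active flag shows up as a named finding. The two sample sectors are constructed inline (their bootstrap bytes, disk signature and partition layout are invented for illustration); `read_first_sector()` is included so the same check can be run against a real device, which needs administrator or root privileges.

```python
"""Parse a 512-byte MBR and diff it against a trusted baseline copy.

Added example, not part of the original post. Sample sectors are constructed
below; read_first_sector() would read sector 0 from a raw disk device instead.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440           # bootstrap code area precedes the disk signature
PT_OFFSET = 446               # first of four 16-byte partition table entries
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def read_first_sector(device_path: str) -> bytes:
    # Windows: r"\\.\PhysicalDrive0" (needs admin); Linux: "/dev/sda" (needs root).
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_mbr(code: bytes, disk_sig: int, entries) -> bytes:
    """Assemble an MBR from parts; used here only to construct sample data."""
    sector = code.ljust(BOOTSTRAP_LEN, b"\x00")
    sector += struct.pack("<IH", disk_sig, 0)           # disk signature + 2 reserved bytes
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)
        for status, ptype, lba_start, sectors in entries
    )
    sector += table.ljust(64, b"\x00") + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(mbr: bytes) -> dict:
    """Extract the fields an integrity check cares about from one sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(mbr)}")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    active = [i for i, p in enumerate(parts) if p["status"] == 0x80]
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOTSTRAP_LEN)[0],
        "partitions": parts,
        "active_index": active[0] if len(active) == 1 else None,  # None: zero or several active flags
    }


def integrity_report(current: bytes, baseline: bytes) -> dict:
    """Compare a freshly read MBR with a baseline taken when the system was known good."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    added, removed, changed = [], [], []
    for i in range(4):
        c, b = cur["partitions"][i], base["partitions"][i]
        if b["type"] == 0 and c["type"] != 0:
            added.append(i)        # a partition appeared in a previously empty slot
        elif b["type"] != 0 and c["type"] == 0:
            removed.append(i)
        elif c != b:
            changed.append(i)      # status, type, start or size differs
    report = {
        "signature_ok": cur["signature_ok"],
        "bootstrap_changed": cur["bootstrap_sha256"] != base["bootstrap_sha256"],
        "disk_signature_changed": cur["disk_signature"] != base["disk_signature"],
        "active_changed": cur["active_index"] != base["active_index"],
        "added_partitions": added,
        "removed_partitions": removed,
        "changed_partitions": changed,
    }
    report["clean"] = report["signature_ok"] and not any(
        v for k, v in report.items() if k.endswith("_changed") or k.endswith("_partitions"))
    return report


# Constructed baseline: one active NTFS-type partition starting at LBA 2048.
BASELINE_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb", 0x1A2B3C4D,
                         [(0x80, 0x07, 2048, 204800)])
# Constructed tampered sector: bootstrap bytes altered, original partition
# de-activated, and a new active partition appended after it.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 6, 0x1A2B3C4D,
                         [(0x00, 0x07, 2048, 204800), (0x80, 0x07, 206848, 4096)])

if __name__ == "__main__":
    for key, value in integrity_report(TAMPERED_MBR, BASELINE_MBR).items():
        print(f"{key:24} {value}")
```

The baseline should be captured and stored off the machine while the system is known good, and the comparison is only trustworthy when the sector is read from a context the rootkit does not control: a kit that has already hooked disk I/O can return the clean sector to a reader running on the infected OS, so boot media is the reliable place to run it. GPT disks keep a protective MBR plus a separate partition header, so this check covers only the legacy layout the post discusses.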