Excerpts from my personal blog follow... Someone tell me I'm wrong?

[hr]

* The checksum options offered are all CRC-based. Unix root-kits have been circumventing these for years (decades?) and I would assume that many Windows ones do as well.
* Checksumming is disabled by default. To turn it on, the user must enable it both globally (disabled by default), and then individually for each file (again, disabled by default.) This is not immediately obvious within the product (and in fact I assumed that the per-file check-list was actually for the "delete selected file from list" function.) As a result, the risk of misconfiguration is extremely high.
* The interface shows "Checksum Computation Running" even when it is disabled (both globally and on all files). As a result, the risk of misconfiguration is extremely high.
* The datestamp tests only check the modification time, rather than the creation time. This is trivially spoofed, and doesn't require any special rights (WinZip does this all the time, for example.)
  Note: Tested on a FAT partition; it is possible that the results on NTFS would be different.
* Watch-lists are not encrypted by default, and it is not possible to tell from the GUI whether or not they are encrypted. This would create a serious risk of misconfiguration if it weren't for...
* Watch-list "encryption" is little more than XOR with all-bits-one. It is not clear that this achieves anything other than lulling users into a false sense of security.
* The product doesn't detect unauthorised changes to its own configuration, even while running. (Although note that it will not actually reload the configuration until restarted.) While it might be claimed that the user will notice configuration changes, I would expect a significant amount of time to pass before this actually happens (if ever -- for example, how many users really come back and double-check their anti-virus settings once they have them set up to their satisfaction?)
  Note: It is not possible to configure the tool to monitor its own configuration as that is stored in the registry, rather than as a file.
* The product doesn't appear to store file checksums between runs. As a result, any changes that happen on your system while the filechecker is not actually running will not get detected. For example, if the user picks up malware that only fully installs on a reboot (when fewer files are locked), FileChecker will not detect it.
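
An added example, not part of the original post and not FileChecker's code: a sketch of the properties the post finds missing, namely a cryptographic digest instead of a CRC, a baseline that persists between runs, and an HMAC tag so that edits to the baseline itself are noticed. All function names, file names and the key are assumptions made for the illustration.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of the file contents (cryptographic, unlike a CRC)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def _tag(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def save_baseline(paths, baseline_path, key):
    """Persist digests between runs, authenticated with an HMAC tag."""
    body = json.dumps({str(p): file_digest(p) for p in paths}, sort_keys=True)
    Path(baseline_path).write_text(json.dumps({"body": body, "tag": _tag(body, key)}))

def verify(baseline_path, key):
    """Return [(path, reason)] for everything that no longer matches the baseline."""
    stored = json.loads(Path(baseline_path).read_text())
    if not hmac.compare_digest(_tag(stored["body"], key), stored["tag"]):
        return [(str(baseline_path), "baseline-tampered")]  # trust none of its digests
    changed = []
    for path, digest in json.loads(stored["body"]).items():
        if not os.path.exists(path):
            changed.append((path, "missing"))
        elif file_digest(path) != digest:
            changed.append((path, "modified"))
    return changed

def demo():
    key = b"constructed-demo-key"  # assumption: real key lives off the monitored host
    with tempfile.TemporaryDirectory() as d:
        target, baseline = Path(d, "watched.bin"), Path(d, "baseline.json")
        target.write_bytes(b"original contents")  # constructed sample file
        save_baseline([target], baseline, key)
        old, st = file_digest(target), target.stat()
        clean = verify(baseline, key)
        # Same-length edit with the modification time put back afterwards.
        target.write_bytes(b"modified contents")
        os.utime(target, (st.st_atime, st.st_mtime))
        after_change = [reason for _, reason in verify(baseline, key)]
        # Swap the stored digest for the new one without knowing the key.
        baseline.write_text(baseline.read_text().replace(old, file_digest(target)))
        after_tamper = [reason for _, reason in verify(baseline, key)]
    return clean, after_change, after_tamper

if __name__ == "__main__":
    print(demo())
```

Because the baseline is a file on disk, `verify` can be run at startup to catch changes made while no monitor was running; the HMAC key has to be kept somewhere the monitored account cannot read or rewrite, otherwise the tag adds nothing.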