F-SECURE CLIENT SECURITY 9.01 - RELEASE NOTES Release Note page 11

Restricted user cannot remove malware [54576]
Malware removal fails if the scanning and removal task is run by a user who is logged on to the
computer under a restricted account, and the folder with the infected files does not include write
permissions to restricted users. For example, if the infected files are under the system folders
(e.g. "C:\WINDOWS") or Program Files folders (e.g. "C:\Program Files") then restricted users
will not be able to remove them. Removal will succeed if the files are under the user's own
folder.
This behavior is by design, to make sure that restricted users cannot remove important system
files: sometimes false alarms may occur, and some software, especially those categorized as
"riskware" by the product, may have legitimate uses and should not be removed by users who
do not have administrator permissions.
To be able to remove all malware, log on to the computer under an account that belongs to the
Administrators group.
When a virus is detected, Vista prompts for administrator permission [54418]
When real-time scanning detects malware in a file that is being accessed by the operating
system, the operating system may show an error message "Destination Folder Access Denied:
You'll need to provide administrator permissions to copy this file". After the user decides to
grant administrator permissions for completing the operation, the operation to access the file
still fails and the user is asked to retry. A typical scenario for this error message to appear is
when the user attempts to unpack a compressed (zipped) folder that contains an infected file.
This behavior is by design. When real-time scanning detects an infected file, it blocks access
to this file to any process on the system, including operating system components. Blocking
access to the infected files is necessary to make sure that malicious programs will not activate
on the system. When Vista gets an "access denied" error from the file open operation, it
incorrectly assumes that the operation failed because the user does not have enough privileges
to access the file, and will show the described error message.
Automatic actions for viruses also used for suspicious items [53064]
When the action setting for viruses for manual scanning has been set to Delete, Quarantine or
Rename automatically, and suspicious items (files that are hidden by a rootkit but not found
infected by known malware) are found by rootkit scanning then all the suspicious items
detected will either be deleted or renamed also, according to the following list:

Action for viruses = Delete automatically: suspicious items will be deleted

Action for viruses = Quarantine automatically: suspicious items will be deleted

Action for viruses = Rename automatically: suspicious items will be renamed
Note that as noted above, "Quarantine automatically" will result in suspicious items to be
deleted instead of quarantining, as quarantining of suspicious items is currently not an available
feature in the product.
In some situations, this behavior can be dangerous, for example, in case a rootkit would hide
important operating system or application binaries. This is however not a likely scenario, as
hiding such binaries would make the operating system or the application dysfunctional anyway.
Copyright © 2010 F-Secure Corporation. All rights reserved. Page 11 of 15