Due to the difficulty of detecting rootkits (because they are easily modified), I got to wondering about maybe a different approach to detection/prevention that I hadn't seen covered anywhere. Since I am a Linux newbie, maybe something like this is already implemented, and I haven't found it yet.

One of the difficulties with rooting Windows lies in the implementation of Windows File Protection (XP) and System File Protection (WinME), which in my understanding are a built-in intrusion detection system. Without getting too long-winded, upon startup and at regularly scheduled times, WFP scans sensitive files to see if they have been altered. When it detects a change, it looks in the dllcache, driver.cab, or the original installation files to see if a copy is there. If it finds a good version, it overwrites the bad version. If it can't find a good version, it pops an error message.

Does Linux incorporate a similar system? It seems to me that it wouldn't be too difficult to implement, but I am not a coder. For all I know, it opens another can of worms.

Any thoughts?
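The WFP behaviour described in the question (record a known-good state for sensitive files, rescan them, restore from a cache when one has changed, and report when no good copy exists) reduces to a small hash-based integrity check. The following is an added example written for this thread, not code from the original post or from any Linux distribution; it builds a SHA-256 baseline of a set of files, then re-checks them against that baseline and either restores a file from a cache directory or flags it. The file names, the `cache/` directory and the tampering scenario in `demo()` are all constructed inside a temporary directory so the script runs offline.

```python
"""WFP-style file integrity check and restore (added example, not from the thread)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(files):
    """Record the hash of each protected file; this is the 'known good' state."""
    return {str(p): sha256_of(Path(p)) for p in files}


def check_and_restore(baseline, cache_dir):
    """Rescan every protected file against the baseline.

    A file whose hash still matches is reported 'ok'. A changed or missing file
    is restored from cache_dir if the cached copy itself hashes to the baseline
    value (so a tampered cache cannot be used to 'restore' a bad file); otherwise
    the mismatch is reported and the file is left for an operator to examine.
    """
    report = {}
    for path_str, expected in baseline.items():
        path = Path(path_str)
        actual = sha256_of(path) if path.exists() else None
        if actual == expected:
            report[path_str] = "ok"
            continue
        cached = Path(cache_dir) / path.name
        if cached.exists() and sha256_of(cached) == expected:
            shutil.copy2(cached, path)
            report[path_str] = "restored"
        else:
            report[path_str] = "modified-no-good-copy"
    return report


def demo():
    """Constructed scenario: two protected files, only one of which has a cached copy."""
    root = Path(tempfile.mkdtemp())
    cache = root / "cache"
    cache.mkdir()
    sysdir = root / "sys"
    sysdir.mkdir()
    a = sysdir / "a.so"
    b = sysdir / "b.so"
    a.write_bytes(b"good a")
    b.write_bytes(b"good b")
    shutil.copy2(a, cache / "a.so")          # only a.so has a known-good cached copy
    baseline = build_baseline([a, b])
    a.write_bytes(b"tampered a")             # simulate both files being altered
    b.write_bytes(b"tampered b")
    report = check_and_restore(baseline, cache)
    return report, a.read_bytes(), b.read_bytes()


if __name__ == "__main__":
    report, a_bytes, b_bytes = demo()
    for path, status in report.items():
        print(f"{status:24s} {path}")
```

The check hashes the cached copy before trusting it, which is the part of the design that matters: a baseline or cache that the same privilege level can rewrite gives no protection, so in practice the baseline lives on read-only or signed storage and is generated before the system is exposed. The Linux equivalents the question is asking about are the package manager's recorded checksums (for example `rpm -V` or `debsums`) and dedicated integrity checkers such as Tripwire and AIDE, with the same limitation as WFP: a rootkit that controls the kernel can hide changes from any userland reader, so these checks are strongest when run from trusted offline media.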