What is the difference between quick scan and deep scan?

[bad-antics]

rupurt has quick and deep scan modes. What exactly does each one check?

[bad-antics]

Here is what each scan mode covers:

Quick Scan (runs in seconds):

• Check /proc for hidden processes (PID comparison)
• Verify system binary integrity (hash check of key binaries)
• Check loaded kernel modules against whitelist
• Look for common rootkit files/directories
• Basic network socket analysis

Deep Scan (can take minutes):

• Everything in Quick Scan, plus:
• Full filesystem integrity scan (all system binaries)
• eBPF program enumeration and analysis
• Kernel symbol table verification
• System call table integrity check
• Inline hook detection in kernel functions
• Memory analysis for hidden processes
• Network traffic analysis for covert channels
• Full signature database scan (280+ signatures)
• Volatility-style memory forensics

When to use each:

• Quick Scan: Regular scheduled checks, incident triage
• Deep Scan: Post-incident forensics, baseline verification, compliance audits

You can also run specific modules individually with the --module flag.