Under optimal circumstances, system administrators, end users, and security personnel will all agree to the installation of a required rootkit. Of course, it will not be referred to as a rootkit under these circumstances; it will be called something like filtering software or outbound content compliance software. The important point is that the software is intended: it is installed with the knowledge and consent of the organization that owns the systems.
This is not to say the software is desired. When it comes to personal use of corporate assets, most individual users will not wish to be monitored, and some will try to disable or remove the agent. As such, any form of allowed monitoring should contain some form of compliance feedback, such as link heartbeats or periodic status reporting, so that a silenced agent is noticed rather than assumed to be working. Because the controller relies on that feedback, it should be authenticated (for example with a keyed MAC) and sequence-numbered, so that a user who has disabled the agent cannot keep it looking healthy by replaying old reports. Feedback between a rootkit and a monitoring system also allows a centralized controller to provide concise system conformance reporting, which is a near-certain requirement in an intended deployment environment.
Another form of feedback to consider is forensic data. Rootkit techniques are well suited to employee monitoring, and monitoring often adds a requirement for forensic data capture. Adding this legal consideration to the initial design of a rootkit can provide a wealth of possibilities when the customer asks, “How do I prove it in court?” Forensic data capture capabilities require not only additional processing and disk space, but also additional anti-tamper functionality: captured records must be tamper-evident, keyed with material the monitored user cannot reach, and accompanied by a documented chain of custody, or they will not survive a challenge. Allowing for this requirement at the initial stages of design will make forensics much easier to support.
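The following is an added example of the kind of tamper-evident capture the paragraph above asks for; it is not code from the book. Each forensic record is bound to its predecessor with HMAC-SHA256, so that editing, deleting, or silently truncating records breaks the chain. The record layout, the function names, and the sample events are assumptions made for this illustration.

```python
"""Tamper-evident forensic record chain (added illustration, not the book's code).
Record fields, function names, and sample events are assumptions for this example."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

GENESIS = "0" * 64   # anchor for the first record; constructed for the example


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so writer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, key: bytes, event: dict) -> dict:
    """Append an event, binding it to the previous record's MAC.
    The key belongs to the agent (ideally in hardware or a protected service),
    not on the monitored host's disk, so someone who edits the file cannot re-MAC it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "event": event}
    rec = {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}
    chain.append(rec)
    return rec


def verify_chain(chain: list, key: bytes, expected_len: Optional[int] = None) -> Tuple[bool, str]:
    """Walk the chain and report the first record where integrity breaks.
    `expected_len` is the record count the controller last learned from the agent's
    status reports; it lets the verifier catch records dropped from the end."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i:
            return False, f"record {i}: sequence gap (found seq {body.get('seq')})"
        if body.get("prev") != prev:
            return False, f"record {i}: prev MAC does not match record {i - 1}"
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, rec.get("mac", "")):
            return False, f"record {i}: MAC mismatch (content altered)"
        prev = rec["mac"]
    if expected_len is not None and len(chain) != expected_len:
        return False, f"truncated: {len(chain)} records, controller expected {expected_len}"
    return True, "ok"


def demo():
    key = b"forensic-key-held-by-agent"   # constructed for the example
    events = [                            # constructed sample events
        {"ts": 1700000000, "type": "usb_copy", "path": "C:\\Users\\jdoe\\q3-forecast.xlsx", "dev": "E:"},
        {"ts": 1700000042, "type": "print", "doc": "customer-list.pdf", "pages": 12},
        {"ts": 1700000090, "type": "net_upload", "host": "files.example.net", "bytes": 1048576},
    ]
    chain = []
    for ev in events:
        append_record(chain, key, ev)
    intact = verify_chain(chain, key, expected_len=3)

    edited = json.loads(json.dumps(chain))   # deep copy, then alter one captured field
    edited[1]["event"]["pages"] = 1
    altered = verify_chain(edited, key, expected_len=3)

    spliced = [chain[0], chain[2]]           # a record removed from the middle
    deleted = verify_chain(spliced, key, expected_len=3)

    cut = chain[:2]                          # records dropped from the end
    truncated = verify_chain(cut, key, expected_len=3)
    return intact, altered, deleted, truncated


if __name__ == "__main__":
    for name, result in zip(("intact", "altered", "deleted", "truncated"), demo()):
        print(f"{name:10s} {result}")
```

The chain only proves that the records have not changed since they were written; it does not prove the agent wrote the truth. That is why the count (or the head MAC) should also travel to the controller in the periodic status reports, so a host that has been rolled back can be compared against what the controller already saw.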
When developing client/server compliance and anti-tamper systems, the rootkit designer must choose between two options for the moment when non-compliance or tampering is detected. Fail-safe functionality (what much of the security literature calls fail-closed or fail-secure) will block operations when tampering is detected. This is opposed to fail-open functionality, which will only report the incident and allow unrestricted operation when defeated. Some environments will be more concerned with employee productivity and require fail-open systems, whereas other environments will not have the luxury of placing productivity over compliance. The choice can be made per channel: network traffic, USB file transfer, CD/DVD burning, and even print operations can each be set to fail-open or fail-safe when there is a clear indication that the monitoring system is not operating properly. Whichever mode is chosen, the controller should still record every operation that took place while the agent was non-compliant, so that the gap in coverage is visible afterwards.
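The following is an added example, not code from the book, that ties together the compliance feedback described earlier and the fail-open/fail-safe choice described above: an agent emits HMAC-authenticated, sequence-numbered heartbeats, and a centralized controller uses them to decide, per channel, whether an operation is allowed while the agent is silent or reports tampering. The wire format, the `Controller` class, the channel names, and the sample timestamps are all assumptions made for this illustration.

```python
"""Heartbeat-based compliance feedback with per-channel fail-open / fail-closed policy.
Added illustration, not the book's code; message format, class and channel names are
assumptions for this example.  The text's "fail-safe" is FAIL_CLOSED here."""
import hashlib
import hmac
import json

FAIL_OPEN = "fail-open"      # on non-compliance: allow the operation, report only
FAIL_CLOSED = "fail-closed"  # on non-compliance: block the operation


def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so agent and controller MAC identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_heartbeat(key: bytes, agent_id: str, seq: int, ts: int, hooks_intact: bool) -> dict:
    """Agent side: a periodic status report authenticated with HMAC-SHA256."""
    body = {"agent": agent_id, "seq": seq, "ts": ts, "hooks_intact": hooks_intact}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class Controller:
    """Centralized monitor: validates heartbeats, tracks liveness and tamper reports,
    and answers allow/block queries for each controlled channel."""

    def __init__(self, key: bytes, timeout: int, policy: dict):
        self.key = key
        self.timeout = timeout   # seconds without a valid heartbeat before an agent is "silent"
        self.policy = policy     # channel -> FAIL_OPEN | FAIL_CLOSED
        self.agents = {}         # agent_id -> {"seq", "last_ok", "tampered"}
        self.events = []         # audit trail of anomalies and non-compliant operations

    def receive(self, msg: dict) -> bool:
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            self.events.append(("bad_mac", msg.get("agent")))
            return False
        state = self.agents.setdefault(body["agent"], {"seq": -1, "last_ok": None, "tampered": False})
        if body["seq"] <= state["seq"]:   # replayed or out-of-order report: do not refresh liveness
            self.events.append(("replay", body["agent"], body["seq"]))
            return False
        state["seq"] = body["seq"]
        state["last_ok"] = body["ts"]
        if not body["hooks_intact"]:      # tamper flag is sticky until an operator clears it
            state["tampered"] = True
            self.events.append(("tamper", body["agent"]))
        return True

    def status(self, agent_id: str, now: int) -> str:
        state = self.agents.get(agent_id)
        if state is None or state["last_ok"] is None or now - state["last_ok"] > self.timeout:
            return "silent"
        return "tamper" if state["tampered"] else "compliant"

    def decide(self, agent_id: str, channel: str, now: int) -> str:
        """Return 'allow' or 'block' for one operation on one channel."""
        if self.status(agent_id, now) == "compliant":
            return "allow"
        mode = self.policy.get(channel, FAIL_CLOSED)   # unknown channels default to closed
        self.events.append(("noncompliant_op", agent_id, channel, mode))   # logged in both modes
        return "allow" if mode == FAIL_OPEN else "block"


def demo():
    key = b"shared-secret-provisioned-at-install"   # constructed for the example
    ctl = Controller(key, timeout=60, policy={
        "network": FAIL_OPEN,    # productivity first: report, do not block
        "usb": FAIL_CLOSED,      # compliance first: block until the agent is healthy again
        "print": FAIL_OPEN,
        "optical": FAIL_CLOSED,
    })
    ctl.receive(make_heartbeat(key, "ws-17", seq=1, ts=1000, hooks_intact=True))
    healthy = ctl.decide("ws-17", "usb", now=1030)          # allow: heartbeat is fresh
    silent = ctl.decide("ws-17", "usb", now=1100)           # block: no heartbeat for >60 s
    silent_net = ctl.decide("ws-17", "network", now=1100)   # allow: fail-open channel
    ctl.receive(make_heartbeat(key, "ws-17", seq=2, ts=1110, hooks_intact=False))
    tampered = ctl.decide("ws-17", "optical", now=1120)     # block: agent reports hooks missing
    forged = make_heartbeat(b"wrong-key", "ws-17", seq=3, ts=1130, hooks_intact=True)
    accepted = ctl.receive(forged)                          # False: MAC does not verify
    return healthy, silent, silent_net, tampered, accepted, ctl.events


if __name__ == "__main__":
    print(demo())
```

Note that a fail-open channel still produces an audit event for every operation performed while the agent was silent or tampered, so the period of unmonitored activity is visible in the conformance report even though nothing was blocked. The sticky tamper flag is a design choice: once an agent reports its hooks missing, a later "all clear" from the same host is not trusted on its own.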