program reads files and checks. They are not stored on your machine.
And of course people should be careful and not trust everyone. Not just in a context of rootkits or even computing in general.
they exactly are stored in machine, for example arch, pacman on installation calculates hash of the package compressed file and compares with a hash from mirror and if it's ok so package will be installed and hashes of its files will be stored in mtree files on disk, -rw------- root:root. even rkhunter has some databases which contains known to be original hashes and compares with them. they all comes with packages and are stored in machine
Обсуждают сегодня