Maybe a built-in process monitor??

I know nothing about the inner workings of a computer. The way these rogue/fake AVs are able to infect the MBR, add another partition, infect your host file, change permissions, and hide files does not seem like normal behavior and should trigger a prompt asking you what to do before allowing this to proceed. This post was brought on after helping a friend recover from a System Check infection after he clicked on an American Airlines fake email. Thanks. He had NIS 2012 up to date when this happened.