A robust and reliable mechanism is disclosed for detecting whether a system has (or may have) been booted into a compromised or otherwise unprotected environment, so that a persisted clean file cache can be used across boots when appropriate. As such security scanning of files. A clean file cache can be maintained and used by a security application to avoid unnecessarily re-scanning a file that has not been modified since last being scanned and determined clean. Unnecessary scans are therefore avoided.