Re: Cannot run my antispyware or antivirus program
- From: chame1eon <chamee1eon@xxxxxxxxx>
- Date: Thu, 06 Nov 2008 14:29:00 -0500
On Wed, 05 Nov 2008 14:46:55 -0500, Moe Trin <ibuprofin@xxxxxxxxxxxxxxxxxxxxxx> wrote:
On Tue, 04 Nov 2008, in the Usenet newsgroup alt.computer.security, in article
<op.uj3ob2g26vfhnv@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>, chame1eon wrote:
<ibuprofin@xxxxxxxxxxxxxxxxxxxxxx> wrote:
You are depending on your tools to be able to detect the mal-ware.
How do you know that 1) your tools haven't been compromised? 2) the
access to the disk and/or operating system hasn't been altered such
that your tools can't detect all of the alterations? 3) your tool[s]
are even _aware_ of the latest version of the mal-ware? 4) your
tool[s] have removed that _cause_ of the problem - the hole that the
mal-ware used to gain control of your system in the first place.
I actually prefer things like hijack this, Ice sword, and the Systems
Internals tools that aren't as likely to need constant updates.
Obviously it would be a little crazy to avoid the scanners that rely
on definitions.
Your tool should then know exactly what your system looks like in an
uncompromised state. The usual answer to that is something like 'aide'
(a modern replacement for 'tripwire'). Briefly, you have a snapshot
of the system - often, multiple hashes to provide confidence - that is
kept in a secure place. When you want to check the system, you bring
out this magic (bootable) media, and run the various check-sums and
hashes, comparing your snapshot with what-ever is on your system now.
You use a separate operating system to avoid being had by an alteration
in the normal O/S that either ignores data, or fakes the hash/checksum
algorithms - everything is fine, citizen, nothing to worry about...
The problem that usually defeats this type of system comparison is that
your system is not static. Things are changing, perhaps frequently. It
might be O/S updates/errata/patches, someone clicking on the "save this
desktop arrangement - I like it" icon, or it might be someone
installing a "helper" tool they found on some website to give them an
innocent looking (to Mommy or the Significant Other) icon to click that
will take them directly to their favorite gaming or pr0n site. How do
you separate the wheat from the chaff - the real bad stuff from the
stupid annoyances? Oh, and how do you know what the changes are
actually doing?
I can see how any of them could fail especially when rootkits are
involved, and when I'm not sure exactly how they hide themselves and
where exactly things like Ice Sword and rootkit revealer are reading
the information from.
Another disturbing thought: Does your anti-malware know how to talk
_directly_ to the disk/what-ever? Or as is MUCH more likely, it is
using O/S calls to find out what files are out there (trivial to
subvert) never mind accessing those files.
I guess when security is really important, or when someone isn't
completely aware of the risks, a clean install is the safest.
You might be highly skilled at debugging an operating system or an
application, but how many others are? That's why this enormous
aftermarket in anti-mal-ware tools exist. And the tools have to be
built such that your Aunt Bessie (who has a hard time figuring out
how to operate a light switch) can use them.
I just hate resorting to formatting and I don't see how you can learn
anything about how the virus got there what, it was doing, and how,
if you erase all of the evidence.
Not a problem. You do have spare disks, right? Pop the contaminated
or questionable one out, drop in the replacement, and away you go. You
are aware of mal-ware that installs itself in RAM, then erases the
delivery files, right? It's gone when you reboot, never-mind doing a
wipe and reinstall, but while it was there it could have been mailing
death threats to your national politicians, spamming every customer of
the ten largest ISPs in the world, mailing home any credit card and
banking data it finds, as well as your SSH keys (so that other systems
you have access to become 0wn3d by the bad guy).
Old guy
I think you're right that malware could be a lot more sophisticated, but because a large number of users don't take countermeasures, it doesn't need to be. So when it comes to things I think I'm likely to encounter on my home PC, convenience can take precedence.
I'm trying to get a degree for something computer related, so depending on what
I end up doing, knowledge about tighter security could become an issue.
I still want to see what aide does though, so thank you.
I would switch out disks, but I don't even have a good way to back up the stuff I have until I get more money :( Most people whose PCs I've cleaned don't have spares either.
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
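The snapshot-and-compare check that Moe Trin describes above (an aide/tripwire-style baseline of several hashes, kept off the machine and verified from separately booted media), as an added example that is not part of the original thread and is not aide's own code. It assumes the baseline JSON is written to removable media and that the check is run from a clean boot, so the hashing code itself is not subject to the compromised OS; the sample tree, file contents and the `ignore` prefix list are constructed here for illustration. The `ignore` parameter is one answer to the "wheat from the chaff" problem raised in the post: paths expected to churn (logs) are reported separately instead of burying the real finding.

```python
"""Minimal aide/tripwire-style file integrity baseline and check (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterator

# Two independent digests per file, as the post suggests, so a collision
# against one algorithm does not silently pass the check.
HASHES = ("sha256", "blake2b")


def _digests(path: str) -> Dict[str, str]:
    """Stream the file once, feeding every configured hash."""
    hs = {name: hashlib.new(name) for name in HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def _walk(root: str) -> Iterator[str]:
    """Deterministic traversal so two baselines of the same tree compare equal."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            yield os.path.join(dirpath, name)


def build_baseline(root: str) -> Dict[str, dict]:
    """Record mode bits, size and digests of every regular file under root."""
    baseline = {}
    for path in _walk(root):
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks and devices would need their own records; skipped here
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        baseline[rel] = {
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
            **_digests(path),
        }
    return baseline


def check(root: str, baseline: Dict[str, dict], ignore=()) -> Dict[str, list]:
    """Compare the live tree against the saved baseline.

    ignore: relative path prefixes that are expected to change (logs, caches);
    changes there are listed under 'ignored' rather than mixed with findings.
    """
    current = build_baseline(root)
    report = {"added": [], "removed": [], "changed": [], "ignored": []}
    for rel in sorted(set(current) | set(baseline)):
        if any(rel.startswith(p) for p in ignore):
            if current.get(rel) != baseline.get(rel):
                report["ignored"].append(rel)
            continue
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif current[rel] != baseline[rel]:
            fields = [k for k in current[rel] if current[rel][k] != baseline[rel].get(k)]
            report["changed"].append((rel, fields))
    return report


def demo() -> Dict[str, list]:
    """Constructed sample: a log that churns (benign) and a binary that is replaced (bad)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "var", "log"))
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
    with open(os.path.join(root, "var", "log", "syslog"), "wb") as fh:
        fh.write(b"boot ok\n")

    # Baseline taken while the system is trusted; this string is what would be
    # written to the removable media the post talks about.
    saved = json.dumps(build_baseline(root), sort_keys=True)

    # Later: the log grows, 'ls' is trojaned and made setuid, and a file is dropped.
    with open(os.path.join(root, "var", "log", "syslog"), "ab") as fh:
        fh.write(b"user logged in\n")
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\" | grep -v rootkit\n")
    os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
    with open(os.path.join(root, "bin", ".hidden"), "wb") as fh:
        fh.write(b"payload")

    return check(root, json.loads(saved), ignore=("var/log/",))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports `bin/.hidden` as added, `bin/ls` as changed (mode, size and both digests), and `var/log/syslog` only under `ignored`. The comparison is only as trustworthy as the environment it runs in: if the check is launched from the suspect OS, the same subverted file-system calls the post warns about can feed it the original bytes.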