Re: Stinger
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 06/29/04
- Previous message: guru sundara: "Hostile Script Message"
- In reply to: Jupiter Jones [MVP]: "Re: Stinger"
- Next in thread: Robert Moir: "Re: Stinger"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Jun 2004 11:46:05 +0200
On Sun, 27 Jun 2004 18:00:17 -0600, "Jupiter Jones [MVP]"
>Sounds like you mean a regular AV application.
Yep.
>Hopefully you have one installed.
Yes, but that won't hit the spot Stinger is designed for.
>Additionally many of the AV makers have online scanners.
I'd use those ONLY in the context of uploading particular suspect
files to be scanned. I wouldn't allow a web site to inspect all the
files on my system while online for reasons that should be obvious.
>However you should still have one on the computer.
I think the poster is looking for an after-the-fact av scanner to look
for *active* malware, i.e. after whatever risk management (including
the installed av, which I agree he should have) has failed.
In that sense, anything that has to be installed is doomed. You need
something that runs formally, i.e. without running any potentially
infected code first. What's doomed to varying extents are:
1) Windows-based av
That you suspect active malware means this has already failed.
Several modern malware are av-aware, and simply nuke a long list of
running tasks by name, re-direct av URLs, and/or tangle with installed
files to render these inoperative or uninstallable.
2) Online scanners
Modern malware may miss these, and thus allow them to run, if the site
plays "musical chairs" with URLs and task names etc. but even so, you
are scanning for active beasts that are well-positioned to shoot first.
3) Stinger and other dedicated cleaners
These can be run fresh, thus free of pre-existing pre-emptive strikes,
and new downloads can play "musical chairs" to keep the malware on the
back foot, just as new malware keeps av on the back foot. The risk of
triggering a counter-strike may be lower, in that malware that are not
the target of a specific cleaner may ignore it.
They work well as a postfix/back-check after a formal scan has
hopefully de-activated the malware, being better able to clean up
registry settings etc. So an approach may be to use a formal scanner
to rename-away rather than delete malware code, so that the fixer can
still detect it and thus do the appropriate settings clean-up.
If FATxx, then there are several good, free DOS-based av that can do
that scanning: stick www. and .com onto f-prot, nod32 and sophos and
there you go. If NTFS, well... let me know what you find, because
NTFS is horribly "maintenance-challenged" as per
http://cquirke.mvps.org/whatmos.htm
In theory, you may run an av from Bart's PE CDR boot. But the av
would have to be one that:
1) Doesn't require installation; Stinger qualifies
2) Has or doesn't need a special "plug-in" wrapper for Bart's PE
3) Is Bart-aware so that it writes to HD not Bart's CDR registry
Without (3), you are no better off than an NT-unaware DOS-based
scanner, in that you have to do the registry cleanup yourself. Still,
that's a vast improvement on not having a clue whether there's nil to
be found vs. smart malware that can't be found informally.
In theory, you can use a CDR-bootable Linux, such as Knoppix (oh, the
irony - having to rely on a Linux to pull NT out of trouble). Your
challenges, as a Linux know-nil, will be to:
- download and make the Linux boot CDR
- ensure your hardware is supported
- download and integrate a Linux-based av
- download and integrate av updates on an ongoing basis
- do above preferably without making a new CDR every time (USB?)
If not for the NTFS maintenance crisis, I'd have no reason to learn
Linux, battle with tar or gz archives and all that stuff that I
currently have no interest in. But when a product is bad enough, one
is more or less forced out of one's comfortable nest to start looking.
>-------------------- ----- ---- --- -- - - - -
No, perfection is not an entrance requirement.
We'll settle for integrity and humility
>-------------------- ----- ---- --- -- - - - -
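The "rename-away rather than delete" idea from the post above, as an added worked example that is not cquirke's own code or any tool mentioned in the thread. It quarantines suspect files on an offline-mounted volume by renaming them with an inert suffix and records the original path and hash in a manifest, so a later dedicated cleaner can still detect the file and a false positive can be restored. The ".vir" suffix, the manifest file name, the constructed sample volume and the sample file names are all assumptions.

```python
"""
Added example (not from the original post): a "rename-away" quarantine for
suspect files on an offline-mounted volume, i.e. renaming rather than
deleting malware code so a later dedicated cleaner can still find it.
The ".vir" suffix, the manifest name and the sample files are assumptions;
the sample volume is constructed in a temp directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path

QUARANTINE_SUFFIX = ".vir"                  # assumed inert suffix, not an executable type
MANIFEST_NAME = "quarantine-manifest.json"  # assumed name, written at the volume root


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rename_away(volume_root: Path, suspects: list[str]) -> list[dict]:
    """Rename each suspect file under volume_root to <name>.vir and record it.

    Files are never deleted, so a later cleaner can still detect them and do
    its registry/settings clean-up, and a false positive can be restored.
    Returns the manifest entries written for this run.
    """
    root = volume_root.resolve()
    entries = []
    for rel in suspects:
        src = (root / rel).resolve()
        # Refuse anything that escapes the mounted volume (e.g. "../" in a list).
        if root not in src.parents:
            continue
        if not src.is_file() or src.suffix == QUARANTINE_SUFFIX:
            continue                      # missing, or already renamed earlier
        dst = src.with_name(src.name + QUARANTINE_SUFFIX)
        entry = {
            "original": str(src.relative_to(root)),
            "renamed": str(dst.relative_to(root)),
            "sha256": sha256_of(src),
            "size": src.stat().st_size,
        }
        src.rename(dst)
        entries.append(entry)
    manifest = root / MANIFEST_NAME
    existing = json.loads(manifest.read_text()) if manifest.exists() else []
    manifest.write_text(json.dumps(existing + entries, indent=2))
    return entries


def restore(volume_root: Path, original_rel: str) -> bool:
    """Undo one quarantine entry (false positive). Returns True if restored."""
    root = volume_root.resolve()
    manifest = root / MANIFEST_NAME
    if not manifest.exists():
        return False
    entries = json.loads(manifest.read_text())
    for e in entries:
        if e["original"] == original_rel:
            renamed = root / e["renamed"]
            # Only restore if the quarantined copy is still the file we renamed.
            if renamed.is_file() and sha256_of(renamed) == e["sha256"]:
                renamed.rename(root / e["original"])
                entries.remove(e)
                manifest.write_text(json.dumps(entries, indent=2))
                return True
    return False


def demo() -> dict:
    """Build a constructed volume with a fake suspect file and run both steps."""
    vol = Path(tempfile.mkdtemp(prefix="vol-"))
    (vol / "WINDOWS").mkdir()
    bad = vol / "WINDOWS" / "suspect.exe"          # constructed sample, not malware
    bad.write_bytes(b"not real malware, just sample bytes")
    (vol / "WINDOWS" / "kernel32.dll").write_bytes(b"legit sample")
    done = rename_away(vol, ["WINDOWS/suspect.exe", "../etc/passwd", "WINDOWS/missing.exe"])
    return {
        "renamed": [e["renamed"] for e in done],
        "original_gone": not bad.exists(),
        "renamed_exists": (vol / "WINDOWS" / "suspect.exe.vir").exists(),
        "untouched": (vol / "WINDOWS" / "kernel32.dll").exists(),
        "restored": restore(vol, "WINDOWS/suspect.exe") and bad.exists(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from the boot environment against the mounted volume's root rather than a live system root: the whole point of the post is that the scanner and this rename step execute before any code on the suspect volume has had a chance to run. The manifest is what makes the rename reversible, so keep it with the volume (or copy it off) until the follow-up cleaner has done its settings clean-up.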