Re: Proprietary Partitions
From: Zvi Netiv (support_at_replace_with_domain.com)
Date: Tue, 08 Feb 2005 19:55:42 +0200
"Yor Suiris" <yor@canlightNOThall.net> wrote:
> On a number of computer systems the manufacturers (Dell, Compaq, etc) create
> and populate their own partition, for drivers, diagnostics, etc.
> And this partition is often not visible to the O/S (different file system), and so
> the virus software does not scan it.
> My Question,
> Are there Viruses/Trojans/??? that can embed themselves in the Manufacturers
> Partition and thus load themselves up at boot without interference from the
> virus software?
The proprietary partitions you are referring to are totally inert during normal
operation of the PC. The special partition can usually be found at the
beginning of the boot drive, where you would expect the primary partition to be.
The proprietary partition isn't recognized during the normal boot sequence,
initiated by the BIOS, by assigning it a non-standard system byte type, in the
partition table in the MBR. Compaq, for example, marks the partition as type 18
(decimal). The special partition can be accessed by calling a custom routine in
the BIOS, during the boot process, by pressing a predetermined key - F10 in
> I ask because we have a Dell machine (XP) that we scan and find nothing.
> Then we run Diskeeper (Defrag) and the on access scanner keeps finding
> stuff that the recent system scan did not.
Defragmenters affect just the logical drive specified for defragmentation.
Therefore the "findings" of Diskeeper, or DEFRAG for that matter, are
necessarily located on the drive you are defragmenting, nowhere else.
Yet your question discloses a bad habit. Defragmentation is known to be one of
the causes for file system damage (corruption), if the process suddenly crashes
or hangs. Therefore, you should always stop disk access intensive background
processes before starting a defragmentation session.
Processes that pose a risk to defragmentation are: file indexing, on-access AV,
and file transfers (e.g. downloading from the Internet). There is another
aspect to leaving on-access AV active during defragmentation, and it's its speed.
The AV will inspect every single file accessed by the defragger every time it is
accessed, which may be tens of times during the session! The result will be
considerable slowdown, not to mention the risk of crashing the process due to an
occasional false alarm or conflict.
Therefore, do this before starting a defragmentation session:
1. Disconnect from the web / LAN.
2. Close all running tasks.
3. Disable on-access AV, file indexing, and every service / process that is
intensive in disk access.
Personally, I prefer defragmenting in safe mode, when the defragmenter is the
only active task except Windows' bare essentials.
--
NetZ Computing Ltd. ISRAEL  www.invircible.com  www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
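The reply above explains that a vendor service partition is hidden from the OS only by its partition-type byte in the MBR partition table, not by any special protection. The following script is an added example, not code from the post or from any vendor: it parses a raw 512-byte MBR, lists the four primary partition entries, and flags entries whose type byte is a known vendor/diagnostic or "hidden" type, so an administrator can check whether such a partition exists on a machine at all. The type-to-name table and the sample MBR bytes are constructed for the example (0x12 is the Compaq diagnostics type named in the post; the other identifiers are taken from the usual published partition-type lists and are assumptions about what a given vendor used on a given model).

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # the 64-byte partition table starts after the boot code
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type byte, CHS end, LBA start, sector count

# Partition type bytes that mark partitions the OS normally ignores (assumed table,
# assembled from published type lists; 0x12 = 18 decimal is the Compaq type from the post).
VENDOR_TYPES = {
    0x12: "Compaq diagnostics / service partition",
    0xDE: "Dell utility partition",
    0xFE: "IBM PS/2 IML (utility) partition",
    0x11: "hidden FAT12",
    0x14: "hidden FAT16 (<32 MB)",
    0x16: "hidden FAT16",
    0x1B: "hidden FAT32",
    0x1C: "hidden FAT32 (LBA)",
    0x1E: "hidden FAT16 (LBA)",
}


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of an MBR partition table as dicts."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA boot signature missing")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "vendor": VENDOR_TYPES.get(ptype),   # None for ordinary OS-visible types
        })
    return parts


def hidden_partitions(mbr: bytes) -> list:
    """Only the entries whose type byte marks a vendor/diagnostic or hidden partition."""
    return [p for p in parse_mbr(mbr) if p["vendor"] is not None]


def build_entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    """Pack one 16-byte partition entry (CHS fields zeroed; LBA is what matters here)."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)


# Constructed sample MBR (not captured from a real machine): a type-0x12 service
# partition at the start of the disk, as the post describes, then a bootable NTFS (0x07)
# partition, then two empty slots and the boot signature.
SAMPLE_MBR = (
    b"\0" * TABLE_OFFSET
    + build_entry(0x00, 0x12, 63, 80262)
    + build_entry(0x80, 0x07, 80325, 78059520)
    + b"\0" * (ENTRY_SIZE * 2)
    + b"\x55\xaa"
)


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw disk, e.g. '/dev/sda' or r'\\.\PhysicalDrive0'."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        flag = "HIDDEN: " + p["vendor"] if p["vendor"] else "normal"
        print(f"#{p['index']} type=0x{p['type']:02X} boot={p['bootable']} "
              f"lba={p['lba_start']} sectors={p['sectors']} -> {flag}")
```

Run it against a real disk by replacing `SAMPLE_MBR` with `read_mbr(...)`, which needs administrator/root rights because it opens the raw device. A flagged entry only tells you that a partition of that type is present and where it starts; whether anything inside it is executed at boot is decided by the BIOS/firmware hot-key routine the post describes, not by the type byte itself.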