Re: Safe to create Ghost image of infected partition?

From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 03/11/05


Date: Fri, 11 Mar 2005 11:31:23 +0200

On Wed, 09 Mar 2005 16:28:56 +0200, Zvi Netiv
>Ian JP Kenefick <ian_kenefick@eircom.net> wrote:
>> On 8 Mar 2005 04:48:03 -0800, vitoprimo@yahoo.com wrote:

>> A solution :) Slave the infected disk on an uninfected machine. This
>> means you physically hook up the infected disk to an uninfected
>> machine with up to date antivirus and scan the infected disk removing
>> any viruses detected as infected. You should be able to boot windows
>> normally provided you were able to disinfect as opposed to delete the
>> infected files. Then put the slaved disk back in its PC and boot up
>> windows.

>Bad advice. The concept of "clean boot" for disinfecting, also known as "formal
>scanning" is a remain from the early nineties, when that approach was justified,
>and was perpetuated by those that have difficulties in adopting new techniques,
>and abandon old ones that won't do anymore.

False. The risks from informal scanning, and especially blind
informal cleaning, are as high as they ever were.

>Windows should be cleaned from Windows, preferably from safe mode WITH COMMAND
>PROMPT, when booted from its native system drive.

For malware, Safe Mode isn't, for reasons that I'd prefer to flesh out
in email - though the obvious ones are obvious enough. Safe mode
(yes, even Cmd only) abounds with opportunities to autorun malware,
and it's easy for malware to know it's running in Safe Mode.

>The reason is that current malware (spyware included) affect more
>than just a single object and modify entries in the registry, in startup
>files and in various configuration files (INI, HOSTS, startup groups,
>etc.). Effective cleaning requires that the changes in the registry
>be reverted and all configuration areas be inspected and fixed.

Sure, that's a given. The safety chart is:

                Detect     Clean
    Formal      Safe       YMMV1
    Informal    YMMV2      YMMV3

So the idea is:
  - formally *detect* malware
  - if unfamiliar malware, swot it up
  - proceed as per information you read

The reason you do not want to tackle malware while it is running is
because active malware will be in a position to strike back.

>Moreover, some cleaners use those system changes as cues to detect the
>presence of particular threats.

Sure, which makes it easier for rootkits to hide them. That's also
the reason why I retain Temp and TIF when scanning.

Some advocate cleaning them to speed up the scan, but the fastest scan
is to do nothing at all; once you do take the time to scan, you want
that to be as effective as possible.

>By booting clean, on a surrogate PC, you deprive the cleaner, whichever it is,
>from pointers to the most critical elements such as the registry file and the
>entire set of configuration elements.

Hosted scanning has its own risks and benefits. It is potentially
formal, in that the boot process doesn't boot the infected HD, but
this can be undermined if the infected HD is browsed from the host -
then the risk increases, including risk of infecting the host.

The other problem is one you refer to; that the av will be accessing
the wrong registry and settings files, i.e. those on the host.
Depending on the av's logic, it may:
  - miss infections, if relying on settings cues
  - mis-clean by deleting detected files but cleaning wrong settings

It's possible to write av so that it's aware of the hosted context,
and thus have it manage the correct settings. This is more likely to
be developed for Bart's PE than XP itself, and I'd expect that
awareness in any av that is written for Bart's PE.

Avast's av for Bart's PE tackles this in a way closer to your own
approach; it seeds the HD's startup axis with settings to fix the
malware the next time the HD is booted. As long as Avast do this
properly on a case-by-case basis, this should be OK in that when Avast
comes to something that cannot be safely cleaned in this way, they
would be unlikely to ship such cleaning logic.

At that point they'd have to do what ideally they should have done
already; predicted the inherent unsafety in tackling active malware
while it is running. You cannot presume malware coders will
under-exploit such opportunities forever.

>This is why Windows cleaning should be
>conducted after booting of its own system.

That's the logic Avast's Bart's PE av uses at present. Let's enjoy
that while it lasts, but have no illusions this will always be safe
practice, because it's not.

FWIW, my first scans would be:
  - F-Prot for DOS, detect only, from DOS mode diskette boot
  - Trend SysClean, detect only, from Bart's PE

If NTFS, you have to skip the first.

>-------------------- ----- ---- --- -- - - - -
    Reality is that which, when you stop believing
    in it, does not go away (PKD)
>-------------------- ----- ---- --- -- - - - -
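The post's point about hosted scanning is that an av run from a host (or from Bart's PE) must read the registry, INI files, HOSTS and startup groups of the slaved volume, not the host's own; otherwise it misses settings cues or cleans the wrong files. The script below is an added example written for this page, not code from the post, from Avast, or from any other av vendor. It is a hypothetical, stdlib-only Python helper that is handed the mount point of an offline volume and inspects a few of the configuration areas the post names (HOSTS, win.ini run=/load=, per-user Startup folders) strictly relative to that root; the Windows 2000/XP directory layout and all sample file contents are constructed for the example and are assumptions, not data from the page.

```python
"""Inspect autostart and configuration areas on a slaved (offline) Windows volume.

Hypothetical helper, not from the post. Every path is resolved relative to the
offline volume root, never to the scanning host's own %SystemRoot%, which is the
"hosted context" problem the post describes.
"""
import tempfile
from pathlib import Path

LOOPBACK = {"127.0.0.1", "::1"}

# Windows 2000/XP-era layout (the post is from 2005); assumed, not from the page.
HOSTS_REL = Path("WINDOWS/system32/drivers/etc/hosts")
WIN_INI_REL = Path("WINDOWS/win.ini")
STARTUP_GLOB = "Documents and Settings/*/Start Menu/Programs/Startup/*"


def hosts_overrides(hosts_text: str) -> list:
    """Return (name, ip) pairs other than the plain 'localhost' loopback entry.

    Both shapes are reported: a name pointed at a non-loopback address, and a
    non-localhost name pinned to loopback (a common way to block av updates).
    """
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if ip in LOOPBACK and name.lower() == "localhost":
                continue
            found.append((name, ip))
    return found


def win_ini_autoruns(ini_text: str) -> dict:
    """Return non-empty run=/load= values from the [windows] section of win.ini."""
    section = None
    result = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key in ("run", "load") and value:
                result[key] = value
    return result


def inspect_offline_volume(root: Path) -> dict:
    """Collect autostart cues from the volume mounted at `root` (never from the host)."""
    report = {"hosts": [], "win_ini": {}, "startup": []}
    hosts = root / HOSTS_REL
    if hosts.is_file():
        report["hosts"] = hosts_overrides(hosts.read_text(errors="replace"))
    win_ini = root / WIN_INI_REL
    if win_ini.is_file():
        report["win_ini"] = win_ini_autoruns(win_ini.read_text(errors="replace"))
    # desktop.ini is the folder's own customisation file, not an autostart item
    report["startup"] = sorted(
        p.relative_to(root).as_posix()
        for p in root.glob(STARTUP_GLOB)
        if p.is_file() and p.name.lower() != "desktop.ini"
    )
    return report


def build_sample_volume(base: Path) -> Path:
    """Write a constructed XP-style volume under `base` (sample data, not real malware)."""
    root = base / "slaved_C"
    (root / HOSTS_REL).parent.mkdir(parents=True)
    (root / HOSTS_REL).write_text(
        "# constructed sample HOSTS file\n"
        "127.0.0.1 localhost\n"
        "127.0.0.1 update.example-av.test   # pins an update host to loopback\n"
        "10.0.0.99 www.bank.example         # redirects a site elsewhere\n"
    )
    (root / WIN_INI_REL).write_text(
        "[windows]\nload=\nrun=C:\\WINDOWS\\sample-dropper.exe\n[fonts]\n"
    )
    startup = root / "Documents and Settings" / "user" / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (startup / "update.lnk").write_bytes(b"")
    return root


def demo() -> dict:
    """Build the constructed sample volume in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_offline_volume(build_sample_volume(Path(tmp)))


if __name__ == "__main__":
    for area, items in demo().items():
        print(area, items)
```

The registry is the area the post stresses most, and this example deliberately leaves it out: an offline SOFTWARE hive has to be loaded as a separate key or parsed with a dedicated hive reader before its Run entries can be read, and the same rule applies there as for the files above, i.e. open the slaved volume's hive, not the host's.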


