Re: Recommend a good free anti-virus utility

From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 05/27/05


Date: Fri, 27 May 2005 09:18:35 +0200

On Thu, 26 May 2005 12:57:53 GMT, spam@spamcop.com (Bob) wrote:
>On Thu, 26 May 2005 11:00:48 +0200, "cquirke (MVP Windows shell/user)"

(extended to microsoft.public.security.virus as I wish those eyeballs
to see this discussion too, if that's OK with everyone)

>>>| Speaking of backup, I just installed an Enermax 352 RAID-1/Backup unit
>>>| with 2 drive bays. I am going to use it exclusively in the Backup mode.

Oops, I missed that second sentence :-)

>>>| The entire operation is done in H/W automatically - no boot to
>>>| DOS, no UNBOOTABLE DEVICE errors, no incremental nightmares, no
>>>| missing files not backed up. The entire disk is copied once every day
>>>| automatically

>>An extra 2 x HDs purely for backup is quite a hefty outlay, mind, so
>>this solution isn't for everyone.

>I can get the WD 80GB 8MBCache SE drive for $60.

HDs are prolly cheapest cost-per-Meg at those capacity levels, which
is why I have a pile of 200G floating around. S-ATA makes it easier
(and safer, at the hardware level) to swap them around, but right now
the OS doesn't have a clue - it still thinks every newly-discovered HD
is "part of the system" and starts drooling SR on it, etc.

>>The backup HD removable, I take it?

>Yes. The Enermax 352 has two removable trays. They are hot swappable
>too.

Nice.

>>>| I will backup each morning at 4:00 am, after I have scanned the disk
>>>| with eTrust at 3:15 (I have auto updates set for every hour).

>>Ah, there's a weak spot - relying on a provocative system scan from
>>within the infected installation. If you're actively infected, the av
>>failed, and is likely to continue to do so even if subsequently
>>updated (assumes the active malware allows it to update itself and to
>>run the scan). If the malware responds punitively, you'd have to fall
>>back a day. That's assuming you are not backing up over yesterday's
>>backup, which is in itself bad backup practice.

>Elsewhere I pointed out that I am going to keep one of the 3 disks as
>a disaster recovery archive. Each week I will rotate the 3 -disk set
>putting the boot disk on the shelf and moving the daily backup disk to
>boot position and moving the weekly backup disk to daily backup

Ah, that's nice - gives a bit of temporal depth. Assumes any
infection will come to light within 7 days, though... the other
approach is to retain cast-in-stone system backups made after
significant code changes, onto which a pure data backup is restored.

Once again, the need to scope out data from code arises, in both
directions, and MS OS design is only weakly dabbling with this (SR,
FAST). Without a hard data vs. code distinction, and an awareness
that incoming material should be handled with fire tongs, we can only
get so far with this approach.

As it is, your current backup philosophy relies on time as your scope.
Backup precedes the disaster, and an insidious disaster such as silent
malware ownership is hedged by throwing in a bigger time delta.
There's only so far that approach can take you.

A question to ask when planning backups is: What scenarios am I
hedging against? That determines how you scope.

>I will do that on Sunday when I have time to do other things like a
>complete AV scan, disk cleanup, CHKDSK, defrag, Registry clean

The order that you do things in will be important, i.e. I'd backup
before a "registry clean" myself.

You need better tools than ChkDsk too, and you don't have them unless
you are prepared to chuck out NTFS. Else you have a problem - should
you backup before ChkDsk "fixes" detectable damaged files into
undetectable damaged files, or after, or both?

If you do chuck out NTFS, and your HDs are < 137G, you can operate
from DOS Mode as a maintenance OS. That means you can do an
interactive Scandisk and base the decision on whether to backup pre-
or post-repair on what Scandisk finds, backing out if it is about to
do something stupid ("The C:\WINDOWS directory is invalid, and will be
repaired by truncating it at the first invalid entry" etc.).

That also means you can use one of a few full-breadth DOS-based
antivirus scanners to scan for malware while the infected system is
not running, and thus while the malware is unable to defend itself.

In NTFS, you'd use Bart's PE as your maintenance OS. You're still
stuck with ChkDsk, but at least you can run it without the /F ("F me,
I trust you!") parameter and believe the results; as the OS isn't
running from C:, you won't get spurious errors from files in use.

Then you'd have to find something approaching a full-breadth av
scanner. You might pay hundreds of dollars for a year of Avast on
Bart, or you'd have to settle for weak-breadth scanners such as McAfee
Stinger, Trend SysClean and similar killers of subsets of available
malware from Avast, AVG etc. Of these, SysClean is the broadest, but
it is slow, doesn't show results as it goes, and reporting is hell.

If it's NTFS and you have to do everything twice (ChkDsk to evaluate,
ChkDsk /F if safe; multiple partial-breadth av scans) then a single
day may not be enough clock time. If on FATxx, it's faster.

>I am of the belief that virus/trojan prevention depends on not letting
>anything in to begin with.

Sure, but "security in depth" means you never assume your defences
will hold up and plan what to do next when these fail. This clue is
still conspicuously absent in XP, where the assumption is that because
XP on NTFS is "so secure" and "so stable", that the need to regain
ownership from malware or recover data from a barfed file system will
never arise. If that were true, the only scenario you'd have to
backup against would be hardware (failure, destruction or theft).

>I have a NAT router plus Kerio firewall plus CA AV plus Ad-Aware
>plus 3 different Registry scanners. Not much is going to get in to
>my machine to begin with, and if something does sneak by me, I
>will find it - assuming these programs are any good.

Yes, there's a lot of optimism in there, and I'd expect those measures
to cut down the mean time between infection to once in X years, rather
than (worst-case, i.e. pre-SP2 XP duhfault install) 10 minutes to
Lovesan. But the mean thing about "mean time" is that it's
indeterminate; the average may be 5 years, but your particular
experiential sample may be two weeks.

The main optimism is that tools running from within the infected
installation can taxi off the runway and get airborne while active
malware sits up there in the clouds and allows this to happen.

The other optimism is that you won't get a new malware within the Day
Zero period, before mugshot-recognition scanners (av, AdAware etc.)
have got a sample, analysed it, ensured it's not a legitimate program,
created a detection for it, tested that, deployed it to their update
servers, and your system obtains and integrates the defence.

During Day Zero, no tools see the threat, and no-one has any clue as
to what is going on or what should be done to fix things. All you
have is core malware theory to fall back on, and if you get that
wrong, you can not only lose your "live" installation and data but
taint your backups too.

Day Zero is why I take this stuff seriously, because it can create an
unmanageable bulge in the demand for tech services that make it
impossible to maintain promised service levels (unless you have one
tech dedicated to each client site).

Day Zero can escalate rapidly - Sapphire (Slammer) went global in 10
minutes. That's a big-bang start; if defences take the nominal "day"
to chase after the galloping horse to lead it back to the stables,
it's going to be one hell of a day.

>>>| I rotate the 3-disk set every Sunday - the 3rd disk will go on the
>>>| shelf away from the computer. That way I am no worse off than a few
>>>| hours if something happens, and if the entire unit craps out, I am no
>>>| worse off than 1 week.

>>In addition to the above, I'd maintain a few generations of pure-data
>>backup via more conventional means, applying hygiene to maintain data
>>purity (no infectable code, no incoming material, no sealed-box .ZIP
>>etc.) to hedge against malware attack. A malware that goes active and
>>evades your av will pervade all your backups within a week.

>I am considering that. I have a standard removable bay that I can use
>a disk cloner to backup to. But that means I have to buy a 4th disk or
>use the 3rd disk for that instead of rotating it thru the Enermax 352.

What I do is the following:
  - choose safe edge apps that don't run data as code
  - choose safe edge apps that don't mix incoming code with data
  - locate data, and only data, in a particular subtree off C:
  - locate incoming material in a different subtree off C:
  - create a 2am Task to archive data set to another HD volume
  - that archive process retains the last 5 backups on FIFO basis
  - create a read-only LAN share of the backup location
  - create a 4am Task to pull most recent backups from these shares
  - manually do the "last mile" of collated backups to writable disk

Reading the above makes it obvious there's no Outlook Express, much
less Outlook, in use. Outlook is the worst; not only is it dumb
enough to be exploitable from email "message text", and merges
incoming attachments with data you want to keep, it stores all of this
in a single unscannable .PST file and can be scripted to expose email
and address book data, automate malware transmission, etc.

Outlook is trying to be less easy to exploit in such ways, but the
same inherently dumb design remains. It takes more than 50 coats of
weatherproof paint over soggy cardboard to build a lighthouse.

>However, no matter what I do, I still have to create this long-term
>backup, and it is just as possible for it to become contaminated by
>the same reasoning applied to the weekly and daily backup.

Yep.

>That's why it is crucial to prevent malware to get on your system to
>begin with.

Sure, but that is a goal you can approach, but can never be sure you
have attained. Perhaps our perspectives differ; as a user, you'd do
what you can and call in tech assistance when things go wrong. My
perspective is from that of the tech you might call in, and with
current OS design, much of my cupboard is bare.

"NTFS? Sorry mate, you're ^&%$ed"

XP is simply not built with data recovery or the regaining of
ownership from malware in mind - no-one has thought that far.

>---------- ----- ---- --- -- - - - -
   Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -
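The nightly data-only archive with five-generation FIFO retention that the post describes ("What I do is the following") can be written as a small script. The following is an added example and not the poster's own tooling; the directory names, the exclusion list of infectable extensions and the timestamp format are assumptions, and scheduling it as a 2am Task is left to the Task Scheduler. The hygiene rule from the post (no infectable code, no incoming material, no sealed-box archives in the data set) is enforced by skipping and reporting such files rather than copying them, and the FIFO order is taken from the timestamp in the archive name rather than from file mtimes, so a touched or clock-skewed file cannot push an older generation to the front of the queue.

```python
"""Added example (not from the original post): data-only archive job with
FIFO retention. Paths, suffix list and retention depth are assumptions."""
import tarfile
import tempfile
import time
from pathlib import Path

# Hygiene rule from the post: the data set holds data only. These suffixes
# (a constructed, illustrative list) are skipped and reported, never archived.
INFECTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                       ".vbs", ".js", ".wsf", ".hta", ".dll",
                       ".zip", ".rar", ".cab", ".pst"}
KEEP_GENERATIONS = 5  # "retains the last 5 backups on FIFO basis"


def is_clean_data(path: Path) -> bool:
    """True if the file may go into the data-only archive."""
    return path.suffix.lower() not in INFECTABLE_SUFFIXES


def prune_fifo(backup_dir, keep):
    """Delete the oldest archives so at most `keep` remain. Ordering is by
    the zero-padded timestamp in the file name, not by mtime."""
    archives = sorted(Path(backup_dir).glob("data-*.tar.gz"))
    for old in (archives[:-keep] if keep > 0 else archives):
        old.unlink()
    return sorted(Path(backup_dir).glob("data-*.tar.gz"))


def archive_data(data_root, backup_dir, keep=KEEP_GENERATIONS, stamp=None):
    """Archive data_root into backup_dir/data-<stamp>.tar.gz, skipping files
    that fail the hygiene rule, then prune to `keep` generations.
    Returns (archive_path, skipped_relative_paths, remaining_archives)."""
    data_root, backup_dir = Path(data_root), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M")
    archive = backup_dir / f"data-{stamp}.tar.gz"
    skipped = []
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(data_root.rglob("*")):
            if p.is_dir():
                continue
            rel = p.relative_to(data_root).as_posix()
            if not is_clean_data(p):
                skipped.append(rel)      # report, so the stray can be moved out
                continue
            tar.add(p, arcname=rel)
    return archive, skipped, prune_fifo(backup_dir, keep)


def demo(base_dir=None):
    """Constructed sample run: a small data tree with a stray .exe and .zip in
    an 'incoming' subtree, then seven nightly runs to show FIFO pruning.
    Returns a summary dict (used by the assertions below)."""
    base = Path(base_dir or tempfile.mkdtemp(prefix="fifo-demo-"))
    data = base / "Data"
    (data / "letters").mkdir(parents=True, exist_ok=True)
    (data / "incoming").mkdir(exist_ok=True)
    (data / "letters" / "to_bob.txt").write_text("hello")
    (data / "budget.csv").write_text("item,cost\nWD 80GB,60\n")
    (data / "incoming" / "setup.exe").write_bytes(b"MZ...")  # constructed bytes, not a program
    (data / "incoming" / "photos.zip").write_bytes(b"PK...")
    history = []
    for day in range(21, 28):                   # constructed dates, seven nights
        archive, skipped, remaining = archive_data(
            data, base / "Backup", stamp=f"200505{day}-0200")
        history.append((archive.name, len(remaining)))
    with tarfile.open(archive) as tar:
        members = tar.getnames()
    return {"skipped": sorted(skipped),
            "kept": [p.name for p in remaining],
            "history": history,
            "members": members}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The 4am pull from a read-only LAN share, the next step in the post, is what makes this worth doing: the machine that collates the archives only ever reads from the producing machines, so a compromised producer cannot write into the collated set, and a compromised collator cannot reach back and alter the producer's own five generations.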