Re: What is a good free antivirus protection program? Is AVG a good free program?
- From: "cquirke (MVP Windows shell/user)" <cquirkenews@xxxxxxxxxxxxxxx>
- Date: Thu, 05 Jan 2006 00:19:55 +0200
On Tue, 03 Jan 2006 17:18:33 GMT, Leythos <void@xxxxxxxxxxx> wrote:
>cquirkenews@xxxxxxxxxxxxxxx says...
>> On Mon, 2 Jan 2006 21:26:46 -0600, "Charlie Tame" <charlie@xxxxxxxxx>
>> >"Leythos" <void@xxxxxxxxxxx> wrote in message
>> More to the point is the chicken-and-egg question: Were these PCs
>> infected because they were not updated, or could these PCs not be
>> updated because they were infected?
>Since the same systems with current AV definitions had already detected
>and quarantined the same virus during the same date range, it appears to
>me that the lack of definition updates caused the AV product to miss the
>new virus, while the other machines were protected with their updated
>definitions.
Makes sense. Sometimes an earlier infection can nuke the
updateability; sometimes it's a Dial-Up Notworking thing, other times
it's user failure (of which the annual feeware death is one form).
>> Re-installing what - the av, or the OS?
>> A malware that knocks out an av's ability to update itself, is
>> unlikely to sit around allowing you to re-install the same av.
>I agree, in the case of machines that are compromised, we may take our
>personal time to clean them as a learning experience, but we never
>return them to the customer as "cleaned", we always wipe/reinstall from
>scratch (the OS and APPS).
That's exactly what I do not do. I have as little faith in "just" wipe
and rebuild as a fix as I do in cleaning (and 100% for either). Your
approach of performing both detection forensics and rebuilding is a
solid one, but has too much adverse impact for my sort of clients.
>> "Just re-install" is not a substitute for malware management :-/
>The only true way to ensure that malware has been removed is to
>wipe/reinstall the OS and APPS. While this is a hard line to take, it's
>the only true way to ensure that the system is clean at the time it's
>returned.
Meaningless, in that simply being clean at the time of resuming
productive use isn't enough - the system has to *stay* clean.
If simply rebuilt to duhfult fresh install status, this is far from
assured. If building to SP2 specs and then adding patches and
additional risk management, you should be OK, but then if that was how
the infected PC was originally set up, then clearly it wasn't enough.
The fact that the PC was infected suggests that whatever the
defenses were, they were not effective. So you'd want to know what
the infectors were, how they got in, etc. to be reasonably sure the
same attack methods will not succeed again.
The degree of "reasonably sure" is fairly similar to the confidence of
having really cleaned an infected system - a malware that can escape
formal detection and cleaning, may also escape detection and
assessment and be able to re-infect the rebuilt system. By
definition, an undetectable malware can't be excluded either way.
So I don't see one approach as being as much "better" as the other,
and I see the blind "wipe and rebuild" approach (i.e. without any
assessment of what the infectors were, and certainly if no further
post-install/post-patch hardening is done) as the weakest method.
>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -