Re: Scanning from a CD
- From: "cquirke (MVP Windows shell/user)" <cquirkenews@xxxxxxxxxxxxxxx>
- Date: Sat, 31 Mar 2007 15:53:23 +0200
"Bill Ridgeway" wrote:
> I have a computer which I suspect has viruses and spyware which I would like
> to scan from a CD. Is it possible to copy the required NIS files (including
> the up-to-date signatures) to a CD?
NIS being Norton Internet Security? I think there's a Bart plugin for
at least part of that, but it's not what I'd use.
I do like the approach of scanning from outside the system, i.e. with
no part of the infected installation code running.
For old Win9x PCs with under 64M RAM, a DOS EBD diskette boot and DOS
av scanners such as those from F-Prot, Sophos and/or NOD32 would work.
For newer PCs up to XP and Server 2003 with at least 64M RAM, Bart PE
(built with an \i386 file set from XP SP2 or Server 2003) would be a
better bet, as this runs several Windows-based tools as well as the
DOS ones mentioned earlier, and overcomes 137G and NTFS barriers.
For Vista PCs, you'd use WinPE 2.0, WinRE or the Vista DVD itself as
your DVD-booted maintenance OS (mOS). The range of effective tools
may be more limited than Bart, however, especially for Vista64.
Tools that I've plugged into my Bart CDR include:
- Trend TsysClean *
- McAfee ScanPM CLI scanner
- McAfee Stinger (*)
- F-Prot CLI scanner and F-Prot for DOS
- Sophos CLI scanner *
- Kaspersky CLI scanner *
- AdAware **
- Spybot
- A Squared **
- HiJackThis **
- Norsoft utilities **
* = can get and update via David Lipman's MultiAV
** = requires RunScanner plugin to operate relative to HD registry
Google( Bart PE ) to learn about this mOS. It's probably the best out
there, though it can't read Win9x and Vista registries; it's the only
one that has any seamless registry access, thanks to the RunScanner
plugin, as effective on Win2000, XP and Server 2003.
It can seem daunting, getting tools "plugged in" to Bart, but
fortunately there are existing plugins for many tools. Once you do
get the hang of Bart plugins, you can plug in many tools quite easily,
but some remain difficult. There are excellent Bart forums for help.
Some caveats when scanning from CD with Bart:
- RunScanner needed to operate with HD registry in effect
- even so, driver and service reporting will be relative to CD OS
- Bart sees USB devices at boot; won't see swaps or late inserts
- Bart can see SD card swaps within a reader present at boot
- Bart boots and runs off CD, not via RAM disk as WinPE does
  - so you cannot eject the Bart CD during the runtime!
- Bart uses RAM disk for workspace; may be too small
  - plugins can be used to resize RAM disk, or direct Temp to HD
- no "undo" info is kept when cleaning from Bart
- rootkit behavior detectors aren't useful from Bart
- System Restore is not active during a Bart session
So while Bart lets you operate on malware "while it is sleeping" and
can't defend itself, it also means no "undo" via installed scanners or
System Restore will be possible - so be careful.
Not as formal (in that it does run from the infected OS, though
booting to Safe Mode Cmd Only will help a bit) but a lot easier, is
David Lipman's Multi-AV. You can also use that to update its
scanners, then copy those scanners to your Bart build subtree.
HTH
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -
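The caveat above that "driver and service reporting will be relative to CD OS" is the one that most often trips people up when working from a CD-booted maintenance OS: the tools you run see the mOS's own registry, not the infected installation's. The batch script below is an added example, not from the original post or from the Bart PE project, showing how to read the HD installation's service and driver list directly from its offline SYSTEM hive using the stock reg.exe. It assumes reg.exe is present in the mOS (it is part of the XP/Server 2003 \i386 file set), that the infected installation is visible at C:\Windows (Bart may assign a different letter; adjust HIVE accordingly), and that %TEMP% points at the Bart RAM disk. The hive is only read, never written.

```batch
@echo off
rem Added example (not part of the original post): list the services and drivers
rem of the *offline* HD installation from a CD-booted maintenance OS, so the
rem report is relative to the HD registry rather than the CD OS's own.
rem Assumptions: reg.exe is available in the mOS, and the infected Windows
rem installation is at C:\Windows (change HIVE if Bart mapped another letter).
set HIVE=C:\Windows\System32\config\SYSTEM
set MOUNT=HKLM\OfflineSYSTEM

rem Mount the HD installation's SYSTEM hive under a temporary key.
reg load %MOUNT% "%HIVE%" || (echo Could not load %HIVE% & exit /b 1)

rem Work out which ControlSet the HD installation last booted with.
rem "reg query ... /v Current" prints a line such as:  Current  REG_DWORD  0x1
for /f "tokens=3" %%c in ('reg query %MOUNT%\Select /v Current ^| find "Current"') do set CURRENT=%%c
rem set /a understands the 0x prefix; ControlSet key names are zero-padded.
set /a CSNUM=%CURRENT%
if %CSNUM% LSS 10 (set CS=ControlSet00%CSNUM%) else (set CS=ControlSet0%CSNUM%)

rem Dump every service/driver's ImagePath and Start type to the RAM disk for
rem review. Nothing in the hive is modified; this is a read-only inventory.
reg query %MOUNT%\%CS%\Services /s /v ImagePath > "%TEMP%\offline-services.txt"
reg query %MOUNT%\%CS%\Services /s /v Start >> "%TEMP%\offline-services.txt"
echo Offline service listing written to %TEMP%\offline-services.txt

rem Always unload the hive when done; a hive left loaded stays locked, and the
rem HD installation's next boot can fail until it is released.
reg unload %MOUNT%
```

Because %TEMP% on Bart lives on the RAM disk, copy the listing to the HD or a USB device that was present at boot before rebooting, or it is lost with the session. Comparing the ImagePath entries against what the installed OS reports once it is running again is a simple way to spot entries that only show up when the system is "asleep".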