Re: How to scan a compromised system?

From: x y (jamescagney90210@excite.com)
Date: 06/20/02


From: "x y" <jamescagney90210@excite.com>
Date: Wed, 19 Jun 2002 19:35:05 -0400


You only have this problem with some viruses that are memory resident
stealth viruses or that purposely try to disable your antivirus program, and
only if your antivirus scanner does not have that virus in its database
already. The most common viruses and worms you're likely to see do not fit
into either of these categories. Also, these viruses cannot infect your
machine unless your antivirus scanner is unaware of the new virus. As long
as your antivirus is set to download updates every day, having a virus slip
by your antivirus scanner is not very common. We've been running Norton
Antivirus along with Norton Antivirus internet email gateway for 1.5 years
with no virus outbreak to the best of my knowledge.

If you're in a network environment, running an AV scanner on the network
drives and running antivirus on an email server or internet email gateway
can help alert you if one client has somehow been infected. In Windows 2000
/ XP / NT, you can also try monitoring the antivirus service to confirm that
it is still running on each workstation. IPSentry server monitor and Norton
Antivirus corporate edition server both allow you to monitor services, as
would a batch file that uses the netsvc command from the Windows Resource
Kit or possibly available from www.microsoft.com/download.

Additionally, using registry entries or a .reg file to prevent .VBS and .SHS
and various other files from having an association in the registry prevents
many viruses from executing on your computer even if your antivirus is not
yet aware of them. The lines below, if copied into Notepad and saved as
filename.REG, will roll out some of these settings. I recommend these
settings for just about everyone. [You can also use Norton Internet Email
Gateway or Outlook 2000 or XP with the Microsoft Outlook security update to
block file attachments such as the ones below in emails.]

REGEDIT4

; The REGEDIT4 line above must be the first line of the file, or regedit
; will not accept it as a registry script. Comment lines start with ";".
; **************************************************
; NOTE: The following command is used in the login script
; w:\update\update.bat file to
; automatically import this reg file at every login:
; regedit /s w:\utility\chesapeake_update.reg
; DISABLE FILE EXTENSIONS ASSOCIATED MOSTLY WITH VIRUSES AND WORMS
;
[HKEY_CLASSES_ROOT\.chm]
@="chm.file"

[-HKEY_CLASSES_ROOT\.ADE]

[-HKEY_CLASSES_ROOT\.ADP]

[-HKEY_CLASSES_ROOT\.BAS]

[-HKEY_CLASSES_ROOT\.EML]

[-HKEY_CLASSES_ROOT\.ISP]

[-HKEY_CLASSES_ROOT\.JS]

[-HKEY_CLASSES_ROOT\.JSE]

[-HKEY_CLASSES_ROOT\.NWS]

[-HKEY_CLASSES_ROOT\.SCR]

[-HKEY_CLASSES_ROOT\.SCT]

[-HKEY_CLASSES_ROOT\.SHB]

[-HKEY_CLASSES_ROOT\.SHS]

[-HKEY_CLASSES_ROOT\.VB]

[-HKEY_CLASSES_ROOT\.VBE]

[-HKEY_CLASSES_ROOT\.VBS]

[-HKEY_CLASSES_ROOT\.WSC]

[-HKEY_CLASSES_ROOT\.WSF]

[-HKEY_CLASSES_ROOT\.WSH]

; *********************************************************************
; DISABLE THE FEATURE WHERE WINDOWS HIDES THE FILE EXTENSION FOR
; CERTAIN FILE TYPES MOSTLY USED BY VIRUSES
; E.G. VIRUS.TXT.VBS APPEARS TO BE VIRUS.TXT

[HKEY_CLASSES_ROOT\PIFFile]
"NeverShowExt"=-

[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=-

[HKEY_CLASSES_ROOT\SHCmdFile]
"NeverShowExt"=-

[HKEY_CLASSES_ROOT\DocShortcut]
"NeverShowExt"=-

"WDms" <wdsnews.0226@oregoncity.com> wrote in message
news:#L4uXc6FCHA.2520@tkmsftngp13...
> The trouble with the current viruses is they attack the virus scanners. Is
> there a way to boot up a Win2K system without launching the viruses in order to
> run a virus scanner? In the old days we did it with a boot floppy.
>
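
Added example, not part of the original post: a Python sketch of the attachment screening the message describes, using the extension list from its .reg file and flagging the hidden-extension disguise (VIRUS.TXT.VBS shown as VIRUS.TXT). The function name, the decoy list and the mapping of the four NeverShowExt classes to .pif, .shs, .scf and .shb are assumptions.

```python
import ntpath

# Extensions whose associations the .reg file in the post deletes.
BLOCKED = {"ade", "adp", "bas", "eml", "isp", "js", "jse", "nws", "scr",
           "sct", "shb", "shs", "vb", "vbe", "vbs", "wsc", "wsf", "wsh"}
# Assumed extensions of PIFFile, ShellScrap, SHCmdFile and DocShortcut, the
# classes whose NeverShowExt value the post removes.
HIDDEN_BY_DEFAULT = {"pif", "shs", "scf", "shb"}
# Assumed list of harmless-looking extensions used as the visible decoy.
DECOYS = {"txt", "doc", "xls", "jpg", "gif", "pdf", "htm", "html", "zip"}


def screen_attachment(name):
    """Return (verdict, reasons) for one attachment filename."""
    # Windows drops trailing dots and spaces, so "a.vbs. " opens as "a.vbs".
    base = ntpath.basename(name).rstrip(". ")
    # Strip padding around each part: "a.txt      .vbs" still ends in .vbs.
    parts = [p.strip() for p in base.split(".")]
    ext = parts[-1].lower() if len(parts) > 1 else ""
    reasons = []
    if ext in BLOCKED:
        reasons.append("blocked extension ." + ext)
    if ext in HIDDEN_BY_DEFAULT:
        reasons.append("." + ext + " is hidden by NeverShowExt")
    # A risky final extension behind a harmless-looking one is the disguise.
    if reasons and len(parts) > 2 and parts[-2].lower() in DECOYS:
        shown = base.rsplit(".", 1)[0].rstrip()
        reasons.append("double extension, displays as " + shown)
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    # The first name is the post's own example; the rest are constructed.
    for sample in ["VIRUS.TXT.VBS", "notes.txt", "photo.jpg.shs. ",
                   "report.doc      .pif", "C:\\temp\\readme"]:
        print(sample, "->", screen_attachment(sample))
```
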


