Re: How to scan a compromised system?

From: WDms (wdsnews.0226@oregoncity.com)
Date: 06/20/02


From: "WDms" <wdsnews.0226@oregoncity.com>
Date: Thu, 20 Jun 2002 08:46:26 -0700


Except that... all of your ifs are true. If you can think of a situation, I
have a client who experienced it. So the question remains, how do you boot
clean on a modern Windows system?

"x y" <jamescagney90210@excite.com> wrote in message
news:u5avJo#FCHA.1856@cpimsnntpa03...
> You only have this problem with some viruses that are memory resident
> stealth viruses or that purposely try to disable your antivirus program, and
> only if your antivirus scanner does not have that virus in its database
> already. The most common viruses and worms you're likely to see do not fit
> into either of these categories. Also, these viruses cannot infect your
> machine unless your antivirus scanner is unaware of the new virus. As long
> as your antivirus is set to download updates every day, having a virus slip
> by your antivirus scanner is not very common. We've been running Norton
> antivirus along with Norton Antivirus internet email gateway for 1.5 years
> with no virus outbreak to the best of my knowledge.
>
> If you're in a network environment, running an AV scanner on the network
> drives and running antivirus on an email server or internet email gateway
> can help alert you if one client has somehow been infected. In Windows 2000
> / XP / NT, you can also try monitoring the antivirus service to confirm that
> it is still running on each workstation. IPSentry server monitor and Norton
> Antivirus corporate edition server both allow you to monitor services, as
> would a batch file that uses the netsvc command from the Windows Resource
> Kit or possibly available from www.microsoft.com/download.
>
> Additionally, using registry entries or a .reg file to prevent .VBS and .SHS
> and various other files from having an association in the registry prevents
> many viruses from executing on your computer even if your antivirus is not
> yet aware of them. The lines below, if copied into Notepad and saved as
> filename.REG will roll out some of these settings. I recommend these
> settings for just about everyone. [You can also use Norton Internet Email
> Gateway or Outlook 2000 or XP with the Microsoft Outlook security update to
> block file attachments such as the ones below in emails.]
>
>
> REGEDIT4
>
> ; **************************************************
> ; NOTE: The following command is used in the login script
> ; w:\update\update.bat file to
> ; automatically import this reg file at every login:
> ; regedit /s w:\utility\chesapeake_update.reg
> ; DISABLE FILE EXTENSIONS ASSOCIATED MOSTLY WITH VIRUSES AND WORMS
> ;
> [HKEY_CLASSES_ROOT\.chm]
> @="chm.file"
>
> [-HKEY_CLASSES_ROOT\.ADE]
>
> [-HKEY_CLASSES_ROOT\.ADP]
>
> [-HKEY_CLASSES_ROOT\.BAS]
>
> [-HKEY_CLASSES_ROOT\.EML]
>
> [-HKEY_CLASSES_ROOT\.ISP]
>
> [-HKEY_CLASSES_ROOT\.JS]
>
> [-HKEY_CLASSES_ROOT\.JSE]
>
> [-HKEY_CLASSES_ROOT\.NWS]
>
> [-HKEY_CLASSES_ROOT\.SCR]
>
> [-HKEY_CLASSES_ROOT\.SCT]
>
> [-HKEY_CLASSES_ROOT\.SHB]
>
> [-HKEY_CLASSES_ROOT\.SHS]
>
> [-HKEY_CLASSES_ROOT\.VB]
>
> [-HKEY_CLASSES_ROOT\.VBE]
>
> [-HKEY_CLASSES_ROOT\.VBS]
>
> [-HKEY_CLASSES_ROOT\.WSC]
>
> [-HKEY_CLASSES_ROOT\.WSF]
>
> [-HKEY_CLASSES_ROOT\.WSH]
>
>
> ; *********************************************************************
> ; DISABLE THE FEATURE WHERE WINDOWS HIDES THE FILE EXTENSION FOR
> ; CERTAIN FILE TYPES MOSTLY USED BY VIRUSES
> ; E.G. VIRUS.TXT.VBS APPEARS TO BE VIRUS.TXT
>
> [HKEY_CLASSES_ROOT\PIFFile]
> "NeverShowExt"=-
>
> [HKEY_CLASSES_ROOT\ShellScrap]
> "NeverShowExt"=-
>
> [HKEY_CLASSES_ROOT\SHCmdFile]
> "NeverShowExt"=-
>
> [HKEY_CLASSES_ROOT\DocShortcut]
> "NeverShowExt"=-
>
>
>
>
> "WDms" <wdsnews.0226@oregoncity.com> wrote in message
> news:#L4uXc6FCHA.2520@tkmsftngp13...
> > The trouble with the current viruses is they attack the virus scanners. Is
> > there a way to boot up a Win2K system without launching the viruses in order to
> > run a virus scanner? In the old days we did it with a boot floppy.
> >
> >
> >
> >
>
>
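
A read-only check that the settings in the quoted .reg file are actually in effect on a workstation, added here as an example and not part of the original posts. It assumes a system with PowerShell 3.0 or later; the function name Get-ClassKeyFinding is hypothetical, and the extension and ProgID lists are copied from the quoted file.

```powershell
# Added example: read-only audit of the settings in the quoted .reg file.
# The two lists are copied from that file; nothing in the registry is changed.
$extensions = '.ADE','.ADP','.BAS','.EML','.ISP','.JS','.JSE','.NWS','.SCR',
              '.SCT','.SHB','.SHS','.VB','.VBE','.VBS','.WSC','.WSF','.WSH'
$progIds    = 'PIFFile','ShellScrap','SHCmdFile','DocShortcut'

# HKEY_CLASSES_ROOT is a merged view of a per-machine and a per-user hive,
# so a per-user key can still supply an association. Check both.
$hives = [ordered]@{
    Machine = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes'
    User    = 'Registry::HKEY_CURRENT_USER\Software\Classes'
}

# Hypothetical helper: emits one object per hive in which the key (or, when
# -ValueName is given, that value under the key) still exists.
function Get-ClassKeyFinding {
    param([string]$Name, [string]$ValueName)
    foreach ($hive in $hives.GetEnumerator()) {
        $path = "$($hive.Value)\$Name"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        # NeverShowExt is normally an empty string, so test for the value
        # name rather than for a non-empty value.
        if ($ValueName -and ($key.GetValueNames() -notcontains $ValueName)) { continue }
        $found = '(key present)'
        if ($ValueName) { $found = $ValueName }
        [pscustomobject]@{
            Name    = $Name
            Hive    = $hive.Key
            Found   = $found
            Default = $key.GetValue('')   # default value of the key, if any
        }
    }
}

$findings = @(
    $extensions | ForEach-Object { Get-ClassKeyFinding -Name $_ }
    $progIds    | ForEach-Object { Get-ClassKeyFinding -Name $_ -ValueName 'NeverShowExt' }
)

if ($findings.Count -eq 0) {
    'All listed associations and NeverShowExt values are absent.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any row in the output is a setting the .reg import did not remove, or one that was restored afterwards, for example by a software install.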


