Re: Can you really 100% clean a compromised machine 100% of the time without wiping it?
From: Shenan Stanley (newshelper_at_gmail.com)
Date: 11/17/05
- Next message: Steven L Umbach: "Re: Shared Folder Forensics"
- Previous message: Shenan Stanley: "Re: Logon without using password"
- In reply to:(deleted message) Leythos: "Can you really 100% clean a compromised machine 100% of the time without wiping it?"
- Next in thread: deebs: "Re: Can you really 100% clean a compromised machine 100% of the time without wiping it?"
- Reply: deebs: "Re: Can you really 100% clean a compromised machine 100% of the time without wiping it?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Nov 2005 17:04:18 -0600
Leythos wrote:
> Most of us who worked on computers for a living have run across many
> compromised computers with many different types of malware.
>
> As people post with compromised machines we direct them to all of the
> tools that we know about in an effort to help them regain use of their
> machines in a malware-free mode, or at least enough access to back up
> their documents and files to restore later.
>
> What is really at question is the ability of the current tools we have
> to clean 100% of the malware 100% of the time in the current and
> future environment for a given machine at a given instant.
>
> This thread is not personal, about anyone's skills, about any
> individual, it's only about cleaning malware off machines to the point
> that we could state that 100% of all malware, known and unknown, is
> removed from the machine at the moment you finish cleaning it.
>
> Do you feel 100% certain that your tools and skills can clean a
> compromised machine, 100% of the time, without any malware, known or
> unknown, remaining on the machine - 100% of the time?
>
> Since I don't believe that any one can actually say "YES" without
> limitations, then how do we help all of these clueless users ensure
> their machines are clean?
>
> We all know that you can wipe/reboot/install from clean disks, in a
> clean environment, and the machine will be clean at that moment.
>
> We all know that it takes between 30~90 minutes to restore a machine
> from scratch (depending on the method, quicker for ghost images), and
> that it's time consuming to get everything back to normal for
> customers.
>
> We all know that no one wants to wipe/reinstall as it means lots of
> extra work.
>
> Now, we also know that removing the malware can take hours in some
> cases, most takes less. For some malware you have to boot to the
> recovery console and manually remove it.
>
> So, it comes down to this - clean their system enough to save files to
> CD/DVD, then wipe it to ensure that the malware is 100% removed and
> the system is clean enough to be certified as clean.
>
> While most of us will just clean a machine and reboot it several
> times, check the registry, tasks, netstat, etc.... then run the
> malware removal tools several times, etc... It just means that we're
> willing to take the level of risk for not having to put the time in
> to ensure that the system is 100% certified clean, which means we
> don't really want to reinstall everything again :)
>
> I know that some will claim they can perfectly clean a machine, but,
> if you're really that sure you can clean 100% of malware, 100% of the
> time, now and in the future, of known and unknown malware, without a
> wipe/reinstall, then I think you're just fooling yourself.
>
> Again, are we assuming that by providing "reactionary" tools and
> methods that don't wipe/reinstall, that we're doing visitors to this
> group (and others) justice and actually providing them with a 100%
> clean platform to continue with?
I'm not 100% sure I'll wake up every morning..
(or even where sometimes..)
So - it would be ridiculous for anyone to claim 100% certainty on anything
with as many variables as that.
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html