Re: Can you really 100% clean a compromised machine 100% of the time without wiping it?

From: deebs (deebs_at_xyzlaernot999.bogus)
Date: 11/17/05

Date: Wed, 16 Nov 2005 23:24:03 +0000

Shenan Stanley wrote:
> Leythos wrote:
>
>>Most of us that worked on computers for a living have run across many
>>compromised computers with many different types of malware.
>>
>>As people post with compromised machines we direct them to all of the
>>tools that we know about in an effort to help them regain use of their
>>machines in a malware free mode, or at least enough access to backup
>>their documents and files to restore later.
>>
>>What is really at question is the ability of the current tools we have
>>to clean 100% of the malware 100% of the time in the current and
>>future environment for a given machine at a given instant.
>>
>>This thread is not personal, about anyone's skills, about any
>>individual, it's only about cleaning malware off machines to the point
>>that we could state that 100% of all malware, known and unknown, is
>>removed from the machine at the moment you finish cleaning it.
>>
>>Do you feel 100% certain that your tools and skills can clean a
>>compromised machine, 100% of the time, without any malware, known or
>>unknown, remaining on the machine - 100% of the time?
>>
>>Since I don't believe that any one can actually say "YES" without
>>limitations, then how do we help all of these clueless users ensure
>>their machines are clean?
>>
>>We all know that you can wipe/reboot/install from clean disks, in a
>>clean environment, and the machine will be clean at that moment.
>>
>>We all know that it takes between 30~90 minutes to restore a machine
>>from scratch (depending on the method, quicker for ghost images), and
>>that it's time consuming to get everything back to normal for
>>customers.
>>
>>We all know that no one wants to wipe/reinstall as it means lots of
>>extra work.
>>
>>Now, we also know that removing the malware can take hours in some
>>cases, most takes less. For some malware you have to boot to the
>>recovery console and manually remove it.
>>
>>So, it comes down to this - clean their system enough to save files to
>>CD/DVD, then wipe it to ensure that the malware is 100% removed and
>>the system is clean enough to be certified as clean.
>>
>>While most of us will just clean a machine and reboot it several
>>times, check the registry, tasks, netstat, etc.... then run the
>>malware removal tools several times, etc... It just means that we're
>>willing to take the level of risk for not having to put the time in
>>to ensure that the system is 100% certified clean, which means we
>>don't really want to reinstall everything again :)
>>
>>I know that some will claim they can perfectly clean a machine, but,
>>if you're really that sure you can clean 100% of malware, 100% of the
>>time, now and in the future, of known and unknown malware, without a
>>wipe/reinstall, then I think you're just fooling yourself.
>>
>>Again, are we assuming that by providing "reactionary" tools and
>>methods that don't wipe/reinstall, that we're doing visitors to this
>>group (and others) justice and actually providing them with a 100%
>>clean platform to continue with?
>
>
> I'm not 100% sure I'll wake up every morning..
> (or even where sometimes..)
>
> So - it would be ridiculous for anyone to claim 100% certainty on anything
> with as many variables as that.
>
I understand that the most secure server is one encased in a concrete
room, well underground with no incoming or outgoing wires (yes,
deductions can be made purely from observations of mains power use).
The trouble is that it ceases to be a server.

On the other hand, the most functional server is one that can be reached
freely, but this tends to be the least secure.

Between these two extremes are the do-able, IMO.
