Re: Can you really 100% clean a compromised machine 100% of the time without wiping it?
From: deebs (deebs_at_xyzlaernot999.bogus)
Date: Wed, 16 Nov 2005 23:24:03 +0000
Shenan Stanley wrote:
> Leythos wrote:
>>Most of us that worked on computers for a living have run across many
>>compromised computers with many different types of malware.
>>As people post with compromised machines we direct them to all of the
>>tools that we know about in an effort to help them regain use of their
>>machines in a malware free mode, or at least enough access to backup
>>their documents and files to restore later.
>>What is really at question is the ability of the current tools we have
>>to clean 100% of the malware 100% of the time in the current and
>>future environment for a given machine at a given instant.
>>This thread is not personal, about anyone's skills, about any
>>individual, it's only about cleaning malware off machines to the point
>>that we could state that 100% of all malware, known and unknown, is
>>removed from the machine at the moment you finish cleaning it.
>>Do you feel 100% certain that your tools and skills can clean a
>>compromised machine, 100% of the time, without any malware, known or
>>unknown, remaining on the machine - 100% of the time?
>>Since I don't believe that any one can actually say "YES" without
>>limitations, then how do we help all of these clueless users ensure
>>their machines are clean?
>>We all know that you can wipe/reboot/install from clean disks, in a
>>clean environment, and the machine will be clean at that moment.
>>We all know that it takes between 30~90 minutes to restore a machine
>>from scratch (depending on the method, quicker for ghost images), and
>>that it's time consuming to get everything back to normal for
>>We all know that no one wants to wipe/reinstall as it means lots of
>>Now, we also know that removing the malware can take hours in some
>>cases, most takes less. For some malware you have to boot to the
>>recovery console and manually remove it.
>>So, it comes down to this - clean their system enough to save files to
>>CD/DVD, then wipe it to ensure that the malware is 100% removed and
>>the system is clean enough to be certified as clean.
>>While most of us will just clean a machine and reboot it several
>>times, check the registry, tasks, netstat, etc.... then run the
>>malware removal tools several times, etc... It just means that we're
>>willing to take the level of risk for not having to put the time in
>>to ensure that the system is 100% certified clean, which means we
>>don't really want to reinstall everything again :)
>>I know that some will claim they can perfectly clean a machine, but,
>>if you're really that sure you can clean 100% of malware, 100% of the
>>time, now and in the future, of known and unknown malware, without a
>>wipe/reinstall, then I think you're just fooling yourself.
>>Again, are we assuming that by providing "reactionary" tools and
>>methods that don't wipe/reinstall, that we're doing visitors to this
>>group (and others) justice and actually providing them with a 100%
>>clean platform to continue with?
> I'm not 100% sure I'll wake up every morning..
> (or even where sometimes..)
> So - it would be ridiculous for anyone to claim 100% certainty on anything
> with as many variables as that.
I understand that the most secure server is one encased in a concrete
room, well underground with no incoming or outgoing wires (yes,
deductions can be made purely from observations of mains power use).
The trouble is that it ceases to be a server.
On the other hand, the most functional server is one that can be reached
freely, but this tends to be the least secure.
Between these two extremes are the do-able, IMO.