PC Review



Re: I received a warning from Google ......

 
 
FromTheRafters
12th Aug 2010
"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:(E-Mail Removed)...

[...]

> Btw, if you had physical access to a Windows machine, is there a
> simple check you could carry out to quickly determine if the machine
> had, indeed, been compromised? (other than scanning with anti-malware
> programmes).


Yes, but not very simple really. The problem is that you could *not*
determine that it had *not* been compromised. Most malware is going to
want to "do stuff" with the computing power it is stealing from you, if
it does that stuff - you know the machine has been compromised.

IOW, if it spews out malicious packets when you sufficiently emulate a
networking environment for it (or use a "test network"), that's a pretty
good indicator. However, if it doesn't do any obvious stuff, it doesn't
mean anything at all.




 
FromTheRafters
12th Aug 2010
"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:(E-Mail Removed)...
> FromTheRafters wrote:
>> "~BD~"<BoaterDave~no.spam~@hotmail.co.uk> wrote in message
>> news:(E-Mail Removed)...
>>
>> [...]
>>
>>> Btw, if you had physical access to a Windows machine, is there a
>>> simple check you could carry out to quickly determine if the machine
>>> had, indeed, been compromised? (other than scanning with
>>> anti-malware
>>> programmes).

>>
>> Yes, but not very simple really. The problem is that you could *not*
>> determine that it had *not* been compromised. Most malware is going
>> to
>> want to "do stuff" with the computing power it is stealing from you,
>> if
>> it does that stuff - you know the machine has been compromised.
>>
>> IOW, if it spews out malicious packets when you sufficiently emulate
>> a
>> networking environment for it (or use a "test network"), that's a
>> pretty
>> good indicator. However, if it doesn't do any obvious stuff, it
>> doesn't
>> mean anything at all.

>
> Hmmmmm! Thanks for that. 'Ant' said quite simply, "no"!


He answered the question I think that you *meant* to ask.

"Is there a simple way to show a system is *not* compromised once you
have physical access to the machine aside from using antimalware
antivirus tools?" - and since absence of evidence is not evidence of
absence the answer is indeed no - even with AM/AV.

> I said - on another group:-
>
> > I wonder how many realise that installing an anti-virus programme
> > > *after* a machine has already been compromised might well give
> > > comfort to the user ...... but provide absolutely NO protection
> > > from
> > > malware!


True, it could be installed and be kept from accessing certain areas by
a rootkit.

> Dustin Cook said in reply:-
>
> "*That's not true, BD*. In fact, if the malware is known to the
> antivirus app, there's a very good chance it can be removed without
> harm to the system."


True, and the reason is that most of those apps will attempt to remove
known installed malware before it actually installs itself on the
machine. Many of them check for rootkits before allowing installation to
proceed. So, what Dustin said was true, but your eyes might have glazed
over when he wrote the word "known".

The Virus Description Language used to create the definitions to detect
and identify a malware item also includes clues as to how to go about
removing the identified malware.

> I'd also said:-
>
> > > In other words, today's 'nasties' can (and do) protect themselves
> > > when subjected to what they consider an attack! Bad news!

>
> Dustin Cook responded:-
>
> "They don't do anything "new" today that they couldn't do back in the
> 80s and 90s. "rootkit" on windows is another word for stealth, it just
> sounds better in newsprint."


True again, some actual viruses have in the past used some of the same
tricks that are essential to rootkit technology. The term "rootkit" is
just a renaming of these stealth methods that are used similarly to the
unix style tool replacement kits. That is to say that in addition to
stealing your computer power, they steal more in order to take measures
to hide that fact from the user (or admin, or even the system itself).

> /I/ think *Dustin* is wrong. I believe that installing an anti-virus
> programme on an already compromised machine is, in all probability, a
> futile exercise.


They used to say that you shouldn't install an AV on a compromised
machine.

Dustin didn't actually say otherwise, but he *did* say that known
malware would probably be removed without a problem when an attempt is
made to install the AV. My guess is that he considers the scan to be
part of the install process, and I believe it is these days.

> I'd be interested to learn the views of others on this particular
> matter.


Are you asking if flatten and rebuild is actually the *only* way to be
absolutely sure? Keep in mind that most people are content to be
'reasonably sure' after scanning their system and installing their AV
program. If reasonably sure isn't good enough for someone, I recommend a
robust back-up/restore method so that 'flatten and rebuild' does not
seem so daunting as it *does* provide better confidence.

Another thing, it would be important to know what you mean by
"compromised". Some malware is pretty lame, would it constitute a
compromise to you if it sent spam but had no command and control network
activity? Hell, sometimes all you need to do is hit the delete button to
send a malware to the bit bucket.


 
Peter Foldes
12th Aug 2010
BD

You are Trolling. You already went through this exact same exercise last year
on the MS newsgroups and you know the answer.

WTF are you playing these pitiful games for? You are a Troll that is hungry for
more food. In other words, you are a fool and an idiot who likes to play games. Get
a life already.


--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
http://www.microsoft.com/protect

"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:(E-Mail Removed)...
> /I/ think *Dustin* is wrong. I believe that installing an anti-virus programme on
> an already compromised machine is, in all probability, a futile exercise.
>
> I'd be interested to learn the views of others on this particular matter.
>
> --
> Dave
>
>


 
Dustin
12th Aug 2010
~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote in
news:(E-Mail Removed):

> /I/ think *Dustin* is wrong. I believe that installing an anti-virus
> programme on an already compromised machine is, in all probability,
> a futile exercise.


LOL, you would certainly be in the minority if you think I was wrong in
the advice I provided concerning malware. Remember one important aspect,
****stick; I know malware from two sides: coding it AND removing it. You
don't even know it well from the removal side.

> I'd be interested to learn the views of others on this particular
> matter.


And at least one knowledgeable fellow posted, further clarifying what I
said and agreeing with me.

Any more **** you'd like to try and stir, moron?




--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
 
ASCII
12th Aug 2010
Dustin wrote:
>Remember one important aspect,
>****stick; I know malware from two sides: coding it AND removing it. You
>don't even know it well from the removal side.


That's our raidieboi,
always thumping his chest over the only thing he ever learnt (coding virii)

>Any more **** you'd like to try and stir, moron?


and displaying the usual (for him) diplomacy.

Is it any wonder so many routinely reject his vulgar tirades
even as he's thinking his advice is accepted and appreciated?
 
Dustin
13th Aug 2010
~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote in
news:(E-Mail Removed):

> Dustin wrote:
>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>> news:(E-Mail Removed):
>>
>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>> anti-virus programme on an already compromised machine is, in all
>>> probability, a futile exercise*.

>>
>> LOL, you would certainly be in the minority if you think I was
>> wrong in the advice I provided concerning malware. Remember one
>> important aspect, ****stick; I know malware from two sides: coding
>> it AND removing it. You don't even know it well from the removal
>> side.

>
> I regret to advise you that you are well behind the times, young
> man!


Let's say for a moment I was behind the times; I'm *still* light-years
ahead of you if that was the case.

> *Much* has changed since you were a 'script kiddie', Dustin.


I didn't do any script kiddie style work, BD. Mine were actual exe
infectors.


>>> I'd be interested to learn the views of others on this particular
>>> matter.

>>
>> And atleast one knowledgable fellow posted, further clarifying what
>> I said and agreeing with me.

>
> FTR made an excellent reply, for which I thank him. Cheers, FTR!
>
> However, if you read what he said again, carefully, you might
> understand that he was not in /full/ agreement with what you had
> said.


Difference of opinion, not only was he in agreement; he actually
explained why.

>> Any more **** you'd like to try and stir, moron?

>
> I simply want you to understand that you are *not* God's Gift to
> fighting Cybercrime, Dustin. Much has happened in recent years and
> the *really* bad guys are *much* more clever than /you/ have ever
> been - or will ever be. Believe me! ;-)


BD, you're a complete and utter ****ing fool. Nothing has changed; the
technology and the methods for doing the nasties are still VERY MUCH the
same. The underlying principles are what cause this, ****stick.




--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
 
Dustin
13th Aug 2010
~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote in
news:(E-Mail Removed):

> Dustin wrote:
>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>> news:(E-Mail Removed):
>>
>>> Dustin wrote:
>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>> news:(E-Mail Removed):
>>>>
>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>> anti-virus programme on an already compromised machine is, in
>>>>> all probability, a futile exercise*.
>>>>
>>>> LOL, you would certainly be in the minority if you think I was
>>>> wrong in the advice I provided concerning malware.

>
> [....]
>
>
> What FTR actually said .....
>
> "True, it could be installed and be kept from accessing certain
> areas by a rootkit".


A rootkit still has to play by certain hard rules; nothing can be hidden
completely. Some in-house developed tools for prior work with
Malwarebytes are likely useful in such a scenario.

I didn't say I couldn't do it without any tools. I just said I wouldn't
provide details. And what would be the point in doing so anyway? You
wouldn't understand what I was writing about... and I'd just be
providing information to anyone interested in circumventing technology
rootkit style. While I don't feel it's information that they couldn't
acquire on their own, I see no real point in.. well, advancing the
technology ahead of schedule.

> Do you *really* disagree with that?


Of course not; a rootkit is nothing more than stealth, BD. However,
it's not foolproof. The old adage is this: "Whatever software can do,
software can undo." That does *not* include crypto, however. Another
beast entirely.

To follow on from my previous post to you, BD: technology and the
underlying principles haven't really changed that much. Computers are
faster now, sure; but they still follow the same laws, if you will, that
the older ones did. In the DOS days, TSR software could be what you would
say is a rootkit in the Windows world, providing it was instructed to
hide folders from dir or Windows Explorer *g*.


--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
 
Dustin
13th Aug 2010
ASCII <(E-Mail Removed)> wrote in news:4c647925.3763375@EDCBIC:

> That's our raidieboi,


Hello ASCII.

I didn't check the headers BD set for the thread he's recently hijacked
to hell. My bad.





--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
 
FromTheRafters
13th Aug 2010
"Dustin" <(E-Mail Removed)> wrote in message
news:Xns9DD3B747B5F97HHI2948AJD832@no...

[...]

> The old adage is this: "Whatever software can do,
> software can undo."; That does *not* include crypto,
> however. Another beast entirely.


It can be successfully argued that it still holds even for crypto. The
thing is, the length of time required to do the undoing outlasts the
value of the retrieved information, so it wouldn't be worth it. In fact
the time scales involved in software reversing of long keylength crypto
may be greater than the age of the universe or perhaps even of its
future expected lifespan (whatever that might be), but I don't see how
that could ever be provable.







 
FromTheRafters
14th Aug 2010
"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:(E-Mail Removed)...
> Dustin wrote:
>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>> news:(E-Mail Removed):
>>
>>> Dustin wrote:
>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>> news:(E-Mail Removed):
>>>>
>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>> anti-virus programme on an already compromised machine is, in all
>>>>> probability, a futile exercise*.
>>>>
>>>> LOL, you would certainly be in the minority if you think I was
>>>> wrong in the advice I provided concerning malware.

>
> [....]
>
>
> What FTR actually said .....
>
> "True, it could be installed and be kept from accessing certain areas
> by a rootkit".
>
> Do you *really* disagree with that?


One thing you are apparently not getting the significance of is that the
"installation software" for the proposed AV that you want to install on
the "compromised" machine likely has its own detection software for
known malware (including some rootkits) *and* rootkit detection software
that alerts to inconsistencies in what is presented through APIs to the
other tools due to filter drivers and the like.

It may be impossible to install such AV programs on a "compromised"
machine, if the preinstallation detection software is aware of, yet not
capable of removing detected malicious activity - it may tell you that
you need to address the other issue before attempting to install that
software (I'm not aware of this actually happening though).

The most likely scenario is that the installation goes off smoothly
without a hitch on *most* compromised machines (removing the compromise
in the process) - which, I believe, is Dustin's point.
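The "inconsistencies in what is presented through APIs" that FromTheRafters mentions have a direct Linux analogue; the following is an added example (not FromTheRafters' code, nor any AV vendor's) that compares the task list /proc exposes with what the kernel admits to via kill(pid, 0). It assumes a Linux host with /proc mounted; the function names are my own.

```python
"""Cross-view task check: the Linux analogue of the API-consistency test
FromTheRafters describes. View 1 is what /proc (and so ps) lists; view 2
is what the kernel admits when asked about each ID via kill(pid, 0). A
rootkit filtering /proc must also lie to the signal path to stay consistent.
Caveat: /proc mounted with hidepid=2 legitimately shows the same signature."""
import os

def procfs_ids():
    """View 1: every PID and thread ID /proc exposes. Thread IDs count
    because kill(tid, 0) succeeds for them too, yet they are listed only
    under /proc/<pid>/task, never at the top level."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # task exited while we were looking
    return ids

def signal_ids(limit):
    """View 2: IDs the kernel says exist. ESRCH (ProcessLookupError) means
    no such task; EPERM (PermissionError) means it exists but is not ours."""
    found = set()
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def cross_view_hidden(limit=None):
    """IDs that answer kill() but never appeared in /proc. /proc is read before
    and after the sweep so tasks created or exited mid-scan are not reported."""
    if limit is None:  # a full sweep up to pid_max takes a few seconds
        with open("/proc/sys/kernel/pid_max") as f:
            limit = int(f.read())
    before = procfs_ids()
    seen = signal_ids(limit)
    return seen - before - procfs_ids()

SELF = os.getpid()  # this process must show up in both views
```

Calling cross_view_hidden() with no argument sweeps every ID up to pid_max; an empty set means the two views agree, which (as the thread notes) is evidence of consistency, not proof of a clean machine.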


 