PC Review > Anti-Virus

Malware scanning from a Preinstalled Environment

#1
Guest
Hi there.

Is it more beneficial to scan an infected Windows installation for malware by running scans while booted to the infected OS, or would it be better to scan the infected hard disk after booting to a "clean" environment such as a BartPE liveCD? Or, would it be better to place the infected hard disk in a different machine and run a scan on the infected partitions from a different, existing clean Windows installation? I assumed either of those latter two methods would generally be more effective at finding and eliminating infected data or OS files since they wouldn't be loaded into memory at boot time, but one big concern I had was whether or not antimalware progs are capable of scanning through the registry and properly enumerating its contents when it is "static" like it would be in those situations. Any insights you could give are gladly appreciated.

#2
Guest
revolution_158@hotmail.com wrote:

> Hi there.
> Is it more beneficial to scan an infected Windows installation for
> malware by running scans while booted to the infected OS, or would it
> be better to scan the infected hard disk after booting to a "clean"
> environment such as a BartPE liveCD? Or, would it be better to place
> the infected hard disk in a different machine and run a scan on the
> infected partitions from a different, existing clean Windows
> installation?

the code that gets control first wins... if you boot from the infected OS you can't guarantee that a known virus, if present, will be detected...

as for whether it's better to use the bartpe disk or slave the drive, be careful with slaving the drive as it has been known to result in an 'upgraded' filesystem if the OS on the slave isn't the same version as the OS on the master... (darn microsoft and their NTFS 'versions')

> I assumed either of those latter two methods would
> generally be more effective at finding and eliminating infected data or
> OS files since they wouldn't be loaded into memory at boot time, but
> one big concern I had was whether or not antimalware progs are capable
> of scanning through the registry and properly enumerating its contents
> when it is "static" like it would be in those situations.

the registry shouldn't really be a big deal... once the malware is removed it should be possible to restore from whatever registry damage it may have done (regedit in safe mode, last known good configuration, etc)...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer, is there an answer?"

#3
Guest
kurt wismer wrote:

> the registry shouldn't really be a big deal... once the malware is
> removed it should be possible to restore from whatever registry damage
> it may have done (regedit in safe mode, last known good configuration,
> etc)...

The more deeply-hooking malware I've investigated (including all rootkits I've looked at) are executed, and function, in Safe Mode. All that's required for this is the trivial alteration of a registry key. One would have to copy off the hive files and edit them on a clean system.

Also once a machine's been rebooted once, post-infection, the last known good will be infected too.

Safe mode isn't as safe as some assume :-)

#4
Guest
Adam Piggott wrote:

> The more deeply-hooking malware I've investigated (including all rootkits
> I've looked at) are executed, and function, in Safe Mode. All that's
> required for this is the trivial alteration of a registry key. One would
> have to copy off the hive files and edit them on a clean system.

What would I use to edit a registry that I haven't booted to? Is Regedit capable of that? Or better still, is there an existing BartPE tool I could use to do that?

Also, I'm a bit confused about your mention of rootkits. Are you saying that rootkits hook into the Windows registry? I was under the impression they went even more low-level than that... But I'm definitely not a security expert, so please don't think I'm contradicting you. =)

But, assuming I'm wrong and they do simply hook into the Windows registry, is there a more efficient way to prune an infected registry than manually editing the hives? At that rate I might as well just run DBAN and reinstall the OS. =)

Thanks to all very much for the great help.

#5
Guest
Sol wrote:

> Adam Piggott wrote:
>> The more deeply-hooking malware I've investigated (including all rootkits
>> I've looked at) are executed, and function, in Safe Mode. All that's
>> required for this is the trivial alteration of a registry key. One would
>> have to copy off the hive files and edit them on a clean system.
>
> What would I use to edit a registry that I haven't booted to? Is
> Regedit capable of that?

Regedit on Windows XP or Regedt32 on Windows 2000 can open the "hives" or actual files that the registry data are held in. These are typically in %systemroot%\system32\config. I wouldn't advise this procedure, or anything regarding the registry, for computer users who don't know what they're doing.

This Microsoft article details the steps needed to load a registry hive into regedit:
http://support.microsoft.com/kb/168646/en-us

> Or better still, is there an existing BartPE tool I could use to do
> that?

Not that I know of, but a web search should show if this is the case.

> Also, I'm a bit confused about your mention of rootkits. Are you saying
> that rootkits hook into the Windows registry?

In some (if not all) cases yes - they have to be started somehow!

> I was under the impression they went even more low-level than that...
> But I'm definitely not a security expert, so please don't think I'm
> contradicting you. =)

They are low-level indeed, as their job is to fool Windows as well as a user and their protection software! I've looked into a few rootkits (some installed with spyware/viruses) and most of them, if not all, used the registry to start their drivers that intercept Windows' ability to "see" them and their protected files/settings.

> But, assuming I'm wrong and they do simply hook into the Windows
> registry, is there a more efficient way to prune an infected registry
> than manually editing the hives? At that rate I might as well just run
> DBAN and reinstall the OS. =)

The problem with loading the registry hives into a "clean" computer is that spyware/virus scanning software probably won't detect all of the registry settings as they look in specific places for some items, for example HKLM\Software\Microsoft\Windows\CurrentVersion\Run, rather than HKLM\TestHive\etc.

If you're infected with malware that's so viral it has got you examining the registry from another PC it's going to be very difficult to exterminate any malware references by hand. You're better off just running the disk (in a clean PC) against a virus scanner that has good spyware/rootkit detection such as Eset's NOD32.

Or DBAN it >:-)
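The hive-loading step and the "scanners only look in the live locations" caveat above, as an added PowerShell example that is not from the thread: it mounts the offline SOFTWARE and SYSTEM hives from the attached disk under temporary keys, lists the Run/RunOnce entries a live scanner would check, and lists the kernel/file-system driver services for both the current and the Last Known Good control sets so you can see whether the two already match after a post-infection reboot. Assumed: the infected disk is attached to the clean PC as D:, the shell is elevated (reg.exe load needs it), and the key names OffSOFTWARE/OffSYSTEM are placeholders.

```powershell
# Added example (not from the thread): inspect autostart locations in registry hives
# taken from an infected disk, from a clean Windows box, without booting that disk.
# Assumptions: the infected volume is attached to the clean PC as D:, so its hives are
# under D:\Windows\System32\config; run from an elevated PowerShell (reg.exe load needs it).
param([string]$OfflineWindows = 'D:\Windows')

$hives = @{
    'HKLM\OffSOFTWARE' = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
    'HKLM\OffSYSTEM'   = Join-Path $OfflineWindows 'System32\config\SYSTEM'
}

# Mount each hive file under a temporary key; a scanner running live would never look
# here, which is exactly the caveat raised in the thread.
foreach ($key in $hives.Keys) { & reg.exe load $key $hives[$key] | Out-Null }

try {
    # 1. Run / RunOnce entries (HKLM\Software\Microsoft\Windows\CurrentVersion\Run when live)
    foreach ($sub in 'Run', 'RunOnce') {
        $path = "HKLM:\OffSOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        if (Test-Path $path) {
            (Get-Item $path).Property | ForEach-Object {
                [pscustomobject]@{ Where = $sub; Name = $_; Command = (Get-Item $path).GetValue($_) }
            }
        }
    }

    # 2. Kernel and file-system drivers registered as services, for the control set that
    #    booted last (Select\Current) and the one Windows would use as Last Known Good,
    #    so you can compare them: after one post-infection reboot they may be identical.
    $select = Get-ItemProperty 'HKLM:\OffSYSTEM\Select'
    foreach ($cs in @($select.Current, $select.LastKnownGood) | Select-Object -Unique) {
        $svcRoot = 'HKLM:\OffSYSTEM\ControlSet{0:D3}\Services' -f $cs
        Get-ChildItem $svcRoot | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Type 1 = kernel driver, 2 = file-system driver; Start 0/1 load before logon
            if ((@(1, 2) -contains $p.Type) -and $p.ImagePath) {
                [pscustomobject]@{ ControlSet = $cs; Service = $_.PSChildName;
                                   Start = $p.Start; ImagePath = $p.ImagePath }
            }
        }
    }
}
finally {
    # Release PowerShell's registry handles first, or reg.exe unload reports the hive busy.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    foreach ($key in $hives.Keys) { & reg.exe unload $key | Out-Null }
}
```

Review the ImagePath values against what is actually on the disk; an entry that points at a file the clean system cannot see is the kind of hidden driver the thread describes.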

#6
Guest
Adam Piggott wrote:

> If you're infected with malware that's so viral it has got you examining
> the registry from another PC it's going to be very difficult to exterminate
> any malware references by hand. You're better off just running the disk (in
> a clean PC) against a virus scanner that has good spyware/rootkit detection
> such as Eset's NOD32.

Are there any free alternatives to NOD32 that you could recommend? I personally like BitDefender Free Edition; how does that stack up in your opinion?

Thanks very much.

#7
Guest
Adam Piggott wrote:

> kurt wismer wrote:
>
>> the registry shouldn't really be a big deal... once the malware is
>> removed it should be possible to restore from whatever registry damage
>> it may have done (regedit in safe mode, last known good configuration,
>> etc)...
>
> The more deeply-hooking malware I've investigated (including all rootkits
> I've looked at) are executed, and function, in Safe Mode.

which is why i prefaced it all with "once the malware is removed"...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer, is there an answer?"

#8
Guest
Sol wrote:

> Adam Piggott wrote:
>> If you're infected with malware that's so viral it has got you examining
>> the registry from another PC it's going to be very difficult to exterminate
>> any malware references by hand. You're better off just running the disk (in
>> a clean PC) against a virus scanner that has good spyware/rootkit detection
>> such as Eset's NOD32.
>
> Are there any free alternatives to NOD32 that you could recommend? I
> personally like BitDefender Free Edition; how does that stack up in
> your opinion?

I don't know, in my experience of free anti-virus it is markedly less effective than the likes of NOD32, Kaspersky and other reputable non-free anti-virus products. I also only provide the best for my clients which is why I resell NOD32 :-)

#9
Guest
[editing registry on drive you didn't boot from]

> > > Or better still, is there an existing BartPE tool I could use to do
> > > that?
> >
> > Not that I know of, but a web search should show if this is the case.

I think I recall a utility on the Ultimate Boot Cd For Windows (which uses BartPE) which does it. But it's been a while since I've used it so I can't be sure.

--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may

#10
Guest
Sol wrote:

> Adam Piggott wrote:
>
>> If you're infected with malware that's so viral it has got you examining
>> the registry from another PC it's going to be very difficult to exterminate
>> any malware references by hand. You're better off just running the disk (in
>> a clean PC) against a virus scanner that has good spyware/rootkit detection
>> such as Eset's NOD32.
>
> Are there any free alternatives to NOD32 that you could recommend? I

Yes.

> personally like BitDefender Free Edition; how does that stack up in
> your opinion?

They (free AVs) don't.

Here is my 0.02 on the AV subject.

No AV app is of any use to you if it doesn't work with your system, your particular needs and your internet usage (P2P, online gaming, etc.). All of them allow for an evaluation period. Use it.

AFAIAC, polls and the reviews of sites that accept advertising from AV vendors are pretty much worthless. Stick to tests and comparatives.

Some AV info for your perusal:

AV-Test (Andreas Marx - Germany) (http://www.av-test.org/)
AV-Comparatives (Andreas Clementi - Austria) (http://www.av-comparatives.org/)
Virus.gr (VirusP - Greece) (http://www.virus.gr/english/fullxml/default.asp)
Food for thought (Eugene Kaspersky) (http://www.viruslist.com/en/analysis?pubid=174405517)

Here are the preferences that I have gleaned from the various security/paranoia NGs in which I hang out:

Free: AVG, Avast!, AntiVir
Paid: KAV, NOD32
Bottom of the List: Norton, McAfee

The knock against NAV and McAfee is due to bias (they're the big guys) and issues not related to detection rates. Note that these assessments are for AV apps for home/SOHO/personal use. The same may or may not be said about the enterprise or corporate editions. I have personally used McAfee, Norton, AVG and KAV.

KAV - Kaspersky Labs: (http://www.kaspersky.com/us/products)
NOD32 - Eset: (http://www.nod32-av.com/products/products.htm)
AVG - Grisoft (http://www.grisoft.com/doc/Programs/lng/us/tpl/tpl01)
Avast! - ALWIL Software (http://www.avast.com/eng/programs.html)
AntiVir PersonalEdition Classic (http://www.free-av.com/)

All of the above freeware AV apps may be upgraded to a Professional/Full-Featured AV app for a fee.

Some General Anti-Virus info:
(http://home.neo.rr.com/manna4u/virusprevention.html)
(http://www.claymania.com/safe-hex.html)

A word to the wise. Unlike Anti-Spyware applications, where the multi-layered approach is preferable, Anti-Virus (resident) applications absolutely do NOT like each other, and one should be uninstalled completely before installing another. In many cases, e.g., with Symantec products, this is easier said than done. And so, before you install ANY AV application, make sure that you acquire all information/tools/utilities that are necessary for its COMPLETE removal.

FWIW, that same list:

Free: Bus, Subway (AVG, Avast!, AntiVir)
Paid: Mercedes, Lexus (KAV, NOD32)
Bottom of the List: Ford, Chevy (Norton, McAfee)

You can drive a Ford back and forth to work, and save the cost of a Mercedes for your kids' college fund. But wouldn't it **** you off if you found out that you could have a Mercedes for the same price as a Ford?

IMO, unless you are an absolute freeware purist, there are some things worth spending money on. An AV app on a WinXP box is one of them.

As I said, just my 0.02.

Ron