A method of reducing on-demand scanning times


Okay, so there's a /clone switch in xxcopy. Very inaccurate
terminology.

Take a look at robocopy. Much more in line with your Scrooge price
range where /mir (mirror) is close to what you describe. You can get
it for nowt as part of ms win2k3 resource kit tools.

http://www.ss64.com/nt/robocopy.html
http://www.microsoft.com/downloads/...69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

I use only Win 98SE and Win ME for one thing. For another, the
freeware version of XXCOPY has done the job well for me for years.
Here's a comparison to Robocopy that Yan put up at the XXCOPY site:

http://www.xxcopy.com/xxcopy30.htm

Among the several methods available to fortunate users of Win 9X/ME
for Restoring Windows or whatever else, Odi's LCOPY can be used in
plain DOS with appropriate command line switches:

http://lfntools.sourceforge.net/

It's another excellent Scrooge freeware that handles LFNs in plain
DOS. It uses low level interrupts, so it doesn't require any special
LFN drivers to support it.

Insofar as terminology goes, I know there are some who insist
that only sector by sector cloners are "true" or "actual" or "real"
cloners. You can play semantic games all you want. Those of us who use
"file/folder cloners" call them cloners, and so do their authors. The
terminology is indeed quite varied and confusing. People use the term
"imager" and "mirror" for many kinds of functions, so such terms are
no improvement. And you have the old Norton "ghost" as well to throw
in the terminology pot.

Art

http://home.epix.net/~artnpeg

cquirke (MVP Windows shell/user)

On Sat, 16 Apr 2005 19:12:49 -0400, "Doug"
Begs the point....what do you do with something like the Kelvir worm?......
masks itself and hides so that Norton and McAfee report false directory
locations...courtesy of one of its DLLs......and under xp....it copies itself
everywhere. If you didn't get rid of the restores....and do the safe mode
...it's always with you.

I've always maintained that trusting an infected OS to host cleaning
attempts is doomed at the theory level (it's nice that so few malware
coders push the knife handle when the blade's already at our throat).

So this situation is hardly a surprise. The only surprise is that
folks still believe in Safe Mode, let alone the noddy-and-big-ears
fantasy of "on line scanning sites". Wow, that's an engorged teat
just waiting to be milked via DNS redirection!

http://cquirke.mvps.org/whatmos.htm refers for the NTFS age, while
http://cquirke.mvps.org/virtest.htm still applies for FATxx. The fact
that the newer article is way longer than the older one says it all.


---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com

cquirke (MVP Windows shell/user)

No, the question is how avoid wearing out your hard drive(s)
with on-demand scanning. I've mentioned a couple of methods
I use in this thread.

Different Q, but one worth answering ;-)

What I do is direct all incoming material to a particular subtree, and
ensure nothing is hidden within mailboxes etc. Then I scan that
subtree from a handy QuickLaunch one-click. This also picks up
malware that may have arrived earlier, but at that time wasn't known
to the av for some reason, but now is.

What this does not do (and does not attempt to do) is detect *active*
malware. It's great for checking stuff that may have arrived but not
been run yet, and because you're only scanning that subtree, it's not
particularly tedious to do.

Active malware is potentially a different kettle of fish; you can no
longer believe what you see, if staring out from within the belly of
the beast. I don't like to count on the malware being too dumb to
hide or defend itself, so I'd go "formal" there.

As I've posted, I use a system backup in case of drive failure.
I used it to Restore Windows just once when I screwed it up
with my messing around. I'm far more dangerous than any
malware :)

Oh, for that it's good; there isn't usually that time lag there :)
Then you must not have used the command line disk cloners
like XXCOPY which only copy new or modified files. Takes me
but a minute or two to backup in this way. Of course, the initial
cloning takes awhile. But updating time is insignificant.

No, I was thinking of "making a clone" not "making a clone and then
maintaining it through change updates" <g> ...my bad; your approach is
more elegant than what I'd initially thought you were talking about..

What OS, though? I ask, because Win2k/XP don't survive file-level
copyover. Do you create the initial clone via partition imaging?


---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
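One way to mechanise the "scan only the incoming subtree" routine described above, written here as an added example and not code from the thread: keep a manifest of what was last scanned clean, and on each pass queue only files that are new or changed, or everything again once the definitions have been updated (the "wasn't known to the av at the time" case). The manifest layout and the definitions-version string are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()  # chunked so large downloads need not fit in memory
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def select_for_scan(subtree: Path, manifest: dict, sig_version: str) -> list:
    """Files under the incoming subtree still due for an on-demand scan: new,
    changed size/mtime, or changed hash (a copy that kept its timestamps).
    If the AV definitions changed since the last pass, everything is due again."""
    files = sorted(p for p in subtree.rglob("*") if p.is_file())
    if manifest.get("sig_version") != sig_version:
        return files  # old verdicts were reached with older signatures
    due = []
    for path in files:
        prev = manifest.get("files", {}).get(str(path.relative_to(subtree)))
        st = path.stat()
        if prev is None or (prev["size"], prev["mtime_ns"]) != (st.st_size, st.st_mtime_ns):
            due.append(path)  # cheap metadata check catches most changes
        elif prev["sha256"] != sha256_of(path):
            due.append(path)  # full read, still far cheaper than an AV pass
    return due

def record_scanned(subtree: Path, paths: list, manifest: dict, sig_version: str) -> None:
    files = manifest.setdefault("files", {})  # fingerprint of each file scanned clean
    for path in paths:
        st = path.stat()
        files[str(path.relative_to(subtree))] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": sha256_of(path)}
    manifest["sig_version"] = sig_version

def demo() -> tuple:
    """Constructed sample subtree; returns how many files each pass scans."""
    with tempfile.TemporaryDirectory() as tmp:
        inbox = Path(tmp)
        (inbox / "mail").mkdir()
        (inbox / "mail" / "attach.zip").write_bytes(b"PK constructed sample")
        (inbox / "setup.exe").write_bytes(b"MZ constructed sample")
        manifest, defs = {}, "defs-2005-04-16"  # hypothetical definitions version
        first = select_for_scan(inbox, manifest, defs)      # fresh: everything
        record_scanned(inbox, first, manifest, defs)
        second = select_for_scan(inbox, manifest, defs)     # nothing changed
        (inbox / "setup.exe").write_bytes(b"MZ modified constructed sample")
        third = select_for_scan(inbox, manifest, defs)      # only the modified file
        fourth = select_for_scan(inbox, manifest, "defs-2005-04-17")  # new defs: all
        return len(first), len(second), len(third), len(fourth)
```

The hash comparison is what keeps a timestamp-preserving copy from slipping past the cheap metadata check; it reads the file once, which is still far less disk work than a multi-scanner pass.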

Different Q, but one worth answering ;-)

What I do is direct all incoming material to a particular subtree, and
ensure nothing is hidden within mailboxes etc. Then I scan that
subtree from a handy QuickLaunch one-click. This also picks up
malware that may have arrived earlier, but at that time wasn't known
to the av for some reason, but now is.

What this does not do (and does not attempt to do) is detect *active*
malware. It's great for checking stuff that may have arrived but not
been run yet, and because you're only scanning that subtree, it's not
particularly tedious to do.

Active malware is potentially a different kettle of fish; you can no
longer believe what you see, if staring out from within the belly of
the beast. I don't like to count on the malware being too dumb to
hide or defend itself, so I'd go "formal" there.

So you must do routine formal scans then since active malware
can disable all your Windows tools. Which brings up two major
problem areas. One problem is having scanners that run on your
alternate OS. Spyware/Adware scanners are designed for use
in Windows. The other major problem area is that many "above
average" users, like myself, eventually refuse to wear out their
hard drives running full scans often ... especially when those
scans never detect anything.

Oh, for that it's good; there isn't usually that time lag there :)

No, I was thinking of "making a clone" not "making a clone and then
maintaining it through change updates" <g> ...my bad; your approach is
more elegant than what I'd initially thought you were talking about..

What OS, though?

My wife uses our Win ME PC, and I'm using Win 98SE.
I ask, because Win2k/XP don't survive file-level
copyover. Do you create the initial clone via partition imaging?

No, I used XXCOPY (which only works in Windows, BTW). Don't
worry. The initial clones are checked for malware later on.

Which brings up a weird idea. Periodically Restore from the known
clean backup clone. Treat data backup separately (as it should be
anyway and as I do in addition to the full drive clone on a different
partition). Restoration of the clone kind involves some copying and
wear and tear on the drives. But probably not anywhere near as
much as in-depth full drive scanning by several scanners. However,
you still have the wear and tear of scanning the clone before the
Restore. So that blows that idea :)

It is a rather interesting, though draconian and paranoid, sort of
idea to consider theoretically anyway.

Art

http://home.epix.net/~artnpeg

To Chris:
My wife uses our Win ME PC, and I'm using Win 98SE.


No, I used XXCOPY

Sorry for this gibberish response. I was trying to figure out why you
asked the question, and the thought went through my mind to reply that
the procedure for preparing a bootable separate physical drive
installed as a secondary master is at the XXCOPY web site, for anyone
interested. I've posted elsewhere here that I use a separate physical
drive on a removable tray.

I also create two partitions on the backup drive, (and an additional
partition on my main drive(s)). I use the extra backup drive partition
for archiving old valuable data and some utils I've written ... stuff
that is rarely updated. It's stuff that could be copied to CD as well.

Art

http://home.epix.net/~artnpeg

cquirke (MVP Windows shell/user)

So you must do routine formal scans then since active malware
can disable all your Windows tools.

I do such scans if I have any reason to suspect a malware infection -
and yes, that could be "gee I haven't done a scan for X days",
depending on what the PC's been exposed to!

Having my Windows tools fall over (like the proverbial canary in a
coal mine) would be an excellent cue to formally scan the box!

One problem is having scanners that run on your alternate OS.
Spyware/Adware scanners are designed for use in Windows.

As at April 2005, we still consider "commercial" and "traditional"
malware to be different beasts. We expect trad malware to be vicious
and nasty, but commercial malware to be benign enough to chase
informally. We aren't surprised when these resist detection and
removal in Safe mode, but we would be if one of these nuked the system
in retaliation. So there isn't the same demand for formal anti-cm
tools as there is for formal anti-"virus" tools.

This may change, but for now my approach is to first formally exclude
or get rid of trad malware, and then informally (Safe Cmd Only) manage
commercial malware. For every 1 trad malware, I expect to see 10 cm.

The other major problem area is that many "above
average" users, like myself, eventually refuse to wear out their
hard drives running full scans often ... especially when those
scans never detect anything.

Sure; as I say, I scan when I think there may be a problem, and that
isn't very often. But if I do think there's a problem, then I don't
take half measures, and formally scan the whole box.

I might routinely scan the incoming material subtree, sure; in fact,
for old PCs with limited and manageable risk exposure, that stands in
for underfootware av. The idea there is; you get your incoming
material, electively scan it, and then work with it.

My wife uses our Win ME PC, and I'm using Win 98SE.

Those are fine for miss-no-files file-level transfers :)

With XP, you'd have to image C: (where the OS is); other volumes can
be copied over as files. That's one reason I like a small C:


---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com