Which drives and partitions to scan?

The Central Scrutinizer

Yes, "Which of the 100's of thousands?" is the exact problem. How is the normal person supposed to know when you are OK doing the manual knife and scalpel fix versus reimage?

Right. So this is so well understood that IMHO the best course of action in the event of compromise is reimage. And just because some kick ass ultimate NG hero can fix it does not mean the average user looking for help here can deal with the manual fix. For example, how many registry entries is too many to manually ensure are fixed? I had one guy come up to me with a manual fix from Symantec for some virus. It had dozens of manual registry entries that needed to be addressed. We did not go that route.
FromTheRafters

Yes, "Which of the 100's of thousands?" is the exact problem. How is the normal person supposed to know when you are OK doing the manual knife and scalpel fix versus reimage?

I'm with you there...

What people should do is have a recent good image there, so as to make a reimaging task the easiest route as well as the one that gives the most confidence in return.

Otherwise, it is often easier to recover than it is to restore.
Dustin Cook

In general, if the virus or malware compromises the system areas, it is a wipe and reinstall. I do not care what you experts say. You cannot be 100% certain you know everything the virus did via the compromise.

I have a word for people who are quick to wipe and reload; can you guess what it probably is? Yes, the word is incompetent.

In many cases, the big bad virus and/or malware can be removed without further harm to the system. Exceptions do exist and will require a reload, but that's not the general norm. If you really wipe and reload a system to remove, say, antivirusxp2010, you shouldn't be anywhere near computers. It's a non-replicating trojan...

In many cases, what the virus or malware program did can be well documented and studied on test systems; so yes, one can learn what the malware in question did AND how to undo it.
The Central Scrutinizer

And in a corporate environment where you do not have time to manually remove the big bad virus or malware? Then what?
David H. Lipman

From: "The Central Scrutinizer" <[email protected]>

| And in a corporate environment where you do not have time to manually remove
| the big bad virus or malware? Then what?

In a corporate environment that follows strict IA compliance, it would be a complete wipe and re-image.

However, note "re-image". Something that most enterprises practice while most individuals do not.
Dustin Cook

And in a corporate environment where you do not have time to manually remove the big bad virus or malware? Then what?

That depends on the situation. I'd be asking myself in the corporate environment how this machine was compromised in the first place and take steps to prevent that from happening again. Being as it is a corporate computer and shouldn't have user personal data or anything on it, I'd resort to a known clean image. I should have one readily available if it's a corp machine.

In any event, before wiping and reloading, I'd want to know how the machine was compromised; it's important. :)

IMO, taking a wipe and reload approach to all situations is akin to using a shotgun for target shooting.
The Central Scrutinizer

OK. I am mainly talking about the corp environment not the home environment.

:)

Home-wise, I manually fix problems when they arise because it is in my best interest to try to do so.
The Central Scrutinizer

Hey, we completely agree! I like the shotgun analogy ;-) I guess I need to explain myself better. Sorry.
FromTheRafters

Having a good recent image to load makes the 'flatten and rebuild' scenario the 'easy way' as well as the 'best way'. Many places will just remove the affected hard drive and replace it with a hard drive loaded with a new image, saving the old drive (and any remote logs) for any forensic investigation.
(PeteCresswell)

Per David H. Lipman:
In a corporate environment that follows strict IA compliance, it would be a complete wipe and re-image.

However, note "re-image". Something that most enterprises practice while most individuals do not.

As a home user I think re-imaging is highly under-rated for people like myself.

Having had a teenager pounding on my boxes for a number of years, I will re-image in a heartbeat, and have done it many, many times.

Once one figures out how to keep from saving data to the system partition, re-imaging becomes pretty much trivial: no uncertainty, no decisions... and takes maybe 20-30 minutes, depending on what one has installed since the last image.... as opposed to virus removal, which I suspect would take at least that long to research the proper removal tool/technique and still not be 100% sure of success.
The Central Scrutinizer

Yes, your point on virus removal is 100% spot on.

(PeteCresswell) said:
Per David H. Lipman:

As a home user I think re-imaging is highly under-rated for people like myself.

Having had a teenager pounding on my boxes for a number of years, I will re-image in a heartbeat, and have done it many, many times.

Once one figures out how to keep from saving data to the system partition, re-imaging becomes pretty much trivial: no uncertainty, no decisions... and takes maybe 20-30 minutes, depending on what one has installed since the last image.... as opposed to virus removal, which I suspect would take at least that long to research the proper removal tool/technique and still not be 100% sure of success.