Assuring Clean System Before Taking Image?


(PeteCresswell)

While trying to fix up somebody's aging laptop, it has finally
dawned on me that a virus scanner running under XP cannot always
find all malware. Root kits, Alureon.... Cybot-BC... Bamital-AU
and so-on-and-so-forth.

I routinely image a build with an eye to restoring said image
if/when things go South.... but, of course, it's important that
the image be of a good, uninfected system.....

To that end, here's what I've come up with as a procedure for
maximizing the chances of a good image, using Avast as the
anti-virus utility:

---------------------------------------------------------------
1) Tell Avast to write a log of scan results
(the log seems to default to
C:\Documents and Settings\All Users\Application Data\Alwil
Software\Avast5\Report\aswboot.txt).

2) Run an Avast Boot-time scan.

3) Inspect the resulting log, just for good measure.

4) If infections are found/supposedly remedied, run
the boot scan again, looking for a clean log.

5) Run a disk check to make sure there are no
bad sectors (I use "HdTune").

6) Run ChkDsk C: just for good measure.

7) Image the supposedly-clean system
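Steps 3 and 4 of the procedure above (inspect the log, and only go on to image when a re-run comes back clean) can be turned into a mechanical gate. The script below is an added example written for this page, not code from the thread or from Avast. The report line shapes it parses are an assumption, since the real layout of aswboot.txt is not shown here, and the sample logs are constructed; adapt the three regular expressions to the actual file.

```python
import re

# Assumed report line shapes for this example; the real aswboot.txt layout is not shown
# in the thread, so treat these patterns as placeholders to adapt to the actual file:
#   <path>  Threat: <name>  Action: <what the scanner did>
#   <path>  Error: <reason>               (a file the scanner could not open)
#   Files scanned: <n>                    (summary line written when the scan finishes)
FINDING_RE = re.compile(r"^(?P<path>.+?)\s+Threat:\s+(?P<threat>\S+)\s+Action:\s+(?P<action>.+)$")
ERROR_RE = re.compile(r"^(?P<path>.+?)\s+Error:\s+(?P<reason>.+)$")
SUMMARY_RE = re.compile(r"^Files scanned:\s*(?P<n>\d+)$")

# Actions meaning the scanner changed or removed the file. The system may now be clean,
# but this log does not prove it; step 4 applies: scan again and expect no findings.
REMEDIATING_ACTIONS = {"deleted", "repaired", "moved to chest"}


def classify_log(text: str) -> dict:
    """Sort every report line into detections, remediations, unscannable files, or summary."""
    result = {"detected": [], "remediated": [], "unscanned": [], "files_scanned": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if m:
            action = m["action"].strip()
            bucket = "remediated" if action.lower() in REMEDIATING_ACTIONS else "detected"
            result[bucket].append((m["path"], m["threat"], action))
            continue
        m = ERROR_RE.match(line)
        if m:
            result["unscanned"].append((m["path"], m["reason"]))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            result["files_scanned"] = int(m["n"])
    return result


def imaging_verdict(text: str) -> str:
    """Gate for step 7: only a CLEAN verdict should be followed by taking the image."""
    r = classify_log(text)
    if r["files_scanned"] is None:
        return "INCOMPLETE"   # no summary line: the scan did not finish, or the log is truncated
    if r["detected"]:
        return "INFECTED"     # a finding the scanner left in place
    if r["remediated"]:
        return "RESCAN"       # something was cleaned: re-run the boot scan and look for a clean log
    if r["unscanned"]:
        return "INSPECT"      # files the scanner could not open are files it could not vouch for
    return "CLEAN"


# Constructed sample logs (not real scanner output).
LOG_INFECTED = r"""
Boot-time scan started
C:\WINDOWS\system32\drivers\sample.sys  Threat: Win32:Rootkit-gen  Action: moved to chest
C:\Documents and Settings\User\Local Settings\Temp\x.tmp  Threat: Win32:Trojan-gen  Action: no action
C:\pagefile.sys  Error: file in use
Files scanned: 123456
"""
LOG_REMEDIATED = r"""
Boot-time scan started
C:\WINDOWS\system32\drivers\sample.sys  Threat: Win32:Rootkit-gen  Action: moved to chest
Files scanned: 123456
"""
LOG_CLEAN = "Boot-time scan started\nFiles scanned: 123456\n"
LOG_TRUNCATED = "Boot-time scan started\nC:\\foo.exe  Threat: Win32:Trojan-gen  Action: no action\n"

if __name__ == "__main__":
    for name, log in [("infected", LOG_INFECTED), ("remediated", LOG_REMEDIATED),
                      ("clean", LOG_CLEAN), ("truncated", LOG_TRUNCATED)]:
        print(f"{name:10s} -> {imaging_verdict(log)}")
```

The ordering of the verdicts is the point: a log that shows something was "moved to chest" is evidence of a past infection, not of a clean system, so it sends you back to step 4 rather than on to step 7, and a missing summary line is treated as no scan at all.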
 

Zaphod Beeblebrox

(PeteCresswell) said:
While trying to fix up somebody's aging laptop, it has finally
dawned on me that a virus scanner running under XP cannot always
find all malware. Root kits, Alureon.... Cybot-BC... Bamital-AU
and so-on-and-so-forth.

I routinely image a build with an eye to restoring said image
if/when things go South.... but, of course, it's important that
the image be of a good, uninfected system.....

To that end, here's what I've come up with as a procedure for
maximizing the chances of a good image, using Avast as the
anti-virus utility:

---------------------------------------------------------------
1) Tell Avast to write a log of scan results
(the log seems to default to
C:\Documents and Settings\All Users\Application Data\Alwil
Software\Avast5\Report\aswboot.txt).

2) Run an Avast Boot-time scan.

3) Inspect the resulting log, just for good measure.

4) If infections are found/supposedly remedied, run
the boot scan again, looking for a clean log.

5) Run a disk check to make sure there are no
bad sectors (I use "HdTune").

6) Run ChkDsk C: just for good measure.

7) Image the supposedly-clean system
---------------------------------------------------------------


Am I missing anything? For starters, I am assuming that the
boot-time scan will catch everything that the under-XP scan will.

I don't know how Avast's boot-time scan works, but since Alureon and
others can place code in the MBR to hide their shenanigans, it might
be that booting to the recovery console (or a PE boot CD) and running
fixmbr would be a good step to take. Probably after scheduling the
Avast Boot-time scan but before booting back to Windows for the scan to
take place.

--
Zaphod

Arthur: All my life I've had this strange feeling that there's
something big and sinister going on in the world.
Slartibartfast: No, that's perfectly normal paranoia. Everyone in the
universe gets that.
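The point above is that code living in the MBR sits outside what a scanner running from the same disk can vouch for. A detection-side complement to fixmbr, as an added example that is not from the thread, is to record what sector 0 looked like at the moment the trusted image was taken and compare a fresh read against that record later. A patched boot-code hash with an untouched partition table is exactly the footprint an MBR-resident rootkit leaves. This is Python written for this page; the MBR bytes are constructed, and reading the real sector 0 from the disk (and storing the baseline somewhere off the machine) is assumed to be done by the operator and is not shown.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature, decode the partition table, and hash the boot code."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte 0x{status:02x}")
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    if sum(p["bootable"] for p in partitions) > 1:
        raise ValueError("more than one partition flagged active")
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(mbr: bytes, baseline: dict) -> dict:
    """Compare a freshly read MBR with the record taken when the trusted image was made."""
    current = parse_mbr(mbr)
    return {
        "boot_code_unchanged": current["boot_code_sha256"] == baseline["boot_code_sha256"],
        "partition_table_unchanged": current["partitions"] == baseline["partitions"],
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: boot code padded to 446 bytes, one active NTFS (type 0x07)
    partition starting at LBA 63, three empty entries, and the 0x55AA signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + BOOT_SIGNATURE


# Constructed "known-good" sector: a few plausible opening bytes, not a real 446-byte loader.
GOOD_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c")
BASELINE = parse_mbr(GOOD_MBR)   # take this record at image time and keep it off the machine

# Simulated tampering: a few boot-code bytes replaced, partition table left exactly as it was.
TAMPERED_MBR = GOOD_MBR[:0x40] + b"\xe9\x10\x01" + GOOD_MBR[0x43:]

if __name__ == "__main__":
    print("known-good :", compare_to_baseline(GOOD_MBR, BASELINE))
    print("patched    :", compare_to_baseline(TAMPERED_MBR, BASELINE))
```

Because the check keys on a hash of the boot code rather than on any signature of a particular rootkit, it catches changes a scanner has no pattern for, and it keeps working after fixmbr too: a rewritten MBR will not match the baseline either, which is the cue to re-baseline only once the machine is believed clean.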
 

Tim Meddick

I would also run the Windows Disk Defragmenter on the drive before copying
the "image", as a very last thing to do.

==

Cheers, Tim Meddick, Peckham, London. :)
 

glee

(PeteCresswell) said:
While trying to fix up somebody's aging laptop, it has finally
dawned on me that a virus scanner running under XP cannot always
find all malware. Root kits, Alureon.... Cybot-BC... Bamital-AU
and so-on-and-so-forth.

I routinely image a build with an eye to restoring said image
if/when things go South.... but, of course, it's important that
the image be of a good, uninfected system.....

To that end, here's what I've come up with as a procedure for
maximizing the chances of a good image, using Avast as the
anti-virus utility:

---------------------------------------------------------------
1) Tell Avast to write a log of scan results
(the log seems to default to
C:\Documents and Settings\All Users\Application Data\Alwil
Software\Avast5\Report\aswboot.txt).

2) Run an Avast Boot-time scan.

3) Inspect the resulting log, just for good measure.

4) If infections are found/supposedly remedied, run
the boot scan again, looking for a clean log.

5) Run a disk check to make sure there are no
bad sectors (I use "HdTune").

6) Run ChkDsk C: just for good measure.

7) Image the supposedly-clean system
---------------------------------------------------------------


Am I missing anything? For starters, I am assuming that the
boot-time scan will catch everything that the under-XP scan will.


A boot scan may catch more than a scan from within Windows, but you are
still booting from the hard drive, so it is not as good as a scan from a
CD boot. Avast is also not the best when it comes to detection rate.

To scan the system from a CD boot, create and use a Rescue CD from
either Kaspersky or BitDefender.

Kaspersky Rescue Disk 10
http://support.kaspersky.com/viruses/rescuedisk?level=2

BitDefender Rescue CD
http://download.bitdefender.com/rescue_cd/

Using The BitDefender Rescue Cd -
http://forum.bitdefender.com/index.php?s=b4c46f52a01a945d6e873890a87c6085&showtopic=16602


Finally, if a root kit is detected on a system, I would recommend wiping
the hard drive, NOT cleaning it and imaging it. Once the system has a
root kit, you are beyond the point where an image that can be trusted
should be made.

Help: I Got Hacked. Now What Do I Do?
http://technet.microsoft.com/en-us/library/cc512587.aspx

Help: I Got Hacked. Now What Do I Do? Part II
http://technet.microsoft.com/en-us/library/cc512595.aspx

Invasion of the Computer Snatchers
http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342_pf.html
 
