Infecting an XPE system

Thread starter: Doug G

Is there any way that an XPE system using EWF could get infected by a known
worm or virus such that a reboot wouldn't clear it? Our customer claimed
that there was evidence of a particular worm on their XPE system that we
provided that makes use of disk-based EWF. However, due to some of their
ongoing lab testing and evaluation work, he knows how to use the command
line to disable EWF or commit changes. So I pretty much told him that the
worm got on there due to EWF being disabled or changes being committed.
Nothing like this has happened in the field on production systems, so I
think I was on target in telling him this.

Doug Gordon
 
Doug,

Potentially, a virus can damage some things in the system even with EWF
running.
It can have access to raw disk data if running under an account with enough
privileges (admin, e.g.).
Or it could be a virus that modifies the MBR, then EWF is out of the picture
again.
Also, don't forget, virus writers are fast-learning programmers. There may
be a virus already that knows how to deal with EWF (e.g., commit/disable EWF
cache, etc.).

KM
 
Hi Doug,

RAM-based EWF is stateless, so after a reboot without a commit all data is lost.
Disk-based EWF is a different story, since it remembers data across reboots, but you can delete the whole overlay level manually.

Since EWF protects only partitions and not the disk as a whole, if a virus could gain access to an admin or system account it could then do
whatever it is written to do. (It must be a specifically designed virus.)

Best regards,
Slobodan
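Added example, not part of the original thread or of anyone's post in it: a small Python parser over the status listing that `ewfmgr <volume>` prints, which flags the three conditions KM and Slobodan describe as ways changes survive a reboot (protection disabled, a commit or disable queued for the next boot, or a disk-based overlay level that persists). The field names (`Type`, `State`, `Boot Command`, `Device Name`, `Current Level`) and the two sample listings are assumptions and constructed text, not captures from a real device; check them against your own image before trusting the parser.

```python
"""Flag EWF states in which writes can outlive a reboot.

Added example; assumes the field names of the `ewfmgr c:` status listing.
Both samples below are constructed, not captured from a real XPE system.
"""
import re
from dataclasses import dataclass

# Constructed sample: disk-based overlay with a commit queued for next boot.
SAMPLE_DISK_COMMIT_PENDING = """\
Protected Volume Configuration
  Type            DISK
  State           ENABLED
  Boot Command    COMMIT
     Param1       0
     Param2       0
  Persistent Data ""
  Device Name     "\\Device\\HarddiskVolume1"  [C:]
  Max Levels      9
  Clump Size      512
  Current Level   1
"""

# Constructed sample: RAM (registry) overlay, enabled, nothing queued.
SAMPLE_RAM_CLEAN = """\
Protected Volume Configuration
  Type            RAM (REG)
  State           ENABLED
  Boot Command    NO_CMD
     Param1       0
     Param2       0
  Persistent Data ""
  Device Name     "\\Device\\HarddiskVolume1"  [C:]
  Max Levels      1
  Clump Size      512
  Current Level   1
"""


@dataclass
class EwfStatus:
    volume: str          # drive letter taken from the Device Name line
    overlay_type: str    # assumed values: "RAM", "RAM (REG)" or "DISK"
    state: str           # "ENABLED" or "DISABLED"
    boot_command: str    # command queued for next reboot, "NO_CMD" when none
    current_level: int   # overlay levels currently held


# Field names assumed from ewfmgr's listing; the value is everything after them.
_FIELD = re.compile(
    r"^\s*(Type|State|Boot Command|Device Name|Current Level)\s+(\S.*?)\s*$")


def parse_ewfmgr(text: str) -> EwfStatus:
    """Extract the fields this check needs from one volume's listing."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    missing = {"Type", "State", "Boot Command", "Current Level"} - fields.keys()
    if missing:
        raise ValueError(f"ewfmgr output missing fields: {sorted(missing)}")
    vol = re.search(r"\[([A-Za-z]:)\]", fields.get("Device Name", ""))
    return EwfStatus(
        volume=vol.group(1).upper() if vol else "?",
        overlay_type=fields["Type"].upper(),
        state=fields["State"].upper(),
        boot_command=fields["Boot Command"].upper(),
        current_level=int(fields["Current Level"]),
    )


def persistence_risks(status: EwfStatus) -> list[str]:
    """Return the ways changes on this volume could survive a reboot.

    An empty list means the filter is enabled, nothing is queued, and the
    overlay is RAM-based, so everything written since boot is discarded.
    """
    risks = []
    if status.state != "ENABLED":
        risks.append(f"EWF on {status.volume} is {status.state}: writes land "
                     f"directly on the protected volume")
    if "COMMIT" in status.boot_command:
        risks.append(f"{status.boot_command} is queued for the next reboot: the "
                     f"current overlay, malware included, is written through "
                     f"to {status.volume}")
    elif "DISABLE" in status.boot_command:
        risks.append(f"{status.boot_command} is queued: protection is off after "
                     f"the next reboot")
    if status.overlay_type.startswith("DISK") and status.current_level > 0:
        risks.append(f"disk overlay level {status.current_level} persists across "
                     f"reboots until discarded (ewfmgr {status.volume} -restore)")
    return risks


if __name__ == "__main__":
    for label, sample in (("disk, commit pending", SAMPLE_DISK_COMMIT_PENDING),
                          ("RAM, clean", SAMPLE_RAM_CLEAN)):
        st = parse_ewfmgr(sample)
        print(label, "->", persistence_risks(st) or ["no persistence path via EWF"])
```

On a device, feed it the output of `ewfmgr c:` for each protected volume. A non-empty list is the evidence Doug's customer would need before claiming the worm survived EWF: a queued commit, a disabled filter, or a disk overlay level that nobody cleared. The `-restore` option named in the last message is the one the example assumes discards the current level; confirm it against the ewfmgr help on your build.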
 
Having used a RAM based WF for years, I have never seen a virus that
can get around it. This does not mean it is not possible, just that I
have not seen it yet. A disk based EWF is different and could
potentially cause an issue with persistent data storage over reboots.

What I have seen is viruses that have saturated a network environment
to the point where they infect a newly booted box so fast that it
appears that the virus is resident locally. The proof for this is
just to boot the box in a known clean environment and see if the virus
symptoms persist. I have seen many mixed environments (both PCs with
a full OS running and embedded devices on the same LAN) where the PCs will
infect the embedded devices this fast and make the embedded devices
appear to be locally infected.

Bob
 