"cquirke (MVP Win9x)" wrote in message
I like this sig of yours - You can't necessarily rely on an untrusted
system to tell you that everything's okay.
That's the truth, yes... specifically, once the malware's running, it
can be dangerous to pick a fight with it - it may quietly hide, if it
can, or it may respond punitively, which is easier to do.
I think we've become used to commercial malware; even today's
traditional malware has a commercial bent (e.g. serve as spam relays,
harvest product keys and other sellable stuff, etc.) and there's the
risk we'll forget how wantonly destructive it can be.
I think brevity gets in the way of the key here - it's not so much anything
to do with the AV software being "Windows-based", it's to do with the
scanner running under a system that is already posited to be infected.
Yep. That Windows has to boot off HD, and (like a toddler) puts
things in its mouth to see what they taste like, makes it a poor
choice of OS even on a drop-in-to-host basis.
Mounting the drive in a box whose OS (Windows or ... dare I say, other?)
hasn't been subverted, and scanning from there (with appropriate protections
to avoid accidentally executing it) is more reliable.
It is; that's what I refer to as "hosted". The catch is:
If the OS is well-compatible (as the same OS version would be) then
there's the risk of it infecting itself
If the OS is not native, then it's unlikely to auto-run the malware,
but it's also unlikely to reach and scan every part of the file system
That's just the problems that apply to detecting malware. When it
comes to cleaning, you have all the "which registry is it anyway?"
issues. Sure, as a human NT user, you can attach twigs from the HD's
registry and fiddle with those interactively, but an av installed on
the host PC (or running off a CDR) won't have a clue.
Hosted scanning's not only heavy on resources (like we all have spare
PCs lying around, one for each version range of NTFS that's at risk of
being auto-upgraded if we get that wrong) but is also a problem where
one can't get the HD out, for one reason or another - warranty
hassles, laptops, SCSI or other interfaces we don't have, etc.
So the first choice would be a combo of a bootable CDR, plus USB
stick. The stick would hold today's av sigs and other fresh tools,
while the CDR would contain the maintenance OS and av engine.
If this was routine in Win9x, I'd expect XP to match or do better.
http://cquirke.mvps.org/whatmos.htm and related links refer
------------ ----- ---- --- -- - - - -
Our senses are our UI to reality
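[Added worked example, not part of cquirke's post or his site: the "which registry is it anyway?" step above, done by hand from a hosted NT-family box. It attaches the suspect drive's SOFTWARE hive under a temporary key and lists its autostart entries without executing anything from that drive. Assumptions: the suspect volume is mounted as D:, the script runs elevated, and the temporary key name OfflineSW is an arbitrary choice.]

```powershell
# Added example: read a non-booted Windows installation's autorun entries by
# loading its SOFTWARE hive into the host registry under a temporary key.
# Assumptions (not from the original post): suspect volume is D:, script runs
# as Administrator on an NT-family host, "OfflineSW" is an arbitrary key name.

$SuspectRoot = 'D:'
$HivePath    = Join-Path $SuspectRoot 'Windows\System32\config\SOFTWARE'
$MountKey    = 'HKLM\OfflineSW'

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Hive not found: $HivePath (is the suspect volume really on $SuspectRoot ?)"
}

# reg.exe load attaches the on-disk hive as a subtree of the host registry.
# This only reads the file; nothing from the suspect drive is executed.
& reg.exe load $MountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE)" }

try {
    # Classic machine-wide autostart locations, relative to the loaded hive.
    $RunKeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Microsoft\Windows\CurrentVersion\RunServices',      # Win9x-era, sometimes present
        'Microsoft\Windows\CurrentVersion\RunServicesOnce'
    )
    foreach ($rel in $RunKeys) {
        $full = "HKLM:\OfflineSW\$rel"
        if (-not (Test-Path -LiteralPath $full)) { continue }
        $props = Get-ItemProperty -LiteralPath $full
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata
            # Values point at paths on the *suspect* system (its C:\...).
            # Report them; never resolve or launch them on the host.
            [pscustomobject]@{ Key = $rel; Name = $p.Name; Command = $p.Value }
        }
    }

    # Winlogon Shell/Userinit are another common hijack point worth eyeballing.
    $wl = 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if (Test-Path -LiteralPath $wl) {
        Get-ItemProperty -LiteralPath $wl | Select-Object Shell, Userinit
    }
}
finally {
    # Release any handles PowerShell still holds on the hive, then detach it,
    # so the host's own registry is left exactly as it was.
    [gc]::Collect()
    & reg.exe unload $MountKey | Out-Null
}
```

Per-user autostart entries live in each profile's NTUSER.DAT on the suspect drive and need the same load/unload dance per hive; the point of the example is that none of this is visible to an AV engine that simply queries HKLM on the machine it happens to be running on.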