On Sat, 17 Jan 2004 17:39:11 -0500, "David H. Lipman"
> You are correct. However you and I know that there are tiers of approaches to disinfection.
Yep, and some are safer than others.
> There is no ONE way to disinfect for the 10's of thousands of infectors. Ultimately it is
> best to boot outside the infected OS and scan the infected hard disk.
Yep - what I refer to as a "formal virus check". Detection is always
safe in this mode, some malware can confound cleaning (see Jeefo.A).
> This could be by removing the infected system hard disk and placing it in
> another PC with AV software, then using the surrogate's AV software to scan
> the infected hard disk
That can be fraught with peril, especially in the case of NTFS...
- risk of infecting the host PC (\Autorun.inf, Desktop.ini...)
- risk of auto-upgrading the dropped-in HD's NTFS version
- merging of magic-CLSID content locations into common namespace
- inability to apply changes to dropped-in HD's registry
- NTFS may block access to "protected" files
- destruction of SR data stores (XP HD in XP system)
- automatic writes to dropped-in HD (if sick file system of HD)
> another approach is booting from DOS and using a Command Line Scanner
> like FProt or McAfee.
That's what I'd recommend, but NTFS gets in the way bigtime.
> Try method A, if it fails, method B, if that fails, method C.
I'd not give malware the wriggle-room; you may not survive method A.
The situation: You are looking for hostile code that is hiding from
you, and that has already penetrated what defences you have. By
definition, you don't know what it is you are looking for, so you can
make no assumptions of the scope it may be restricted to.
Malware exists that is aware of attempts to remove it, and which will
strike back punitively if provoked. So it's a roll of the dice, like
running across a freeway blindfolded; just because it usually works
out OK doesn't mean you should make a habit of it.
> Booting in Safe Mode and using the AV package to scan and
> clean/delete infectors is one of the first in the tiered approach
> to infector eradication. It has proven itself too worthy to be denied.
It's the best hope NTFS victims may have, but that doesn't make it any
safer. I'd prefer to work from the outside in, i.e.:
- isolate the system
- verify hardware is fit to work on
- verify file system is safe to write to
- formally exclude/research/?clean traditional malware
- informally exclude/manage commercial malware (via AdAware etc.)
- eyeball startup axis and other run points
- apply patches and risk management
- reconnect to the outside world
You won't always get a second chance if you pull the short straw.
--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
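An added example (not part of the thread above, and not either poster's code) that shows the kind of "outside in" triage the reply argues for: with the suspect volume mounted read-only on a host that will not act on its contents, walk the tree without executing anything and report the files the host would otherwise honour automatically. It looks for the three things the reply names: an autorun.inf carrying open= / shellexecute= / shell\...\command actions, a desktop.ini whose [.ShellClassInfo] rebinds a folder to a CLSID namespace, and anything sitting in a Startup folder. The sample volume it scans is constructed inline; the file names, the placeholder .lnk bytes and the "recycler\svc.exe" target are assumptions for illustration, not real malware. The Recycle Bin CLSID used in the sample is the genuine shell identifier for that namespace.

```python
"""Offline triage of a dropped-in Windows volume (mounted read-only).

Walks the tree and reports, without executing anything, the files a host OS
would act on by itself if it were allowed to: autorun.inf actions, desktop.ini
CLSID redirects, and Startup-folder entries.  Added example; constructed data.
"""
import configparser
import os
import pathlib
import tempfile

AUTORUN_KEYS = ("open", "shellexecute")   # [autorun] keys that launch something
CLSID_KEYS = ("clsid", "clsid2")          # [.ShellClassInfo] keys that rebind a folder


def read_ini(path):
    """Parse an INI-style file leniently; return {section_lower: {key_lower: value}}."""
    raw = pathlib.Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):      # UTF-16 BOM, common for desktop.ini
        text = raw.decode("utf-16", errors="replace")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower                     # keys compared case-insensitively
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}                                  # unparsable is not "clean"; caller sees no keys
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def inspect_autorun(ini):
    """Return the [autorun] entries that would run a program on mount/open."""
    auto = ini.get("autorun", {})
    hits = {k: v for k, v in auto.items() if k in AUTORUN_KEYS}
    # shell\<verb>\command entries register a context-menu/default action
    hits.update({k: v for k, v in auto.items()
                 if k.startswith("shell\\") and k.endswith("\\command")})
    return hits


def inspect_desktop_ini(ini):
    """Return CLSID/CLSID2 entries that make Explorer treat the folder as a namespace."""
    sci = ini.get(".shellclassinfo", {})
    return {k: v for k, v in sci.items() if k in CLSID_KEYS}


def is_startup_path(dirpath):
    """True for ...\\Programs\\Startup folders (any profile, any drive layout)."""
    parts = [p.lower() for p in pathlib.Path(dirpath).parts]
    return "startup" in parts and "programs" in parts


def scan_tree(root):
    """Walk root read-only and return [(kind, path, details)] findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            low = name.lower()
            if low == "autorun.inf":
                hits = inspect_autorun(read_ini(full))
                if hits:
                    findings.append(("autorun", full, hits))
            elif low == "desktop.ini":
                hits = inspect_desktop_ini(read_ini(full))
                if hits:
                    findings.append(("clsid-redirect", full, hits))
            if is_startup_path(dirpath):
                findings.append(("startup-entry", full, {}))
    return findings


def build_sample_volume(base):
    """Constructed sample volume (assumed layout, not real malware)."""
    base = pathlib.Path(base)
    (base / "autorun.inf").write_text(
        "[AutoRun]\nopen=recycler\\svc.exe\nshell\\open\\command=recycler\\svc.exe\n")
    hidden = base / "Documents"
    hidden.mkdir()
    # Recycle Bin CLSID: Explorer shows this folder as the bin, not its files
    (hidden / "desktop.ini").write_text(
        "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")
    startup = base / "Documents and Settings" / "All Users" / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / "update.lnk").write_bytes(b"L\x00\x00\x00")   # placeholder shortcut bytes
    clean = base / "clean"
    clean.mkdir()
    (clean / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=shell32.dll,3\n")
    return base


def demo():
    """Build the constructed sample in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        return scan_tree(build_sample_volume(d))


if __name__ == "__main__":
    for kind, path, details in demo():
        print(f"{kind:15} {path}  {details}")
```

Run it against a real volume with `scan_tree("/mnt/suspect")` after mounting that volume read-only (on Linux, `mount -o ro,noexec,nodev,nosuid`); the script only reads, so it is safe to point at a live filesystem, and the "clean" desktop.ini in the sample shows it does not flag every such file, only the ones that rebind the folder.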