What a M$ security manager has to say about infected Windows PCs

Clean them? You can't, according to this guy.

<http://technet.microsoft.com/en-gb/library/cc512587.aspx>

 

I agree completely with the comments about not being able to trust
them.

As said though, if you implement security patches when they come out,
its far better than not and getting p0wned.

 

"This list makes patching look not so bad, yes? We may hate patches,
but the alternative is decidedly worse."
Aren't you glad you're running Windows? :-\
The article is a bit crap - he says you can't trust ant-virus software
to run because you may have been rootkitted, without mentioning rescue
disks or Linux live CDs, or just pulling the disk and sticking it in
another machine.

 

The secret is applying security patches and taking precautions.
No point having a lack of knowledge which allows a system to
become infected.

 

There speaks someone without a clue. What help is a Linux Live CD going
to be? How is putting it in another computer going to do anything in
the event of a rootkit?

 

The article was written in 2004. Some of the details have changed since
then but the basic advice is sound. If your system is compromised the
only way to be reasonably certain that you have cleaned it is a
bare-metal install.

 

In message <-september.org>,

Linux live CDs give you the chance to run an AV scanner that an infected
Windows OS can't fool. Putting the drive into another computer bypasses
any rootkit on the infected drive, by not booting from it. Again, you
can use a clean OS to run a virus scan.

 

Perhaps you'd like to show me these Linux based AV solutions that are
as comprehensive as Windows ones. The ones I've seen only have quite
basic Windows virus scanning.

However opening the infected file could result in the host being
infected.

 

There are several around, and only a basic scanner is required.

That depends on the type of file and the application you use to open it.
Personally I'd choose an antivirus program, which is a pretty safe
option.

 

But of course the problem is that the patches are produced in response
to a known vulnerability. Often, if not always, someone has already used
the hole to infect some unknown number of systems .. IIRC 'blaster' got
to lots of places BEFORE there was a patch for it.

 

Unless it can purge registry keys and hidden files in system folders,
it's no use.

Ho-hum....

 

There are more AV products available for Linux than I realised,
including F-PROT, which AFAICT uses the same heuristics and definitions
as the Windows version. I just picked on F-PROT because FWIH it's one of
the best (for Windows).

In that case, presuming you haven't been stupid enough to put a known
infected drive in a system without trying to secure it first, then
patching the first infected system wouldn't have helped either.

 

Why wouldn't they be able to find the latter? The hidden/system
properties are just attributes aren't they, not some clever trick that
inherently makes them inaccessible from other systems?

 

In message <B$>, GSV Three Minds in a Can

It does happen but it's not common. The more common sequence is that MS
patch a vulnerability then someone reverse-engineers the patch. That
usually takes 2-3 days so the really dangerous time is a few days after
patch-Tuesday.

IMHO If you don't have the expertise to test patches in the first few
days after they are released the safe option is to set your systems to
install security patches automatically. There's a risk that a patch will
bring your systems down but there is no unconditionally safe course of
action.

 

Antivirus programs under Linux or Windows are able to edit the registry
and to read hidden and system files.

Neither will be able to do anything with encrypted files or partitions.
If you have those then you can't read any of the files on another
system, under Windows or Linux. For these the only option is to nuke the
encrypted data then restore from a clean backup. If you don't have a
clean backup then you are screwed.

 

Well maybe MS policy of encouraging companies to not supply restore media
makes a format and reinstall as a standard course of action pretty
difficult.

Gaz

 

And, 0.3% of home users have a clean backup.....

Gaz

 

And, 0.3% of home users have a clean backup.....[/QUOTE]

Lots of business users don't have a clean backup. Some of them will
discover this fact the hard way.

Most companies should be using encrypted partitions for their laptops.

 

Never heard of 0-day exploits, eh, Clive, oops, I mean Rob, the Tiscali
idiot? Isn't it time for you to morph again?

My, you really are a stupid twat aren't you?

 

If your system is still working to some extent, could you not just copy all
the data onto a non-encrypted partition? Of course, you could not tell for
sure whether the data had been altered, but you could get an idea by
comparing even an oldish backup with the data on the new partition on a
file-by-file basis.