Focus on Microsoft
RE: More along the lines of malware disinfection Mar 18 2008 07:57PM
Wayne S. Anderson (wfrazee wynweb net) (2 replies)
You know, I want to point out to folks on this list that this is NOT an
either/or situation. Much like any time we engage in computer forensics,
there are processes we can institute as security professionals that allow
for the removal of untrusted components via a clean install without complete
loss of data.

1) Recognize that a system is compromised if it is infected with anything
more than an embedded 'exploit'. (E.g. Email comes through that has HTML or
something which is temporarily copied to a local cache when the email loads
in the application. This is easy to fix. Any true "virus" which infects
the host system at deeper than an individual application level is taboo.
Toast.)

2) Jon's point about reliability here is very key to the discussion. It is
COMPLETELY irresponsible to warrant to a customer that you can certify a
system safe after it has been infected with any manner of
control-compromising code that has gone undetected/untreated for a period of
time. As an individual consumer, I may choose to take that risk so there is
an important distinction for the environment that you are asking this
question on. On an enterprise level it is hard to imagine a small or medium
business where this risk is acceptable.

3) Institute a process for incident response and correction. Whether you're
a small business, a vendor, whatever, have a process which you use for these
kinds of events.

3A) In my case, I choose to first image a system. Load the drive on
a live system which does not boot from hard drive and instead boots from a
live CD and invokes an imaging application. If you find later that there is
reason to investigate the old drive / old environment, you need to have a
high quality copy of the data to do your investigation on. Don't
investigate on the original source.

3B) Then if you are in a situation where investigation is not
warranted and there is no need for preserving the original environment (no
criminal or civil reporting or case involved), wipe the original hard drive
with, at the very least, a format operation.

3C) Install a clean OS. Use the original media, the original OS if
you need to. Patch the OS. Protect the OS with antivirus or whatever
endpoint measures you/your customer/your organization uses.

3D) Use the appropriate application to access the saved disk image
and restore files as necessary to the reconstructed environment, ensuring
that they must each pass muster in an antivirus application or other
scanning environment.

Realize that security is the intelligent application of principles and
experience to maintain a balance between confidentiality, integrity, and
accessibility for yourself, your customer, or your organization. Security
doesn't have to be "wipe and restart" OR "remove the malware and continue
using"; there are other solutions out there. It is important to recognize
that there are multiple possible approaches and you need to examine the
risks and benefits of your (hopefully standardized) approach to regularly
determine if it can be improved.

-W

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce (at) securityfocus (dot) com On Behalf Of Jon R. Kibler
Sent: Tuesday, March 18, 2008 11:46 AM
To: Mike Moratz-Coppins
Cc: focus-ms (at) securityfocus (dot) com
Subject: Re: More along the lines of malware disinfection

Mike Moratz-Coppins wrote:
> When removing malware of one sort or another,

<SNIP>

Hi,

IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0%
trustworthy. You can remove the malware, but how do you know that
you found everything? You don't. Especially if the malware is some
sort of downloader or spyware.

Infected system? Back up the data, and ONLY the data, then (to quote
Microsoft from RSA a couple of years ago) "Nuke it from space!".

Bottom line: It is impossible to give any reasonable assurance that
a box that was infected has been cleaned. Best solution: Never store
user data on a client system (so you have nothing to back up) and
simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
some clients that reimage every desktop every weekend just for good
measure.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494


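Steps 3A to 3D above and Jon's "back up the data, and ONLY the data", as an added example that is not part of this post or the list: a Python restore helper that copies only data paths from a mounted image into the rebuilt system, hashing every file for the record and skipping anything the scanner flags. The scanner callable, the substring marker check and the constructed temp-dir "image" are assumptions standing in for a real AV engine and a real disk image.

```python
"""Scan-gated selective restore from a forensic image (constructed example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# scanner(path) -> True when the file is clean. The marker check below is a
# hypothetical stand-in for a real engine (clamscan, the endpoint AV, ...).
Scanner = Callable[[Path], bool]
MARKER = b"CONSTRUCTED-MALWARE-MARKER"

def naive_scanner(path: Path) -> bool:
    return MARKER not in path.read_bytes()

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def restore_from_image(image_root: Path, clean_root: Path, scanner: Scanner,
                       allowed: List[str]) -> Dict[str, List[dict]]:
    """Copy files under the `allowed` data prefixes from the mounted image to
    the clean system, skipping anything the scanner flags. Everything outside
    the data prefixes (binaries, system dirs) never comes across at all.
    Returns a manifest of what was restored, quarantined and ignored."""
    manifest: Dict[str, List[dict]] = {"restored": [], "quarantined": [], "not_data": []}
    for src in sorted(p for p in image_root.rglob("*") if p.is_file()):
        rel = src.relative_to(image_root).as_posix()
        entry = {"path": rel, "sha256": sha256_of(src)}   # hash logged before any copy
        if not any(rel.startswith(prefix) for prefix in allowed):
            manifest["not_data"].append(entry)
        elif not scanner(src):
            manifest["quarantined"].append(entry)        # left in the image, not restored
        else:
            dst = clean_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            manifest["restored"].append(entry)
    return manifest

def demo() -> Dict[str, List[dict]]:
    """Build a constructed 'image' in a temp dir and run the restore against it."""
    base = Path(tempfile.mkdtemp())
    img, clean = base / "image", base / "clean"
    (img / "Users/alice/Documents").mkdir(parents=True)
    (img / "Windows/System32").mkdir(parents=True)
    (img / "Users/alice/Documents/report.docx").write_bytes(b"quarterly numbers")
    (img / "Users/alice/Documents/invoice.pdf.exe").write_bytes(b"MZ" + MARKER)
    (img / "Windows/System32/evil.dll").write_bytes(b"MZ" + MARKER)
    return restore_from_image(img, clean, naive_scanner, allowed=["Users/alice/Documents/"])
```

The manifest is the record Wayne's step 3D implies: which files were brought across, which were refused, and the hash of each, so the restore itself can be audited later against the preserved image.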