Focus on Microsoft
--
Devin L. Ganger, Exchange MVP
3Sharp
14700 NE 95th Suite 210
Redmond, WA 98052
Email: deving (at) 3sharp (dot) com
Phone: 425.882.1032
Cell: 425.239.2575
Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Mike Moratz-Coppins
> Sent: Tuesday, March 18, 2008 11:26 AM
> To: focus-ms (at) securityfocus (dot) com
> Subject: Re: More along the lines of malware disinfection
>
> Jon R. Kibler wrote:
> > IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0%
> > trustworthy. You can remove the malware, but how do you know that
> > you found everything? You don't. Especially if the malware is some
> > sort of downloader or spyware.
> >
> > Infected system? Back up the data, and ONLY the data, then (to quote
> > Microsoft from RSA a couple of years ago) "Nuke it from space!".
> >
> > Bottom line: It is impossible to give any reasonable assurance that
> > a box that was infected has been cleaned. Best solution: Never store
> > user data on a client system (so you have nothing to back up) and
> > simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
> > some clients that reimage every desktop every weekend just for good
> > measure.
>
> Purely monetarily speaking, I love the idea of reinstalling every
> machine that gets a virus. I might have earnt about 4 times more money
> than I have to date running my business, however I don't think customers
> would appreciate their computer install being nuked every time they have
> a malware issue. I would say that so far I've done about 50 installs of
> Windows (computer building aside) whereas I have attended about 200
> appointments where I have removed some form of malware from a computer.
>
> Sure, you can't be absolutely 100% sure that a machine is 100% clean,
> but quite frankly you can't be 100% sure that a cleanly-installed,
> patched up-to-date machine hasn't somehow been compromised by a 100%
> undetectable rootkit. When I go to an appointment, I check the usual
> sources of 'programs being run on startup' registry entries that I'm
> aware of, I check the process list, and I investigate further if I
> observe any sign of a machine acting not 100% normal.
>
> Computer fixing is rarely about 100% security (or anywhere near that),
> as 100% security means "not usable".
>
>
> --
> Mike Moratz-Coppins
> mike (at) mikeymike.org (dot) uk
> http://www.mikeymike.org.uk/