On Tue, 2008-18-03 at 12:46 -0500, Jon R. Kibler wrote:
> Mike Moratz-Coppins wrote:
> > When removing malware of one sort or another,
>
> <SNIP>
>
> Hi,
>
> IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0%
> trustworthy. You can remove the malware, but how do you know that
> you found everything? You don't. Especially if the malware is some
> sort of downloader or spyware.

Why is this? How can I trust my anti-<insert noun here) security
product;

A) Discovered and Diagnosed the problem accurately? I can't.
B) Determine the exact nature of the discovery? I can't.
C) Find a method of removing the infection? I can't.

So, I have to rely on:

1) Knowledge of the OS.
2) Knowledge of the filesystem.
3) Knowledge that everything comes from a file, and if the source is
determined, then 'everything else it does, even if it morphs..' can be
discovered and repaired.

Period.

If all these so called 'security' companies would publish more
information about malware, then I'd refute your argument 100%. But they
do not, hence much information is misclassified, misdiagnosed, and
simply not available.

This is the REAL problem, not whether or not you can repair a system or
'trust' a PC. Anyone who plugs a PC into the net and 'trusts' it is a
fool. You have to protect your PC and be aware of what problems mean.
For instance 'anytime' a system crashes, this should be taken seriously
but thanks to vendors like Microsoft we laugh and joke about it and
forget about it. However many crashes are results of bugs, and many
bugs are the exploits for malware.

See how this comes full circle?

>
> Infected system? Back up the data, and ONLY the data, then (to quote
> Microsoft from RSA a couple of years ago) "Nuke it from space!".

You go nukey boy...I for one would not agree. Today's malware is
capable (heck more likely) to be infecting your data, or better hiding
DORMANT in your data. Come on, you telling me the stegography has been
lost to malware developers? I don't think so.

Today I'm reading about cold-boot infections. Wow, imagine a co-worker
infecting PC's. It happens. but we don't stop folks from using PC's.

>
> Bottom line: It is impossible to give any reasonable assurance that
> a box that was infected has been cleaned. Best solution: Never store
> use data on a client system (so you have nothing to back up) and
> simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
> some clients that reimage every desktop every weekend just for good
> measure.

Bottom Line: It is impossible to not be reinfected again. By reimaging
you could be perpetuating dormant malware for years to come.

[ reply ]