And now for something different

Gargoyle
August 24th, 2007, 09:20 PM
There are so many topics on here posting about security setup and the lowdown on the latest security applications and users seeking advice on what to use on their computers. However, there is a distinct lack of discussion on what is to be done when we find out there's a problem. There are no topics about treating a problem when, let's say for example, a HIPS program finds a rogue process. We don't wonder about its origin (rootkit, trojan, etc.) and we certainly don't discuss what the best way to remove the malware is. Yet most of us here are using sophisticated anti-malware software.

Franklin
August 24th, 2007, 09:36 PM
That's when you should go to a forum that has a resident HijackThis expert (or several).
http://forum.piriform.com/index.php?showforum=12

Kerodo
August 24th, 2007, 10:18 PM
If and when I ever actually encounter a real malware problem on this machine, I do one of two things:

A) Restore from a good image.
B) Reformat

So for me, no discussion is necessary, nor is any software to attempt to clean up or otherwise fix the problem. Simple and no doubts...

the Tester
August 24th, 2007, 10:21 PM
True, you don't read much about infections here.
There are a few forums that excel at HiJackThis logs and removal of malware.
Castle Cops security forum has unknown file category and Malware Incident Reporting and Termination.

lucas1985
August 24th, 2007, 11:11 PM
{QUOTE-> let's say for example, a HIPS program finds a rogue process. <-QUOTE}
Kill that process, upload the corresponding file to a multi-engine online scanning service (Jotti/VirusTotal/Virus.org) and save it (encrypted) for further analysis. Then, use your reboot-to-restore solution or nuke the HDD and restore a clean image.
Be prepared for a possible data leak/theft.
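The "save the file for further analysis" step above is easy to do badly (the sample gets run by accident, or nobody can later say where it came from). The script below is an added example, not code from the original thread or any of the products named in it: it computes the MD5/SHA-1/SHA-256 digests that multi-engine scanners index, moves the file into a quarantine folder under a neutral, non-executable name, marks it read-only and writes a JSON sidecar recording the original path, size and collection time. The quarantine directory name, the `.sample` extension and the constructed sample bytes are assumptions; the encrypted container the post mentions is left to an external tool.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large droppers do not fill memory

# Constructed stand-in for a "rogue" file; any real sample would come from the HIPS alert.
CONSTRUCTED_SAMPLE = b"MZ-constructed-sample-bytes-not-a-real-binary"


def hash_bytes(data):
    """Hex digests of an in-memory blob (md5/sha1/sha256)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hash_file(path):
    """Hex digests of a file, computed in one pass over CHUNK-sized reads."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def quarantine_sample(src, quarantine_dir):
    """Move src into quarantine_dir under its SHA-256, read-only, with a JSON sidecar.

    Returns the metadata written to the sidecar.
    """
    src = Path(src)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)

    hashes = hash_file(src)
    # Naming by hash collapses duplicate submissions and drops the original
    # extension, so nothing will launch the sample by double-click or association.
    dest = qdir / f"{hashes['sha256']}.sample"
    meta = {
        "original_path": str(src.resolve()),
        "size": src.stat().st_size,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        **hashes,
    }

    shutil.move(str(src), str(dest))
    os.chmod(dest, 0o400)  # evidence, not something to run: owner read-only
    (qdir / f"{hashes['sha256']}.json").write_text(json.dumps(meta, indent=2))
    return meta


def demo_run():
    """Create the constructed sample in a temp dir, quarantine it and report what happened."""
    work = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    rogue = work / "rogue.exe"
    rogue.write_bytes(CONSTRUCTED_SAMPLE)

    meta = quarantine_sample(rogue, work / "quarantine")
    quarantined = work / "quarantine" / f"{meta['sha256']}.sample"
    return {
        **meta,
        "original_exists": rogue.exists(),
        "quarantined_exists": quarantined.exists(),
    }


if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=2))
```

Run it as-is to see the metadata for the constructed sample, or call `quarantine_sample(path, "C:/quarantine")` on a real file after the process has been killed. The hashes in the sidecar are what you paste into the online scanners; the file itself only leaves the quarantine folder inside the encrypted archive the post talks about.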

farmerlee
August 24th, 2007, 11:39 PM
{QUOTE-> If and when I ever actually encounter a real malware problem on this machine, I do one of two things:

A) Restore from a good image.
B) Reformat

So for me, no discussion is necessary, nor is any software to attempt to clean up or otherwise fix the problem. Simple and no doubts... <-QUOTE}
Yep, same here. If I encounter anything resembling real malware, it's image restore time.

screamer
August 25th, 2007, 01:09 AM
Since Wilders doesn't permit posting HJT logs, you won't find much discussion on Mal / Viri / Spyware removal.

Me thinks that anyone who has spent any length of time on these forums has picked up on recovery solutions. If I get infected I'll just boot to another snapshot & copy/update or delete the infected one.

I, for one, feel bulletproof w/ my security set-up. If it does fail... FD-ISR to the rescue.

...screamer

Peter2150
August 25th, 2007, 01:30 AM
Likewise. Before doing anything approaching risky, I update my FDISR snapshot, might even take a new image, and then if really risky, I go into a vm machine.

It's almost funny since right now, I am testing and in shadowmode of ShadowDefend and also sandboxed with sandboxie.

LUSHER
August 25th, 2007, 01:35 AM
Traditionally there is some discussion in here (http://www.wilderssecurity.com/showthread.php?goto=newpost&t=183406), though it tends to be some famous malware hunter warning the whole world about some dangerous world-ending threat he found, or some over-paranoid kid posting all kinds of strange screenshots from anti-rootkit tools telling everyone that he has a super-duper stealthy rootkit. :D


I would like to think that there is little discussion because

A) As a forum, Wilders is focused toward security software use. Little things like "wondering about the origin of" infections are not quite as interesting.

B) People here have so many layers (on top of generally being a bit more knowledgeable than average) that very little gets through. In fact, I would say most posters here who find something on their scanners are usually having FPs...

EASTER
August 26th, 2007, 12:42 PM
Likewise, borrowing a similar method practiced by Peter2150.

I employ a perfectly fail-proof method myself against any forced/stealth intrusion which would be designed to "stick" to disk, by using an FD-ISR snapshot covered with Power Shadow Master, plus shielding with a HIPS such as either EQSecure 3.4 OR SSM (Full), and yet further guarded with Sandboxie 3, all of course coupled with strong firewall protection.

Even should some PC Stealth Long/Short Range Cruise Missile manage to penetrate through these layers, which IS NOT going to happen anyway unless I do it to myself ;D, there's still in reserve .arx FD-ISR Archives to rebuild from and, as a final stage of COMPLETE RESTORATION, a couple of full system/partition duplicate images. Also I CLONE an entire "clean" "offline" drive and store that in a temperature-controlled compartment.

Building blocks for a perfect Defense & Preservation Strategy.

So far, HIPS + PS + FD-ISR have everything under tight control from invaders of any sort.

RELAXED & FREE 8)

Kees1958
August 27th, 2007, 04:58 PM
{QUOTE-> Likewise. Before doing anything approaching risky, I update my FDISR snapshot, might even take a new image, and then if really risky, I go into a vm machine.

It's almost funny since right now, I am testing and in shadowmode of ShadowDefend and also sandboxed with sandboxie. <-QUOTE}

So that should make you a virtual shadow? ;)

I do not even care anymore. Even when I'm on our weakest secured PC (A2 IDS + WinPooch + DefenseWall), I make an image backup (takes 2 minutes with MaxBlast) and perform a smart data backup to our external hard drive (which takes less than a minute). Start fiddling with apps, and roll back before shutdown.