security-tools installed on OS / boot-cd

Discussion in 'malware problems & news' started by gambla, Jul 9, 2009.

Thread Status:
Not open for further replies.
  1. gambla

    gambla Registered Member

    Hello,
    a very basic question:

    As there are a lot of viruses/trojans etc. that can hide when booting your OS, do scanners/"removers" that are installed and run on your OS make any sense at all? I'm not an expert but it seems to me that you can always catch only maybe 95% of the threats. But to get these hiding 5% you need to scan from e.g. BartPE anyway?

    thank you + kind regards :)
     
  2. gambla

    gambla Registered Member

    Nobody? Is my English too bad? :(
     
  3. m00nbl00d

    m00nbl00d Registered Member

    It's always a good idea to scan your system from the outside, as in with live CDs, as you mentioned. This is because they (malware) can conceal themselves from installed anti-malware tools.
     
  4. Windchild

    Windchild Registered Member

    Nothing wrong with your English. :) It's just that the answer to the question is somewhat obvious, and you already seem to know it. ;)

    Do scanners that are installed on a potentially infected OS make sense? Sure, a little. Generally the AV scanner is installed to prevent infections in the first place, but as we've seen, that often fails. When the system is already infected, the scanner becomes even less effective, since malware may try all kinds of attacks against it, from simple forced termination to attempting to hide its files with rootkit techniques. Sometimes the scanner can deal with this, often it can't.

    Now, if you boot from a clean boot CD such as a BartPE-based one and run scanners from there, that'll work somewhat better in many cases, since the malware isn't active and can't attempt to mess with the scanners. Many antivirus companies have bootable discs to run their scanners, like
    - DrWeb AV live CD http://www.freedrweb.com/livecd/
    - F-Secure Rescue CD http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/rescue-cd/index.html

    But the most important thing to keep in mind is that no matter where you run your AV scanner from - infected OS, clean boot disc, whatever - it still will never catch all malware. It's a game of chance: am I infected with something my scanner can detect, or am I infected with something it can't detect?

    With that out of the way, booting from a clean media is an excellent way to examine a system for possible infections and then destroy such infections. For example, back in the days when a lot of people were hyping the Rustock family of rootkits to be some kind of unstoppable doomsday device, detecting one of those things was painfully easy just by booting up from a clean cd and looking at the file system a little. Some early versions were so ridiculous they just saved themselves in an alternative data stream attached to one of the Windows folder subfolders like System32. Detecting those was as simple as checking for any ADS streams - any streams that were found that had a size larger than a couple of lines were bad. Inside an infected OS, those streams would be hidden by the rootkit, but booted from a clean media, the rootkit wasn't active and couldn't do anything.

    So, yes, the ability to do security checks from a clean media like a boot cd is great. Infinitely more reliable than checking anything from within an infected system, which you can't trust.
     
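An added worked version of the ADS check Windchild describes (example code, not from the thread or any project): it enumerates NTFS alternate data streams on a volume mounted from a clean boot environment and flags named streams above a size threshold. It assumes Python is available in the rescue environment, E:\Windows as the mount point of the suspect disk, and 256 bytes as the "couple of lines" threshold.

```python
"""Offline NTFS alternate-data-stream (ADS) sweep for a volume mounted from a clean boot CD.
Rule from the post above: ignore the default ::$DATA stream and flag any named stream larger
than a couple of lines of text. Added example; E:\\Windows and the 256-byte cutoff are assumed."""
import ctypes
import os
import sys

INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value  # FindFirstStreamW's failure return

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]

def list_streams(path):
    """Return [(stream_name, size)] for every stream on a file or directory (Windows only)."""
    k32 = ctypes.WinDLL("kernel32")
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, INVALID_HANDLE_VALUE):
        return []  # access denied, reparse point or non-NTFS volume: nothing to report
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams on this object
    finally:
        k32.FindClose(handle)
    return streams

def suspicious_streams(streams, min_size=256):
    """Apply the post's rule to one object's stream list; tiny ones like Zone.Identifier pass."""
    return [(n, s) for n, s in streams if n != "::$DATA" and s > min_size]

def sweep(root, min_size=256):
    """Walk root, checking each directory (System32 in the post) and each file for suspect streams."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for target in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            for name, size in suspicious_streams(list_streams(target), min_size):
                findings.append((target, name, size))
    return findings

if __name__ == "__main__":  # Windows only: the kernel32 calls have no equivalent elsewhere
    for path, name, size in sweep(sys.argv[1] if len(sys.argv) > 1 else r"E:\Windows"):
        print(f"{path}{name}\t{size} bytes")
```

Anything it lists still needs a look by hand; the rule only says "large named stream", which a few legitimate applications also produce.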
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    You pretty much answered yourself. A Live CD allows you to clean the OS calmly, easily, no questions asked.
    Mrk
     
  6. gambla

    gambla Registered Member

    Thank you all. And you're right that I maybe answered it myself in the first place, but I'm still a beginner with those questions. The question that remains for me is how to set up the most effective security setup, e.g.:

    1) running OS:

    live-monitoring by av/malware-scanners - most important: heuristic / behaviour based tools

    2) boot-cd :

    av/malware-tools regularly scanning the entire OS drive - signature-based
    (sure it's a bit uncomfortable creating the media, booting from it etc.)

    >> So if I was right, and as simple as it sounds, the standard procedure should be running regular virus-scans / virus-removal from non-OS boot-media?
     