date: Sun, 5 Jul 2009 18:31:35 +0100,
group: uk.comp.homebuilt
What a M$ security manager has to say about infected Windows PCs
Clean them? You can't, according to this guy.
<http://technet.microsoft.com/en-gb/library/cc512587.aspx>
--
(\__/)
(='.'=) Bunny says Windows 7 is Vi$ta reloaded.
(")_(") http://imgs.xkcd.com/comics/windows_7.png
date: Sun, 5 Jul 2009 18:31:35 +0100
author: Mike Tomlinson
|
Re: What a M$ security manager has to say about infected Windows PCs
In article , Mike Tomlinson says...
>
> Clean them? You can't, according to this guy.
>
> <http://technet.microsoft.com/en-gb/library/cc512587.aspx>
I agree completely with the comments about not being able to trust
them.
As said though, if you implement security patches when they come out,
it's far better than not doing so and getting p0wned.
--
Conor
I only please one person per day. Today is not your day. Tomorrow isn't
looking good either. - Scott Adams
date: Sun, 5 Jul 2009 19:00:08 +0100
author: Conor
|
Re: What a M$ security manager has to say about infected Windows PCs
On Sun, 5 Jul 2009 18:31:35 +0100
Mike Tomlinson wrote:
>
> Clean them? You can't, according to this guy.
>
> <http://technet.microsoft.com/en-gb/library/cc512587.aspx>
>
"This list makes patching look not so bad, yes? We may hate patches,
but the alternative is decidedly worse."
Aren't you glad you're running Windows? :-\
The article is a bit crap - he says you can't trust anti-virus software
to run because you may have been rootkitted, without mentioning rescue
disks or Linux live CDs, or just pulling the disk and sticking it in
another machine.
date: Sun, 5 Jul 2009 19:07:13 +0100
author: Rob Morley
|
Re: What a M$ security manager has to say about infected Windows PCs
"Mike Tomlinson" wrote in message
news:R4T3qfB3NOUKFwzO@jasper.org.uk...
>
> Clean them? You can't, according to this guy.
>
> <http://technet.microsoft.com/en-gb/library/cc512587.aspx>
>
> --
> (\__/)
> (='.'=) Bunny says sender is a total nob.
> (")_(") http://nob.com/nob
>
>
The secret is applying security patches and taking precautions.
No point having a lack of knowledge which allows a system to
become infected.
date: Sun, 5 Jul 2009 19:07:29 +0100
author: Clive
|
Re: What a M$ security manager has to say about infected Windows PCs
In article <20090705190713.1c2a4b5e@bluemoon>, Rob Morley says...
>
> On Sun, 5 Jul 2009 18:31:35 +0100
> Mike Tomlinson wrote:
>
> >
> > Clean them? You can't, according to this guy.
> >
> > <http://technet.microsoft.com/en-gb/library/cc512587.aspx>
> >
> "This list makes patching look not so bad, yes? We may hate patches,
> but the alternative is decidedly worse."
> Aren't you glad you're running Windows? :-\
> The article is a bit crap - he says you can't trust anti-virus software
> to run because you may have been rootkitted, without mentioning rescue
> disks or Linux live CDs, or just pulling the disk and sticking it in
> another machine.
There speaks someone without a clue. What help is a Linux Live CD going
to be? How is putting it in another computer going to do anything in
the event of a rootkit?
--
Conor
I only please one person per day. Today is not your day. Tomorrow isn't
looking good either. - Scott Adams
date: Sun, 5 Jul 2009 19:16:30 +0100
author: Conor
|
Re: What a M$ security manager has to say about infected Windows PCs
In message <20090705190713.1c2a4b5e@bluemoon>, Rob Morley
writes
>On Sun, 5 Jul 2009 18:31:35 +0100
>Mike Tomlinson wrote:
>
>>
>> Clean them? You can't, according to this guy.
>>
>> <http://technet.microsoft.com/en-gb/library/cc512587.aspx>
>>
>"This list makes patching look not so bad, yes? We may hate patches,
>but the alternative is decidedly worse."
>Aren't you glad you're running Windows? :-\
>The article is a bit crap - he says you can't trust anti-virus software
>to run because you may have been rootkitted, without mentioning rescue
>disks or Linux live CDs, or just pulling the disk and sticking it in
>another machine.
The article was written in 2004. Some of the details have changed since
then but the basic advice is sound. If your system is compromised the
only way to be reasonably certain that you have cleaned it is a
bare-metal install.
--
Bernard Peek
date: Sun, 5 Jul 2009 19:26:20 +0100
author: Bernard Peek
|
Re: What a M$ security manager has to say about infected Windows PCs
In message ,
Conor writes
>There speaks someone without a clue. What help is a Linux Live CD going
>to be? How is putting it in another computer going to do anything in
>the event of a rootkit?
Linux live CDs give you the chance to run an AV scanner that an infected
Windows OS can't fool. Putting the drive into another computer bypasses
any rootkit on the infected drive, by not booting from it. Again, you
can use a clean OS to run a virus scan.
--
Bernard Peek
date: Sun, 5 Jul 2009 19:29:39 +0100
author: Bernard Peek
|
Re: What a M$ security manager has to say about infected Windows PCs
In article <rU$BHcOTEPUKFwH0@shrdlu.com>, Bernard Peek says...
>
> In message ,
> Conor writes
>
>
> >There speaks someone without a clue. What help is a Linux Live CD going
> >to be? How is putting it in another computer going to do anything in
> >the event of a rootkit?
>
> Linux live CDs give you the chance to run an AV scanner that an infected
> Windows OS can't fool.
Perhaps you'd like to show me these Linux based AV solutions that are
as comprehensive as Windows ones. The ones I've seen only have quite
basic Windows virus scanning.
> Putting the drive into another computer bypasses
> any rootkit on the infected drive, by not booting from it. Again, you
> can use a clean OS to run a virus scan.
However opening the infected file could result in the host being
infected.
--
Conor
I only please one person per day. Today is not your day. Tomorrow isn't
looking good either. - Scott Adams
date: Sun, 5 Jul 2009 19:56:27 +0100
author: Conor
|
Re: What a M$ security manager has to say about infected Windows PCs
In message ,
Conor writes
>In article <rU$BHcOTEPUKFwH0@shrdlu.com>, Bernard Peek says...
>>
>> In message ,
>> Conor writes
>>
>>
>> >There speaks someone without a clue. What help is a Linux Live CD going
>> >to be? How is putting it in another computer going to do anything in
>> >the event of a rootkit?
>>
>> Linux live CDs give you the chance to run an AV scanner that an infected
>> Windows OS can't fool.
>
>Perhaps you'd like to show me these Linux based AV solutions that are
>as comprehensive as Windows ones. The ones I've seen only have quite
>basic Windows virus scanning.
There are several around, and only a basic scanner is required.
>
>> Putting the drive into another computer bypasses
>> any rootkit on the infected drive, by not booting from it. Again, you
>> can use a clean OS to run a virus scan.
>
>However opening the infected file could result in the host being
>infected.
That depends on the type of file and the application you use to open it.
Personally I'd choose an antivirus program, which is a pretty safe
option.
--
Bernard Peek
date: Sun, 5 Jul 2009 21:14:10 +0100
author: Bernard Peek
|
Re: What a M$ security manager has to say about infected Windows PCs
Bitstring <h2qq55$ap$1@news.albasani.net>, from the wonderful person
Clive said
>
>"Mike Tomlinson" wrote in message
>news:R4T3qfB3NOUKFwzO@jasper.org.uk...
>>
>> Clean them? You can't, according to this guy.
>>
>> <http://technet.microsoft.com/en-gb/library/cc512587.aspx>
>>
>> --
>> (\__/)
>> (='.'=) Bunny says sender is a total nob.
>> (")_(") http://nob.com/nob
>>
>>
>
>The secret is applying security patches and taking precautions.
>No point having a lack of knowledge which allows a system to
>become infected.
But of course the problem is that the patches are produced in response
to a known vulnerability. Often, if not always, someone has already used
the hole to infect some unknown number of systems .. IIRC 'blaster' got
to lots of places BEFORE there was a patch for it.
--
GSV Three Minds in a Can
15,016 Km walked. 2,773 Km PROWs surveyed. 50.1% complete.
date: Sun, 5 Jul 2009 21:24:22 +0100
author: GSV Three Minds in a Can
|
Re: What a M$ security manager has to say about infected Windows PCs
In article , Bernard Peek says...
> There are several around, and only a basic scanner is required.
>
Unless it can purge registry keys and hidden files in system folders,
it's no use.
> >
> >> Putting the drive into another computer bypasses
> >> any rootkit on the infected drive, by not booting from it. Again, you
> >> can use a clean OS to run a virus scan.
> >
> >However opening the infected file could result in the host being
> >infected.
>
> That depends on the type of file and the application you use to open it.
> Personally I'd choose an antivirus program, which is a pretty safe
> option.
Ho-hum....
--
Conor
I only please one person per day. Today is not your day. Tomorrow isn't
looking good either. - Scott Adams
date: Sun, 5 Jul 2009 21:26:20 +0100
author: Conor
|
Re: What a M$ security manager has to say about infected Windows PCs
On Sun, 5 Jul 2009 19:56:27 +0100
Conor wrote:
> In article <rU$BHcOTEPUKFwH0@shrdlu.com>, Bernard Peek says...
> >
> > In message ,
> > Conor writes
> >
> >
> > >There speaks someone without a clue. What help is a Linux Live CD going
> > >to be? How is putting it in another computer going to do anything in
> > >the event of a rootkit?
> >
> > Linux live CDs give you the chance to run an AV scanner that an infected
> > Windows OS can't fool.
>
> Perhaps you'd like to show me these Linux based AV solutions that are
> as comprehensive as Windows ones. The ones I've seen only have quite
> basic Windows virus scanning.
There are more AV products available for Linux than I realised,
including F-PROT, which AFAICT uses the same heuristics and definitions
as the Windows version. I just picked on F-PROT because FWIH it's one of
the best (for Windows).
> > Putting the drive into another computer bypasses
> > any rootkit on the infected drive, by not booting from it. Again, you
> > can use a clean OS to run a virus scan.
>
> However opening the infected file could result in the host being
> infected.
In that case, presuming you haven't been stupid enough to put a known
infected drive in a system without trying to secure it first, then
patching the first infected system wouldn't have helped either.
--
TH * http://www.realh.co.uk
date: Sun, 5 Jul 2009 21:27:02 +0100
author: Tony Houghton
|
Re: What a M$ security manager has to say about infected Windows PCs
On Sun, 5 Jul 2009 21:26:20 +0100
Conor wrote:
> In article , Bernard Peek says...
>
> > There are several around, and only a basic scanner is required.
> >
> Unless it can purge registry keys and hidden files in system folders,
> it's no use.
Why wouldn't they be able to find the latter? The hidden/system
properties are just attributes aren't they, not some clever trick that
inherently makes them inaccessible from other systems?
--
TH * http://www.realh.co.uk
date: Sun, 5 Jul 2009 21:34:10 +0100
author: Tony Houghton
|
Re: What a M$ security manager has to say about infected Windows PCs
In message <B$Ug9MD2vQUKFAh5@from.is.invalid>, GSV Three Minds in a Can
writes
>But of course the problem is that the patches are produced in response
>to a known vulnerability. Often, if not always, someone has already
>used the hole to infect some unknown number of systems .. IIRC
>'blaster' got to lots of places BEFORE there was a patch for it.
It does happen but it's not common. The more common sequence is that MS
patch a vulnerability then someone reverse-engineers the patch. That
usually takes 2-3 days so the really dangerous time is a few days after
patch-Tuesday.
IMHO, if you don't have the expertise to test patches in the first few
days after they are released the safe option is to set your systems to
install security patches automatically. There's a risk that a patch will
bring your systems down but there is no unconditionally safe course of
action.
--
Bernard Peek
date: Sun, 5 Jul 2009 21:51:49 +0100
author: Bernard Peek
|
Re: What a M$ security manager has to say about infected Windows PCs
In message , Tony Houghton
writes
>On Sun, 5 Jul 2009 21:26:20 +0100
>Conor wrote:
>
>> In article , Bernard Peek says...
>>
>> > There are several around, and only a basic scanner is required.
>> >
>> Unless it can purge registry keys and hidden files in system folders,
>> it's no use.
>
>Why wouldn't they be able to find the latter? The hidden/system
>properties are just attributes aren't they, not some clever trick that
>inherently makes them inaccessible from other systems?
Antivirus programs under Linux or Windows are able to edit the registry
and to read hidden and system files.
Neither will be able to do anything with encrypted files or partitions.
If you have those then you can't read any of the files on another
system, under Windows or Linux. For these the only option is to nuke the
encrypted data then restore from a clean backup. If you don't have a
clean backup then you are screwed.
--
Bernard Peek
date: Sun, 5 Jul 2009 21:58:28 +0100
author: Bernard Peek
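Editor's added example, not part of the thread: the offline scan Bernard describes above (and in his earlier reply to Conor about live CDs and moving the drive), done from a clean OS so that nothing on the suspect disk is ever executed. The mount point /mnt/suspect, the device /dev/sdb1 and the BADLIST file (one SHA-256 per line of known-bad files) are assumptions; a real scan would use an on-demand scanner such as clamscan -r against the same mount, which works the same way with a far larger signature set. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): scan a suspect Windows
# volume from a clean OS without running anything stored on it.
#
# Assumed setup: the suspect partition is mounted so that nothing on it can
# execute. Read-only preserves evidence; noexec/nodev/nosuid stop any
# accidental execution from the mounted tree (requires root, shown only):
#
#   mount -t ntfs-3g -o ro,noexec,nodev,nosuid /dev/sdb1 /mnt/suspect
#
# BADLIST (assumed format): a text file with one SHA-256 hex digest per line.

# scan_tree DIR BADLIST
# Hashes every regular file under DIR and prints the path of each file whose
# digest appears in BADLIST. Windows "hidden" and "system" are attributes
# stored in the file system, not a way of withholding the file: a non-Windows
# kernel reading the volume does not honour them, and no rootkit from the
# infected install is running to filter the directory listing.
scan_tree() {
    dir=$1
    badlist=$2
    find "$dir" -type f -exec sha256sum {} + 2>/dev/null |
    while IFS= read -r line; do
        hash=${line%% *}      # first field: the hex digest
        path=${line#*  }      # everything after sha256sum's two-space separator
        if grep -qix -- "$hash" "$badlist"; then
            printf '%s\n' "$path"
        fi
    done
}

# count_hits DIR BADLIST: number of flagged files, for a pass/fail decision.
count_hits() {
    scan_tree "$1" "$2" | wc -l | tr -d ' '
}

# Usage against the assumed mount:
#   count_hits /mnt/suspect known-bad.sha256
```

A hash list only finds files you already know about, which is Conor's point about registry keys: this tells you the disk is dirty, it does not make it clean, and the thread's conclusion (image it, then reinstall from known-good media) still stands.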
|
Re: What a M$ security manager has to say about infected Windows PCs
Mike Tomlinson wrote:
> Clean them? You can't, according to this guy.
>
> <http://technet.microsoft.com/en-gb/library/cc512587.aspx>
Well maybe MS policy of encouraging companies to not supply restore media
makes a format and reinstall as a standard course of action pretty
difficult.
Gaz
date: Sun, 5 Jul 2009 22:56:32 +0100
author: gaz
|
Re: What a M$ security manager has to say about infected Windows PCs
Bernard Peek wrote:
>
> Neither will be able to do anything with encrypted files or
> partitions. If you have those then you can't read any of the files on
> another system, under Windows or Linux. For these the only option is
> to nuke the encrypted data then restore from a clean backup. If you
> don't have a clean backup then you are screwed.
And, 0.3% of home users have a clean backup.....
Gaz
date: Sun, 5 Jul 2009 22:58:16 +0100
author: gaz
|
Re: What a M$ security manager has to say about infected Windows PCs
In message , gaz
writes
>Bernard Peek wrote:
>
>>
>> Neither will be able to do anything with encrypted files or
>> partitions. If you have those then you can't read any of the files on
>> another system, under Windows or Linux. For these the only option is
>> to nuke the encrypted data then restore from a clean backup. If you
>> don't have a clean backup then you are screwed.
>
>And, 0.3% of home users have a clean backup.....
Lots of business users don't have a clean backup. Some of them will
discover this fact the hard way.
Most companies should be using encrypted partitions for their laptops.
--
Bernard Peek
date: Sun, 5 Jul 2009 23:07:29 +0100
author: Bernard Peek
|
Re: What a M$ security manager has to say about infected Windows PCs
In article <h2qq55$ap$1@news.albasani.net>, Clive
writes
>The secret is applying security patches and taking precautions.
Never heard of 0-day exploits, eh, Clive, oops, I mean Rob, the Tiscali
idiot? Isn't it time for you to morph again?
>No point having a lack of knowledge which allows a system to
>become infected.
My, you really are a stupid twat aren't you?
--
(\__/)
(='.'=) Bunny says Windows 7 is Vi$ta reloaded.
(")_(") http://imgs.xkcd.com/comics/windows_7.png
date: Mon, 6 Jul 2009 17:25:37 +0100
author: Mike Tomlinson
|
Re: What a M$ security manager has to say about infected Windows PCs
Bernard Peek wrote:
>
> Neither will be able to do anything with encrypted files or
> partitions. If you have those then you can't read any of the files on
> another system, under Windows or Linux.
If your system is still working to some extent, could you not just copy all
the data onto a non-encrypted partition? Of course, you could not tell for
sure whether the data had been altered, but you could get an idea by
comparing even an oldish backup with the data on the new partition on a
file-by-file basis.
date: Mon, 6 Jul 2009 17:45:19 +0100
author: GB
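Editor's added example, not part of the thread: the file-by-file comparison GB suggests above, between an older backup and the data copied off the encrypted partition. It compares content hashes rather than timestamps, because timestamps are trivial for malware to reset. The directory names and file contents in the test are constructed.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): compare a recovered data
# tree against an older backup and list what was added, modified or removed.
#
# Assumed layout: BACKUP and RECOVERED are two directory trees with the same
# relative structure, e.g. the last good backup and the data copied out of
# the encrypted partition onto a plain one.

# manifest DIR: one line per regular file, "sha256  ./relative/path",
# sorted by path. Hashes are compared, not mtimes, since an attacker can
# set any timestamp they like.
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} +) | sort -k2
}

# compare_trees BACKUP RECOVERED
# Prints "added ./p", "modified ./p" or "removed ./p" for every difference,
# sorted. Files present in both trees with the same digest are not listed.
# sha256sum output is 64 hex characters, two spaces, then the path, so the
# path starts at column 67.
compare_trees() {
    old=$(mktemp)
    new=$(mktemp)
    manifest "$1" >"$old"
    manifest "$2" >"$new"
    awk '
        NR == FNR { old[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            seen[p] = 1
            if (!(p in old))        print "added " p
            else if (old[p] != $1)  print "modified " p
        }
        END { for (p in old) if (!(p in seen)) print "removed " p }
    ' "$old" "$new" | sort
    rm -f "$old" "$new"
}

# Usage: compare_trees /media/backup-2009-06 /mnt/recovered
```

As GB says, this only tells you what changed relative to the backup. A file that did not exist at backup time shows up as "added" whether it is your own new work or something the malware dropped, so the "added" list is the one to read most carefully.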
|
Re: What a M$ security manager has to say about infected Windows PCs
"Mike Tomlinson" wrote in message
news:70+95YCBWiUKFwX8@jasper.org.uk...
> In article <h2qq55$ap$1@news.albasani.net>, Clive
> writes
>
>>The secret is applying security patches and taking precautions.
>
> Never heard of 0-day exploits, eh, Clive, oops, I mean Rob, the Tiscali
> idiot? Isn't it time for you to morph again?
>
>>No point having a lack of knowledge which allows a system to
>>become infected.
>
> My, you really are a stupid twat aren't you?
You're giving him far too much credit.
--
Unlock Your Phone's Potential
www.UselessInfo.org.uk
www.ThePhoneLocker.co.uk
www.GSM-Solutions.co.uk
date: Mon, 06 Jul 2009 16:47:16 GMT
author: Richard Colton usenet@ NO PORK PRODUCTS uselessinfo.org.uk
|
Re: What a M$ security manager has to say about infected Windows PCs
Mike Tomlinson wrote:
>
>> The secret is applying security patches and taking precautions.
>
> Never heard of 0-day exploits, eh, Clive, oops, I mean Rob, the
> Tiscali idiot?
Isn't that why you also 'take precautions'? I really don't see what the
ordinary computer user can do except apply patches speedily and avoid dodgy
emails and websites.
date: Mon, 6 Jul 2009 19:06:29 +0100
author: GB
|
Re: What a M$ security manager has to say about infected Windows PCs
In article <4a523d2c$0$24001$db0fefd9@news.zen.co.uk>, GB
writes
>Isn't that why you also 'take precautions'? I really don't see what the
>ordinary computer user can do except apply patches speedily and avoid dodgy
>emails and websites.
You've missed the point. Patches are by definition issued _after_ 0-day
exploits become known, by which time it's too late.
Microsoft can only issue patches for vulns they know about.
Most savvy users will be aware of the risks and take suitable
precautions, but the vast majority of PC users neither know nor care.
--
(\__/)
(='.'=) Bunny says Windows 7 is Vi$ta reloaded.
(")_(") http://imgs.xkcd.com/comics/windows_7.png
date: Mon, 6 Jul 2009 19:19:44 +0100
author: Mike Tomlinson
|
Re: What a M$ security manager has to say about infected Windows PCs
In article <h2qq55$ap$1@news.albasani.net>, Clive
writes
>The secret is applying security patches and taking precautions.
>No point having a lack of knowledge which allows a system to
>become infected.
How about this then, "Clive"?
http://www.theregister.co.uk/2009/07/06/new_microsoft_exploit_in_wild/
"Today's Microsoft advisory offers a workaround users can take to
safeguard against the vulnerability until a patch is released. It
involves making changes to the Windows registry, a risky undertaking for
those who aren't sure what they're doing."
Note the phrase '_until_ a patch is released'
--
(\__/)
(='.'=) Bunny says Windows 7 is Vi$ta reloaded.
(")_(") http://imgs.xkcd.com/comics/windows_7.png
date: Tue, 7 Jul 2009 07:22:09 +0100
author: Mike Tomlinson
|
Re: What a M$ security manager has to say about infected Windows PCs
Rob Morley wrote:
> On Sun, 5 Jul 2009 18:31:35 +0100
> Mike Tomlinson wrote:
>
>>
>> Clean them? You can't, according to this guy.
>>
>> <http://technet.microsoft.com/en-gb/library/cc512587.aspx>
>>
> "This list makes patching look not so bad, yes? We may hate patches,
> but the alternative is decidedly worse."
> Aren't you glad you're running Windows? :-\
It's hardly just a Windows problem. The advice to re-install rather than attempt
to fix (after duplicating the disk for forensic purposes) has been around since
before Windows even got a TCP/IP stack as standard.
> The article is a bit crap - he says you can't trust anti-virus software
> to run because you may have been rootkitted,
Well, you can't. If you have been rootkitted then the AV software will be about
as much use as a chocolate teapot. The system may have been compromised in ways
which no AV software could possibly be expected to detect or fix.
> without mentioning rescue
> disks or Linux live CDs,
Given that the article was written in 2004 for Microsoft as general advice for
Windows users they are hardly likely to mention Linux Live CDs (just how many
Linux distros had live versions back in 2004 anyway?).
> or just pulling the disk and sticking it in
> another machine.
and thereby potentially infecting a second machine. If you really know what you
are doing then this might be ok, but for the general public, who have already
got their machine infected, it is not a good idea. Given that you don't know
what the infection vector was (it's already defeated the AV and firewall) how
can you be sure it won't be able to infect your other disk? And one simple
slip, like forgetting to check the boot sequence in your BIOS, and the system
starts to boot from the infected disk - then all bets are off (don't forget
this advice is likely to be used by clueless numpties who've already infected
their machines).
--
Nigel Wade
date: Tue, 07 Jul 2009 10:47:23 +0100
author: Nigel Wade
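Editor's added example, not part of the thread: Nigel's "duplicate the disk for forensic purposes" step, done before the reinstall and before anyone pokes at the drive in a second machine. The device name /dev/sdb, the evidence path and the partition offset in the usage comment are assumptions; the disk image in the test is a constructed 2 KiB file.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): take a verified image of the
# suspect disk first, so the reinstall does not destroy the evidence and all
# later analysis runs against the copy, never the original.
#
# Assumed: the infected disk is attached to a clean machine as /dev/sdb, or
# the infected machine is booted from a live CD. Either way, check the BIOS
# boot order (or unplug every other disk) before powering on, which is the
# "one simple slip" Nigel warns about.

# image_disk SRC DEST [BS]
# Copies SRC to DEST block for block. conv=noerror,sync carries on past
# unreadable sectors and zero-fills them so later offsets stay aligned
# (BS must divide the device size, which 512 always does). dd's own messages
# go to DEST.log. Then both source and image are hashed, the digests written
# beside the image for later "sha256sum -c", and the function returns 0 only
# if the two digests match.
image_disk() {
    src=$1
    dest=$2
    bs=${3:-4M}
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>"$dest.log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dest" >"$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# image_hash DEST: the digest recorded for the image (second line of DEST.sha256).
image_hash() {
    sed -n '2s/  .*//p' "$1.sha256"
}

# Usage (assumed paths; not run here):
#   image_disk /dev/sdb /evidence/sdb.dd
#   # first partition of the image, assuming it starts at sector 2048:
#   mount -o ro,noexec,nodev,nosuid,loop,offset=$((2048 * 512)) \
#         /evidence/sdb.dd /mnt/suspect
```

Once the image verifies, the original disk can be wiped and reinstalled, and the copy is what gets mounted read-only for any scanning. Mounting the image with noexec,nodev,nosuid rather than the drive itself also answers Nigel's other worry: the second machine never has the infected file system writable, bootable or executable.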
|
Re: What a M$ security manager has to say about infected Windows PCs
On Tue, 07 Jul 2009 10:47:23 +0100
Nigel Wade wrote:
> Rob Morley wrote:
> > Aren't you glad you're running Windows? :-\
>
> It's hardly just a Windows problem. The advice to re-install rather
> than attempt to fix (after duplicating the disk for forensic
> purposes) has been around since before Windows even got a TCP/IP
> stack as standard.
But Windows is such a big juicy target - all those home and small
business users who expect it to just work without knowing anything
about it ...
>
> > The article is a bit crap - he says you can't trust anti-virus
> > software to run because you may have been rootkitted,
>
> Well, you can't. If you have been rootkitted then the AV software
> will be about as much use as a chocolate teapot. The system can have
> been compromised in ways which no AV software could possibly be
> expected to detect or fix.
Which is why I went on to mention a couple of ways around the problem:
>
> > without mentioning rescue
> > disks or Linux live CDs,
>
> Given that the article was written in 2004 for Microsoft as general
> advice for Windows users they are hardly likely to mention Linux Live
> CDs
He was happy to mention Linux vulnerabilities. :-)
> (just how many Linux distros had live versions back in 2004
> anyway).
Knoppix was released in 2003. When you're using it as a rescue tool
you don't really care what window manager or package manager it uses ...
>
> > or just pulling the disk and sticking it in
> > another machine.
>
> and thereby potentially infecting a second machine. If you really
> know what you are doing then this might be ok, but for the general
> public, who have already got their machine infected, it is not a good
> idea. Given that you don't know what the infection vector was (it's
> already defeated the AV and firewall)
Given that the focus of the article is patch management, I'm guessing
the vector is detailed in a recent MS security bulletin. :-)
> how can you be sure it won't be
> able to infect your other disk? And one simple slip, like forgetting
> to check the boot sequence in your BIOS, and the system starts to
> boot from the infected disk - then all bets are off (don't forget
> this advice is likely to be used by clueless numpties who've already
> infected their machines).
>
The article was aimed at system administrators.
date: Wed, 8 Jul 2009 03:25:04 +0100
author: Rob Morley
|