[ale] [OT] Databases of viruses/malware

Ron Frazier atllinuxenthinfo at c3energy.com
Wed Mar 2 22:01:48 EST 2011 

Pat,

A valid question. The best way to fix a virus is never to catch one. 
However, the post JD wrote which I replied to assumed a virus had been 
detected and he was discussing how to get rid of it. I'll give you the 
best answer I can. If I wipe the drive, and reinstall the system and non 
infectable data files, then I would trust the computer. Then, I would do 
routine virus scans, have live on the fly scanning active, and have data 
execution protection on in the OS (if it's Windows) and the browser (if 
it's IE). I would watch for anomalous events such as crashes, non 
requested reboots, error messages, etc. I would watch for reports of odd 
computer behavior from the users, missing or corrupt data, reports like 
"I got this email from IT and clicked the link" or "what was that urgent 
system maintenance thing yesterday (when there was none), etc. If I have 
much probable cause at all, I'll reboot with a few different AV rescue 
CD's and scan independent of the OS. For truly sensitive PC's and users, 
I might wipe the drive and reinstall just based on probable cause alone. 
Of course, I would immediately pursue and try to confirm any reports of 
active viruses by the AV scanner.

To actually answer your question, there is no sure fire way to detect 
these things. Just like organized criminals, the really good ones never 
get caught. There are millions of users with infected computers who 
don't even know it. The virus writers use the compromised PC's to join 
bot nets, silently commit cyber terrorism, and steal confidential data 
which is sold on the black market.

Security professionals feel free to jump in here.

Sincerely,

Ron

On 03/02/2011 09:08 PM, Pat Regan wrote:
> On Wed, 02 Mar 2011 20:58:02 -0500
> Ron Frazier<atllinuxenthinfo at c3energy.com>  wrote:
>
>    
>> The problem is, you may never know if the remedy failed. If the virus
>> returns in a mutated form, or in rootkit form, it may not show any
>> evidence of it's presence until you boot another OS and scan again,
>> which may be weeks or months or never. In my opinion, if a machine is
>> compromised, the only way I can trust it again with confidential
>> data, for sure, is to wipe the drive.
>>      
> How do you know when to stop trusting it again?  If it is hiding that
> well then how did you find it in the first place? :)
>
> Pat
>
>    

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com

More information about the Ale mailing list