[ale] [OT] Databases of viruses/malware
JD
jdp at algoloma.com
Thu Mar 3 06:10:32 EST 2011
On 03/02/2011 10:01 PM, Ron Frazier wrote:
> Pat,
>
> A valid question. The best way to fix a virus is never to catch one.
> However, the post JD wrote which I replied to assumed a virus had been
> detected and he was discussing how to get rid of it. I'll give you the
> best answer I can. If I wipe the drive, and reinstall the system and non
> infectable data files, then I would trust the computer. Then, I would do
> routine virus scans, have live on the fly scanning active, and have data
> execution protection on in the OS (if it's Windows) and the browser (if
> it's IE). I would watch for anomalous events such as crashes, non
> requested reboots, error messages, etc. I would watch for reports of odd
> computer behavior from the users, missing or corrupt data, reports like
> "I got this email from IT and clicked the link" or "what was that urgent
> system maintenance thing yesterday (when there was none), etc. If I have
> much probable cause at all, I'll reboot with a few different AV rescue
> CD's and scan independent of the OS. For truly sensitive PC's and users,
> I might wipe the drive and reinstall just based on probable cause alone.
> Of course, I would immediately pursue and try to confirm any reports of
> active viruses by the AV scanner.
>
> To actually answer your question, there is no sure fire way to detect
> these things. Just like organized criminals, the really good ones never
> get caught. There are millions of users with infected computers who
> don't even know it. The virus writers use the compromised PC's to join
> bot nets, silently commit cyber terrorism, and steal confidential data
> which is sold on the black market.
>
> Security professionals feel free to jump in here.
For my machines, if I thought I had a virus, I'd format the HDD and load
from an image. For most work desktop systems, like a call center PC, I'd
remove the disk and run a few AV scanners from other booted OSes to
clean it. If it were the CFOs desktop, he would get a formated HDD
every time.
Most people don't know this, but everyone here should, AV tools are
usually 80% effective. Running 3 different AV tools can get the
recognition to almost 90%. That leaves about 10% of viruses as unknown,
not scan-able, not correctable. For me, it is a good reason to not let
MS-Windows see the internet.
Mac and Linux systems can also get malware and viruses, it is much less
likely, but still possible.
More information about the Ale
mailing list