You're right that I can't be 100% sure that a clean install is not compromised already -- but the chances are a LOT lower than trying to manually clean a known-compromised machine. By reinstalling, I'm certainly leaving the user in no *worse* position of risk; by not reinstalling, I am.
--
Devin L. Ganger, Exchange MVP
3Sharp
14700 NE 95th Suite 210
Redmond, WA 98052
Email: [EMAIL PROTECTED]
Phone: 425.882.1032
Cell: 425.239.2575
Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Moratz-Coppins
> Sent: Tuesday, March 18, 2008 11:26 AM
> To: focus-ms@securityfocus.com
> Subject: Re: More along the lines of malware disinfection
>
> Jon R. Kibler wrote:
> > IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0% trustworthy. You can remove the malware, but how do you know that you found everything? You don't. Especially if the malware is some sort of downloader or spyware.
> >
> > Infected system? Back up the data, and ONLY the data, then (to quote Microsoft from RSA a couple of years ago) "Nuke it from space!".
> >
> > Bottom line: It is impossible to give any reasonable assurance that a box that was infected has been cleaned. Best solution: Never store user data on a client system (so you have nothing to back up) and simply reimage any suspect system (ZenWorks, Ghost, etc.). I have some clients that reimage every desktop every weekend just for good measure.
>
> Purely monetarily speaking, I love the idea of reinstalling every machine that gets a virus. I might have earnt about 4 times more money than I have to date running my business; however, I don't think customers would appreciate their computer install being nuked every time they have a malware issue. I would say that so far I've done about 50 installs of Windows (computer building aside), whereas I have attended about 200 appointments where I have removed some form of malware from a computer.
>
> Sure, you can't be absolutely 100% sure that a machine is 100% clean, but quite frankly you can't be 100% sure that a cleanly-installed, patched up-to-date machine hasn't somehow been compromised by a 100% undetectable rootkit. When I go to an appointment, I check the usual sources of 'programs being run on startup' registry entries that I'm aware of, I check the process list, and I investigate further if I observe any sign of a machine acting not 100% normal.
>
> Computer fixing is rarely about 100% security (or anywhere near that), as 100% security means "not usable".
>
> --
> Mike Moratz-Coppins
> [EMAIL PROTECTED]
> http://www.mikeymike.org.uk/