On 2008-03-19 Mike Moratz-Coppins wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2008-03-18 Mike Moratz-Coppins wrote:
>>> I should point out one factor which I think makes a large difference
>>> in the approach that one might take in encountering a security issue -
>>> the vast majority of my customers are home users who just casually use
>>> their machine.
>> 
>> You do realize that significant amounts of spam are deployed through
>> zombified computers of exactly these "home users who just casually use
>> their machine", don't you?
> 
> Yes, I am aware of that.
> 
>> [...]
>>>> 2) Jon's point about reliability here is very key to the
>>>> discussion. It is COMPLETELY irresponsible to warrant to a customer
>>>> that you can certify a system safe after it has been infected with
>>>> any manner of control-compromising code that has gone
>>>> undetected/untreated for a period of time.
>>> 
>>> Do you see this as applying in a joe average home user scenario?
>> 
>> Even if he doesn't, I do. Unless you can determine without any doubt
>> when and how the machine was compromised, and what exactly was
>> altered afterwards, the only reasonable and responsible way to deal
>> with the problem is to backup the data and reinstall the machine.
>> Period.
> 
> Well, I guess we'll just agree to disagree then.  I can't see how one
> can make the distinction between "just a simple virus" and "a system
> security compromise"

Then you failed either to read or to understand what I wrote above. You
can make the distinction if you are able to determine when and how the
infection occurred, and what was altered afterwards.

If you are not able to determine all of the above, you cannot make the
distinction, and thus MUST assume the worst case. That's common sense,
and I fail to see what's so hard for you to understand about this.

> considering if "just a simple virus" is allowed to infect a system,
> then it may as well be a system security compromise, 

Ummm... yes?

> and that (going by the logic that some people on this list are
> employing), just removing "a simple virus" cannot possibly reassure
> one that there isn't something more sinister lurking around the
> system, then as soon as any form of malware is found, then the logic
> of a lot of people on this list dictates that the computer must be
> wiped and clean-installed.

Unless you are able to determine what infected the system, when the
infection occurred, and what was tampered with after the infection. Like
I've said before.

> I don't think (as far as the usual scenarios that my work takes me
> to) that a wipe and new install is the appropriate thing to do most of
> the time.  Most of my reasons are practical-reality reasons, not "100%
> security" reasons:
> 
> 1 - Many customers have computers that it would be difficult to
> perform an on-site reinstall on.  For example, they might not have
> any/all discs for the machine, they only have one machine, etc.

And that makes leaving the machine a potential spam-bot acceptable how?

> 2 - Many customers have families (or 'need' the machine on a
> day-to-day basis) e.g. with the school kids doing their homework on
> the machine, and so the machine disappearing for a few days for me to
> do the installation with all the resources I have available at home
> would be highly inconvenient for them.

And that makes leaving the machine a potential spam-bot acceptable how?

> 3 - Many customers have pirated copies of software that they're using
> (e.g. MS Office), and as I have a policy of not installing pirated
> software for customers, I'm then inconveniencing them by wipe-installing
> their machine and they don't have the CD for MSO anymore, for example.
> Some customers might also have bought software online and not have the
> product keys anymore because they deleted the e-mails containing those
> product keys.

And that makes leaving the machine a potential spam-bot acceptable how?

> 4 - Some customers aren't so well off as other customers, and the cost 
> of doing a reinstall is somewhat more than my average bill for removing 
> malware.

And that makes leaving the machine a potential spam-bot acceptable how?

Fixing a car costs money, too. Do you actually believe that it's okay
for people to drive around with malfunctioning brakes, just because they
can't afford to get them fixed?

> I'm sure that some of you will answer these scenarios along the lines
> of "aww, diddums" to the customer and still insist that the need for
> "100% security" overrides the needs of my customers, which is why I've
> said that we should agree to disagree about this.

Well, some of us just don't consider botnets acceptable. Apparently you
have a different opinion on that.

> At the end of the day, if a customer asks me to remove malware, I will
> investigate manually (e.g. in the registry) for it, use virus/spyware
> scans to help pin it down and any remaining traces of it, and check in
> other ways (such as monitoring TCP/IP connections with netstat and
> tcpview, filemon, regmon, spybot and rootkitrevealer, and even
> watching the network activity light on the machine/router).  I finish
> the appointment when I am confident that the problem has been solved.

And you actually believe that going through that whole procedure will
cost you less time than reinstalling the box? Don't make me laugh. BTDT,
and it takes considerable amounts of time to do it right. And even then
you can't be sure you didn't miss something, because it's pretty hard,
if not impossible, to prove the absence of something.

> While there is a possibility that there could be "undetectable
> malware" on the machine, I believe that, as a general policy, assuming
> there is without any trace of evidence whatsoever is pure paranoia.

*sigh*

The evidence is there. The system was demonstrably infected, and unless
you can prove that nothing else had been modified/installed/etc. you
cannot rule out that possibility and thus MUST assume the worst case.
That's not paranoia, but common sense.

> There are situations where I have wipe-installed a machine because of
> malware, but they're rare.  There are also scenarios where I would act
> differently from just trying to remove the malware - such as, if there
> was evidence of a targeted attack on that particular machine/server/
> whatever then I might go for the wipe-install strategy as "the only
> way to be sure", or say if I wasn't confident that I had removed the
> problem completely, then I would suggest to the customer that a
> wipe-install would be best.
> 
> I also think if you resort to the wipe-install strategy as your
> general answer to malware, then there is so much that you haven't
> learnt about how malware tends to work on Windows, how it hides
> itself, how it stops the admin from trying to remove it, and also
> quite a few quirks of Windows.  I'm not suggesting that I've learnt
> all there is to learn on this topic either, but I have learnt quite a
> few strategies in the time that I've been in business, and it can be
> quite mentally stimulating work.

I'd say most people who advised you to re-install the box have shown far
deeper knowledge of Windows internals and computer security in general
in their responses than you have. Apparently you don't even realize that
a rootkit may very well render any of the tools you mentioned above
useless (yes, including RootkitRevealer and the likes). You don't even
seem to have understood why you should run a virus scan not from the
live system, but from a system that's booted from some other medium
(preferably in a way that didn't involve even so much as touching the
MBR and boot sectors of the potentially infected drive).

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
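
The disagreement above turns on one condition that both sides accept: cleaning instead of reinstalling is only defensible if you can determine what was altered after the infection. That requires a trusted baseline taken before the compromise and an enumeration done from outside the suspect OS, since a rootkit on the live system can hide files from any tool running on it. The following is an added example, not code from this thread or from either poster, showing the baseline-and-compare step as a file-hash snapshot: record SHA-256 of every file under a root, take a second snapshot later, and report added, removed and modified paths. The directory contents and the "tampering" in demo() are constructed for illustration, and the assumption is that both snapshots are taken from a clean boot medium with the suspect volume mounted read-only.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of one file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its digest.

    Run this from a trusted boot environment against the mounted suspect volume;
    a walk performed by the possibly compromised OS can be lied to by a rootkit.
    """
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks and special files; hash only real content
            result[p.relative_to(root).as_posix()] = file_digest(p)
    return result


def compare(baseline, current):
    """Diff two snapshots: paths that appeared, disappeared, or changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a small 'system' tree, a baseline, then three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "drivers.sys").write_bytes(b"constructed benign driver")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)  # the trusted, pre-infection record

        # Simulated post-infection changes (constructed, hypothetical names):
        # hosts file edited, an unknown DLL dropped, a legitimate driver deleted.
        (root / "hosts").write_text(
            "127.0.0.1 localhost\n0.0.0.0 update.example.invalid\n")
        (root / "system32" / "svchost32.dll").write_bytes(b"constructed unknown binary")
        (root / "system32" / "drivers.sys").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Without a baseline the compare step has nothing to work with, which is exactly why "no trace of evidence" on a live scan proves nothing: you can list what the tools show you, but not what was changed. A snapshot tool like this also only covers file content; registry hives, boot sectors and firmware need their own trusted reference.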
