I agree with Mike. While it's true that you can never be absolutely certain that a system is safe once it has been compromised by malware, if you're able to identify the infection or at least the attack vector, chances are pretty good that you can eliminate the problem and secure your system without a total re-wipe.
I use antivirus software, a software firewall, Windows Defender and my router to protect my home network, but occasionally my kids download a questionable toolbar from a game site. If I Google for a script to get rid of it, I feel quite confident that the malware ended there. If the antivirus, antispyware, firewalls and logs don't turn up anything, the 100% undetectable rootkit the malware installed doesn't concern me very much, and if you're worried about a 100% undetectable rootkit you should probably be worried about the 100% undetectable 0-day attack vector it's already used to install itself on your computer. Maybe that's leaving my computers as potential spam-bots, but what are the chances of that? 1%? .01%? .0000000001%? What's an acceptable risk vs. the cost of rebuilding from scratch? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Moratz-Coppins Sent: Wednesday, March 19, 2008 4:13 PM To: [email protected] Subject: Re: More along the lines of malware disinfection Ansgar -59cobalt- Wiechers wrote: > Well, some of us just don't consider botnets acceptable. Apparently you > have a different opinion on that. Neither do I. I just don't think it is necessary in a lot of cases to wipe everything out in order to get rid of a malware infection. I am perfectly aware that malware with rootkit-style capabilities can render security tools useless, however I don't think I've yet seen a case where every technique/tool I use has come up with negative results when there are still symptoms of an infection. Of course, I haven't yet been called out because a customer hasn't noticed any symptoms of a system infection. I'm perfectly willing to accept the possibility that a "100% undetectable" rootkit has slipped by me at some point, after all, it could be on my system right now. It could have been on that customer's system when all they asked me to do was fix their printer problem. Furthermore, I think if you take your point of view through to its logical conclusion, you should be reinstalling all of your systems (and any system you ever administrate) on an extremely regular basis. Good luck with that. -- Mike Moratz-Coppins [EMAIL PROTECTED] http://www.mikeymike.org.uk/
