Welcome, Guest. Please Login
 
  HomeHelpSearchLogin FAQ Radified Ghost.Classic Ghost.New Bootable CD Blog  
 
Page Index Toggle Pages: 1
Send Topic Print
Virus Scanning from Bootable CD (Read 14049 times)
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Virus Scanning from Bootable CD
Apr 11th, 2009 at 9:15am
 
I was reading about malware (viruses, trojans, rootkits, spyware, etc) and learned that some of these pesky critters have the ability to take control of Windows and prevent a virus scanner from detecting them, or hiding themselves until the scanning is complete.

If this be the case, wouldn't the only sure-fire way to detect malware on your system be from a bootable CD? (while Windows is asleep, and the malware unable to operate and hide themselves or control Windows)

I admit I'm no expert in this area, but here in Radland, we're familiar with the concept of using bootable CDs in order to accomplish tasks (such as imaging/coming) while Windows is not running .. because it can interfere with the things we're trying to accomplish.

Yet I've never heard of scanning for malware from a bootable CD. If this is possible, it's certainly not common.
 
WWW  
IP Logged
 

ckcc
Technoluster
***
Offline



Posts: 161
South Carolina, USA


Back to top
Re: Virus Scanning from Bootable CD
Reply #1 - Apr 11th, 2009 at 2:46pm
 
Rad
It is getting to be very common for techs that deal with malware removal on a daily basis. Yes it is very effective running removal from an alternate operating system. My favorite is UBCD4win using Barts PE Builder with many apps added targeted for diagnosis, repair and data recovery.

http://www.ubcd4win.com/

There are already several anti-virus and anti-spyware programs included and you can also add others that you have a license for. They can even be updated before building the disc or later after booting to it with network support. See the list of tools...

http://www.ubcd4win.com/contents.htm

There is also a utility included for enabling UBCD4win to boot from USB thumbdrives and HDD's. There is also a multiboot menu with DOS and Linux tools to which you can add some of your own also. I have added my Ghost boot CD and Spinrite and others to mine.

Whenever I get a heavily infected system to work on I boot UBCD4win and run several scans from there first then finish up from the installed windows. It's also handy for fixing many other problems especially if the system is running very slow or not booting at all. Did I mention you can also get online or access network shares while booted from the CD as well as having wireless network support also (which I have not used yet).

Check it out. It's not hard to build the basic CD if you follow the provided instructions. Customizing your build is a little more complicated but there is an excellent forum where all the project development team and others are willing to help.

I have every tool I need on a bootable 2gig thumbdrive for diagnosing, reparing and data recovery which I can carry in my pocket anywhere I go. It's great.
 

If anything can go wrong, it already did, and you just now noticed it.
 
IP Logged
 
MrMagoo
Übermensch
*****
Offline


Resident Linux Guru

Posts: 1026
Phoenix, AZ (USA)


Back to top
Re: Virus Scanning from Bootable CD
Reply #2 - Apr 11th, 2009 at 9:28pm
 
Yeah, I've built several BartPE disks specifically for the purpose of scanning for malware.  A few anti-malware programs have plugins for BartPE.  Adaware and McAfee both come to mind.  The annoying part is building a new CD every time you want to update the virus definitions, but that could be solved by using a USB drive now that they are so cheap.

I think Norton Antivirus has been installing a root-kit for the last few years specifically to try to beat malware that attempts to block/interfere with antivirus programs.  I haven't kept up with how effective it is.

I've seen discussions that anti-malware software is becoming obsolete because there is just too much malware and it evolves too fast to create definitions fast enough.  I certainly agree that a new tactic is long overdue.  Even heuristics are often fairly rule-based.  Some companies are working to make their detection behavior-based, but I don't know of anyone who is there yet.

I haven't used any anti-virus on my computers in a few years.  I got tired of paying for licenses, keeping definitions up to date, and giving up my computer to an hour long scan of the disk.  I focus on preventing things from getting onto my computer in the first place, and I've been pretty successful at it.  An ounce of prevention...

It's not really as hard as 'the industry' would have you believe.  Prevention mostly means making sure you have the latest browser and staying away from questionable sites.  If you need to do questionable things, use a virtual machine.  In fact, a few of the latest browsers were supposed to allow you to designate one of the tabs in your browser a 'secure zone', which would turn the environment for that tab into a sort of virtual machine with no access to your real hardware.  I know it was discussed for IE8.  I'm not sure if it made it into the final build.

Besides the web, people pick up more malware through P2P file sharing than anything else.    Downloading cracked programs through P2P file sharing is a sure way to get the creepy crawlies.  There are plenty of legal music streaming services now.  Netflix is really steaming ahead with streaming movies.  For applications, there is usually a free/lite/trial edition or an equivalent open source program.  Or you could spend money on the actual program if you really need it that bad.  Software is often overpriced, but if you are going to pirate it you can't complain when you get malware on your computer in the process.

That's really the only place the nasties should come from these days.  Everyone knows to use a firewall (or it is automatically turned on for them.)  Spam filters have gotten pretty good, and most users are better educated about not opening attachments from people they don't know.  Infected floppies used to be big, but I haven't even touched a floppy in years.  The only other big worry then is things like the PDF vulnerability that went around the last few weeks.  Most people don't think to keep a watch out for infected PDF's so things like that could cause a 'prevention loophole' while the vendor prepares a patch.

At any rate, a good browser and good habits eliminate 99% of the problem, which is more effective than most of the anti-malware software.  I like prevention better anyway.  Even if an antivirus program can detect and clean an infection, I always wonder what might have been missed or what the infection could have damaged.  I feel much better just re-imaging or re-installing if I know there is an infection.
 
WWW  
IP Logged
 
ckcc
Technoluster
***
Offline



Posts: 161
South Carolina, USA


Back to top
Re: Virus Scanning from Bootable CD
Reply #3 - Apr 11th, 2009 at 10:51pm
 
MrMagoo wrote on Apr 11th, 2009 at 9:28pm:
I focus on preventing things from getting onto my computer in the first place, and I've been pretty successful at it.An ounce of prevention...


I agree. But many people don't do the things they should to protect their systems or even make backups. Most all infected systems I get in have P2P apps installed and/or no or outdated protection and updates. For already infected systems a live CD can be invaluable for removing many of the nasties hiding there. Many of these systems are so messed up they are not even capable of scanning or installing a scanner, and many will not boot at all. I just can't see how people can let their puter get this bad before they even realise they have a problem.
 

If anything can go wrong, it already did, and you just now noticed it.
 
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Virus Scanning from Bootable CD
Reply #4 - Apr 12th, 2009 at 10:44pm
 
Okay. Thanks. Interesting.

Downloading that CD now.

MrMagoo wrote on Apr 11th, 2009 at 9:28pm:
I haven't used any anti-virus on my computers in a few years.

But you are Linux-only, right?
 
WWW  
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Virus Scanning from Bootable CD
Reply #5 - Apr 13th, 2009 at 11:57am
 
Quote:
I was reading about malware (viruses, trojans, rootkits, spyware, etc) and learned that some of these pesky critters have the ability to take control of Windows and prevent a virus scanner from detecting them, or hiding themselves until the scanning is complete.

Rad, to enhance the certainty that my PC contains no malware, I simply run two well-respected tools:  Norton Internet Security 2009 as a primary defense, and Webroot’s Spy Sweeper in an “on-demand” (not real-time) secondary capacity.  If there are two independent confirmations of the absence of malware, then I feel quite confident that the system is, in fact, clean.

Additionally, another tactic to consider is this:  mount a backup image of your system, and run a scan against that virtual volume. Since the volume is static and read-only, there should (?) be no opportunity for a live virus to “hide” itself from the scan.  Of course, in theory anything is possible….

For some really scary news, consider that researchers have demonstrated the possibility of “persistent rootkits that can survive even a hard-disk wipe.”  See Researchers aim low to root hardware for more details.
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 

Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Virus Scanning from Bootable CD
Reply #6 - Apr 13th, 2009 at 1:55pm
 
Rad, this may answer your question:  Norton Internet Security 2009 provides a Norton Recovery CD.

Quote:
The Norton Recovery Disk (NRD) is based on the Microsoft Windows Preinstall Environment, commonly known as WinPE.

WinPE is a scaled down version of Windows that starts up and runs from a CD or a USB key, and is typically used to deploy Windows installations, or to perform recovery operations on Windows.

By running the Norton scanner from WinPE, and booting WinPE from a CD or USB key, we know the OS is clean and fully functional. This allows the scanner to safely scan all of the drives connected to the system, including the normal XP or Vista operating system drives, without the malware on those drives interfering with the scan.
Source:  Manually Updating the Norton Recovery Toolkit

I have not tested this myself, but it seems quite doable.
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Virus Scanning from Bootable CD
Reply #7 - Apr 13th, 2009 at 7:11pm
 
I tested the Norton Recovery Tool, and it works well.

Boot with the CD disc, enter the Norton Internet Security product key, and the tool automatically downloads the most recent virus definitions.  I was pleased to note that the tool recognized my SAS hard disk drives, without the need to load any device drivers.

The approach of performing a virus scan from a CD disc has the disadvantage that encrypted partitions or virtual disks are not scanned (because they are not visible to Norton Internet Security).  When these circumstances are applicable, the scan is less thorough than one performed from within Windows.
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
MrMagoo
Übermensch
*****
Offline


Resident Linux Guru

Posts: 1026
Phoenix, AZ (USA)


Back to top
Re: Virus Scanning from Bootable CD
Reply #8 - Apr 13th, 2009 at 10:33pm
 
Rad wrote on Apr 12th, 2009 at 10:44pm:
But you are Linux-only, right?  

Not entirely.  Linux is my primary desktop.  I dual-boot with Windows (XP) to play some games that don't run well under Wine.  My wife also primarily uses XP with only preventative security.

I'm not going to say I recommend it for everyone (especially business users,) but I've found focusing on prevention to be more effective for my needs and less hassle.
 
WWW  
IP Logged
 
MrMagoo
Übermensch
*****
Offline


Resident Linux Guru

Posts: 1026
Phoenix, AZ (USA)


Back to top
Re: Virus Scanning from Bootable CD
Reply #9 - Apr 16th, 2009 at 7:48pm
 
Found an article today that reminded me of this discussion.  Apparently there is a small bot-net made entirely of Macs.  The researchers think the Macs got infected by pirated copies of iWork09 and Photoshop CS4.

http://blogs.zdnet.com/security/?p=3157

The article notes that it looks like the malware author left himself as much flexibility to adapt his software as he could - so the researchers expect to see more like it.
 
WWW  
IP Logged
 
Page Index Toggle Pages: 1
Send Topic Print