You know, I want to point out to folks on this list that this is NOT an
either/or situation.  Much like any time we engage in computer forensics,
there are processes we can institute as security professionals that allow
for the removal of untrusted components via a clean install without complete
loss of data.

1) Recognize that a system is compromised if it is infected with anything
more than an embedded 'exploit'.  (E.g. Email comes through that has HTML or
something which is temporarily copied to a local cache when the email loads
in the application.  This is easy to fix.  Any true "virus" which infects
the host system at deeper than an individual application level is taboo.
Toast.)  

2) Jon's point about reliability here is very key to the discussion.  It is
COMPLETELY irresponsible to warrant to a customer that you can certify a
system safe after it has been infected with any manner of
control-compromising code that has gone undetected/untreated for a period of
time.  As an individual consumer, I may choose to take that risk so there is
an important distinction for the environment that you are asking this
question on.  On an enterprise level it is hard to imagine a small or medium
business where this risk is acceptable.

3) Institute a process for incident response and correction.  Whether you're
a small business, a vendor, whatever, have a process which you use for these
kinds of events.  

        3A) In my case, I choose to first image a system.  Load the drive on
a live system which does not boot from hard drive and instead boots from a
live CD and invokes an imaging application.  If you find later that there is
reason to investigate the old drive / old environment, you need to have a
high quality copy of the data to do your investigation on.  Don't
investigate on the original source.  

        3B) Then if you are in a situation where investigation is not
warranted and there is no need for preserving the original environment (no
criminal or civil reporting or case involved), wipe the original hard drive
with, at the very least, a format operation.

        3C) Install a clean OS. Use the original media, the original OS if
you need to.  Patch the OS.  Protect the OS with antivirus or whatever
endpoint measures you/your customer/your organization uses.

        3D) Use the appropriate application to access the saved disk image
and restore files as necessary to the reconstructed environment, ensuring
that each of them passes muster in an antivirus application or other
scanning environment.

Realize that security is the intelligent application of principles and
experience to maintain a balance between confidentiality, integrity, and
accessibility for yourself, your customer, or your organization.  Security
doesn't have to be "wipe and restart" OR "remove the malware and continue
using", there are other solutions out there.  It is important to recognize
that there are multiple possible approaches and you need to examine the
risks and benefits of your (hopefully standardized) approach to regularly
determine if it can be improved.

-W

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson
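The imaging and scan-gated restore steps (3A and 3D) above, as an added shell example that is not part of Wayne's message or the thread; it assumes GNU coreutils (dd, sha256sum) on the live-CD side, and the device, scanner and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: imaging (step 3A) and a scan-gated
# restore (step 3D). Assumes GNU coreutils (dd, sha256sum); the device,
# scanner and file names below are constructed placeholders.

# 3A: copy a source device (or file) byte-for-byte, record the image's SHA-256
# beside it, and fail unless source and image hash identically.
image_device() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4194304 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Check a stored image against its recorded hash before investigating on it.
verify_image() { sha256sum -c --status "$1.sha256"; }

# 3D: copy files from the mounted image into the rebuilt system only when the
# scanner ($3, run as "$scanner FILE", exit 0 = clean) accepts each one.
restore_scanned() {
    srcdir="$1"; dstdir="$2"; scanner="$3"; rejected=0
    mkdir -p "$dstdir" || return 1
    for f in "$srcdir"/*; do
        [ -f "$f" ] || continue
        if $scanner "$f" >/dev/null 2>&1; then
            cp "$f" "$dstdir"/
        else
            echo "REJECTED: $f" >> "$dstdir.rejected.log"
            rejected=$((rejected + 1))
        fi
    done
    [ "$rejected" -eq 0 ]   # non-zero exit if anything was refused
}

# Constructed stand-in for a real scanner (e.g. "clamscan --no-summary").
marker_scan() { ! grep -q 'CONSTRUCTED-MALWARE-MARKER' "$1"; }

# End-to-end run on constructed data: a random 1 MiB "device" and two files.
demo() {
    work=$(mktemp -d) || return 1
    head -c 1048576 /dev/urandom > "$work/device"
    image_device "$work/device" "$work/evidence.img" || return 1
    verify_image "$work/evidence.img" || return 1
    mkdir -p "$work/mnt"
    echo "quarterly report" > "$work/mnt/report.txt"
    echo "CONSTRUCTED-MALWARE-MARKER" > "$work/mnt/invoice.exe"
    restore_scanned "$work/mnt" "$work/rebuilt" marker_scan && return 1
    [ -f "$work/rebuilt/report.txt" ] && [ ! -f "$work/rebuilt/invoice.exe" ]
}
```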

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Jon R. Kibler
Sent: Tuesday, March 18, 2008 11:46 AM
To: Mike Moratz-Coppins
Cc: [email protected]
Subject: Re: More along the lines of malware disinfection

Mike Moratz-Coppins wrote:
> When removing malware of one sort or another, 

<SNIP>

Hi,

IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0%
trustworthy. You can remove the malware, but how do you know that
you found everything? You don't. Especially if the malware is some
sort of downloader or spyware.

Infected system? Back up the data, and ONLY the data, then (to quote
Microsoft from RSA a couple of years ago) "Nuke it from space!".

Bottom line: It is impossible to give any reasonable assurance that
a box that was infected has been cleaned. Best solution: Never store
user data on a client system (so you have nothing to back up) and
simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
some clients that reimage every desktop every weekend just for good
measure.

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494