Ansgar -59cobalt- Wiechers wrote:
> On 2008-03-18 Mike Moratz-Coppins wrote:
>> I should point out one factor which I think makes a large difference
>> in the approach that one might take in encountering a security issue -
>> the vast majority of my customers are home users who just casually use
>> their machine.
>
> You do realize that significant amounts of spam are deployed through
> zombified computers of exactly these "home users who just casually use
> their machine", don't you?

Yes, I am aware of that.

[...]

>>> 2) Jon's point about reliability here is very key to the discussion.
>>> It is COMPLETELY irresponsible to warrant to a customer that you can
>>> certify a system safe after it has been infected with any manner of
>>> control-compromising code that has gone undetected/untreated for a
>>> period of time.
>>
>> Do you see this as applying in a joe average home user scenario?
>
> Even if he doesn't, I do. Unless you can determine without any doubt
> when and how the machine was compromised, and what exactly was altered
> afterwards, the only reasonable and responsible way to deal with the
> problem is to backup the data and reinstall the machine. Period.

Well, I guess we'll just agree to disagree then. I can't see how one
can make the distinction between "just a simple virus" and "a system
security compromise": if "just a simple virus" is allowed to infect a
system, then it may as well be a system security compromise, and (going
by the logic that some people on this list are employing) just removing
"a simple virus" cannot possibly reassure one that there isn't something
more sinister lurking around the system, so as soon as any form of
malware is found, the logic of a lot of people on this list dictates
that the computer must be wiped and clean-installed.
I don't think (as far as the usual scenarios that my work takes me to)
that a wipe and new install is the appropriate thing to do most of the
time. Most of my reasons are practical-reality reasons, not "100%
security" reasons:
1 - Many customers have computers that it would be difficult to perform
an on-site reinstall on. For example, they might not have any/all discs
for the machine, they only have one machine, etc.
2 - Many customers have families (or 'need' the machine on a day-to-day
basis) e.g. with the school kids doing their homework on the machine,
and so the machine disappearing for a few days for me to do the
installation with all the resources I have available at home would be
highly inconvenient for them.
3 - Many customers have pirated copies of software that they're using
(e.g. MS Office), and as I have a policy of not installing pirated
software for customers, I'm then inconveniencing them by wipe-installing
their machine and they don't have the CD for MSO anymore, for example.
Some customers might also have bought software online and not have the
product keys anymore because they deleted the e-mails containing those
product keys.
4 - Some customers aren't so well off as other customers, and the cost
of doing a reinstall is somewhat more than my average bill for removing
malware.
I'm sure that some of you will answer these scenarios along the lines of
"aww, diddums" to the customer and still insist that the need for "100%
security" overrides the needs of my customers, which is why I've said
that we should agree to disagree about this.
At the end of the day, if a customer asks me to remove malware, I will
investigate manually (e.g. in the registry) for it, use virus/spyware
scans to help pin it down and any remaining traces of it, and check in
other ways (such as monitoring TCP/IP connections with netstat and
tcpview, filemon, regmon, spybot and rootkitrevealer, and even watching
the network activity light on the machine/router). I finish the
appointment when I am confident that the problem has been solved.
While there is a possibility that there could be "undetectable malware"
on the machine, I believe that, as a general policy, assuming there is
without any trace of evidence whatsoever is pure paranoia. There are
situations where I have wipe-installed a machine because of malware, but
they're rare. There are also scenarios where I would act differently
from just trying to remove the malware - such as, if there was evidence
of a targeted attack on that particular machine/server/whatever then I
might go for the wipe-install strategy as "the only way to be sure", or
say if I wasn't confident that I had removed the problem completely,
then I would suggest to the customer that a wipe-install would be best.
I also think if you resort to the wipe-install strategy as your general
answer to malware, then there is so much that you haven't learnt about
how malware tends to work on Windows, how it hides itself, how it stops
the admin from trying to remove it, and also quite a few quirks of
Windows. I'm not suggesting that I've learnt all there is to learn on
this topic either, but I have learnt quite a few strategies in the time
that I've been in business, and it can be quite mentally stimulating work.
To throw in an analogy (and I'm known for my sometimes-terrible
analogies), if your house has been burgled, I swear that some of you
would insist on burning it to the ground and building a new one.
--
Mike Moratz-Coppins
[EMAIL PROTECTED]
http://www.mikeymike.org.uk/
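The tools named in the message above (netstat, TCPView, Regmon, RootkitRevealer) are interactive, which makes it hard to record what was found at the start of an appointment and show what is gone at the end. The following PowerShell script is an added example, not code from the post or its author: it snapshots the same things a manual check covers (the Run/RunOnce registry keys, service binary paths outside the usual system trees, and TCP connections with their owning process) to CSV files, so that a "before" and an "after" snapshot can be compared. It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection), an elevated session, and an output folder under the user profile; the list of registry keys and the service path filter are choices made for this example, not a complete set of persistence locations.

```powershell
# Added triage snapshot script (example, not from the original post).
# Assumes: Windows PowerShell 5.1+, Windows 8 / Server 2012+ (Get-NetTCPConnection),
# an elevated session so every process path is readable. $OutDir is an assumed location.

param(
    [string] $OutDir = "$env:USERPROFILE\triage"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Autostart locations a manual registry check usually covers first.
#    Run/RunOnce for the machine and the current user; this list is an
#    assumption for the example, not every persistence location Windows has.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds these provider properties to every result; they are not values.
$providerNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$autoruns = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerNoise) { continue }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = [string]$p.Value
        }
    }
}

# 2. Services whose binary is not under the Windows or Program Files trees.
#    An unusual path is a reason to look closer, not a verdict on its own.
$oddServices = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, State, StartMode, PathName

# 3. Established and listening TCP connections with the owning process,
#    the scripted equivalent of "netstat -ano" or a TCPView window.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$connections = Get-NetTCPConnection |
    Where-Object { [string]$_.State -in @('Established', 'Listen') } |
    ForEach-Object {
        $owner = $procs[[int]$_.OwningProcess]
        $procName = '<unknown>'
        $procPath = $null
        if ($owner) {
            $procName = $owner.Name
            $procPath = $owner.ExecutablePath
        }
        [pscustomobject]@{
            State          = [string]$_.State
            LocalAddress   = $_.LocalAddress
            LocalPort      = $_.LocalPort
            RemoteAddress  = $_.RemoteAddress
            RemotePort     = $_.RemotePort
            PID            = $_.OwningProcess
            Process        = $procName
            ExecutablePath = $procPath
        }
    }

$autoruns    | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "autoruns-$stamp.csv")
$oddServices | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "services-$stamp.csv")
$connections | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "tcp-$stamp.csv")

Write-Host "Snapshot written to $OutDir (suffix $stamp)."
Write-Host "Compare two snapshots, e.g. before and after cleanup, with:"
Write-Host "  Compare-Object (Import-Csv before.csv) (Import-Csv after.csv) -Property Name,Command"
```

Run it once before touching the machine and once more when you believe the cleanup is finished; Compare-Object on the two autorun CSVs shows exactly which entries were removed, and the TCP CSV gives a record of which processes held connections at each point. That record is what the "confident that the problem has been solved" judgement in the message can be checked against, by the technician or by someone reviewing the job later.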