You've got half of the answer. But even if it had a payload, having not
been opened with the exploitable program or delivered through a series
of steps would mean its payload is not executed and MAY be detectable.

In some cases the simple act of how the file was first delivered to the PC
is the starting domino, and that goes away when you remove the resulting
infection by reformatting, restore only the data & scan it.

Remember, people, it's not just the payloads that are an issue here, it's
the chain of events from delivery to infection. That chain can be broken,
making opening the file the only way to restart the chain of events.

Christopher Fisk wrote:

On Fri, 10 Feb 2006, Thane Sherrington (S) wrote:

At 04:00 PM 10/02/2006, Christopher Fisk wrote:

In a business environment, yeah, removal is fine, but as a favor for
someone, go the full reinstall route IMO, it's a more sure thing, less
gambling on how long it's going to take, and you leave knowing they
at least have a backup from that day in case there is a disaster
after that. Plus, you can sit down and watch TV while the thing is
running the reinstall.

But if you agree that the removal route isn't safe, then how can you
guarantee the data?

Because data is data, it's not executed, it's not stored in the registry,
it's much easier to verify with virus scanning software.

When was the last time you saw a tiff file with a virus?

Christopher Fisk