Entirely possible that during a scan of the drive, the virus exploits a buffer overflow in the AV application. This then causes the AV application to write something to the boot sector on the USB drive, or do something else to the USB drive. Most likely improbable, given that the virus would need to know about both the AV application and a vulnerability in the application. But as the RSA break-in, the Google break-in and Stuxnet have shown - if you are protecting a high-value client, you need to take more precautions.

I have had a client where we had an email quarantine extraction system. Once the "virus" has bypassed the email gateway system and reached Exchange, Forefront has quarantined the "virus", so it's aware of the payload. We then need a non-domain-joined machine with a different AV client, plus a separate VLAN, plus custom FW rules. The extraction machine is used to transfer the "virus" to another machine running a separate OS, from which it can be sent on for analysis, and the extraction machine is wiped. These are just the precautions for a "known virus".

From: Steven Peck [mailto:[email protected]]
Sent: Tuesday, 13 September 2011 11:51 PM
To: NT System Admin Issues
Subject: Re: Anti-virus boot-up disks?

You are booting into a completely different OS and not launching any applications to do this scan. I am not sure I understand the level of paranoia.

Steven Peck
http://www.blkmtn.org

On Tue, Sep 13, 2011 at 8:41 AM, John Cook <[email protected]> wrote:

My point exactly - a CD/DVD is 100% safe. I can't tell you how many times I've had users call in telling me their wireless isn't working on their laptop, only to find out they've accidentally hit the slider on the side of the computer that turns it off. It happens, even to IT people (especially when they are under pressure to fix several high-priority things). I'm not against using a USB drive, but for safety it's my second choice. And a DVD costs me about $.20, maybe less.

John W. Cook
System Administrator
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: James Rankin [mailto:[email protected]]
Sent: Tuesday, September 13, 2011 11:31 AM
To: NT System Admin Issues
Subject: Re: Anti-virus boot-up disks?

Well, I guess if it's read-only, a virus would have a hell of a job copying itself to it.

But if the virus is already present when you set the switch to read-only, then it will still execute, I should think.

On 13 September 2011 16:28, John Aldrich <[email protected]> wrote:

I have never used a flash drive with a write-protect switch. Does anyone on the list have any experience with those and know whether or not a virus would be able to bypass that? Just curious how effective it would be in keeping viruses at bay. That being said, if you're booting off it, I don't really see a huge issue, as you're not going to be running anything off the hard drive, so at least in theory you shouldn't need to worry about viruses that may be on the hard drive.

From: Ken Schaefer [mailto:[email protected]]
Sent: Tuesday, September 13, 2011 11:25 AM
To: NT System Admin Issues
Subject: RE: Anti-virus boot-up disks?

Quick check of Amazon.com seems to show:

2GB drive for $10
http://www.amazon.com/Flash-Drive-write-protect-switch/dp/B005KL31E6

8GB drive for $20.99
http://www.amazon.com/RiDATA-Flash-Drive-Slider-Drives/dp/B000RGDA5E/ref=pd_cp_e_4

32GB drive for $57.99
http://www.amazon.com/Ritek-Ridata-Twister-Protection-RDEZ32G-TW-LIG0/dp/B002G9TWUM

Sure, you can get a DVD for less than a dollar, but for the prices above, I'd just get the flash drive and the ease of use that comes with that.

Cheers
Ken
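The thread's open question is whether a flash drive's write-protect switch can be bypassed. A practical check before trusting such a drive as rescue media is to confirm that the operating system of the boot environment reports the whole device as read-only and that a real write attempt is refused. The POSIX shell functions below are an added example written for this page, not code from anyone in the thread; they assume a Linux-based rescue environment with sysfs mounted, a known device name such as sdb, and a mount point for its filesystem (the sysfs root is a parameter so the functions can be exercised against a constructed tree).

```shell
#!/bin/sh
# Added example: verify that removable boot media really is write-protected.
# Assumptions (not from the thread): Linux rescue environment, sysfs mounted,
# the device name (e.g. sdb) and its mount point are known.

# Returns 0 when the kernel reports the whole block device as read-only
# (a controller-enforced write-protect switch is surfaced here), 1 when the
# device is writable, 2 when the device is unknown.
usb_is_write_protected() {
    dev="$1"
    sysfs_root="${2:-/sys}"
    ro_file="$sysfs_root/block/$dev/ro"
    [ -r "$ro_file" ] || return 2
    [ "$(cat "$ro_file")" = "1" ]
}

# Returns 0 when a write to the mounted filesystem succeeds (i.e. the media
# is NOT protected), 1 when the write is refused. The probe file is removed
# again if it was created.
mount_accepts_writes() {
    mnt="$1"
    probe="$mnt/.wp-probe.$$"
    if : > "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Media is accepted only when the kernel flag says read-only AND a real write
# attempt fails. A plain "mount -o ro" on its own is not enough, since a
# privileged process can remount the filesystem read-write; the device-level
# flag from a hardware switch cannot be cleared that way.
verify_rescue_media() {
    dev="$1"
    mnt="$2"
    sysfs_root="${3:-/sys}"
    if ! usb_is_write_protected "$dev" "$sysfs_root"; then
        echo "WARN: $dev is not reported read-only by the kernel"
        return 1
    fi
    if mount_accepts_writes "$mnt"; then
        echo "WARN: $mnt accepted a write despite the read-only flag"
        return 1
    fi
    echo "OK: $dev is write-protected"
    return 0
}

# Usage from a rescue shell, e.g.: verify_rescue_media sdb /mnt/rescue
```

Run `verify_rescue_media sdb /mnt/rescue` from the rescue shell after plugging in the drive with the switch set; both checks have to pass, because a filesystem mounted read-only by software can be remounted, whereas a device-level read-only flag reflects what the drive's controller enforces.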
