Any anti-malware software that can scan the registry of a slaved drive?
in [Anti-Virus]
|
Prev: Top 5 Free Single File Online Virus Scan Services
Next: Any anti-malware software that can scan the registry of a slaved drive?
From: FromTheRafters on 5 Dec 2009 22:35 "Virus Guy" <Virus(a)Guy.com> wrote in message news:4B1B00AD.713DC1C7(a)Guy.com... > FromTheRafters wrote: > >> > > Is there any anti-malware software that can properly scan a >> > > slaved drive from another system - specifically, to scan the >> > > registry files contained on the slaved drive? > >> > That's a great question. I often remove an infected drive and >> > put it in an enclosure as a way of bypassing the malware. >> > It would be nice to be able to clean the registry at the >> > same time >> >> Couldn't you load the hive in regedit then export it to a regfile >> and then edit the regfile to your hearts content? >> (I don't know, I'm just asking) > > In a recent situation where I had MBAM operate on an infected system, > I > would not want to manually edit the registry on a slaved drive if I'm > dealing with > 700 registry entries. Yeah, that really *would* be a PITA. >> If you're at a point where slaving to drive is the easy way, >> then the registry is not the worst of your problems. > > If you slave a drive to a host system, an AV/AM scan will never detect > 100% of the mal-files on the slaved drive by simply file-signature > analysis. True, and the registry could still cause the undetected malware to load. The key to detecting malware is...well ..the ability to detect malware. > It's my opinion that the most useful and reliable function that AV/AM > software can perform against an infected system is to analyze (and > manipulate) it's registry, and that most systems are restored to > operational status more because of mal-keys and mal-data removed from > the registry rather than mal-files detected on the file-system. And *that* they do (scan "the registry"), but when the registry data structure's data is stored on disk it is a binary data file requiring manipulation upon boot to build the data structure known as "the registry". I think what you suggest could possibly be done, but at what cost - and for what benefit? It is still only data that undetected malware would have to be leveraging. >> Often it is easy enough to avoid the malware becoming active >> by booting from alternate (read only?) media and scanning >> for malware from there. > > That is just another way to scan the drive without the drive's native > or > installed OS being active. Yes, and it doesn't require another computer at all. > And it still doesn't address the issue that > the registry is not scanned and can still cause re-infection or > mal-operation when the system is re-started. Only if there is a failure to detect the malware using the registry as a start method or as a repository for (possibly hidden) code. This may interest you. http://www.sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf
From: Victek on 6 Dec 2009 11:05 > In a recent situation where I had MBAM operate on an infected system, I > would not want to manually edit the registry on a slaved drive if I'm > dealing with > 700 registry entries. > Yes, but it may be enough to just delete the auto-start entries. Then the drive can be booted in the original system and the user can control the OS sufficiently to do the remaining cleanup. In fact I was able to successfully clean a system recently without removing the drive because the malware didn't block access to regedit - I killed the auto-start entries and the rest was easy.
From: FromTheRafters on 6 Dec 2009 15:59 "Victek" <Victek(a)invalid.invalid> wrote in message news:hfgkp5$kj8$1(a)news.eternal-september.org... >> In a recent situation where I had MBAM operate on an infected system, >> I >> would not want to manually edit the registry on a slaved drive if I'm >> dealing with > 700 registry entries. >> > Yes, but it may be enough to just delete the auto-start entries. Then > the drive can be booted in the original system and the user can > control the OS sufficiently to do the remaining cleanup. In fact I > was able to successfully clean a system recently without removing the > drive because the malware didn't block access to regedit - I killed > the auto-start entries and the rest was easy. Also, once you assume that a malware program file is not detected on the drive, that malware program may be invoked by a completely legitimate registry start method. That is to say that "infection" can be used as a startup method by infecting a legitimate registry invocation's target. First and foremost, you must be able to detect and identify malware in order to remove malware. Failing that, registry entry pruning is often pointless.
From: FromTheRafters on 6 Dec 2009 16:19 "Virus Guy" <Virus(a)Guy.com> wrote in message news:4B1AFC55.29FBC6CF(a)Guy.com... > If a malware scan of the slaved drive reveals a list of detected > mal-files, and if a scan of the registry of the slaved drive turns up > references to those mal-files, then those registry keys can be deleted > without needing to understand the full-path to the mal-files as it > appears in the registry. A minor point perhaps, but consider... On Win98 one could place a malware file in system32 (IIRC) and name it rundll32.exe. Finding that malware file on disk would not give you "carte blanche" to remove all registry entries that call it. As I recall, some registry entries explicity called the 'run dll as exe' explicitly (from "system" - no problem there - but others (LoadPowerProfile) didn't and ran the one in "system32" instead (I always just assumed this was because of the "working directory" being system32 rather than "system" but never actually checked it out). Just for kicks, copy "notepad.exe" as "rundll32.exe" in the System32 directory. Eventually, notepad will appear complaining that it can't find "LoadPowerProfile" (notepad thinks that the "LoadPowerProfile" argument is a text file that you want opened). Cleaning all references to "rundll32.exe" from the registry will probably give you less than optimal results.
From: Dustin Cook on 13 Dec 2009 14:28
Virus Guy <Virus(a)Guy.com> wrote in news:4B1BE776.E26B772(a)Guy.com: > Victek wrote: > >> Yes, but it may be enough to just delete the auto-start entries. >> In fact I was able to successfully clean a system recently without >> removing the drive because the malware didn't block access to >> regedit - I killed the auto-start entries and the rest was easy. > > I'm not saying that you can't perform any necessary or useful registry > changes on an infected system when the system (and it's malware) is > still running, regardless if you do it manually with regedit or > automatically with AM software. > > All I'm saying is that it would be nice if there was AM software that > could scan and manipulate the registry on a slaved drive and > remove/repair suspicous registry entries on the slaved drive just as > compentently, easily, automatically and completely as if it was > operating on the host's registry. I can't say for sure what the technicians version does, but this isn't something a typical home user would be doing. > If I went further, I'd say that trying to repair an infected system > while it (and it's malware) is still running is *usually* dicey, > problematic, and leaves you wondering if you actually got all the bad > stuff off the system. That's why the very first thing I do when I > encounter a suspected-infected system is remove the drive and scan it Well, to each his or her own I suppose. I wouldn't risk damaging hardware to initiate a scan when a PE disk would give me full access to the affected system and I could have a good look around. Then again, that is what seperates good technicians from typical hardware guys playing technician from momies basement; skill. Pure, skill... or lack of it, in some cases... :) -- Dustin Cook [Malware Researcher] MalwareBytes - http://www.malwarebytes.org BugHunter - http://bughunter.it-mate.co.uk |