From: FromTheRafters on
"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com...
> Dustin wrote:
>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:
>>
>>> Dustin wrote:
>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:
>>>>
>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>> anti-virus programme on an already compromised machine is, in all
>>>>> probability, a futile exercise*.
>>>>
>>>> LOL, you would certainly be in the minority if you think I was
>>>> wrong in the advice I provided concerning malware.
>
> [....]
>
>
> What FTR actually said .....
>
> "True, it could be installed and be kept from accessing certain areas
> by a rootkit".
>
> Do you *really* disagree with that?

One thing you are apparently not getting the significance of is that the
"installation software" for the proposed AV that you want to install on
the "compromised" machine likely has its own detection software for
known malware (including some rootkits) *and* rootkit detection software
that alerts to inconsistencies in what is presented through APIs to the
other tools due to filter drivers and the like.

It may be impossible to install such AV programs on a "compromised"
machine, if the preinstallation detection software is aware of, yet not
capable of removing detected malicious activity - it may tell you that
you need to address the other issue before attempting to install that
software (I'm not aware of this actually happening though).

The most likely scenario is that the installation goes off smoothly
without a hitch on *most* compromised machines (removing the compromise
in the process) - which, I believe, is Dustin's point.
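The inconsistency check FTR describes (one view of the system through the normal API, another through a lower-level path, and an alert when they disagree) is the classic cross-view rootkit test. The following is an added example, not code from anyone in this thread; it uses Linux as a stand-in for the Windows filter-driver case, comparing the PIDs the /proc directory listing shows against the PIDs the kernel admits when probed with signal 0. All function names are the example's own, and it assumes a Linux host with /proc mounted.

```python
"""Cross-view process check: /proc directory listing vs. kill(pid, 0) probing.
A process hidden from the listing API but still admitted by the kernel is the
kind of inconsistency a process-hiding rootkit leaves behind."""
import os


def api_view_pids():
    """High-level view: PIDs as presented by the directory-listing API."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view_pids(max_pid):
    """Low-level view: PIDs the kernel admits exist when probed with signal 0.
    ESRCH means no such process; EPERM means it exists but belongs to someone
    else, which still counts as alive for our purposes."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def cross_view_diff(api_pids, probe_pids):
    """PIDs the kernel admits but the listing API omits."""
    return sorted(probe_pids - api_pids)


def consistent_suspects(diffs):
    """Keep only PIDs flagged in every pass: a process that starts or exits
    between the two views shows up once and is dropped, a hidden one persists."""
    suspects = set(diffs[0])
    for diff in diffs[1:]:
        suspects &= set(diff)
    return sorted(suspects)


def hidden_pids(passes=2, probe_limit=65536):
    """Live check. probe_limit caps the sweep for demonstration; a real sweep
    would cover the full /proc/sys/kernel/pid_max range."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = min(int(fh.read()), probe_limit)
    diffs = [cross_view_diff(api_view_pids(), probe_view_pids(max_pid))
             for _ in range(passes)]
    return consistent_suspects(diffs)
```

On a clean host `hidden_pids()` returns an empty list; any PID it does return deserves a look from outside the running system, which is where David's point about moving the disk to a surrogate comes in.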


From: David H. Lipman on
From: "FromTheRafters" <erratic(a)nomail.afraid.org>

| "~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
| news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com...
>> Dustin wrote:
>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:

>>>> Dustin wrote:
>>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:

>>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>>> anti-virus programme on an already compromised machine is, in all
>>>>>> probability, a futile exercise*.

>>>>> LOL, you would certainly be in the minority if you think I was
>>>>> wrong in the advice I provided concerning malware.

>> [....]


>> What FTR actually said .....

>> "True, it could be installed and be kept from accessing certain areas
>> by a rootkit".

>> Do you *really* disagree with that?

| One thing you are apparently not getting the significance of is that the
| "installation software" for the proposed AV that you want to install on
| the "compromised" machine likely has its own detection software for
| known malware (including some rootkits) *and* rootkit detection software
| that alerts to inconsistencies in what is presented through APIs to the
| other tools due to filter drivers and the like.

| It may be impossible to install such AV programs on a "compromised"
| machine, if the preinstallation detection software is aware of, yet not
| capable of removing detected malicious activity - it may tell you that
| you need to address the other issue before attempting to install that
| software (I'm not aware of this actually happening though).

| The most likely scenario is that the installation goes off smoothly
| without a hitch on *most* compromised machines (removing the compromise
| in the process) - which, I believe, is Dustin's point.


That's a case of an in situ installation of a fully installed AV solution.

That's not the case of the hard disk being removed and placed within a surrogate.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: Dustin on
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
news:i44jam$47j$1(a)news.eternal-september.org:

> "~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
> news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com...
>> Dustin wrote:
>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:
>>>
>>>> Dustin wrote:
>>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:
>>>>>
>>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>>> anti-virus programme on an already compromised machine is, in
>>>>>> all probability, a futile exercise*.
>>>>>
>>>>> LOL, you would certainly be in the minority if you think I was
>>>>> wrong in the advice I provided concerning malware.
>>
>> [....]
>>
>>
>> What FTR actually said .....
>>
>> "True, it could be installed and be kept from accessing certain
>> areas by a rootkit".
>>
>> Do you *really* disagree with that?
>
> One thing you are apparently not getting the significance of is that
> the "installation software" for the proposed AV that you want to
> install on the "compromised" machine likely has its own detection
> software for known malware (including some rootkits) *and* rootkit
> detection software that alerts to inconsistencies in what is
> presented through APIs to the other tools due to filter drivers and
> the like.
>
> It may be impossible to install such AV programs on a "compromised"
> machine, if the preinstallation detection software is aware of, yet
> not capable of removing detected malicious activity - it may tell
> you that you need to address the other issue before attempting to
> install that software (I'm not aware of this actually happening
> though).
>
> The most likely scenario is that the installation goes off smoothly
> without a hitch on *most* compromised machines (removing the
> compromise in the process) - which, I believe, is Dustin's point.
>
>
>

Nicely put, FTR..


--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: Dustin on
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:i44kh0011hs(a)news2.newsguy.com:

> From: "FromTheRafters" <erratic(a)nomail.afraid.org>
>
>| "~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
>| news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com...
>>> Dustin wrote:
>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:
>
>>>>> Dustin wrote:
>>>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:
>
>>>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>>>> anti-virus programme on an already compromised machine is, in
>>>>>>> all probability, a futile exercise*.
>
>>>>>> LOL, you would certainly be in the minority if you think I was
>>>>>> wrong in the advice I provided concerning malware.
>
>>> [....]
>
>
>>> What FTR actually said .....
>
>>> "True, it could be installed and be kept from accessing certain
>>> areas by a rootkit".
>
>>> Do you *really* disagree with that?
>
>| One thing you are apparently not getting the significance of is
>| that the "installation software" for the proposed AV that you want
>| to install on the "compromised" machine likely has its own
>| detection software for known malware (including some rootkits)
>| *and* rootkit detection software that alerts to inconsistencies in
>| what is presented through APIs to the other tools due to filter
>| drivers and the like.
>
>| It may be impossible to install such AV programs on a "compromised"
>| machine, if the preinstallation detection software is aware of, yet
>| not capable of removing detected malicious activity - it may tell
>| you that you need to address the other issue before attempting to
>| install that software (I'm not aware of this actually happening
>| though).
>
>| The most likely scenario is that the installation goes off smoothly
>| without a hitch on *most* compromised machines (removing the
>| compromise in the process) - which, I believe, is Dustin's point.
>
>
> That's a case of an in situ installation of a fully installed AV
> solution.
>
> That's not the case of the hard disk being removed and placed
> within a surrogate.

Well, once you remove the host drive and take the suspect bad host out
of the equation, it does make life easier for hunting malware. :P




--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.