Is it better to scan for viruses and such from USB or CD?
#1
Posted 19 September 2009 - 03:24 PM
because of virus and such my question is is it better to scan
from cd rescue disk first?
thanks
#2
Posted 19 September 2009 - 04:27 PM
> hi i have lots of people bringing in computers to be fixed
> because of virus and such my question is is it better to scan
> from cd rescue disk first?
> thanks
it is BEST to do so.
reasons:
1. virus is not ACTIVE.
2. registry is offline.
3. no windows processes will mess with the virus scan, files will be easy to nuke.
#3
Posted 19 September 2009 - 04:41 PM
> it is BEST to do so.
I am not sure.
Was the original question meant as:
- What would be the better between scanning from installed OS from internal harddrive as opposed to either CD or USB stick/drive?
- What would be the better between scanning from a boot CD as opposed to a USB stick/drive?
jaclaz
#4
Posted 19 September 2009 - 05:08 PM
but anyways, if there is an option between cd / usb, i'd say go for the usb based approach (i suppose you have a pe or avira-like rescue tool running from usb), as it will be a lot easier to keep the AV updated on your usb, by just replacing the signature files.
#5
Posted 19 September 2009 - 05:23 PM
> i'd say go for usb based approach (i suppose you have pe /or avira like rescue tool running from usb). as it will be lot easier to keep the AV updated on your usb. by just replacing the signature files.
Practically, yes.
Theoretically, debatable.
A "false boot" with a bootsector Virus on internal hard disk and usb device connected and your USB device is not anymore "clean", at least theoretically.
Same with a BIOS Virus/Malware, and not even a "false boot" is needed.
Taking the actual hard disk out of the PC and connecting it to an already booted, surely clean PC through a USB adapter already sounds better, but it won't give you a chance to verify the BIOS of the "affected" machine.
Probably the best compromise is a USB stick with "Read ONLY Lock" switch or a hardware write blocker, as it is used in forensics, though cannot say if the latter would alter the USB booting capabilities.
Another option, but still with a little risk involved, might be a "base" install on the CD-ROM part of a U3 stick (or however two LUN's stick with CD-ROM option) with the update files for the antivirus in the "normal" partition.
jaclaz
#6
Posted 19 September 2009 - 06:05 PM
#7
Posted 19 September 2009 - 06:12 PM
> A PE boot-cd was the only way to remove it.
Or a PE boot USB stick/disk, there are no differences in this.
jaclaz
#8
Posted 19 September 2009 - 09:43 PM
what about some softs that might need to write to usb stick (i remember Plop's limitation which causes issues even at dos level).
if it is for boot sector viruses, an avira rescue disk will be enough for it i guess.
#9
Posted 12 March 2010 - 10:24 PM
Personally, however, I can no longer be bothered to use discs for this kinda stuff.
True, USB's could get infected, even in "read only" mode.
But I, at least, have not yet encountered any such infection.
There are quite some different ways to get good antivirus software onto your USB stick, nowadays.
Most of the times, you can simply use a 1 or 2GB stick.
Works for netbooks as well, since most of them are not equipped with a CD drive.
Good luck!
#10
Posted 12 March 2010 - 10:52 PM
> True, USB's could get infected, even in "read only" mode.
How is that supposed to work?
#11
Posted 12 March 2010 - 10:59 PM
Please correct me if I'm wrong.
#12
Posted 12 March 2010 - 11:38 PM
> How is that supposed to work?
It's becoming rare to find these USB flash disks with a lock switch.
So, if you happen to click on a malware infected executable then it might as well scan all other executables available and get them infected as well.
#13
Posted 13 March 2010 - 01:25 AM
#14
Posted 13 March 2010 - 06:01 AM
exactly..then one shouldn't call them 'read only'
#15
Posted 13 March 2010 - 09:57 AM
My priority is to do a scan with the antivirus installed in the system because it's faster.
I start with stopping the system restore process. Then I delete the folder System Volume Information from all partitions.
If I find some virus that cannot be cleaned or deleted,
then I look at where the infected files are:
If they are in the Windows folder, especially in System32, then it's better to do a scan from
a rescue CD or USB,
or on another system, just attaching my hard disk to another computer with an updated antivirus program.
With some viruses, cleaning the infected files means they will be deleted, and that means you will need to repair the system.
#16
Posted 13 March 2010 - 11:24 AM
Wonko
#17
Posted 13 March 2010 - 11:53 AM
I do recommend going with CD unless either your flash drive can be locked, or you make a backup image of it first in case it gets trashed. If you have a copy of all the files on it, you could also use robocopy with the /mir option on it afterward. That would restore all files on it to the original state and delete any new ones (!) without rewriting the whole drive. You could even do that just as a precaution after you've used it for virus removal.
I've had a flash drive's autorun.inf get hijacked by an infected computer before, so keep in mind that it can definitely happen.
#18
Posted 13 March 2010 - 12:20 PM
> You can always use the Manufacturer Tool (if available) and create a TRUE read only volume.
Can you explain about the TRUE part?
#19
Posted 13 March 2010 - 01:20 PM
> Can you explain about the TRUE part?
Some (but not all) Manufacturer Tools allow for a READ only partition, something that you simply cannot write to through "normal" DOS/Windows methods.
Think of it like you would to a U3 drive .iso device.
Usually this kind of partition/volume has its own separate LUN.
Some details:
http://www.msfn.org/...howtopic=121199
http://www.msfn.org/...o...121199&st=7
Wonko
#20
Posted 13 March 2010 - 02:18 PM
#21
Posted 13 March 2010 - 03:13 PM
> Yes, but why would this be TRUE read only, while the use of a r/w switch is only FALSE read only?
There was NO intended juxtaposition against the switch ones.
I guess it's your (or Nuno's) assumption that a "read only" device is not "read only".
However, if you want to know, the switch MAY be misplaced accidentally, the "reserved" partition cannot, unless the Manufacturer Tool is used again.
And yes, before you come out with it, it is perfectly possible to write a malicious tool that can replicate the behaviour of the Manufacturer Tool and make the partition not read only, but it is UNLIKELY.
JFYI, most controllers do have the possibility to connect a switch to make the stick read only, even if the stick manufacturer didn't provide one.
Attached a rigorously faked image of such a hack.
Wonko
#22
Posted 13 March 2010 - 05:05 PM
> There was NO intended juxtaposition against the switch ones.
Oh! Ok.