
combofix


5 replies to this topic

#1 OverFlow636

OverFlow636
  • Members
  • 5 posts
  • Location:San Marcos, TX
  •  
    United States

Posted 03 December 2009 - 10:45 PM

I am working on trying to decipher how ComboFix does what it does for virus/antimalware. It seems like there isn't any documentation on how it even works, so the task is annoying.

Has anyone experimented with seeing how ComboFix does what it does?

I would like to get a working version or mod for VistaPE.
Where I work we use VistaPE on 50+ computers a day, so the more automation the better.

Thanks for the help.

#2 maanu

maanu

    Gold Member

  • Advanced user
  • 1134 posts
  •  
    Pakistan

Posted 04 December 2009 - 05:16 AM

It is a file-based scanner, same as SDFix. Let me explain:

1. There are a number of file names written in a bat file which are known as malicious files, and they are removed on the run.
2. Remove junk.
3. Reset registry settings to default.


So there is NO point using it inside PE.

BUT it is one of my most important tools to be used while running actual Windows.

#3 OverFlow636

OverFlow636
  • Members
  • 5 posts
  • Location:San Marcos, TX
  •  
    United States

Posted 04 December 2009 - 06:29 AM

I don't mean running it in VistaPE on its local X drive, but making it use the local C drive and mounting its registry.

I hope to make running it from VistaPE as effective as running it from Windows.

Is that all it does, compare filenames? Because when I run it and check out the logs, most of the sys files it deletes out of sys32 seem to be random character strings.
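
As an added example, not code from this thread or from ComboFix itself: a small dry-run scanner in Python that does what maanu describes above (match file names against a list of known-bad names and report them for removal) and also flags the random-character names OverFlow636 noticed in the logs. The known-bad list, the allowlist and the directory listing are all constructed for the example; the "looks random" heuristic is an assumption of mine, not ComboFix's logic, and the block reports rather than deletes.

```python
"""Toy file-name-based scanner, constructed for illustration.

Mirrors the description in the thread: a list of known-bad file names
matched against what is on disk, plus a heuristic for the random-looking
names seen in the logs. Nothing here is ComboFix's real list or logic;
every name and path below is made up.
"""
import math
import re
from collections import Counter

# Constructed known-bad list (hypothetical names, not taken from ComboFix).
KNOWN_BAD = {
    "svch0st.exe",     # look-alike of svchost.exe
    "winlogon32.exe",  # no such Windows binary
    "ntde1ect.com",    # classic autorun-dropper style name
}

# Legitimate names that must never be flagged by the heuristic (constructed).
ALLOWLIST = {"kernel32.dll", "ntoskrnl.exe", "advapi32.dll", "mshtml.dll"}

# Only names with an executable extension are run through the heuristic.
SUSPECT_EXT = {".exe", ".dll", ".sys", ".com"}


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(stem):
    """Heuristic (assumption, not ComboFix's rule) for generated names such
    as 'kd3m9xqz': at least 8 chars of [a-z0-9], almost no repeated
    characters, and either no vowels at all or digits mixed with very few
    vowels. Real names like 'kernel32' or 'ntoskrnl' fall through."""
    s = stem.lower()
    if len(s) < 8 or not re.fullmatch(r"[a-z0-9]+", s):
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in s) / len(s)
    has_digit = any(ch.isdigit() for ch in s)
    near_max_entropy = shannon_entropy(s) / math.log2(len(s)) >= 0.9
    return near_max_entropy and (vowel_ratio == 0 or (has_digit and vowel_ratio < 0.15))


def classify(path):
    """Return (verdict, reason) for one path; verdict is 'known_bad',
    'suspicious' or 'ok'. Known-bad names win over the allowlist."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "." in name:
        stem, ext = name.rsplit(".", 1)
        ext = "." + ext
    else:
        stem, ext = name, ""
    if name in KNOWN_BAD:
        return "known_bad", "name matches known-bad list"
    if name in ALLOWLIST:
        return "ok", "allowlisted system file"
    if ext in SUSPECT_EXT and looks_random(stem):
        return "suspicious", "random-looking name with executable extension"
    return "ok", ""


def scan(listing):
    """Dry run: map each path that would be removed to its (verdict, reason).
    A real cleaner would delete here; this only reports."""
    report = {}
    for path in listing:
        verdict, reason = classify(path)
        if verdict != "ok":
            report[path] = (verdict, reason)
    return report


# Constructed directory listing standing in for a walk of C:\Windows\System32.
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\svch0st.exe",
    r"C:\Windows\System32\kd3m9xqz.dll",
    r"C:\Windows\System32\drivers\qjxwvbzk.sys",
    r"C:\Windows\System32\mshtml.dll",
    r"C:\Windows\System32\drivers\ksthunk.sys",
    r"C:\Windows\System32\nlsdata0000.dll",
]

if __name__ == "__main__":
    for path, (verdict, reason) in scan(SAMPLE_LISTING).items():
        print(f"{verdict:10} {path}  ({reason})")
```

Running it on the constructed listing reports svch0st.exe as known-bad and the two eight-character gibberish names as suspicious, while kernel32.dll, ntoskrnl.exe, ksthunk.sys and nlsdata0000.dll pass. The entropy-plus-vowel heuristic is deliberately conservative (8 characters minimum, near-maximal entropy) because a name-only scanner has no other signal; anything it flags still deserves a look at the file's signature and load points before deletion.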

#4 maanu

maanu

    Gold Member

  • Advanced user
  • 1134 posts
  •  
    Pakistan

Posted 04 December 2009 - 06:34 AM

I have already tried it; it does not even run in PE.

#5 OverFlow636

OverFlow636
  • Members
  • 5 posts
  • Location:San Marcos, TX
  •  
    United States

Posted 04 December 2009 - 06:45 AM

Aww, alright, thanks for the info.

Do you know which of ComboFix's bat files that it unpacks hold the known infected filenames?

#6 Karl1982

Karl1982

    Member

  • Members
  • 41 posts
  •  
    United States

Posted 22 May 2010 - 03:21 AM

Combofix is designed to kill active malware running from inside the infected environment. Specifically, it kills core Windows processes during certain phases of its operation, modifies what loads on boot, and involves rebooting the PC at least once. So it can't function from a nonpersistent PE environment, not to mention it would likely destroy the loaded PE and force you to reboot anyway.

You could add it to your PE CD for running when you don't boot from it, but it's better to always get the latest version of combofix if the computer's internet connectivity is still working.



