
Is it better to scan for viruses and such from USB or CD?


21 replies to this topic

#1 flyhigh427

Posted 19 September 2009 - 03:24 PM

Hi, I have lots of people bringing in computers to be fixed
because of viruses and such. My question is: is it better to scan
from a CD rescue disk first?
Thanks

#2 maanu

Posted 19 September 2009 - 04:27 PM

Hi, I have lots of people bringing in computers to be fixed
because of viruses and such. My question is: is it better to scan
from a CD rescue disk first?
Thanks


It is BEST to do so.

Reasons:

1. Virus is not ACTIVE.
2. Registry is offline.
3. No Windows processes will mess with the virus scan; files will be easy to nuke.

#3 was_jaclaz

Posted 19 September 2009 - 04:41 PM

It is BEST to do so.


I am not sure. ;)

Was the original question meant as:
  • What would be the better between scanning from installed OS from internal hard drive as opposed to either CD or USB stick/drive?
OR:
  • What would be the better between scanning from a boot CD as opposed to a USB stick/drive?

;)

jaclaz

#4 maanu

Posted 19 September 2009 - 05:08 PM

There is a contradiction between his topic title and the details in the 1st post. I thought he is asking about a CD rescue disk only.

But anyway, if there is an option between CD and USB, I'd say go for the USB-based approach (I suppose you have a PE or Avira-like rescue tool running from USB), as it will be a lot easier to keep the AV updated on your USB, by just replacing the signature files.

#5 was_jaclaz

Posted 19 September 2009 - 05:23 PM

I'd say go for the USB-based approach (I suppose you have a PE or Avira-like rescue tool running from USB), as it will be a lot easier to keep the AV updated on your USB, by just replacing the signature files.

Practically, yes. ;)

Theoretically, debatable. ;)

A "false boot" with a bootsector Virus on internal hard disk and usb device connected and your USB device is not anymore "clean", at least theoretically.

Same with a BIOS Virus/Malware, and not even a "false boot" is needed.

Taking the actual hard disk out of the PC and connecting it to an already booted, surely clean PC through a USB adapter already sounds better, but it won't give you a chance to verify the BIOS of the "affected" machine.

Probably the best compromise is a USB stick with "Read ONLY Lock" switch or a hardware write blocker, as it is used in forensics, though cannot say if the latter would alter the USB booting capabilities.

Another option, but still with a little risk involved, might be a "base" install on the CD-ROM part of a U3 stick (or however two LUN's stick with CD-ROM option) with the update files for the antivirus in the "normal" partition.

;)

jaclaz

#6 billonious

Posted 19 September 2009 - 06:05 PM

Once upon a time, a virus was hidden in the "System Volume Information" folder. The running antivirus couldn't access it under WinXP. A PE boot CD was the only way to remove it.

#7 was_jaclaz

Posted 19 September 2009 - 06:12 PM

A PE boot-cd was the only way to remove it.

Or a PE boot USB stick/disk, there are no differences in this.

jaclaz

#8 maanu

Posted 19 September 2009 - 09:43 PM

Read only lock?

What about some softs that might need to write to the USB stick (I remember Plop's limitation, which causes issues even at DOS level)?

If it is for boot sector viruses, an Avira rescue disk will be enough for it, I guess.

#9 nevel

Posted 12 March 2010 - 10:24 PM

I guess antivirus scanners from disc would be the most sensible way, because of the CD's read only nature.
Personally, however, I can no longer be bothered to use discs for this kinda stuff.

True, USB's could get infected, even in "read only" mode.
But I, at least, have not yet encountered any such infection.

There are quite some different ways to get good antivirus software onto your USB stick, nowadays.
Most of the times, you can simply use a 1 or 2GB stick.
Works for netbooks as well, since most of them are not equipped with a CD drive.

Good luck!

#10 MedEvil

Posted 12 March 2010 - 10:52 PM

True, USB's could get infected, even in "read only" mode.

How is that supposed to work? :cheers:


:lol:

#11 nevel

Posted 12 March 2010 - 10:59 PM

I'm not sure, but I am sure I've read about this over here @ bootland.
Please correct me if I'm wrong.

#12 Brito

Posted 12 March 2010 - 11:38 PM

How is that supposed to work?

It's becoming rare to find these USB flash disks with a lock switch.

So, if you mishappen to click on a malware infected executable then it might as well scan all other executables available and get them infected as well.

:lol:

#13 MedEvil

Posted 13 March 2010 - 01:25 AM

:cheers: So 'read only' sticks get infected by being 'not read only'. imo then one shouldn't call them 'read only'. :lol: ;)

:cheers:

#14 Brito

Posted 13 March 2010 - 06:01 AM

then one shouldn't call them 'read only'

exactly.. :lol:

#15 mohammed gebril

Posted 13 March 2010 - 09:57 AM

Both of them are correct.
My priority is to do a scan with the antivirus installed in the system because it's faster.
I start with stopping the System Restore process. Then I delete the System Volume Information folder from all partitions.
If I find some virus that cannot be cleaned or deleted,
then I look at where the infected files are:
if they are in the Windows folder, especially in system32, then it's better to do a scan from
a rescue CD or USB,
or on another system, just attaching my hard disk to another computer with an updated antivirus program.

With some viruses, cleaning the files infected with them means they will be deleted, and that means you will need to repair the system.

#16 Wonko the Sane

Posted 13 March 2010 - 11:24 AM

You can always use the Manufacturer Tool (if available) and create a TRUE read only volume.

:lol:

Wonko

#17 Karl1982

Posted 13 March 2010 - 11:53 AM

If you're trying to scan from external media on a system known to have a virus, then it's really best to scan from read-only media. I have an old USB 1.1 128MB flash drive with a read-only switch. Unfortunately none of my newer flash drives have one.

I do recommend going with CD unless either your flash drive can be locked, or you make a backup image of it first in case it gets trashed. If you have a copy of all the files on it, you could also use robocopy with the /mir option on it afterward. That would restore all files on it to the original state and delete any new ones (!) without rewriting the whole drive. You could even do that just as a precaution after you've used it for virus removal.

I've had a flash drive's autorun.inf get hijacked by an infected computer before, so keep in mind that it can definitely happen.
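
A hash-based check for the precaution described in post #17, as an added example that is not part of the thread: record SHA-256 digests of every file on the rescue stick from a trusted PC, then compare after the stick has been plugged into a suspect machine. The function names and the save/check command-line modes are assumptions made for this example.

```python
import hashlib
import json
import sys
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Report files added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    report = {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }
    # A new or altered autorun.inf in the volume root is the hijack mentioned
    # in the thread; file names are case-insensitive on FAT/NTFS.
    touched = report["added"] + report["modified"]
    report["autorun_touched"] = any(p.lower() == "autorun.inf" for p in touched)
    report["clean"] = not (touched or report["removed"])
    return report


if __name__ == "__main__":
    # Hypothetical CLI: save|check <stick_root> <manifest.json>
    mode, stick_root, manifest_file = sys.argv[1:4]
    if mode == "save":  # run once on a trusted PC, keep the JSON off the stick
        Path(manifest_file).write_text(json.dumps(build_manifest(stick_root)))
    else:  # run on a trusted PC after the stick was used
        result = compare(json.loads(Path(manifest_file).read_text()),
                         build_manifest(stick_root))
        print(json.dumps(result, indent=1))
        sys.exit(0 if result["clean"] else 1)
```

File hashes do not cover the boot sector of the stick; comparing against the full backup image mentioned in the post covers that part.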

#18 MedEvil

Posted 13 March 2010 - 12:20 PM

You can always use the Manufacturer Tool (if available) and create a TRUE read only volume.

Can you explain about the TRUE part?

:cheers:

#19 Wonko the Sane

Posted 13 March 2010 - 01:20 PM

Can you explain about the TRUE part?

Some (but not all) Manufacturer Tools allow for a READ only partition, something that you simply cannot write to through "normal" DOS/Windows methods.

Think of it like you would of a U3 drive .iso device.

Usually this kind of partition/volume has its own separate LUN.

Some details:
http://www.msfn.org/...howtopic=121199
http://www.msfn.org/...o...121199&st=7

:cheers:

Wonko

#20 MedEvil

Posted 13 March 2010 - 02:18 PM

Yes, but why would this be TRUE read only, while the use of a r/w switch is only FALSE read only?

:cheers:

#21 Wonko the Sane

Posted 13 March 2010 - 03:13 PM

Yes, but why would this be TRUE read only, while the use of a r/w switch is only FALSE read only?

There was NO intended juxtaposition against the switch ones.

I guess it's your (or Nuno's :cheers:) assumption that a "read only" device is not "read only".

However, if you want to know, the switch MAY be misplaced accidentally, the "reserved" partition cannot, unless the Manufacturer Tool is used again.

And yes, before you come out with it, it is perfectly possible to write a malicious tool that can replicate the behaviour of the Manufacturer Tool and make the partition not read only, but it is UNLIKELY.

JFYI, most controllers do have the possibility to connect a switch to make the stick read only, even if the stick manufacturer didn't provide one.

Attached a rigorously faked image of such a hack.


:cheers:

Wonko




#22 MedEvil

Posted 13 March 2010 - 05:05 PM

There was NO intended juxtaposition against the switch ones.

Oh! Ok.

:cheers:



