BLU Discuss list archive
OT: Windows virus removal
- Subject: OT: Windows virus removal
- From: tmetro-blu-5a1Jt6qxUNc at public.gmane.org (Tom Metro)
- Date: Mon, 19 Apr 2010 22:37:01 -0400
Scott Ehrlich wrote:
> ...I just don't trust _any_ Windows system, from the first sector to
> the last, once it has been infected.

Generally good advice.

Despite that, this past weekend, I did attempt to do some virus cleanup on a client's machine as a favor. It's been a while since I attempted such a thing.

I see some of the commercial anti-virus vendors are adopting one of my favorite cleanup practices - using a Linux boot CD to scan and clean up. See for example:

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

  Avira AntiVir Rescue System is a Linux-based application that allows
  accessing computers that cannot be booted anymore.

(Unfortunately it is distributed as a Windows executable with an embedded CD recording tool. I'm not sure if they do this purely for ease of use, or if they download live signature updates and merge them into the ISO before burning.)

Above it says to use this tool if your machine can't boot, but I don't see why this approach hasn't long since been standard practice when responding to any virus presence. It is far safer and more reliable than attempting to remove malware from a system actively running malware. (Attempts at using "safe mode" are rather pointless, as I'm sure most malware authors have figured out how to keep their code running in safe mode.)

The limitation of this technique is that the majority of the anti-malware tools are written to run on Windows, not Linux. (Of course there are a few commercial options on Linux, including the above Avira AntiVir, and there's always ClamAV. Alternatively, you can use a Windows Live CD, but they're a pain to build and slow to boot.)

I tried a variation of the above technique - mounting the infected drive via USB onto a clean Windows system (and making sure auto-play didn't get invoked, and that the drive was powered off during boots). This works moderately well, though I ran into the permission problems I posted about in the other thread.

I also found several of the commercial tools either handled scanning an external drive poorly (they don't quite get the concept that a virus found on the E: drive should be quarantined on the E: drive, and not copied to some place on C:) or were simply buggy and scanned the wrong locations (Avira AntiVir scanned parts of E:, then went off on a tangent scanning a network share, for no apparent reason, despite being told specifically to scan E:; apparently a bug according to posts in their forum).

Operationally, ClamAV actually proved to be the most consistent. Whether its signatures are on par with the commercial tools, I don't know.

They have their important data backed up in the cloud, so if the cleanup looks iffy, plan B will be to wipe the drive and reload the image taken after the machine was first deployed. Still, that's a slow process to reload the drive and update all the apps. Oh well.

On the next computer upgrade I'll recommend this client switch to Ubuntu, and run their accounting package in a Windows VM. They've already been migrated to Firefox and Thunderbird, and have one desktop running Ubuntu.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
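The offline-scan workflow the post describes (suspect Windows volume attached to a clean Linux host, nothing on it allowed to run, ClamAV doing the scanning, and detections quarantined on the scanned volume rather than on the host) as an added example script; this is not code from the thread or from the ClamAV project. The device name, the mount point, the ntfs-3g driver, and the `.quarantine` directory name are assumptions. The first pass mounts read-only with noexec/nosuid/nodev and only reports; the explicit `quarantine` mode remounts read-write and moves detections with `clamscan --move` into a directory on the same volume, after checking that it really is the same filesystem.

```shell
#!/bin/sh
# Added example (not from the BLU thread): scan a suspect Windows volume that
# has been attached to a clean Linux host, without letting anything on it run.
#
#   sh offline_scan.sh /dev/sdb1 /mnt/suspect            # inspect: read-only report
#   sh offline_scan.sh /dev/sdb1 /mnt/suspect quarantine # move detections on-volume
#
# Device, mount point, ntfs-3g and the .quarantine directory are assumptions.
set -eu

# Mount options for the inspection pass: read-only, nothing executable,
# no device nodes, no setuid binaries, no atime writes to the volume.
inspect_mount_opts() {
    printf '%s' 'ro,noexec,nosuid,nodev,noatime'
}

# Quarantine directory derived from the mount point, so quarantined files
# stay on the scanned volume and are never copied onto the host's own disk.
quarantine_dir() {
    printf '%s/.quarantine' "${1%/}"
}

# True when both paths sit on the same filesystem (df -P output is POSIX).
same_volume() {
    a=$(df -P "$1" | awk 'NR==2 {print $1}')
    b=$(df -P "$2" | awk 'NR==2 {print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
    dev=$1
    mnt=$2
    mode=${3:-inspect}
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; exit 2; }
    mkdir -p "$mnt"
    # The scan log lives on the clean host; only quarantined files stay on the volume.
    log="$HOME/clamscan-$(date +%Y%m%d-%H%M%S).log"

    # Refresh signatures first; an old database is better than no scan at all.
    freshclam || echo "warning: signature update failed, using current database" >&2

    rc=0
    if [ "$mode" = quarantine ]; then
        qdir=$(quarantine_dir "$mnt")
        mount -t ntfs-3g -o rw,noexec,nosuid,nodev "$dev" "$mnt"
        mkdir -p "$qdir"
        same_volume "$mnt" "$qdir" || { echo "quarantine dir is not on the scanned volume" >&2; umount "$mnt"; exit 3; }
        clamscan --recursive --infected --log="$log" --move="$qdir" "$mnt" || rc=$?
    else
        mount -t ntfs-3g -o "$(inspect_mount_opts)" "$dev" "$mnt"
        clamscan --recursive --infected --log="$log" "$mnt" || rc=$?
    fi
    umount "$mnt"

    # clamscan exit codes: 0 nothing found, 1 detections, anything else is an error.
    case $rc in
        0) echo "no detections; report in $log" ;;
        1) echo "detections listed in $log" ;;
        *) echo "clamscan failed with status $rc" >&2 ;;
    esac
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Mounting by hand with these options is the Linux equivalent of the "make sure auto-play doesn't get invoked" step: the host's automounter never touches the volume, and noexec means nothing on it can be launched from the host even by accident. The quarantine pass is deliberately a separate, explicit mode so that the default run never writes to the suspect disk.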