Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] [OT] Microsoft's Standalone System Sweeper



I heard Microsoft's Standalone System Sweeper mentioned on the Security
Now podcast sometime last year, and recently when several friends and
relatives, that are still unfortunate enough to be running Windows,
asked me for advice on repairing malware infections, I recommended they
try it. They've all had positive results. Also it is turn-key enough
that non-technical users can employ it themselves. It has saved me from
making on-site visits.

To use Microsoft's Standalone System Sweeper you download an installer
on an uninfected Windows machine, and run it to produce a bootable CDR,
DVD, or USB drive. You then boot the infected system with the media you
created and it scans/repairs the system.

I think it is about time there was a commercial solution for malware
remediation that didn't depend on the infected OS. I always found the
idea of downloading and running repair tools on an infected system to be
tenuous. For the technically inclined, the best option was always to
boot a live CD (Linux or Windows) and run repair tools from that.

Microsoft seems to recommend SS only if other methods have failed, but I
tend to think that if you notice malware symptoms despite running
real-time protection (say Microsoft Security Essentials), then your
first response should be a tool like SS. I plan to recommend to my
friends and clients that they run SS prophylacticly every 6 months.

I would, however, like to know more about what System Sweeper does. For
example, why do they have both a 32-bit and 64-bit version? (The
architecture needs to match the target system that will be
scanned/repaired.) It raises the possibility that they are bundling
repair files onto the CDR to replace commonly damaged files, and that
the CDR only has enough capacity to handle one target type.

Why doesn't Microsoft provide an optional ISO file to download? It would
permit you to use more secure systems (like Linux) to create the media,
and if all you had was an infected system available, probably less risky
to download and burn an ISO than running the installer. Sure, the tool
would need the latest virus signatures, but a scheduled job could
regenerate the ISO file on Microsoft's servers periodically.

What does SS actually do when it scans a system? It seems to both detect
and repair problems. Can it replace corrupt or infected Windows files?
Does it include replacement files, or does it just know how to repair
the on-disk files from specific types of damage? Does it exclusively
scan for virus signatures, or does it also compare the hash of system
files against a database of hashes of known good files? Does it repair
the MBR? How does it determine the MBR is bad, and will it consider
alternate bootloaders, like GRUB or Truecrypt, as infected and replace them?

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org