Jon R. Kibler wrote:
IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0%
trustworthy. You can remove the malware, but how do you know that
you found everything? You don't. Especially if the malware is some
sort of downloader or spyware.
Infected system? Back up the data, and ONLY the data, then (to quote
Microsoft from RSA a couple of years ago) "Nuke it from space!".
Bottom line: It is impossible to give any reasonable assurance that
a box that was infected has been cleaned. Best solution: Never store
use data on a client system (so you have nothing to back up) and
simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
some clients that reimage every desktop every weekend just for good
measure.
Purely monetarily speaking, I love the idea of reinstalling every
machine that gets a virus. I might have earnt about 4 times more money
than I have to date running my business, however I don't think customers
would appreciate their computer install being nuked every time they have
a malware issue. I would say that so far I've done about 50 installs of
Windows (computer building aside) whereas I have attended about 200
appointments where I have removed some form of malware from a computer.
Sure, you can't be absolutely 100% sure that a machine is 100% clean,
but quite frankly you can't be 100% sure that a cleanly-installed,
patched up-to-date machine hasn't somehow been compromised by a 100%
undetectable rootkit. When I go to an appointment, I check the usual
sources of 'programs being run on startup' registry entries that I'm
aware of, I check the process list, and I investigate further if I
observe any sign of a machine acting not 100% normal.
Computer fixing is rarely about 100% security (or anywhere near that),
as 100% security means "not usable".
--
Mike Moratz-Coppins
mike@mikeymike.org.uk
http://www.mikeymike.org.uk/
