Hi there ByTe,
That has got me thinking, mate! :D ... Looking at it from a reciprocal viewpoint: "What can Symantec see that I cannot, using conventional tools?"
Quote:
If Symantec is showing them up while scanning but they are not on the system I wonder what's going on.
The ones that spring to mind are:
1. RAM
2. The page file
I don't know about alternate data streams and "slack space" or "cluster tips"? If it can't detect something in the latter it isn't much good, I would have thought?
I am not yet sure where I would go from here :confused:
On my desktop machines I usually set the Registry value to have Windows overwrite the page file on shutdown. That isn't realistic with a server which is on 24/7 :(
At this point I would set the page file to minimum size. Because this is used by Windows for mini-dumps, I guess malware would not be able to access it.
I would then run "Eraser" [link below] to wipe "free space", as this would get what was in the former page file, and it also wipes alternate data streams and cluster tips.
That then leaves you with the question of how this is happening? It really has to be something that they are not scanning? Possibly:
1. Portable storage media
2. Portable devices
3. Printer Servers
4. Mail Servers ... sure, the e-mails are scanned, but what about the server itself?
5. "Orphan" clients (PCs in conference & training rooms, libraries, reception areas etc.) These are sometimes overlooked when nobody has direct responsibility for them?
Good Luck!
EDIT:
http://eraser.heidi.ie/
EDIT 2:
Quote:
Works with Windows 98, ME, NT, 2000, XP, Vista, Windows Server 2003 and Server 2008. Eraser is Free software and its source code is released under GNU General Public License.
Sorry ByTe, you did title your post "examining" so here you go:
http://www.jsware.net/jsware/sviewer.php5
A tool for examining ADS and deleting nasty stuff. Sorry, but it only works with NT4.0, 2000, XP and 2003 Server.
This one will work with Vista and Win 7, but you have to pay $11 for the commercial version that lets you delete stuff. I think it is called "ADS Scanner Engine".
http://www.freesoftwaretoolbox.com/repository/
Whilst you are on that site you might like to scroll down and get "Hidden File Scanner". It is the same deal as the one above ... "Look for free, pay to touch" :D
Quote:
Hidden File Scanner also does a quick scan at start up to detect the appearance of autorun.inf files on all devices including removable medias. If such an autorun.inf file is found, a dialog box will pop up where you can either delete, unhide or inspect the content of the autorun.inf. This tool will automatically rate the autorun.inf files as normal, hidden, suspicious or dangerous file.
I am sorry, but I don't know of a utility to examine cluster tips. I guess I would use a Hex Editor or Disk Investigator.
http://www.theabsolute.net/sware/dskinv.html
It works with 2000 and XP but I don't know about 2003 Server.
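An added example, not from the original post and not code from any of the tools linked above: a PowerShell script that covers the "examining" side of the reply with built-in cmdlets, so you can compare what Symantec reports against what you can see yourself. It lists alternate data streams under a folder, reports the page-file registry value and current page-file configuration mentioned above, and checks every mounted volume (removable media included) for an autorun.inf. It assumes Windows PowerShell 3.0 or later (needed for Get-Item -Stream) and an elevated shell; $Root is a hypothetical starting folder, not anything from the thread. It only reads; nothing is wiped or deleted.

```powershell
# Added example (not from the original post). Examination only: read ADS,
# page-file state and autorun.inf files; delete nothing.
# Assumes Windows PowerShell 3.0+ and a local admin shell.
param(
    [string]$Root = 'C:\Users\Public'   # assumption: folder tree to scan for ADS
)

# 1. Alternate data streams: every non-default stream under $Root.
#    ':$DATA' is the file's ordinary content; any other stream is an ADS.
function Get-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

# 2. Page-file handling: the ClearPageFileAtShutdown value the post refers to,
#    plus whether the page file is system-managed or pinned to a fixed size.
function Get-PageFileState {
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    # Missing value behaves like 0 (do not wipe); 1 means wipe on shutdown.
    $clearVal = if ($null -eq $clear) { 0 } else { [int]$clear }
    [pscustomobject]@{
        ClearPageFileAtShutdown = $clearVal
        PagingFiles             = (Get-ItemProperty -Path $mm -Name PagingFiles -ErrorAction SilentlyContinue).PagingFiles
        SystemManaged           = (Get-CimInstance Win32_ComputerSystem).AutomaticManagedPagefile
        PageFileUsage           = Get-CimInstance Win32_PageFileUsage | Select-Object Name, AllocatedBaseSize, CurrentUsage
    }
}

# 3. autorun.inf on every mounted volume (the check the Hidden File Scanner
#    quote describes). DriveType 2 = removable, 3 = fixed. Attributes are
#    reported so a hidden/system autorun.inf stands out; content is shown
#    for inspection, not executed.
function Get-AutorunFiles {
    Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 } | ForEach-Object {
        $f = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f -Force
            [pscustomobject]@{
                Drive      = $_.DeviceID
                Attributes = $item.Attributes
                Content    = Get-Content -LiteralPath $f -Raw -ErrorAction SilentlyContinue
            }
        }
    }
}

"== Alternate data streams under $Root =="
Get-AlternateStreams -Path $Root | Format-Table -AutoSize

'== Page file state =='
Get-PageFileState | Format-List

'== autorun.inf on mounted volumes =='
Get-AutorunFiles | Format-List
```

Run it as `.\examine.ps1 -Root D:\Share` (any script name; assumed here). Two caveats a practitioner should keep in mind: walking a whole volume with Get-Item -Stream is slow, so start with user-writable trees; and, as the reply already says, file-level cmdlets cannot see slack space or cluster tips, for which you still need a hex editor or a disk-level tool working on an image of the volume.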