-
April 9th, 2006, 11:25 PM
#1
Forget repairing virus infected systems, says MS security manager
The latest types of malware are so potent that organisations should forget about trying to cleanse infected systems, a top Microsoft security officer has advised. Mike Danseglio, a program manager in Microsoft's security group, said firms should think about establishing a process for backup and recovering rather than relying on anti-virus tools as a way of recovering from malware infection.
http://www.theregister.com/2006/04/0...ity_mea_culpa/
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
April 9th, 2006, 11:37 PM
#2
I never had a virus when I ran Windows (that I know of), nor have I had one since running Linux. But if I did, I feel that a new install would be the best option. Otherwise, I would probably always be wondering if I had missed something. When people come to this site and ask for help dealing with such issues, and I read the advice they're given (boot into safe mode, run this, run that, etc) it seems to me that it's more trouble than it's worth. Reinstall, and be done with it. Be more careful next time.
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
-
April 9th, 2006, 11:45 PM
#3
I find it a telling admission, preacherman. Microsoft's really dropped the ball when it comes to security. Sheesh, this guy even implies antivirus apps are about useless anymore.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
April 10th, 2006, 12:09 AM
#4
Originally posted here by brokencrow
I find it a telling admission, preacherman. Microsoft's really dropped the ball when it comes to security. Sheesh, this guy even implies antivirus apps are about useless anymore.
The more you post... the more I question your knowledge level with computers... Where has Microsoft dropped the ball with security? What they have said is very true and quite correct... It applies to all operating systems... not just MS ones.
When a virus infects your computer... you CANNOT tell the extent of the damage... AV software doesn't remove everything... Trend Micro provides about the best AV protection you can get and even they don't catch anything... Let's look at this realistically..
Option A:
Set up a weekly back-up of your files... (Quantum's GoVault is a great personal back-up option... and it's brand new on the market... once others make similar products a price drop will be seen on this already reasonably priced product)... or use an external hard drive (5 - 10 minutes to start)
Reinstall when you're infected (60 minutes tops)
Total Time: 1 Hour and 15 minutes (we'll round each of these up to the nearest quarter hour)
Option B:
Take a weekly ghost image ( 5 - 10 minutes to start)
Restore your ghost image (30 minutes... maybe 60 if you include all your applications as well as the base OS... all depends on if it's restored from CD or across the network)
Total Time: 45 Minutes or 1 hour and 15 minutes.
Option C:
Scan with AV Software (At least one Online Variant and One Installable Variant)... (2- 3 hours)
Scan with a couple of types of malware remover (System Cleaner (Trend Micro), Spybot S&D, AdAware (Lavasoft), Defender (Microsoft)... (1 - 2 hours)
There are still plenty of other steps to be taken.... total time (so far) is already 5 hours on the high end... Seems like reinstalling is the right thing.. Especially in an Enterprise environment (which again is where Microsoft's interests lie)...
You cannot be sure that you've removed a virus/worm/trojan/rootkit after it's installed... a rogue registry key, a file in an obscure portion of the operating system...
Maybe it used something like H.D. Moore's Slacker... "Slacker - First ever tool that allows you to hide files within the slack space of the NTFS file system."
They always say if your system is hacked reinstall... because you don't know what they've left behind... a virus is no different... if you're infected with a virus.... essentially you've been hacked... You don't know what that Virus has done.. has it provided a reverse-shell to the attacker... and they've left something behind...
Any sys admin with the slightest bit of intelligence will tell you that you should reinstall after a hack... and as I've said (and proven above) a virus is no different than a hack... people just don't think of it that way... which is wrong..
Therefore the proper thing to do is restore your system after a virus... it's the safest thing to do... and usually takes the least amount of time..
Peace,
HT
-
April 10th, 2006, 12:35 AM
#5
I find it a telling admission, preacherman. Microsoft's really dropped the ball when it comes to security. Sheesh, this guy even implies antivirus apps are about useless anymore.
He really isn't admitting that "Microsoft has dropped the ball...." Actually he is questioning the worth of antivirus repair tools (not all antivirus apps).
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
-
April 10th, 2006, 12:49 AM
#6
Well, Danseglio obviously falls in the blame-it-on-stupid-users school, that's for sure. I'm ALWAYS leery of outfits that blame their own customers.
Me? I still think M$ pushes some bad product out the door...
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
April 10th, 2006, 12:53 AM
#7
However Danseglio laid the blame for the majority of malware infections on human stupidity in the face of social engineering attacks rather than the security shortcomings of Windows, as highlighted by an unpatched Internet Explorer flaw that's become the focus of exploitation by hackers over recent days
That is still the main problem...uneducated users, or slack IT procedures....I have yet to have to do a reinstall on a production machine (all WinXP Pro's), as long as you limit the potential for damage by the user, the PC's are fine, WinXp is a durable OS for all of its supposedly flawed holes, who remembers Win95 and 98 and always having problems with dll's and the registry, or the first round of popups and adware, now those I had to do a lot of formats and reinstalls.
As for:
He cited the example of an unnamed US government agency that found itself trying to fix 2,000 infected machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden
It's Gov't so they get what they pay for, doesn't surprise me they had over 2,000 infected machines, I would be willing to bet it was more, the "lowest bidder doesn't usually get the job" is well crap, Gov'ts will always go cheap, and not all dept's are able to get the bang for our buck. Also IMO Gov'ts are notorious for being behind the learning curve on newer technology, (unless it's got something to do with weapons) and so are slow to implement policies. Consequently things get overlooked.
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
April 10th, 2006, 01:01 AM
#8
Historically, the gov't has usually paid top-dollar, especially the military. I doubt those 2000 gov't units were military computers. Didn't MS sell the Pentagon a 'secure' version of Windows? Those boys aren't stupid. Outnumbered maybe, but not stupid.
Why can't they sell a secure version of XP to the public? Secure out of the box.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
April 10th, 2006, 01:13 AM
#9
Why can't they sell a secure version of XP to the public? Secure out of the box.
Because the public wouldn't accept the restrictions... Just like they don't use Linux because it would mean they have to learn something about their computer rather than just use it....
No brainer really....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
April 10th, 2006, 01:24 AM
#10
Folks didn't like seatbelts back in the day either. Caused too many wrinkles in your clothes.
“Everybody is ignorant, only on different subjects.” — Will Rogers