Best to boot from external drive to remove malware?
walterbyrd
2010-11-06 19:02:34 UTC
There are ways to boot Windows from a USB drive. Would that be the
best way to remove malware from an infected PC?

My reasoning is: once an infected computer has booted, the malware is
already running. That malware may prevent the installation of anti-malware
software. Or, it may prevent anti-malware software from
updating, or otherwise running correctly.

On the other hand, if the malware has disguised itself as legitimate
Windows system files, then if you boot from an external drive, the software
on that external drive may not recognize the disguised malware.
Thor Kottelin
2010-11-07 15:46:59 UTC
Post by walterbyrd
There are ways to boot Windows from a USB drive. Would that be the
best way to remove malware from an infected PC?
The only kind of malware removal that can be generally recommended is the
kind that reinstalls the operating system from scratch and, unless the
administrator knows exactly what he or she is doing, formats the disk as
well.
--
Thor Kottelin
walterbyrd
2010-11-07 18:21:33 UTC
Post by Thor Kottelin
The only kind of malware removal that can be generally recommended is the
kind that reinstalls the operating system from scratch and, unless the
administrator knows exactly what he or she is doing, formats the disk as
well.
Assuming that time is not a factor, and assuming that the PC's owner
has all the needed legal CDs, and assuming that the PC's owner knows
where all of his/her data resides: that is not a bad idea.

But, what about the cases where those assumptions do not apply?
Thor Kottelin
2010-11-07 19:14:12 UTC
Post by walterbyrd
Post by Thor Kottelin
The only kind of malware removal that can be generally recommended is the
kind that reinstalls the operating system from scratch and, unless the
administrator knows exactly what he or she is doing, formats the disk as
well.
Assuming that time is not a factor, and assuming that the PC's owner
has all the needed legal CDs, and assuming that the PC's owner knows
where all of his/her data resides: that is not a bad idea.
But, what about the cases where those assumptions do not apply?
Meticulous analysis and cleaning of a cracked system usually takes longer
than a reinstall.

As for the other assumptions you mention, they should be fulfilled as a
matter of course. If an administrator does not have access to installation
media and/or does not know where the data is stored, he or she would do
well to address those basic deficiencies instead of digging himself or
herself a deeper hole.
--
Thor Kottelin
http://www.anta.net/
Char Jackson
2010-11-07 21:06:07 UTC
On Sat, 6 Nov 2010 12:02:34 -0700 (PDT), walterbyrd
Post by walterbyrd
There are ways to boot Windows from a USB drive. Would that be the
best way to remove malware from an infected PC?
My reasoning is: once an infected computer has booted, the malware is
already running. That malware may prevent the installation of anti-malware
software. Or, it may prevent anti-malware software from
updating, or otherwise running correctly.
On the other hand, if the malware has disguised itself as legitimate
Windows system files, then if you boot from an external drive, the software
on that external drive may not recognize the disguised malware.
Yes, that's normally how I do it for my customers, for the reasons you
stated. While some will suggest reformatting and rebuilding from
scratch, I very rarely need to do that and consider it the very last
resort. You can get away with doing some things in Safe mode or even
after a normal start, but booting from a USB thumb drive normally
works a treat.
Regis
2010-11-08 20:33:52 UTC
Post by walterbyrd
There are ways to boot Windows from a USB drive. Would that be the
best way to remove malware from an infected PC?
Yes. With the caveats that the gold standard method is to flatten and
rebuild the box from a known clean image on read only media.
Post by walterbyrd
My reasoning is: once an infected computer has booted, the malware is
already running. That malware may prevent the installation of anti-malware
software. Or, it may prevent anti-malware software from
updating, or otherwise running correctly.
On the other hand, if the malware has disguised itself as legitimate
Windows system files, then if you boot from an external drive, the software
on that external drive may not recognize the disguised malware.
That's also true. Against modern threats, depending on whose numbers
you believe, AV is only 38% effective these days at detecting real
threats. It's pretty horrendous.

As such, in my shop, we have a fairly hair trigger to flattening and
rebuilding.
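The caveat raised in the original post (a file disguised as a legitimate Windows system file may look fine to the scanner on the rescue drive) and Regis's point about AV detection rates both argue for checking the offline volume against a known-good reference rather than relying on signatures alone. The script below is an added example, not code from this thread or from any product: it hashes a System32 tree on a volume mounted read-only from rescue media and compares it with a manifest built from a clean install of the same build and patch level (the manifest format, the `Windows/System32` subdirectory and the mount paths are assumptions).

```python
import hashlib
import json
from pathlib import Path

# Added example (not from the thread). Assumes the infected disk is mounted
# read-only from rescue media and that a manifest {relative path: sha256}
# was built from a CLEAN reference install of the same build and patch level;
# Windows Update changes system-file hashes, so a mismatched reference will
# report false "modified" entries.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, subdir: str = "Windows/System32") -> dict:
    """Hash every file under root/subdir; run on the clean reference volume."""
    base = root / subdir
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(base.rglob("*")) if p.is_file()}

def check_volume(root: Path, manifest: dict, subdir: str = "Windows/System32") -> dict:
    """Compare the offline volume under root with the known-good manifest."""
    current = build_manifest(root, subdir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo() -> dict:
    """Constructed sample: a clean reference tree and a tampered copy of it."""
    import shutil, tempfile
    tmp = Path(tempfile.mkdtemp())
    clean, infected = tmp / "clean", tmp / "infected"
    sys32 = clean / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "svchost.exe").write_bytes(b"genuine svchost bytes (constructed)")
    (sys32 / "kernel32.dll").write_bytes(b"genuine kernel32 bytes (constructed)")
    shutil.copytree(clean, infected)
    # Tampered copy: one real system file replaced in place, one file added.
    (infected / "Windows/System32/svchost.exe").write_bytes(b"replaced content (constructed)")
    (infected / "Windows/System32/unknown.dll").write_bytes(b"extra file (constructed)")
    result = check_volume(infected, build_manifest(clean))
    shutil.rmtree(tmp)
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A "modified" hit on a file the scanner passed is exactly the disguised-system-file case; "unexpected" entries are candidates for closer inspection, and either finding is a reasonable trigger for the flatten-and-rebuild Regis describes.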
