From: David H. Lipman on 5 Dec 2009 13:16

From: "Virus Guy" <Virus(a)Guy.com>

| "David H. Lipman" wrote:

>> All anti malware scanners presume that they are installed on the
>> OS that is affected.

| I fully understand that - although your "all" proviso leaves no doubt
| about it, and so far nobody else has suggested that there is even one
| scanner that can do what I'm asking about.
|
| But your statement does not answer the question:
|
|| Are hive structures either so proprietary or so complex to make
|| that task impossible?

>> I mention the above because many presume placing an affected
>> drive in a surrogate PC is one of the best ways to deal with
>> removing malware that may be loaded at run-time. However, if
>> you do, when you run the Anti malware software it will not
>> correct the registry of the OS of the affected drive and may
>> leave the OS of the affected drive impotent.

| Hence my question as to whether or not the "next frontier" of AM
| (anti-malware) software would be to have the ability to scan and correct
| the registry present on a slaved drive.

Can't speak to future developments.

>> I am NOT saying placing an affected drive in a surrogate PC is
>> not a good methodology. I am saying that it can have drawbacks
>> and you must be prepared for them.

| Would it not be possible to run a system in safe mode and therefore not
| experience the BSOD in your example?

No.

>> An advantage of placing an affected drive in a surrogate PC
>> is that if there is a RootKit

| In my case, it seems that the malware in question was preventing me from
| (re)installing and running NAV (and even the task manager) but not
| MBAM. We know that it's fairly common for malware to have an in-built
| list of file names and processes to interfere with and prevent proper
| operation.
|
| To your knowledge, is MBAM on such lists?

Definitely !
Example; TDSS/TDL3

>> If you place an affected drive in a surrogate PC expect
>> it ONLY to work at the file level (disk level) and not
>> affect the Registry.

| That is already a given, and was presumed in my first post in this
| thread.
|
| I'm asking if there are technical reasons why "external" registry files
| could not be accessed and manipulated by third-party software.
|
| I'm suggesting that the functionality of AM software could be enhanced
| and their utility and desirability increased by having this ability.

I doubt it will EVER exist by major software manufacturers.
If some bright white hat programmer can/will do it in the future ? Maybe, but I have my doubts.

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
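The question above is whether "external" registry files on a slaved drive can be read and inspected by software running on the surrogate PC. Windows itself already does this through the `reg.exe load` / `reg.exe unload` mechanism, which attaches an offline hive file under a temporary HKLM subkey. The script below is an added example, not code from any participant in this thread or from any anti-malware product: it loads the SOFTWARE and SYSTEM hives of a slaved drive and enumerates the autostart keys and service ImagePaths that a responder would review for persistence. It assumes the affected drive is mounted as `E:` and that it runs in an elevated PowerShell session; both are constructed for the example.

```powershell
# Added example (not from any poster in this thread). Assumptions, constructed
# for illustration: the affected drive is slaved as E: and this runs in an
# elevated PowerShell session on the surrogate PC.
$OfflineRoot = 'E:\Windows\System32\config'
$Mounts = @{
    'HKLM\Offline_SOFTWARE' = Join-Path $OfflineRoot 'SOFTWARE'
    'HKLM\Offline_SYSTEM'   = Join-Path $OfflineRoot 'SYSTEM'
}

# Machine-wide autostart locations worth reviewing on a slaved drive. Per-user
# NTUSER.DAT hives under E:\Users\<name> can be loaded the same way.
$RunKeys = @(
    'HKLM:\Offline_SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Offline_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Offline_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

try {
    foreach ($entry in $Mounts.GetEnumerator()) {
        # reg.exe load attaches the offline hive file under a new HKLM subkey.
        # The hive is opened read/write, so only enumerate unless you mean to edit.
        & reg.exe load $entry.Key $entry.Value | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not load hive $($entry.Value)" }
    }

    # Autostart values from the offline SOFTWARE hive.
    foreach ($key in $RunKeys) {
        if (Test-Path $key) {
            Write-Host "== $key"
            Get-ItemProperty -Path $key |
                Select-Object -Property * -ExcludeProperty PS* |
                Format-List
        }
    }

    # Services and drivers from the offline SYSTEM hive: resolve which control
    # set the offline OS boots from, then list each service's ImagePath so an
    # unexpected driver (the rootkit case discussed above) stands out.
    $current = (Get-ItemProperty 'HKLM:\Offline_SYSTEM\Select').Current
    $svcRoot = 'HKLM:\Offline_SYSTEM\ControlSet{0:D3}\Services' -f $current
    Get-ChildItem -Path $svcRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.ImagePath) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $p.Start
                ImagePath = $p.ImagePath
            }
        }
    } | Sort-Object Start | Format-Table -AutoSize
}
finally {
    # Release PowerShell's own handles to the loaded keys, then detach the
    # hives so the slaved drive can be returned to its original machine.
    [gc]::Collect()
    foreach ($name in $Mounts.Keys) { & reg.exe unload $name | Out-Null }
}
```

Two caveats a practitioner would want: `reg.exe unload` fails while any process still holds a handle under the loaded key, which is why the `finally` block forces a garbage collection first; and because the hive is opened read/write, any change made through the mounted path is written straight into the slaved drive's registry, so this is an inspection technique and any correction should be deliberate.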
From: Dustin Cook on 13 Dec 2009 14:35

Virus Guy <Virus(a)Guy.com> wrote in news:4B1A99E8.4680C0D4(a)Guy.com:

> "David H. Lipman" wrote:
>
>> All anti malware scanners presume that they are installed on the
>> OS that is affected.
>
> I fully understand that - although your "all" proviso leaves no doubt
> about it, and so far nobody else has suggested that there is even one
> scanner that can do what I'm asking about.
>
> But your statement does not answer the question:
>
>| Are hive structures either so proprietary or so complex to make
>| that task impossible?
>
>> I mention the above because many presume placing an affected
>> drive in a surrogate PC is one of the best ways to deal with
>> removing malware that may be loaded at run-time. However, if
>> you do, when you run the Anti malware software it will not
>> correct the registry of the OS of the affected drive and may
>> leave the OS of the affected drive impotent.
>
> Hence my question as to whether or not the "next frontier" of AM
> (anti-malware) software would be to have the ability to scan and correct
> the registry present on a slaved drive.
>
>> I am NOT saying placing an affected drive in a surrogate PC is
>> not a good methodology. I am saying that it can have drawbacks
>> and you must be prepared for them.
>
> Would it not be possible to run a system in safe mode and therefore not
> experience the BSOD in your example?
>
>> An advantage of placing an affected drive in a surrogate PC
>> is that if there is a RootKit
>
> In my case, it seems that the malware in question was preventing me from
> (re)installing and running NAV (and even the task manager) but not
> MBAM. We know that it's fairly common for malware to have an in-built
> list of file names and processes to interfere with and prevent proper
> operation.
>
> To your knowledge, is MBAM on such lists?

Some malware will kill us dead in our tracks, yes.

-- 
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk
From: David H. Lipman on 13 Dec 2009 20:16

From: "Toxic" <staring(a)my_hd.tv>

| On Sun, 13 Dec 2009 19:35:14 +0000, Dustin Cook wrote:

>> Some malware will kill us dead in our tracks, yes.

| Do you think the often repeated endorsements in this forum of MBAM
| place it in the category of squeaky wheel, thereby increasing the
| likelihood of it being targeted for crippling attacks?

Doubtful. More like the success of the software against the Rogues and TDSS.

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: FromTheRafters on 13 Dec 2009 20:49

"Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message news:Xns9CE094C33E07CHHI2948AJD832(a)69.16.185.247...

> Virus Guy <Virus(a)Guy.com> wrote in news:4B1A99E8.4680C0D4(a)Guy.com:
>
>> "David H. Lipman" wrote:
>>
>>> All anti malware scanners presume that they are installed on the
>>> OS that is affected.
>>
>> I fully understand that - although your "all" proviso leaves no doubt
>> about it, and so far nobody else has suggested that there is even one
>> scanner that can do what I'm asking about.
>>
>> But your statement does not answer the question:
>>
>>| Are hive structures either so proprietary or so complex to make
>>| that task impossible?
>>
>>> I mention the above because many presume placing an affected
>>> drive in a surrogate PC is one of the best ways to deal with
>>> removing malware that may be loaded at run-time. However, if
>>> you do, when you run the Anti malware software it will not
>>> correct the registry of the OS of the affected drive and may
>>> leave the OS of the affected drive impotent.
>>
>> Hence my question as to whether or not the "next frontier" of AM
>> (anti-malware) software would be to have the ability to scan and
>> correct the registry present on a slaved drive.
>>
>>> I am NOT saying placing an affected drive in a surrogate PC is
>>> not a good methodology. I am saying that it can have drawbacks
>>> and you must be prepared for them.
>>
>> Would it not be possible to run a system in safe mode and therefore
>> not experience the BSOD in your example?
>>
>>> An advantage of placing an affected drive in a surrogate PC
>>> is that if there is a RootKit
>>
>> In my case, it seems that the malware in question was preventing me
>> from (re)installing and running NAV (and even the task manager) but not
>> MBAM. We know that it's fairly common for malware to have an
>> in-built list of file names and processes to interfere with and
>> prevent proper operation.
>>
>> To your knowledge, is MBAM on such lists?
>
> Some malware will kill us dead in our tracks, yes.

Maybe in the future, antimalware will have to go polymorphic to hide from the malware - not much different on this side of the fence after all, eh? :o)
From: FromTheRafters on 13 Dec 2009 20:54

"Toxic" <staring(a)my_hd.tv> wrote in message news:pan.2009.12.14.00.57.29(a)cdc.gov...

> On Sun, 13 Dec 2009 19:35:14 +0000, Dustin Cook wrote:
>
>> Some malware will kill us dead in our tracks, yes.
>
> Do you think the often repeated endorsements in this forum of MBAM
> place it in the category of squeaky wheel, thereby increasing the
> likelihood of it being targeted for crippling attacks?

No, I suspect that it is the results that count. If my malware were discovered, I would investigate what program detected it and work to defeat that detection. There are probably writers right now compiling what programs would be best to attack with appkill routines.