#1
So you think your Hard drive is CLEAN
Hi all
Whilst not W7 specific per se this is really important if you think you've found a Virus and are just using the "Infection Processes" supplied by your AV software.
Even a FORMAT of a hard disk doesn't erase or make old data inaccessible.
Read this
BBC NEWS | Wales | Missile data found on hard drives
This effectively means a Virus could conceivably "resurrect" itself or "be resurrected" again after being "Cleansed"
(a sub virus ?? could look for the "deleted nasties" and re-activate them).
The normal "Delete" function in an OS just deletes the directory area but doesn't actually delete the DATA itself. This is only deleted or "Overwritten" when the OS decides to re-use that specific area of a disk - which for large TB drives these days could be a long long time into the future.
Most FREE AV software doesn't actually go into the sectors of the infected areas and retrieve the actual physical disk addresses to delete the data. You need to actually make some BIOS calls to "Physically address disk sectors" for data re-writing etc.
Intercepting BIOS calls will show if your AV software works intelligently or whether it just does basic first level "Windows Deletes".
Now Windows itself, if its security is working properly, shouldn't allow programs to make BIOS calls directly -- should be done via the API -- so you've got another potential problem here -- your AV program will be blocked by Windows itself from effectively cleansing the disk by directly calling the BIOS. So if the Virus has attacked the Windows API for Disk I/O you are up that proverbial street without the proverbial.
Until new data is physically re-written in the same actual disk addresses then the old data is actually "recoverable".
I've used a data recovery program like this to recover some pictures I had accidentally deleted after a photo shoot. I had actually even re-formatted the disk but was able to recover the pics.
Whilst "Binning" the disk is not a practical solution for most users you CAN protect against this type of scenario by using utilities which do a "Secure Erase".
These work by writing Binary Zeros on every data area of the disk maybe several times (in "Paranoid level"). They can also clear the MBR.
These still aren't 100% effective but for all practical purposes where you don't have access to Military grade equipment they will be MORE than sufficient to cleanse your disk.
Here's a decent FREE one from the University of San Diego.
CMRR - Secure Erase
Cheers
jimbo
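The delete-versus-erase point in the post above, shown as an added example that is not part of jimbo's post or of any real filesystem or erase tool: a toy block device in Python with a directory table and data blocks. An ordinary delete only drops the directory entry, a quick format only clears the directory, and a carving scan over the raw blocks still finds the "deleted" bytes; only overwriting the blocks (per-file before release, or a free-space wipe over everything unallocated) makes the carve come back empty. The disk image, file names and contents are all constructed in the script; nothing touches a real drive.

```python
"""Toy block device: why "delete" and "format" are not "erase".

Added example, not from the forum post. Everything here is simulated in
memory; the directory, the free list and the file contents are constructed.
"""
import os

BLOCK_SIZE = 16
NUM_BLOCKS = 32


class ToyDisk:
    """Flat array of fixed-size blocks plus a directory (name -> block list)."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.free = list(range(NUM_BLOCKS))   # blocks not owned by any file
        self.directory = {}                   # the "directory area" of the post

    def _block(self, idx):
        return slice(idx * BLOCK_SIZE, (idx + 1) * BLOCK_SIZE)

    def write_file(self, name, data):
        """Allocate blocks from the free list and copy the data in."""
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[self._block(b)] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = used

    def delete(self, name):
        """Ordinary delete: remove the directory entry and mark the blocks
        free. The bytes themselves are left untouched."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        """Quick format: wipe the directory, reset the free list, keep the data."""
        self.directory = {}
        self.free = list(range(NUM_BLOCKS))

    def secure_delete(self, name, passes=3):
        """Overwrite the file's blocks (random passes, then zeros) before
        releasing them, so nothing is left for a carving tool to find."""
        blocks = self.directory[name]
        for _ in range(passes - 1):
            for b in blocks:
                self.blocks[self._block(b)] = os.urandom(BLOCK_SIZE)
        for b in blocks:
            self.blocks[self._block(b)] = bytes(BLOCK_SIZE)
        self.delete(name)

    def wipe_free_space(self):
        """Secure-erase style pass: zero every block not owned by a file."""
        for b in self.free:
            self.blocks[self._block(b)] = bytes(BLOCK_SIZE)

    def carve(self, marker):
        """What a recovery tool does: ignore the directory and scan raw
        blocks for a known signature. Returns the block indexes that match."""
        return [i for i in range(NUM_BLOCKS) if marker in self.blocks[self._block(i)]]


def demo():
    """Walk through delete, free-space wipe, secure delete and quick format.
    Returns, for each step, the list of blocks a carver still finds."""
    disk = ToyDisk()
    marker = b"SECRET"

    disk.write_file("photo.jpg", b"SECRET photo data 1")
    disk.delete("photo.jpg")
    after_delete = disk.carve(marker)      # still found: only the entry went

    disk.wipe_free_space()
    after_wipe = disk.carve(marker)        # gone: free blocks were overwritten

    disk.write_file("notes.txt", b"SECRET notes")
    disk.secure_delete("notes.txt")
    after_secure = disk.carve(marker)      # gone: overwritten before release

    disk.write_file("backup.bin", b"SECRET again")
    disk.quick_format()
    after_format = disk.carve(marker)      # still found: format kept the data

    return {
        "after_delete": after_delete,
        "after_wipe": after_wipe,
        "after_secure_delete": after_secure,
        "after_quick_format": after_format,
    }


if __name__ == "__main__":
    for step, found in demo().items():
        print(f"{step:>20}: blocks still holding the marker = {found}")
```

The per-file `secure_delete` models what file-shredder utilities do and is the weaker of the two approaches: on an SSD, or on a journaling or copy-on-write filesystem, an in-place overwrite is not guaranteed to land on the same physical sectors as the original data, which is why a whole-device secure erase of the kind the post links to is the stronger tool when a drive really has to be clean.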