AV Users cleansing computers - You are being ILLOGICAL


  1. Posts : 1,040
    XP MCE .... XP Pro 64 .... W7 U x64
       #11

    I have a neighbor who is a security Guru ..
    (used to be his job in a room that could self destruct)

    I'm going to ask him about this ...
    The problem will be that I can only understand about 1% of what he tells me.

    One day, I watched his Laptop hack into a typically secured wireless network in under 3 minutes.
    Luckily .. He can be trusted

    He said the only really secure network was a Sneaker Net .. (think tennis shoe)

    Anyway ..
    He was telling me that the next problem will be rootkits that can embed themselves into the BIOS.
    I hope y'all aren't paranoid.


  2. Posts : 2,164
    Windows 7 Ultimate 64bit
       #12

    So, if I get infected, I will have to write 0/1's on all 14 of my hard drives?


  3. Posts : 1,325
    Windows7 Ultimate 64bit
       #13

    jimbo45 said:
    Hi there
    Nicely written and a good read -- BUT and here's the But -- until the kernel is properly loaded and running there isn't a "Ring 0" to start with.

    The 2nd part of the bootstrap is just loading a CHUNK OF CODE from a disk sector pointed to from the initial 1st part of the bootstrap into memory and then starts executing the loaded code at the memory address the code was loaded in to.

    Until the device drivers and Kernel have been fully loaded and initialised there isn't ANY Kernel protection -- it's just code being executed.

    Now this code can do ANYTHING it likes at ANY privilege level it wants so it's very difficult if not impossible for the OS to ascertain whether anything untoward has been loaded or even executed before the kernel is fully operational.

    For example the code could alter files on your disk so it would infect applications that the OS won't know anything about etc etc.

    Remember at this point the "Bootstrap" has access to all physical sectors on every disk so it's only a matter of reading and patching the disk sectors-- you would need to understand something about the "File system" to do this -- but this isn't exactly Programming 101 stuff.

    It's not a trivial matter to design these types of programs but they DO exist.

    If people think deep erasing a disk is over the top that's just fine -- but since I can restore an entire W7 image within 10 Mins after wiping a disk then I'm quite happy to fully wipe an infected disk before even THINKING of using it again.

    Anyway I enjoyed the discussion.

    (Although we've drifted a bit - the essence of the discussion was that if no virus detection program is 100% accurate then no virus eradicator program is 100% accurate or complete either).

    Cheers
    jimbo
    Hi jim,

    Very true, before the kernel is properly loaded, there is no "Ring 0". Here's the thing: you forgot about "Real mode" and the "handing off" process to "Protected mode". BIOS works in "Real mode"; it can only access the first 504MB of ANY disk. Any virus/whatever can't load BEFORE the kernel loads. It simply can't access the disk. Before moving to "Protected mode", the disk is just a jumble of nonsense (if it can access it - it can't), not to mention you need a "kernel" that at least has the proper device driver that understands the LBA structure before continuing the "wreak havoc" process. LBA = logical block address table; it's a "translation table" for the BIOS so that it can roughly estimate the disk's size.
    Remember at this point the "Bootstrap" has access to all physical sectors on every disk so it's only a matter of reading and patching the disk sectors-- you would need to understand something about the "File system" to do this -- but this isn't exactly Programming 101 stuff.
    No, the bootstrap can't access everything at this time - it only has access to the MBR. When the BIOS is still in charge, the whole system is running in 16-bit "Real mode", a very limited runtime mode; it's like back in the DOS days. It can only read the first 504MB of disk space. Once it moves to at least 16-bit "Protected mode" and loads the proper drivers, then it has more disk space to access.

    And yes, there is no 100% virus protection (yeah, we drifted a bit. Sorry...). In my book, it's too much to do a deep delete just to cleanse an infected machine; the logic just isn't there IMHO.

    Btw, I really enjoy this discussion very much; it's fun to have a friend to pick brains with.

    zzz2496
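The bootstrap chain the two posts above disagree about (stage-1 code in the MBR locating the sector it loads next, and whether that sector can be checked for tampering) can be followed in code. The example below is added here and is not code from either poster or from this forum; it parses a 512-byte MBR the way stage-1 does: it checks the 0x55AA signature, finds the single active partition entry, reports the 32-bit LBA field that names where the next stage is read from, and hashes the 440 boot-code bytes so the sector can be compared with a baseline taken from a known-clean machine, which is the check a practitioner would run before deciding whether a full wipe is warranted. The sample sector bytes are constructed (filler boot code, one NTFS entry at LBA 2048) and are not a real Windows MBR; the `mbr_*` function names, the `mbr_status` codes and the disk size of 4194304 sectors are this example's own assumptions.

```c
/* Parse and sanity-check a 512-byte MBR; added example, not forum code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE      512
#define MBR_BOOTCODE  440   /* bytes 0..439 hold the stage-1 boot code   */
#define MBR_PTABLE    446   /* four 16-byte partition entries start here */
#define MBR_SIG       510   /* 0x55 0xAA boot signature                  */

enum mbr_status {
    MBR_OK = 0,
    MBR_NO_SIGNATURE,       /* BIOS would not jump to this sector at all */
    MBR_NO_ACTIVE,          /* no entry flagged bootable                 */
    MBR_MULTI_ACTIVE,       /* more than one 0x80 entry                  */
    MBR_BAD_STATUS,         /* status byte other than 0x00 / 0x80        */
    MBR_START_OUT_OF_RANGE  /* active entry starts at 0 or past the disk */
};

typedef struct {
    uint8_t  status;     /* 0x80 = active, 0x00 = inactive              */
    uint8_t  type;       /* partition type id, e.g. 0x07 = NTFS         */
    uint32_t lba_start;  /* first sector of the partition (32-bit LBA)  */
    uint32_t sectors;    /* partition length in sectors                 */
} mbr_part;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

void mbr_parse_entry(const uint8_t *mbr, int idx, mbr_part *out)
{
    const uint8_t *e = mbr + MBR_PTABLE + idx * 16;
    out->status    = e[0];
    out->type      = e[4];
    out->lba_start = rd_le32(e + 8);   /* the field stage-1 reads next */
    out->sectors   = rd_le32(e + 12);
}

/* Index (0..3) of the single active entry, or a negated mbr_status code. */
int mbr_active_index(const uint8_t *mbr)
{
    int found = -1;
    for (int i = 0; i < 4; i++) {
        uint8_t s = mbr[MBR_PTABLE + i * 16];
        if (s == 0x80) {
            if (found >= 0) return -MBR_MULTI_ACTIVE;
            found = i;
        } else if (s != 0x00) {
            return -MBR_BAD_STATUS;
        }
    }
    return found < 0 ? -MBR_NO_ACTIVE : found;
}

/* Validate the sector and report the LBA the next stage is loaded from.
 * disk_sectors comes from the OS, never from the sector being checked.  */
enum mbr_status mbr_check(const uint8_t *mbr, uint64_t disk_sectors, uint32_t *next_lba)
{
    if (mbr[MBR_SIG] != 0x55 || mbr[MBR_SIG + 1] != 0xAA) return MBR_NO_SIGNATURE;
    int idx = mbr_active_index(mbr);
    if (idx < 0) return (enum mbr_status)(-idx);
    mbr_part p;
    mbr_parse_entry(mbr, idx, &p);
    if (p.lba_start == 0 || p.lba_start >= disk_sectors) return MBR_START_OUT_OF_RANGE;
    if (next_lba) *next_lba = p.lba_start;
    return MBR_OK;
}

/* FNV-1a 64 over the boot-code bytes; compare with a known-clean baseline. */
uint64_t mbr_bootcode_hash(const uint8_t *mbr)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < MBR_BOOTCODE; i++) { h ^= mbr[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed sample: filler boot code, one NTFS entry at LBA 2048. */
const uint8_t *sample_mbr(void)
{
    static uint8_t buf[MBR_SIZE];
    memset(buf, 0, sizeof buf);
    for (int i = 0; i < MBR_BOOTCODE; i++) buf[i] = (uint8_t)(0x90 + (i % 7));
    uint8_t *e = buf + MBR_PTABLE;
    e[0] = 0x80;                   /* active                    */
    e[4] = 0x07;                   /* NTFS                      */
    wr_le32(e + 8, 2048);          /* starts 1 MiB into the disk */
    wr_le32(e + 12, 0x00200000);   /* 1 GiB in 512-byte sectors */
    buf[MBR_SIG] = 0x55; buf[MBR_SIG + 1] = 0xAA;
    return buf;
}

/* Same sector with one boot-code byte patched and the table left intact:
 * what a boot-sector modification looks like at the sector level.      */
const uint8_t *tampered_mbr(void)
{
    static uint8_t buf[MBR_SIZE];
    memcpy(buf, sample_mbr(), MBR_SIZE);
    buf[0x10] ^= 0xff;
    return buf;
}

int main(void)
{
    uint64_t baseline = mbr_bootcode_hash(sample_mbr());
    uint32_t lba = 0;
    enum mbr_status st = mbr_check(tampered_mbr(), 4194304ULL, &lba);
    printf("check=%d next_stage_lba=%u boot code %s baseline\n", st, lba,
           mbr_bootcode_hash(tampered_mbr()) == baseline ? "matches" : "DIFFERS from");
    return 0;
}
```

The point the tampered copy makes is that the partition table and signature stay valid, so a check that only parses the table passes; only the hash of the boot-code bytes against a baseline shows that the sector was rewritten. On a live Linux host the real sector can be captured with `dd if=/dev/sda bs=512 count=1` and fed to the same functions, with the disk size taken from the OS rather than from the sector itself.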


  4. Posts : 1,325
    Windows7 Ultimate 64bit
       #14

    Zepher said:
    So, if I get infected, I will have to write 0/1's on all 14 of my hard drives?
    Zepher, writing 0's all over means destroying EVERYTHING you have... I do hope you understand that part...

    zzz2496


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd