AV Users cleansing computers - You are being ILLOGICAL

jimbo45

New member
Guru
Gold Member
VIP
Local time
2:27 AM
Messages
5,941
Location
Hafnarfjörður IS
Hi all
I read over and over again in this Forum that NO AV product is ever 100% effective - although one should of course use protection to make it much harder for your computer to get infected.

However people then conveniently forget THE OTHER SIDE OF THE COIN -- you can't ensure either that a Virus will be 100% removed using standard tools - since the AV software can't guarantee 100% protection, why should notification of 100% removal be any better?

IMO if you are unlucky enough to have a computer infection the ONLY PROPER and SAFE way to get rid of it is as follows.

1) Re-initialise ALL HDDs on that machine -- this means writing X'00's (binary zero) on EVERY SECTOR at least 4 times, including SECTOR 0 and the Master Boot Record (MBR).

2) Re-install your OS and applications from a KNOWN CLEAN SOURCE.

IMO No other method can be guaranteed as 100% safe.

With decent imaging software etc. your re-installation shouldn't take too long anyway. Re-initialising the disks is probably the lengthiest part of the process.

Note - if you restore a safe image only the data part of the disk is restored -- it's not a sector by sector restore -- that's why programs like Acronis etc. are FAST. That's also why I recommend initialising the WHOLE DISK before restoring.

Here is a link to some secure erase programs

Free Secure File / Disk Deletion Tools: Destructively delete or wipe data in files / hard disks (thefreecountry.com)


Note I am NOT saying DON'T use AV software -- what I am saying is that if you get a computer infection then the only 100% way to clean it is to secure erase everything and re-install from a SAFE copy.

I certainly would NEVER trust a computer again which had been infected and "cleansed" unless it was done following my method above.

Cheers
jimbo
Jim, I think a format is enough to cleanse the dirt under the "carpet", right? There's no need to deep delete... Anything that isn't recorded by the file system is considered free space, I don't think it'll do any harm...

zzz2496
You make some really good points Jimbo...that's pretty much the most effective way to do it. However, I wouldn't go as far as to say that it will work 100% of the time. There will always be that one little nasty virus that hangs on with everything it's got. If it's not out there yet, it will be.

Reminds me of the attached picture.
 

Attachments

  • Abstinence.jpg
Jim, I think a format is enough to cleanse the dirt under the "carpet", right? There's no need to deep delete... Anything that isn't recorded by the file system is considered free space, I don't think it'll do any harm...

zzz2496


Hi there

Deep delete is actually necessary, since some of the nastier worms etc. get into the "control" sectors of the disk, which aren't normally seen by the file system -- which is why they are hard to detect.

A Format is not sufficient -- all that does is clear out the DIRECTORY (or the Table of Contents) -- the data, and hence the Virus, is still on the HDD. It's relatively simple to recover data from a Disk that has been formatted -- even the old DOS UNFORMAT command was quite good in the past.


I'd recommend the deep format any day -- it's about the best you can do without buying new HDD's.

Hi Blackrose --- agree -- a picture is worth 1000's of words.

Cheers
jimbo
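As an added illustration of the format-versus-wipe distinction argued in the two posts above (example code, not from any poster in this thread): a small constructed disk image is "quick formatted" and then zero-wiped in several passes, and after each step the image is checked the way an undelete tool or a wipe verifier would. The sector layout, the marker string and the file name are all constructed for the demo.

```python
"""Simulate "quick format" versus a full zero-wipe on a constructed disk
image, then verify the result by reading raw sectors.

All sizes, offsets and the payload marker are made up for the demo.
"""
import os
import tempfile

SECTOR = 512
SECTORS = 2048                     # 1 MiB image standing in for a whole drive
PART_START = 64                    # first sector of the (single) partition
META_SECTORS = 64                  # filesystem metadata ("directory") area
MARKER = b"CONSTRUCTED-PAYLOAD-MARKER"
MARKER_SECTOR = 1500               # data sector well past the metadata area


def make_image(path: str) -> None:
    """Write a pseudo-random image with an MBR signature and a marker."""
    data = bytearray(os.urandom(SECTOR * SECTORS))
    data[510:512] = b"\x55\xaa"                    # MBR boot signature
    off = MARKER_SECTOR * SECTOR
    data[off:off + len(MARKER)] = MARKER           # stands in for hidden data
    with open(path, "wb") as f:
        f.write(data)


def quick_format(path: str) -> None:
    """Zero only the filesystem metadata area of the partition.

    This mirrors what a quick format does: the directory/MFT region is
    reset, but sector 0 and the data sectors are left untouched.
    """
    with open(path, "r+b") as f:
        f.seek(PART_START * SECTOR)
        f.write(bytes(META_SECTORS * SECTOR))


def full_wipe(path: str, passes: int = 4) -> None:
    """Overwrite every sector, sector 0 included, `passes` times with zeros."""
    zero_sector = bytes(SECTOR)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            for _ in range(SECTORS):
                f.write(zero_sector)
            f.flush()
            os.fsync(f.fileno())


def marker_present(path: str) -> bool:
    """Stand-in for an undelete/carving tool: search raw sectors, not files."""
    with open(path, "rb") as f:
        return MARKER in f.read()


def mbr_signature(path: str) -> bytes:
    """Return the two signature bytes at the end of sector 0."""
    with open(path, "rb") as f:
        f.seek(510)
        return f.read(2)


def nonzero_sectors(path: str) -> list:
    """Return indices of sectors that still hold any non-zero byte."""
    dirty = []
    with open(path, "rb") as f:
        for i in range(SECTORS):
            if any(f.read(SECTOR)):
                dirty.append(i)
    return dirty


def demo() -> dict:
    """Run format then wipe on a fresh image and report what each leaves behind."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "wipe-demo.img")
    make_image(path)
    quick_format(path)
    after_format = (marker_present(path), mbr_signature(path))
    full_wipe(path, passes=4)
    after_wipe = (marker_present(path), mbr_signature(path), nonzero_sectors(path))
    os.remove(path)
    os.rmdir(workdir)
    return {"after_format": after_format, "after_wipe": after_wipe}


if __name__ == "__main__":
    print(demo())
```

The same raw-sector checks apply to a real block device opened read-only after a wipe; an overwrite only reaches the addressable sectors, so firmware-managed areas of a drive are outside what this verifies.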
I understand the deal about deleting things not entirely deleting the data off the disk (thus undelete products work). But I mean, the virus/malware is there, there's no doubt about it... but if it's not registered by the FS, the OS can't execute it, right? I mean, our Operating System can only see files that are indexed by the file system; if it's recorded/indexed by the fs, the OS can execute it, be it a virus, a malware, a word processor, anything. It's the same concept as memory pointers and heap memory.

Btw, what do you mean by "control" sectors? The file system in Windows literally is the MFT file (and its accompanying files). A binary file that can hide itself from the OS yet can still run itself, you mean a rootkit? Rootkits are wiped off the disk when you format it. Most rootkits will load themselves at OS start, loading themselves into memory, or at least the "start-up" part into memory, and that small program will read the disk by LBA address to load the "main program". I know, I tried that once in my test system (a VM). If I load the VM disk and have a program analyze the content, the rootkit is still there, yet when I reinstall the OS, the rootkit doesn't "reload" itself... Deep delete is a bit over the top IMHO...

zzz2496
Hi there
Don't forget that ANY hardware can be controlled by TWO different mechanisms -

1) Via the OS API - for example say you want to write to File X then the OS itself will perform the actual call to The I/O device either via a BIOS call or via a kernel module. This is how programs SHOULD be written -- go via the OS interface.

2) Particularly Gaming and Video -- programs often make DIRECT CALLS to the HARDWARE itself bypassing the BIOS calls etc and not dependent on the underlying file system - this is often done where very high speed and throughput are needed.

Anybody with a slight nous of Intel (or AMD) assembler / machine language can do a READ SECTOR disk read -- probably can be done in C++ too -- although I'm not a C++ programmer.

Now if we take a DISK there's a large buffer area built in to each HDD that isn't directly accessible by the file system in the OS. A rogue program only needs to initiate a direct call to the DISK and you can do anything.

Just consider how your OS Bootstrap works

When you press the START key on the computer (or power on switch) the BIOS is set to read and execute ONE instruction located at a specific address (Bootstrap1).

This tells the computer to now read sector XXXX of the disk into memory and start executing the block of code read in. (Bootstrap 2)

This block of code now loads the rest of the OS and Windows can start. -- It's not so simple but you should get the idea -- this code is executed WITHOUT any underlying file system or OS.

If this has been tampered with neither Windows nor your AV program will know anything about it until it's TOO LATE.

There's all sorts of pieces a computer has where rogue code can get executed without the OS knowing anything about it until it's too late.

Whether wiping Disks is over the top or not -- I'd rather take the extra time on KNOWING I have a reliable computer before doing any BANKING or similar transactions on it.

I wouldn't EVER trust a "merely cleaned" computer with any secure data -- OK YMMV but time is easily regained -- it's not so simple to regain your cash if it's been whizzed off into cyberspace.

Better safe than sorry -- and if getting infected is a regular occurrence then perhaps one should look at what they are really doing on their machines.


Cheers
jimbo
I see. Here's the thing, an OS kernel is running in "Ring 0" in the system security hierarchy. Everything that goes to any hardware must go through the kernel. For a kernel to be able to understand what the hardware under its governance is, it uses "device drivers". That is the kernel's interface to the lower layers (hardware). The kernel also has interfaces to the upper layers: the OS API (DirectX, Storage APIs, File management, etc.), the user space itself, user space utilities, and many others. As you said, a device that needs high throughput/low latency data transfers usually bypasses the OS's API and uses its own custom interface directly to the kernel itself, most of the time interfacing directly to the device drivers.

For a rootkit to be able to hide itself from "Windows" is practically easy business, because Windows has many user space processes that interface directly to the kernel. Display drivers are one bad example, the user space driver installer is another one... A user space process can directly access the graphics driver to do something. From a performance point of view, this is GREAT, the result is MANY GAMES thrived in Windows because developers can tap directly into the device driver from a user space initiated process. *nix like OSes can't, because the kernel is isolated from the user space view, thus it's harder to hide a rootkit in *nix. Not that it's impossible, it's possible, but MUCH HARDER.

Back to the high performance business: games can call the device drivers directly, but the app can't use hardware directly, everything must go through the OS's kernel, which contains the device driver. Let's say you want to tell the disk to do a write, 4KB data, write to storage LBA 11566. This can't be done if the kernel doesn't have a device driver that enumerates and reports that there's a disk at X point that has 1589787667 LBA addresses (just an example).

All this is the fault of the 32bit transition and the lack of technology that can replace BIOS. Back then in the DOS days, you didn't need a device driver, everything was handled by BIOS. If you needed to access a sound card, you made a request to IRQ 7, DMA channel 5, and just went ahead, put your instructions into the stream, that's your sound card right there. Everything is controlled by BIOS. These days, hardware has become much more complicated and a PC can contain A LOT MORE compared to back in the DOS days, it needs an abstraction layer. BIOS is 20+ years of legacy, it has a limited capacity of devices it can enumerate, it has limited address space to enumerate (BIOS is mostly 16 bit software, written in Assembler language). BIOS can't enumerate a hard disk of more than 504MB capacity, it needs an abstraction layer to be able to access more. It's called Logical Block Address table, or LBA. Why do we have LBA? Because BIOS is too stupid to understand...

As for cache in hard disks, that small speedy memory is not accessible at all, it's controlled by the hard disk's firmware. For the boot up process, you are right, there is a special place in the hard disk's layout, it's called MBR, or INT 13 in BIOS lingo. It's a special place in the first few sectors of a sector-based storage system that contains bootstrap instructions. This is most of the time the OS's main kernel image (in Windows, it's NTKRNL.EXE, in Linux, it's vmlinuz.bin). Once the kernel is loaded, it will start its initialization process, loading modules and device drivers. Once everything is loaded, it will start re-enumerating everything, from hardware components to filesystems connected to the computer. Once everything is done, it will start the user space processes, the user profile manager is called, wininit, etc. I understand the process (I've tried compiling my own Linux kernel with my device drivers compiled into the kernel itself and watched the kernel load up back in the day, it's amazing).

Now, this little bootloader can be overwritten by a virus (it could, back in the DOS days) to load a modified version of the OS kernel image. In DOS this is doable because MSDOS.SYS is so small and very simple, you can hack away and nothing will go wrong (remember, every device is controlled directly by BIOS). But these days, no one can modify the kernel image and hope that the computer will keep on working... A 32bit kernel is one intricate piece of software, one false instruction - everything will stop working, not even a BSOD is generated. Most of the time, rootkits will install a small part of themselves directly into the kernel, just like a device driver (but not a device driver). Windows's OS API works on the upper layers of the system hierarchy, it can't know what is in the kernel itself, thus the "invisibility". You can't use the OS API to scan the disk and find the rootkit, because it can only read what the storage driver reports, and the rootkit can manipulate that output, let's say if it reads LBA 1156, always report that that LBA is occupied by a system file so that the AV alarm is not triggered.
There's all sorts of pieces a computer has where rogue code can get executed without the OS knowing anything about it until it's too late.
True, but first it has to make a "reservation" in the kernel to do its work, a cleanly formatted system doesn't have such a "reservation". Disk wiping is over the top IMHO. If you want to destroy traces of important information hidden in your disks, a deep delete is the only way, because the forensics people will do EVERYTHING to get ANYTHING back off any disk they get their hands on, this is a human working with the objective of getting something by ANY MEANS, you need a deep delete to hide/destroy anything. A rootkit is not human, it's not programmed to do the same as those forensics experts to find its code buried deep in your disk, it's not that smart... But deep delete is safer from a security standpoint, although I'd still say it's not needed. A deleted record is considered non-existent by the system. You need special software that can read data streams and understand a file layout (file header, file content, eof marker, etc), then reports back to the user that it found a file header at LBA xyz, sized 1564366 bytes, probably named "something.doc", then it'll probably ask you a "do you want to restore it?"-kind of question... And you push the "OK" button...

From a systemic standpoint, it's not necessary to do a deep delete to wipe a virus/malware/rootkit infection. You just need to make sure that ANY DATA that's being put back doesn't have the "dangerous payload", and make sure that any other computers on the network are also clean from this virus/malware/rootkit infection... But then again, it's your computer, if you want to deep delete - that's your decision, it's not necessary, but still your call :)

zzz2496

PS. There are 2 kinds of OS kernel, a Macro Kernel and a Micro kernel. A Macro kernel is a kernel that has device drivers compiled into itself. A Macro kernel is large, has very limited flexibility on adding more hardware (adding hardware = recompiling the kernel), but is VERY FAST and VERY EFFICIENT. A Micro kernel is a very small, modular kernel that has interfaces for device drivers to "attach" to. Windows and modern Linux use a Micro kernel. Old UNIX used a Macro kernel.
Hi there
Nicely written and a good read -- BUT and here's the But -- until the kernel is properly loaded and running there isn't a "Ring 0" to start with.

The 2nd part of the bootstrap is just loading a CHUNK OF CODE from a Disk sector pointed to from the initial 1st part of the bootstrap into memory and then starts executing the loaded code at the memory address the code was loaded in to.

Until the device drivers and Kernel have been fully loaded and initialised there isn't ANY Kernel protection -- it's just code being executed.

Now this code can do ANYTHING it likes at ANY privilege level it wants so it's very difficult if not impossible for the OS to ascertain whether anything untoward has been loaded or even executed before the kernel is fully operational.

For example the code could alter files on your disk so it would infect applications that the OS won't know anything about etc etc.

Remember at this point the "Bootstrap" has access to all physical sectors on every disk so it's only a matter of reading and patching the disk sectors -- you would need to understand something about the "File system" to do this -- but this isn't exactly Programming 101 stuff.

It's not a trivial matter to design these types of programs but they DO exist.

If people think deep erasing a disk is over the top that's just fine -- but since I can restore an entire W7 image within 10 Mins after wiping a disk then I'm quite happy to fully wipe an infected disk before even THINKING of using it again.

Anyway I enjoyed the discussion.

(Although we've drifted a bit - the essence of the discussion was that if no Virus detection program is 100% accurate then no Virus eradicator program is 100% accurate or complete either).

Cheers
jimbo
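To make the bootstrap point from jimbo's two posts above concrete from the defender's side (added example, not code from any poster here): sector 0 is read as raw bytes outside the running OS, its partition table is decoded, and the boot-code region is hashed against a baseline recorded when the machine was known clean, which is how a tampered pre-OS bootstrap can be spotted without trusting the OS that it loads. The MBR bytes, the partition values and the baseline are constructed for the demo; the layout itself is the standard MBR layout.

```python
"""Parse sector 0 (the MBR) of a disk image offline and compare its
boot-code area against a known-good baseline digest.

Layout used: 446 bytes of boot code, four 16-byte partition entries,
then the 0x55AA signature at offset 510. All values here are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass

BOOT_CODE_LEN = 446
ENTRY_LEN = 16
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, count
SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def build_demo_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR with one bootable NTFS-type (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    table = entry + bytes(ENTRY_LEN * 3)       # three unused slots
    return code + table + SIGNATURE


def parse_mbr(sector0: bytes):
    """Return (boot code, partition entries); raise if sector 0 is not an MBR."""
    if len(sector0) != 512 or sector0[510:512] != SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        status, _chs_s, type_id, _chs_e, lba, count = struct.unpack(
            ENTRY_FMT, sector0[off:off + ENTRY_LEN])
        if type_id != 0:                       # type 0x00 marks an unused slot
            entries.append(PartitionEntry(status == 0x80, type_id, lba, count))
    return sector0[:BOOT_CODE_LEN], entries


def boot_code_digest(sector0: bytes) -> str:
    """SHA-256 of the boot-code area only; partition-table edits leave it unchanged."""
    return hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest()


def check_against_baseline(sector0: bytes, baseline_digest: str) -> bool:
    """True when the pre-OS boot code matches the digest recorded while the
    machine was known clean. Meant to be run from a trusted boot medium,
    reading the device directly, not from the OS being checked."""
    return boot_code_digest(sector0) == baseline_digest


def demo() -> dict:
    """Baseline a clean MBR, then patch one boot-code byte and re-check."""
    clean = build_demo_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed placeholder bytes
    baseline = boot_code_digest(clean)                 # recorded when known clean
    _code, parts = parse_mbr(clean)
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF                             # one altered boot-code byte
    tampered = bytes(tampered)
    _code2, tampered_parts = parse_mbr(tampered)      # table still parses identically
    return {
        "partitions": parts,
        "tampered_partitions": tampered_parts,
        "clean_ok": check_against_baseline(clean, baseline),
        "tampered_ok": check_against_baseline(tampered, baseline),
    }


if __name__ == "__main__":
    print(demo())
```

The partition table of the patched sector parses exactly as before, which is the point: a tool that only lists partitions sees nothing wrong, while the boot-code digest does.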
I've always assumed a rewrite of a partition from an Image was good enough ..
But now you have me concerned.
Is there anyway to clean just one partition on a Hard Drive ??
Another thing to consider is now that most people have home networks, the only really safe way to be sure is to do this to every machine on the network. At work we still have a virus pop up every once in a while that is stored in someone's email or file server, and it's that MonkeyB virus from 10 years ago, keeps bouncing around the network, always gets caught by AV, but still the point remains.
I have a neighbor who is a security Guru ..
(used to be his job in a room that could self destruct)

I'm going to ask him about this ...
The problem will be that I can only understand about 1% of what he tells me.

One day, I watched his Laptop hack into a typically secured wireless network in under 3 minutes.
Luckily .. He can be trusted :D

He said the only really secure network was a Sneaker Net .. (think tennis shoe)

Anyway ..
He was telling me that the next problem will be rootkits that can embed themselves into the BIOS.
I hope Y'all aren't paranoid.
So, if I get infected, I will have to write 0/1's on all 14 of my hard drives?
Hi jim,

Very true, before the kernel is properly loaded, there is no "Ring 0". Here's the thing, you forgot about "Real mode" and the "handing off" process to "Protected mode". BIOS works in "Real mode", it can only access the first 504MB of ANY disk. Any virus/whatever can't load BEFORE the kernel loads. It simply can't access the disk. Before moving to "Protected mode", the disk is just a jumble of nonsense (if it can access it - it can't), not to mention - you need a "kernel" that at least has the proper device driver that understands the LBA structure before continuing the "wreak havoc" process. LBA = logical block address table, it's a "translation table" for BIOS so that it can roughly estimate the disk's size.
Remember at this point the "Bootstrap" has access to all physical sectors on every disk so it's only a matter of reading and patching the disk sectors -- you would need to understand something about the "File system" to do this -- but this isn't exactly Programming 101 stuff.
No, the bootstrap can't access everything at this time - it only has access to the MBR. When BIOS is still in charge, the whole system is running in 16 bit "Real mode", a very limited runtime mode, it's like back in the DOS days. It can only read the first 504MB of disk space. Once it moves to at least 16 bit "Protected mode" and loads the proper drivers, then it gets more disk space to access.

And yes, there is no 100% virus protection (yeah, we drifted a bit. Sorry...). In my book, it's too much to do a deep delete just to cleanse an infected machine, the logic just isn't there IMHO.

Btw, I really enjoy this discussion very much, it's fun to have a friend to pick brains with :D

zzz2496
So, if I get infected, I will have to write 0/1's on all 14 of my hard drives?
Zepher, writing 0's all over means destroying EVERYTHING you have... I do hope you understand that part... :o

zzz2496