Educause Security Discussion mailing list archives

Re: viruses that have been cleaned or quarantined


From: "Belford, Jason C. (jcb3zr)" <jason.belford () VIRGINIA EDU>
Date: Thu, 22 Jun 2017 00:04:36 +0000

Sounds like we are revisiting this 2013 ShmooCon presentation (still relevant):

https://www.youtube.com/watch?v=lb1XDMbQOiM&ab_channel=Christiaan008

It shows where stuff can hide that cannot be detected that can later be used to re-infect the machine. Neither file hashes nor traditional AV are going to help you. Just wipe the drive!

--J

—
Jason C. Belford, CISSP
Chief Information Security Officer
E jason.belford () virginia edu
P 434.924.4165

University of Virginia
www.virginia.edu



On 6/21/17, 5:02 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Ken Connelly" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of ken.connelly () UNI EDU> wrote:

    On 6/21/17 3:52 PM, Kevin Wilcox wrote:
    > On 21 June 2017 at 15:50, Chelsie Power <cpower () csusm edu> wrote:
    >
    >> If your virus scanner has cleaned or quarantined a virus/malware/etc., do
    >> you do any additional scanning or followup on the endpoint? I know virus
    >> definitions, though up to date, may potentially just be catching a virus
    >> that has lived on the machine for several months and had only been recently
    >> identified. Do you trust that "cleaned" means it took care of any damage
    >> that had been done, if any?
    > Chelsie -
    >
    > I see no difference between AV and IDS. The idea that AV can "clean" a
    > system is one that I'd like to see eradicated.
    >
    > That's not to say that it's impossible - just that it takes known-good
    > cryptographic hash values for every file on the system, a trusted
    > off-system scanning agent and good alerting when something changes.
    > That's before having the same thing in place for registry hives, the
    > ability to detect/audit ADSs, etc.
    >
    > If AV alerts on anything, and I can't otherwise determine it's a false
    > positive, it's a re-image of the system. Again, AV alerts are treated
    > the same as IDS alerts. There are some exceptions where it's profile
    > removal/recreation but generally speaking that's insufficient for most
    > of our environment.
    >
    > One massive hole to that approach - we backup data, re-image and
    > restore. If something is hiding in one of the backed-up files, it
    > comes back on the newly-built system.
    >
    > It's certainly not perfect and needs some work but I've done too many
    > forensic examinations of systems to trust that AV can do anything
    > beyond alerting on 25% of the stuff that's out there.
    >
    > kmw

    25% is being overly kind and generous.  Otherwise, I'm with Kevin on
    this one.  "Cleaning" is not an option.  Wipe, reformat, and
    reinstall/reimage is the only way to go.  That might seem like overkill,
    but it saves time, headache, and gnashing of teeth in the long run.

    -ken

    --
    - Ken
    =================================================================
    Ken Connelly                       Director, Information Security
    Information Security Officer          University of Northern Iowa
    email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

    Any request to divulge your UNI password via e-mail is fraudulent!
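As an added illustration of the known-good hash baseline Kevin describes (this is example code written for this archive page, not anything posted by the thread's participants), the snippet below builds a SHA-256 manifest of a directory tree and diffs a later snapshot against it, reporting the added, removed and modified files an off-system agent would alert on. The directory layout and file contents are constructed inside the example; it does not cover registry hives or alternate data streams.

```python
"""Constructed example: known-good SHA-256 manifest and change detection."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Everything in this report is something to investigate, not to 'clean'."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate changes on the host."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "config.ini").write_text("debug=0\n")
        baseline = build_manifest(root)          # the trusted known-good state
        # Simulated drift: a new unknown file, an altered binary, a deleted config.
        (root / "bin" / "extra").write_bytes(b"constructed sample content")
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho changed\n")
        (root / "config.ini").unlink()
        return diff_manifests(baseline, build_manifest(root))
```

The same diff, run against a restore set before it is copied back onto a rebuilt machine, is one way to catch the backed-up-file re-infection hole Kevin points out.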


