Full Disclosure mailing list archives

Re: antivirus and spyware scanning


From: Kevin Ponds <kponds () gmail com>
Date: Tue, 15 Jun 2004 13:08:17 -0500

Logically speaking, all of a virus's kinetic countermeasures to
detection can be negated by scanning for the virus whilst the drive is
not mounted.

I think the original poster wanted to take more of a forensic approach
to virus removal; this way, the antivirus software cannot itself be
hijacked.

A good implementation would either download the definitions from the
internet right after the CD boots (this could be a problem because of
oddball NICs and linux drivers), or alternatively from a
floppy/USB-key.

The only problems that I see with it are that "at rest" detection
methodology does not work for certain viral stealth maneuvers, such as
polymorphic engines and (in the near future) cryptovirology*.
Run-time analysis is needed for viruses that obfuscate their stored
code.

*however, we have to get our users to stop downloading attachments and
to start patching before the virus writers have any incentive to be
innovative and use things like polymorphic engines and cryptovirology.


ponds 

On Tue, 15 Jun 2004 09:43:08 -0700 (PDT), Harlan Carvey
<keydet89 () yahoo com> wrote:

> > I think it is very useful to scan a windows machine
> > for viruses while having that machine booted to
> > linux.  This pretty much ensures that you will find
> > all the virii on that system.
>
> Not necessarily.  You'll have to update the virus
> signatures on your CD distribution prior to scanning,
> and that doesn't guarantee complete coverage, either.
>
> > Does anyone know of a spyware scanner that can also
> > work from within Linux?  I dislike the idea of
> > having to boot to windows just to scan the box for
> > spyware.  One could argue that the hard drive could
> > be put into another machine and scanned there, but
> > what if you're in an environment where that is just
> > not possible (making housecalls, no unused machine,
> > etc)?
> >
> > Also, if you know of a better solution than this, I
> > am always interested.
>
> Better solution than what?  I'm not really clear on
> what you're trying to do...you seem to have Windows
> machines that you're interested in scanning for
> viruses and spyware...why not simply use Windows apps?
> That way, you wouldn't have to boot to another os, or
> remove the hard drive at all...
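The "at rest" versus run-time point made above, as an added example that is not part of this thread: a byte-signature scan over an offline directory tree (standing in for a drive mounted read-only from a boot CD) finds a plainly stored marker but misses the same marker once it is stored XOR-obfuscated, and only sees it again after the body is decoded the way a decode stub would at run time. The signature, the sample files and the XOR transform are all constructed for illustration.

```python
"""Offline (at-rest) signature scan vs. obfuscated stored code.

Added example, not from the thread. SIGNATURE and the sample files
are constructed for illustration; nothing here is real malware.
"""
import os
import tempfile

# Constructed signature: the byte pattern the scanner looks for.
SIGNATURE = b"CONSTRUCTED-MARKER-NOT-A-REAL-SIGNATURE"


def scan_tree(root, signatures):
    """Scan every regular file under ``root`` for raw byte signatures.
    Returns {path: [matched signature names]} for files that hit."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            matched = [n for n, sig in signatures.items() if sig in data]
            if matched:
                hits[path] = matched
    return hits


def xor_bytes(data, key):
    """Single-byte XOR standing in for a polymorphic engine's stored-code
    obfuscation; applying it again decodes (constructed, not real)."""
    return bytes(b ^ key for b in data)


def demo():
    """Build two sample files, scan them at rest, then decode the packed one."""
    sigs = {"constructed-marker": SIGNATURE}
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "plain.bin")
        packed = os.path.join(root, "packed.bin")
        with open(plain, "wb") as fh:
            fh.write(b"header" + SIGNATURE + b"trailer")
        with open(packed, "wb") as fh:
            fh.write(b"stub" + xor_bytes(SIGNATURE, 0x5A))  # 4-byte "stub"
        at_rest = scan_tree(root, sigs)
        # Run-time view: decode the body as the stub would before executing it.
        with open(packed, "rb") as fh:
            unpacked = xor_bytes(fh.read()[4:], 0x5A)
        return {
            "plain_detected": plain in at_rest,
            "packed_detected_at_rest": packed in at_rest,
            "packed_detected_after_unpacking": SIGNATURE in unpacked,
        }


if __name__ == "__main__":
    print(demo())
```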



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

