Re: Recommend a good free anti-virus utility



cquirke (MVP Windows shell/user)
07-09-2005, 11:48 PM
On Thu, 26 May 2005 12:57:53 GMT, spam@spamcop.com (Bob) wrote:
>On Thu, 26 May 2005 11:00:48 +0200, "cquirke (MVP Windows shell/user)"

(extended to microsoft.public.security.virus as I wish those eyeballs
to see this discussion too, if that's OK with everyone)

>>>| Speaking of backup, I just installed an Enermax 352 RAID-1/Backup unit
>>>| with 2 drive bays. I am going to use it exclusively in the Backup mode.

Oops, I missed that second sentence :-)

>>>| The entire operation is done in H/W automatically - no boot to
>>>| DOS, no UNBOOTABLE DEVICE errors, no incremental nightmares, no
>>>| missing files not backed up. The entire disk is copied once every day
>>>| automatically

>>An extra 2 x HDs purely for backup is quite a hefty outlay, mind, so
>>this solution isn't for everyone.

>I can get the WD 80GB 8MBCache SE drive for $60.

HDs are prolly cheapest cost-per-Meg at those capacity levels, which
is why I have a pile of 200G floating around. S-ATA makes it easier
(and safer, at the hardware level) to swap them around, but right now
the OS doesn't have a clue - it still thinks every newly-discovered HD
is "part of the system" and starts drooling SR on it, etc.

>>The backup HD removable, I take it?

>Yes. The Enermax 352 has two removable trays. They are hot swappable
>too.

Nice.

>>>| I will backup each morning at 4:00 am, after I have scanned the disk
>>>| with eTrust at 3:15 (I have auto updates set for every hour).

>>Ah, there's a weak spot - relying on a provocative system scan from
>>within the infected installation. If you're actively infected, the av
>>failed, and is likely to continue to do so even if subsequently
>>updated (assumes the active malware allows it to update itself and to
>>run the scan). If the malware responds punitively, you'd have to fall
>>back a day. That's assuming you are not backing up over yesterday's
>>backup, which is in itself bad backup practice.

>Elsewhere I pointed out that I am going to keep one of the 3 disks as
>a disaster recovery archive. Each week I will rotate the 3 -disk set
>putting the boot disk on the shelf and moving the daily backup disk to
>boot position and moving the weekly backup disk to daily backup

Ah, that's nice - gives a bit of temporal depth. Assumes any
infection will come to light within 7 days, though... the other
approach is to retain cast-in-stone system backups made after
significant code changes, onto which a pure data backup is restored.

Once again, the need to scope out data from code arises, in both
directions, and MS OS design is only weakly dabbling with this (SR,
FAST). Without a hard data vs. code distinction, and an awareness
that incoming material should be handled with fire tongs, we can only
get so far with this approach.

As it is, your current backup philosophy relies on time as your scope.
Backup precedes the disaster, and an insidious disaster such as silent
malware ownership is hedged by throwing in a bigger time delta.
There's only so far that approach can take you.

A question to ask when planning backups is: What scenarios am I
hedging against? That determines how you scope.

>I will do that on Sunday when I have time to do other things like a
>complete AV scan, disk cleanup, CHKDSK, defrag, Registry clean

The order that you do things in will be important, i.e. I'd backup
before a "registry clean" myself.

You need better tools than ChkDsk too, and you don't have them unless
you are prepared to chuck out NTFS. Else you have a problem - should
you backup before ChkDsk "fixes" detectable damaged files into
undetectable damaged files, or after, or both?


If you do chuck out NTFS, and your HDs are < 137G, you can operate
from DOS Mode as a maintenance OS. That means you can do an
interactive Scandisk and base the decision on whether to backup pre-
or post-repair on what Scandisk finds, backing out if it is about to
do something stupid ("The C:\WINDOWS directory is invalid, and will be
repaired by truncating it at the first invalid entry" etc.).

That also means you can use one of a few full-breadth DOS-based
antivirus scanners to scan for malware while the infected system is
not running, and thus while the malware is unable to defend itself.


In NTFS, you'd use Bart's PE as your maintenance OS. You're still
stuck with ChkDsk, but at least you can run it without the /F ("F me,
I trust you!") parameter and believe the results; as the OS isn't
running from C:, you won't get spurious errors from files in use.

Then you'd have to find something approaching a full-breadth av
scanner. You might pay hundreds of dollars for a year of Avast on
Bart, or you'd have to settle for weak-breadth scanners such as McAfee
Stinger, Trend SysClean and similar killers of subsets of available
malware from Avast, AVG etc. Of these, SysClean is the broadest, but
it is slow, doesn't show results as it goes, and reporting is hell.


If it's NTFS and you have to do everything twice (ChkDsk to evaluate,
ChkDsk /F if safe; multiple partial-breadth av scans) then a single
day may not be enough clock time. If on FATxx, it's faster.

>I am of the belief that virus/trojan prevention depends on not letting
>anything in to begin with.

Sure, but "security in depth" means you never assume your defences
will hold up and plan what to do next when these fail. This clue is
still conspicuously absent in XP, where the assumption is that because
XP on NTFS is "so secure" and "so stable", that the need to regain
ownership from malware or recover data from a barfed file system will
never arise. If that were true, the only scenario you'd have to
backup against would be hardware (failure, destruction or theft).

>I have a NAT router plus Kerio firewall plus CA AV plus Ad-Aware
>plus 3 different Registry scanners. Not much is going to get in to
>my machine to begin with, and if something does sneak by me, I
>will find it - assuming these programs are any good.

Yes, there's a lot of optimism in there, and I'd expect those measures
to cut down the mean time between infection to once in X years, rather
than (worst-case, i.e. pre-SP2 XP duhfault install) 10 minutes to
Lovesan. But the mean thing about "mean time" is that it's
indeterminate; the average may be 5 years, but your particular
experiential sample may be two weeks.

The main optimism is that tools running from within the infected
installation can taxi off the runway and get airborne while active
malware sits up there in the clouds and allows this to happen.

The other optimism is that you won't get a new malware within the Day
Zero period, before mugshot-recognition scanners (av, AdAware etc.)
have got a sample, analysed it, ensured it's not a legitimate program,
created a detection for it, tested that, deployed it to their update
servers, and your system obtains and integrates the defence.

During Day Zero, no tools see the threat, and no-one has any clue as
to what is going on or what should be done to fix things. All you
have is core malware theory to fall back on, and if you get that
wrong, you can not only lose your "live" installation and data but
taint your backups too.

Day Zero is why I take this stuff seriously, because it can create an
unmanageable bulge in the demand for tech services that make it
impossible to maintain promised service levels (unless you have one
tech dedicated to each client site).

Day Zero can escalate rapidly - Sapphire (Slammer) went global in 10
minutes. That's a big-bang start; if defences take the nominal "day"
to chase after the galloping horse to lead it back to the stables,
it's going to be one hell of a day.

>>>| I rotate the 3-disk set every Sunday - the 3rd disk will go on the
>>>| shelf away from the computer. That way I am no worse off than a few
>>>| hours if something happens, and if the entire unit craps out, I am no
>>>| worse off than 1 week.

>>In addition to the above, I'd maintain a few generations of pure-data
>>backup via more conventional means, applying hygiene to maintain data
>>purity (no infectable code, no incoming material, no sealed-box .ZIP
>>etc.) to hedge against malware attack. A malware that goes active and
>>evades your av will pervade all your backups within a week.

>I am considering that. I have a standard removable bay that I can use
>a disk cloner to backup to. But that means I have to buy a 4th disk or
>use the 3rd disk for that instead of rotating it thru the Enermax 352.

What I do is the following:
- choose safe edge apps that don't run data as code
- choose safe edge apps that don't mix incoming code with data
- locate data, and only data, in a particular subtree off C:
- locate incoming material in a different subtree off C:
- create a 2am Task to archive data set to another HD volume
- that archive process retains the last 5 backups on FIFO basis
- create a read-only LAN share of the backup location
- create a 4am Task to pull most recent backups from these shares
- manually do the "last mile" of collated backups to writable disk

Reading the above makes it obvious there's no Outlook Express, much
less Outlook, in use. Outlook is the worst; not only is it dumb
enough to be exploitable from email "message text", and merges
incoming attachments with data you want to keep, it stores all of this
in a single unscannable .PST file and can be scripted to expose email
and address book data, automate malware transmission, etc.

Outlook is trying to be less easy to exploit in such ways, but the
same inherently dumb design remains. It takes more than 50 coats of
weatherproof paint over soggy cardboard to build a lighthouse.

>However, no matter what I do, I still have to create this long-term
>backup, and it is just as possible for it to become contaminated by
>the same reasoning applied to the weekly and daily backup.

Yep.

>That's why it is crucial to prevent malware to get on your system to
>begin with.

Sure, but that is a goal you can approach, but can never be sure you
have attained. Perhaps our perspectives differ; as a user, you'd do
what you can and call in tech assistance when things go wrong. My
perspective is from that of the tech you might call in, and with
current OS design, much of my cupboard is bare.

"NTFS? Sorry mate, you're ^&%$ed"

XP is simply not built with data recovery or the regaining of
ownership from malware in mind - no-one has thought that far.



>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -

Bob
07-09-2005, 11:48 PM
On Fri, 27 May 2005 09:18:35 +0200, "cquirke (MVP Windows shell/user)"
<cquirkenews@nospam.mvps.org> wrote:

>You need better tools than ChkDsk too, and you don't have them unless
>you are prepared to chuck out NTFS. Else you have a problem - should
>you backup before ChkDsk "fixes" detectable damaged files into
>undetectable damaged files, or after, or both?

I had a corrupt disk that would not make a hardware backup so I ran
CHKDSK on it. It claimed to fix some things including bad clusters in
the pagefile, etc. But it was still corrupt. Although I had an earlier
backup, I preferred to use the system on the corrupt disk. I ended up
making a clone disk with it using Acronis True Disk 8 - apparently the
cloning process cleaned up the corruption because the new clone worked
just fine.


>Then you'd have to find something approaching a full-breadth av
>scanner. You might pay hundreds of dollars for a year of Avast on
>Bart, or you'd have to settle for weak-breadth scanners such as McAfee
>Stinger, Trend SysClean and similar killers of subsets of available
>malware from Avast, AVG etc. Of these, SysClean is the broadest, but
>it is slow, doesn't show results as it goes, and reporting is hell.

Since I subscribe to RoadRunner cable service, I am using Computer
Associates eTrust AV. I have no way to know how effective it is other
than believe the recommendations of others.

>If it's NTFS and you have to do everything twice (ChkDsk to evaluate,
>ChkDsk /F if safe; multiple partial-breadth av scans) then a single
>day may not be enough clock time. If on FATxx, it's faster.

I am upgrading my removable hard disk bay from the old ATA66 unit I
bought years ago to a new ATA133 unit by Kingwin (KF-23). My son uses
one with his 250 GB HD and he has had no problems. He leaves the drive
in all the time and the SMART-reported temperature is 36C, which is
cool enough (WD claims an operating range of 5 - 55C). Once I get that
installed I can talk to the new faster drives in which case I will
make clones of the boot disk for long term storage. Right after I make
such a clone I will run NTBackup in incremental mode to clear all the
archive bits. Then I will run it every night in differential mode. I
will lay the backup off onto a small removable HD in the tray.

Therefore I have two backups - one in hardware and one in software.

>Yes, there's a lot of optimism in there, and I'd expect those measures
>to cut down the mean time between infection to once in X years, rather
>than (worst-case, i.e. pre-SP2 XP duhfault install) 10 minutes to
>Lovesan. But the mean thing about "mean time" is that it's
>indeterminate; the average may be 5 years, but your particular
>experiential sample may be two weeks.

I have never had a virus infection. I have had a couple adverts like
Aureate, but Kerio blocked them. I even have the official aureate
remover from the people who make aureate.

>The main optimism is that tools running from within the infected
>installation can taxi off the runway and get airborne while active
>malware sits up there in the clouds and allows this to happen.
Kerio monitors every application that attempts to set up a network
socket. If I haven't pre-approved, Kerio fusses.

>call in tech assistance when things go wrong.

I AM the tech assistance.

>XP is simply not built with data recovery or the regaining of
>ownership from malware in mind - no-one has thought that far.

I run Win2K.

--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

If you can read this, thank a teacher.
If you are reading it in English, thank an American soldier.

cquirke (MVP Windows shell/user)
07-09-2005, 11:48 PM
On Fri, 27 May 2005 10:43:21 GMT, spam@spamcop.com (Bob) wrote:
>On Fri, 27 May 2005 09:18:35 +0200, "cquirke"

>>You need better tools than ChkDsk too, and you don't have them unless
>>you are prepared to chuck out NTFS. Else you have a problem - should
>>you backup before ChkDsk "fixes" detectable damaged files into
>>undetectable damaged files, or after, or both?

>I had a corrupt disk that would not make a hardware backup so I ran
>CHKDSK on it. It claimed to fix some things including bad clusters in
>the pagefile, etc. But it was still corrupt.

Well, there's a case in point. Bad clusters = Bad HD, unless they are
the result of imaging a bad HD to a good one in such a way that the
bad cluster markers are carried over verbatim.

>I preferred to use the system on the corrupt disk. I ended up making
>a clone disk with it using Acronis True Disk 8 - apparently the cloning
>process cleaned up the corruption because the clone worked fine.

Well, it's like throwing blood clots up the arterial tree. If they
wind up in the middle of the thigh muscles, you'd prolly not notice.
If they wind up under the finger nails, you might think "that's odd"
and a meatware tech might say "sheeiit you better get that checked
out!". If they wind up killing off the cubic centimeter of brain that
keeps you breathing, you'll stop breathing.

I've done the same thing for the same reasons and had the same
mileage, but I still advise cherry-picking data first...

http://cquirke.mvps.org/pccrisis.htm

...in case the HD dies during attempts to image it.

The gruesome bit is that ChkDsk will have already "fixed" file system
errors on that failing HD before finding the bad clusters, and without
prompting you for what to do first. That's why you need a better
tool; so you get asked first, and can say no.

>>Then you'd have to find something approaching a full-breadth av
>>scanner. You might pay hundreds of dollars for a year of Avast on
>>Bart, or you'd have to settle for weak-breadth scanners such as McAfee
>>Stinger, Trend SysClean and similar killers of subsets of available
>>malware from Avast, AVG etc. Of these, SysClean is the broadest, but
>>it is slow, doesn't show results as it goes, and reporting is hell.

>Since I subscribe to RoadRunner cable service, I am using Computer
>Associates eTrust AV. I have no way to know how effective it is other
>than believe the recommendations of others.

That's OK when it comes to stopping malware from going active. If
that fails and malware *is* active, then it's less dependable because
it can only run from within the infected OS. Like most Windows-based
av, it's a nice, friendly, strict doorman. But if the baddies get
inside, you need a SWAT team, not a nice, friendly doorman.

>>The main optimism is that tools running from within the infected
>>installation can taxi off the runway and get airborne while active
>>malware sits up there in the clouds and allows this to happen.

>Kerio monitors every application that attempts to set up a network
>socket. If I haven't pre-approved, Kerio fusses.

That's like watching for smoke as a screening method for water
pollution. Not all malware tries to call home, or send out material
in ways that a firewall can detect. Plus, an active malware can
clobber both av and firewall and leave stuffed effigies sitting up in
the UI, so that you may not notice the difference.

>>call in tech assistance when things go wrong.

>I AM the tech assistance.

Then you know whereof I speak :-)

>>XP is simply not built with data recovery or the regaining of
>>ownership from malware in mind - no-one has thought that far.

>I run Win2K.

That is equally afflicted.




Bob
07-09-2005, 11:48 PM
On Sat, 28 May 2005 19:09:25 +0200, "cquirke (MVP Windows shell/user)"
<cquirkenews@nospam.mvps.org> wrote:

>>I had a corrupt disk that would not make a hardware backup so I ran
>>CHKDSK on it. It claimed to fix some things including bad clusters in
>>the pagefile, etc. But it was still corrupt.

>Well, there's a case in point. Bad clusters = Bad HD, unless they are
>the result of imaging a bad HD to a good one in such a way that the
>bad cluster markers are carried over verbatim.

In my case I believe the problem was caused by telling the Enermax
Backup utility to use FAST copy mode. In the past when I used that
speed, I would get a hardware error. But I suspect that this time the
error was not detected. I am now using NORMAL speed, which has not
caused any problems.

The Enermax backup utility suspends its copying when it detects any
kind of activity. I know because when I leave the machine alone it
takes less time to do the same size backup than when I am working
while it backs up. Apparently it can't handle that when doing a FAST
backup. It is a new product and I am willing to evaluate it so I have
to expect glitches like this. Actually it is amazing the damn thing
works at all. Every other disk cloner I have seen boots into either a
DOS or a DVM shell to do the copying.



