Larry Dignan's antivirus nightmare

Over at ZDNet, the site's Editor in Chief, Larry Dignan, just blogged about his experiences trying to remove a malware infection from his Windows XP computer. 

As a story from the trenches, I loved it, especially his experience calling McAfee on the phone for help.

But I was surprised at his approach to dealing with the problem. 

Malicious software has been infecting Windows computers for ages, yet his only line of defense was a single antivirus product. That's simply insufficient.

One obviously missing defensive tactic is running as a limited user, or, at the very least, using DropMyRights to run Internet-facing applications with reduced rights. This isn't perfect (malware can still execute), but at least it can't permanently install itself, so it won't autorun at the next boot.

Perhaps most surprising, coming from someone I assume is a techie, was this statement: "... once Antivirus Pro is installed you're screwed." Non-techies may be screwed, but nerds know to make disk image backups.

Perhaps my focus on Defensive Computing slants my perspective, but there is no excuse for not making image backups. Imaging software can be had for free, or very little money, and not only does an image backup protect you from any and all software problems, it also offers protection from hardware problems.

From the effort Dignan put into dealing with his malware infection, it seems the computer was important to him, which makes the lack of an image backup to fall back on all the more surprising.

And his malware removal efforts were all but doomed to fail.

For one thing, he fought the enemy on their territory. Once a Windows computer has been infected, it's no longer your computer. Bad guys do a great job of protecting their turf, and the infected operating system is now their turf.

The best way to remove malware is from outside the infected system and the best way to do this is to boot the computer using the Ultimate Boot CD for Windows (UBCD4WIN).

Running an operating system off a CD treats the infected C: drive as a plain data disk, which prevents the malware on it from running.

Dignan wrote that he "... needed to manually remove the files. The problem: I couldn't find them ..." Chances are that an operating system running off a CD would see the files he couldn't see from within the infected system.

Booting to a Linux Live CD is great for this and for copying important files off the infected machine. But UBCD4WIN lets you run a whole host of anti-malware software directly from the CD. It can even self-update many of the programs from the Internet before using them to scan the infected drive.

If your favorite anti-malware programs are not available from within UBCD4WIN, then you can simply use it to share the infected drive over a LAN and scan the infected C: drive from a clean machine elsewhere on the network.

I wrote a trio of articles at eSecurityPlanet on this approach:

Still, there are limits to what can be done from the outside, because the infected system's registry is seen only as files on the data disk; it is not mounted and scanned as a live registry.

Thus, after scanning from the outside, you need to boot the suspect OS and run anti-malware software from within the system. The more products you run, the better. If it were me, I'd run a half dozen applications, starting with Mark Russinovich and Bryce Cogswell's Autoruns (it's both free and portable).
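One thing you can do from the outside to narrow that gap is load the infected system's registry hives by hand and look at the classic autostart keys yourself. The batch script below is an added example, not something from the original post or from UBCD4WIN; it assumes the infected XP disk is visible from the clean boot environment as D: (a placeholder; change it to whatever letter the infected system drive gets) and uses only the stock reg.exe command. It does not replace the in-system scan described above, but it shows where malware must register itself to survive the next boot.

```batch
@echo off
rem Added example: inspect autostart entries in OFFLINE registry hives
rem from a clean boot environment (UBCD4WIN, or a clean PC with the
rem infected disk attached). D: is a placeholder for the infected drive.
set INFECTED=D:
set HIVE=%INFECTED%\WINDOWS\system32\config\software

rem Mount the offline SOFTWARE hive under a temporary key name. This only
rem reads the hive file; nothing on the infected disk gets executed.
reg load HKLM\OfflineSW "%HIVE%"
if errorlevel 1 (
    echo Could not load %HIVE% - is the drive letter right?
    exit /b 1
)

echo === Machine-wide autostart keys ===
reg query HKLM\OfflineSW\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\OfflineSW\Microsoft\Windows\CurrentVersion\RunOnce

rem Winlogon Shell and Userinit are favourite hijack points; anything other
rem than the defaults (Explorer.exe and userinit.exe) deserves a close look.
echo === Winlogon ===
reg query "HKLM\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

rem Always unload, otherwise the hive file stays locked and the infected
rem system may not boot cleanly afterwards.
reg unload HKLM\OfflineSW

rem Per-user autostart keys live in each profile's NTUSER.DAT (XP layout).
for /d %%U in ("%INFECTED%\Documents and Settings\*") do (
    if exist "%%U\NTUSER.DAT" (
        reg load HKU\OfflineUser "%%U\NTUSER.DAT" >nul 2>&1 && (
            echo === Per-user Run key for %%~nxU ===
            reg query HKU\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run
            reg unload HKU\OfflineUser
        )
    )
)
```

Run it from a command prompt in the clean environment and read the output against what Autoruns shows once you are back inside the booted system; an entry that points at a file you cannot see from within the infected OS is exactly the kind of thing Dignan was looking for. If `reg load` refuses a hive, the infected system was usually shut down uncleanly and the hive is still marked dirty; that is a reason to be even more suspicious of the in-system view, not less.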

This, however, raises the question of whether you can trust a machine at all after it's been infected. Can you be sure the malware has been totally removed? I don't think you can.

Which leads right back to my main point: image backups. Dogs may be man's best friend, but image backups are a nerd's best friend.

Copyright © 2009 IDG Communications, Inc.