Software Registry: is "Advanced INF" legit Explorer?
Lately I've been having a lot of adware entering the system, trying to
install the common round of searchbars, popups and the like. There's
been a number of attempts to hijack the Internet Explorer startpage,
and I know at some points the msiexec.exe process has been used for
this ( i haven't modified the browser myself or installed any MS
updates for some time). I try to keep the malware at bay with Norton
Firewall /Antivirus, Adaware and so far I've avoided really grave
attacks.
The other day I had a look at the registry and deleted some keys that
were obvious adware, but registry is a place where you need to know
exactly what you're doing and I'm not a software pro...
Now, next I found dozens of keys under the line HKEY_LOCAL_MACHINE
Software\Microsoft\Advanced INF Setup. Some seemed limited in scope and
not really part of the ordinary Internet Explorer registry. I ran a
registry scan afterwards with Norton and had it delete a few other keys
I was positive were adware. Tonight, when I just checked the registry
again, some of these suspect keys I'd spotted seemed to be gone, others
still there. Although they were stored under Microsoft, this would be
an ordinary spot for any intruding adware, wouldn't it? Is this
(HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup) a default
registry class for matters dealing with integration of Explorer with
different kinds of multimedia, or is it a place primarily "used" to
lodge spyware and adware? And just what does "Advanced INF" mean here?
Hope to get enlightened on this,
/Michelle
Main software specs:
Windows XP Pro + Service Pack 1
Internet Explorer 6
Opera 7 (second browser)
Acrobat 6 Pro & Acrobat Reader
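The post describes keys that seem to disappear after a cleanup and others that stay or come back. The practical way to track that is to export the suspect key (regedit, File > Export) before and after each cleanup and diff the two snapshots rather than eyeballing regedit. The following is an added example, not code from Michelle's post or from any reply; it assumes the exports were made with regedit, and the two snapshots embedded in it are constructed. The subkey names "ExampleComponent", "SuspectEntry" and "AnotherSuspectEntry" are placeholders, not identifiers of any known software; only "Advanced INF Setup" (from the post) and Internet Explorer's "Start Page" value are real names.

```python
"""Diff two regedit exports (.reg) to see which keys and values vanished,
came back or changed between snapshots.  Added example for this thread, not
code from the original posts.  The snapshots below are constructed, and the
subkey names "ExampleComponent", "SuspectEntry" and "AnotherSuspectEntry"
are placeholders, not identifiers of any known software."""
import re
from typing import Dict, List

RegSnapshot = Dict[str, Dict[str, str]]   # key path -> {value name: raw value}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text: str) -> RegSnapshot:
    """Parse .reg text (REGEDIT4 or "Windows Registry Editor Version 5.00").

    Returns {key: {value name: raw value}}.  Raw values keep regedit's own
    notation ("string", dword:..., hex:...).  The default value is stored
    under "(Default)", hex: lines continued with a trailing backslash are
    joined, and comments (';'), headers and blank lines are skipped.
    """
    snapshot: RegSnapshot = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.endswith("\\"):                 # value continues on the next line
            pending = line[:-1].rstrip()
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            snapshot.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value is None or current is None:
            raise ValueError(f"unparseable .reg line: {line!r}")
        name = "(Default)" if value.group(1) is None else value.group(1)
        snapshot[current][name] = value.group(2)
    return snapshot


def load_reg(path: str) -> RegSnapshot:
    """Read an export from disk; version 5.00 exports are UTF-16LE with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")
    return parse_reg(text)


def diff_snapshots(before: RegSnapshot, after: RegSnapshot) -> Dict[str, list]:
    """Report keys and values that differ between two snapshots."""
    report: Dict[str, list] = {
        "removed_keys": sorted(before.keys() - after.keys()),
        "added_keys": sorted(after.keys() - before.keys()),
        "removed_values": [], "added_values": [], "changed_values": [],
    }
    for key in sorted(before.keys() & after.keys()):
        old, new = before[key], after[key]
        report["removed_values"] += [(key, n) for n in sorted(old.keys() - new.keys())]
        report["added_values"] += [(key, n, new[n]) for n in sorted(new.keys() - old.keys())]
        report["changed_values"] += [(key, n, old[n], new[n])
                                     for n in sorted(old.keys() & new.keys()) if old[n] != new[n]]
    return report


# Constructed snapshots: "before" and "after" a cleanup pass.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\ExampleComponent]
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\SuspectEntry]
@="placeholder"
"Installed"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\ExampleComponent]
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\AnotherSuspectEntry]
"Blob"=hex:01,02,03,\
  04,05

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"""


def demo() -> Dict[str, list]:
    """Diff the constructed snapshots."""
    return diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER))


if __name__ == "__main__":
    for category, entries in demo().items():
        for entry in entries:
            print(category, entry)
```

Run against real exports with `diff_snapshots(load_reg("before.reg"), load_reg("after.reg"))`. A key that shows up under "added_keys" after every reboot, or a "Start Page" that keeps changing back, tells you something is still active and re-creating its settings, which no amount of key deletion will fix.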
Re: Software Registry: is "Advanced INF" legit Explorer?
Michelle <michelle775@hotmail.com> wrote:
> Lately I've been having a lot of adware entering the system, trying to
> install the common round of searchbars, popups and the like. There's
> been a number of attempts to hijack the Internet Explorer startpage,
> and I know at some points the msiexec.exe process has been used for
> this ( i haven't modified the browser myself or installed any MS
> updates for some time).
Don't use Internet Explorer. And keep your software up to date.
> I try to keep the malware at bay with Norton
> Firewall /Antivirus, Adaware and so far I've avoided really grave
> attacks.
Oh my dear.
> The other day I had a look at the registry and deleted some keys that
> were obvious adware
Re: Software Registry: is "Advanced INF" legit Explorer?
"Volker Birk" <bumens@dingens.org> wrote in message
news:434618dd@news.uni-ulm.de...
> Carey Frisch [MVP] <cnfrisch@nospamgmail.com> wrote:
>> Download Ad-aware SE and scan your PC for the presence of sp*yware:
>
> Funny, that one department of Microsoft creates AntiSpyware, while in
> another they're publicizing this:
>
> http://www.microsoft.com/technet/com...mt/sm0504.mspx
>
> I think, the latter is much better. ;-)
Eh. It's all about how certain you wish to be.
Jesper's a little strong on the theoretical side - once one bad piece of
code has run on your system, there's a probability that it let in other bits
of bad code, and removing the first detected piece of bad code could mean
that you left the other bad code in place.
It's a perfectly correct argument, except that the treatment is a
significantly painful one. The user has to lose all of his/her installed
software (some of which may no longer be available to reinstall, or may come
at a significantly greater cost to replace), and possibly even his/her data
(can you completely trust a backup made from an infected machine? No. Can
you guarantee that the backed-up data doesn't contain bad code in itself?
No.)
That's not what most people want to do. Most people are quite comfortable
with the idea that they get back their machine, for the most part, with the
slight possibility that the system is still compromised.
So, Jesper's right, and Microsoft's Anti-Spyware division is right to
provide a cleaner that can never be 100% reliable by Jesper's arguments.
It's a chrono-synclastic infundibulum, if I remember correctly.
Security is about risk management - ergo, security tools are about managing
risk, and that's not a 100% business. If you want 100%, you simply write
your own operating system, never connect it to the Internet, oh and you'd
better have designed the processor yourself, and manufactured it yourself in
your own fab plant, and.... okay, so maybe there's a level at which even
Jesper is willing to go less than 100% on security, too.
Then there's also the key take-away that if you don't know what infected
you, you can't very well say that you are now protected against it, and you
can't say that you'll avoid infecting your newly flattened and rebuilt
system.
Re: Software Registry: is "Advanced INF" legit Explorer?
Alun Jones <alun@texis.invalid> wrote:
> Jesper's a little strong on the theoretical side - once one bad piece of
> code has run on your system, there's a probability that it let in other bits
> of bad code, and removing the first detected piece of bad code could mean
> that you left the other bad code in place.
> It's a perfectly correct argument, except that the treatment is a
> significantly painful one.
Yes. Hard to face. But true.
> That's not what most people want to do.
But it is, what people have to do, if they want to be secure again.
> So, Jesper's right, and Microsoft's Anti-Spyware division is right to
> provide a cleaner that can never be 100% reliable by Jesper's arguments.
I'm trying to explain:
Case 1) User working with administrative rights
Only if spyware or viruses _do_ _not_ include a backdoor for downloading
code or remotely executing code, then spyware and viruses can be removed
safely if a removal tool is correctly implemented, and is _not_ run on
the same operating system which is already infected, but booted from a
second medium.
So if you can be sure, that the malware is not of this type, it can be
removed with this trick.
Case 2) User not working with administrative rights
a)
If the user was _not_ working with administrative rights but as normal user,
and the configuration of your system is hardened, so that normal users may
not change global settings or files at all, then removing the user profile
does work to remove all malware this user roped in which does not use
working privilege elevation attacks to spread into the whole system.
b)
If the user was _not_ working with administrative rights but as normal user,
and the configuration of your system is hardened, so that normal users may
not change global settings or files at all, and the malware is _not_ of a
type which may use privilege elevation to infect the complete system, then
and only then using a removal tool on the same system, but _with_
administrative rights may be used to remove the malware safely, if the
removal tool is correctly implemented.
In any other case you have to flatten and rebuild your system, because
there is no way any more to remove malware safely.
The main problem with all of the Anti-Spyware and Virus-Removal tools I know
is, that they're *not* *implementing* this algorithm.
The manufacturers are just lying to the users - they're telling them
"successfully removed", but in fact cannot guarantee, that this happened
in most of the cases. And they should know that.
And so often after applying such a tool, there is malware left on the PC
where it was applied. And even worse, the user now thinks, that everything
would be fine now.
> It's a chrono-synclastic infundibulum, if I remember correctly.
I tried to lead you to this place above ;-)
> Security is about risk management
Yes. And for making something secure from an event you don't want to happen,
there is a sequence:
a) If you can avoid the event for sure, do so!
b) If you cannot avoid the event for sure, but you can avoid it with such a
high probability that it will never happen in practice, do so!
c) If you cannot avoid the event for sure, and you cannot avoid it at least
with such a high probability that it will never happen in practice, then
you're fucked up - learn to live with it! For that case, do anything to
avoid it, too, but have a ready made plan to execute, what to do if it
happens!
Only in c) there is a risk to manage. Do it, but if it is not necessary,
avoid it.
Yours,
VB.
--
If class libraries are compared to animals, MFC is the slime-warts toad.
Re: Software Registry: is "Advanced INF" legit Explorer?
My apologies for top-posting, but your entire argument can be summed up to
point out that you believe it is uniformly preferable to be without malware
than not.
Let's take a hypothetical example:
Let's say I have all the photos of my family on an infected laptop.
I would rather remain running on an infected system than wipe out every
photo of my family.
If I flatten and reinstall, I will likely lose all those photos; past
experience has shown me, however, that if I simply run a virus remover, I
will likely keep all my photos (but have to re-scan in a few months).
I'm not going to flatten and reinstall.
The answer, of course, would be to teach such a person about backups... But
then you run the risk that viruses are often carried in data. How do you
clean the data? You have merely extended the nature of the problem -
"flatten and reinstall, because you can't trust the contents" is all very
well, but when you add the "restore important data from a backup", you may
as well be saying "restore important data and tenacious malware from a
backup".
The only 100% guaranteed(*) method of malware removal, it would seem,
requires the destruction of your data as well as your installation. Okay,
there are some places where that's actually better than the alternative.
But for most users, and again, I'm stressing, most users, it's preferable to
keep the data and the applications, and have a reasonable expectation that
the virus has been cleaned up.
If you're paying any kind of attention at all, you'll note that there are
lots of ways to detect opportunistic infections - infected machines don't
tend to stay infected if someone is trying to clean them up.
"Flatten and reinstall" is only appropriate in an environment (such as an
enterprise) where you have good data retention, analysis and recovery
procedures in place.
You also neglected to address the point that "flatten and reinstall" merely
provides a clean operating system for exactly the same infection to take
hold once again - if you do not close the hole it used (either technological
or human), it, or something like it, will come in through that hole again.
And if you didn't scan your system to detect the malware, how do you know
that you've closed the hole that was used?
Alun.
~~~~
(*) Not even 100%, because you are assuming that the OS didn't come with its
own malware in the first place.
Re: Software Registry: is "Advanced INF" legit Explorer?
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1db36ddf9c898abb98a231@news-server.columbus.rr.com...
> In article <be6dnbn8VOvxPdTeRVn-rQ@comcast.com>, alun@texis.invalid
> says...
>> "Flatten and reinstall" is only appropriate in an environment (such as an
>> enterprise) where you have good data retention, analysis and recovery
>> procedures in place.
>
> Forgive me, but that's a very ignorant statement. Flattening is the only
> sure means to clean a compromised system.
You appear to be arguing a different point. Yes, flattening is the only
sure means to clean a compromised system. I am not arguing against that.
What I am arguing is that it may not necessarily be the appropriate
immediate response.
First, there's the data that's on your system and has been added since the
last backup, if there was ever a backup. That may need recovery, and there
are only two ways to recover it - forensically, or from the middle of the
compromised system. Forensic recovery costs beaucoup dosh, but recovering
the data from inside the compromised system is much cheaper, if a little
less reliable.
Once you have the data back, you may flatten and reinstall. Recovering the
data from inside the compromised system is only possible once you can clean
off enough infection (again, from inside the compromised system) to back the
data up.
Second, there's the problem that your reinstall following the flatten
procedure is going to produce a system pretty much identical to the one that
got compromised. It would be naive in the extreme to expect that this newly
installed system won't get compromised, too.
> The value of your data is something few consider, but, there are simple
> ways to keep the local data and then restore the OS/Applications
> included with most systems.
>
> If you run a cleaner, and get your system back to what appears to be
> normal, or at least so that you can burn a CD or make some other backup,
> you're in good shape - backup, flatten, reinstall with a wipe, reinstall
> apps, scan backups for infection, restore files....
>
> If you can't get the system back to a place you can backup your data
> from, you can give up or purchase a cheap drive, install it, install OS/
> and AV product, scan the old drive, copy the data files to the new one,
> reinstall your apps - wipe the old drive and keep it as a spare.
>
> If you think it's worth it to run with a machine that's been
> compromised, then you don't value your data much.
What do you think you're doing when you "run a cleaner, and get your system
back to what appears to be normal"? You're running with a machine that's
been compromised.
An uncompromised machine is rather like virginity. You can't get it back
when you've lost it. A compromised machine is compromised until it has been
formatted and reinstalled.
Using a cleaner on a compromised machine does not get you an uncompromised
one, it gets you a slightly cleaner one, one from which you can save your
data.
Re: Software Registry: is "Advanced INF" legit Explorer?
Alun Jones <alun@texis.invalid> wrote:
> Let's say I have all the photos of my family on an infected laptop.
> I would rather remain running on an infected system than wipe out every
> photo of my family.
In this case, booting a second system and getting the photos would be
possible without any risk.
> The answer, of course, would be to teach such a person about backups...
Yes.
> The only 100% guaranteed(*) method of malware removal, it would seem,
> requires the destruction of your data as well as your installation.
No.
> If you're paying any kind of attention at all, you'll note that there are
> lots of ways to detect opportunistic infections - infected machines don't
> tend to stay infected if someone is trying to clean them up.
Oh, yes, unfortunately usually they do. If you remove a malware with a
backdoor, for example, then it's very likely that there is a second
malware already running on your system. And usually the virus scanner
does not detect this malware.
This is what backdoors are for.
> "Flatten and reinstall" is only appropriate in an environment (such as an
> enterprise) where you have good data retention, analysis and recovery
> procedures in place.
No. For many cases, it's just the only chance not to be a zombie for
distributed attacks, not to be a store for kiddy-pr0n, to own your box
again and not being 0wn3D.
> You also neglected to address the point that "flatten and reinstall" merely
> provides a clean operating system for exactly the same infection to take
> hold once again - if you do not close the hole it used (either technological
> or human), it, or something like it, will come in through that hole again.
After installation, of course the box has to be hardened.
> And if you didn't scan your system to detect the malware, how do you know
> that you've closed the hole that was used?
Malware can come from three main sources on a hardened Windows PC:
- Outlook Express
- Internet Explorer
- Documents, which are using a type of application infection
The first two one should avoid. For fighting the third one, one should
avoid all "penis enlargements" and "banking software, which makes you
rich".
Afterwards, there is a residual risk. And this rest one should fight by
keeping up to date all applications which are used directly for
communication on the Internet, and which are used indirectly - for received
documents, including music, video, Office documents and so on. And a virus
scanner can help. It does not solve the problem, but it can help.
There is no way to be 100% secure - but there is a way to be so highly
secure, that never or only after some years one has to face an infection
with a Windows box.
And then one should have a backup.
Yours,
VB.
--
If class libraries are compared to animals, MFC is the slime-warts toad.
Re: Software Registry: is "Advanced INF" legit Explorer?
"Volker Birk" <bumens@dingens.org> wrote in message
news:434a17fc@news.uni-ulm.de...
> Alun Jones <alun@texis.invalid> wrote:
>> The only 100% guaranteed(*) method of malware removal, it would seem,
>> requires the destruction of your data as well as your installation.
>
> No.
You are willing to say that data never carries code that will later infect a
system? Wow, I wasn't aware we had advanced that far in computer security.
I must have been asleep for a long time.
I was assuming that some of the document-based viruses you refer to below
may be present in some of the documents that comprise the user's data.
Perhaps you have a means of discerning data from virus and separating them
that isn't the "virus cleaner" you are arguing is a bad idea. If you do, I
hope you are selling it - you will make a fortune with a virus cleaning
method that doesn't involve virus cleaning.
>> If you're paying any kind of attention at all, you'll note that there are
>> lots of ways to detect opportunistic infections - infected machines don't
>> tend to stay infected if someone is trying to clean them up.
>
> Oh, yes, unfortunately usually they do. If you remove a malware with a
> backdoor, for example, then it's very likely that there is a second
> malware already running on your system. And usually the virus scanner
> does not detect this malware.
>
> This is what backdoors are for.
Given that malware doesn't go through the same sort of architectural and
implementation review as many applications do, it's redundant to say
"malware with a backdoor" - assume that they all have back-doors. The good
news is that even the secondary infection, tertiary, etc are eventually
added to the repertoire of virus scanners.
>> "Flatten and reinstall" is only appropriate in an environment (such as an
>> enterprise) where you have good data retention, analysis and recovery
>> procedures in place.
>
> No. For many cases, it's just the only chance not to be a zombie for
> distributed attacks, not to be a store for kiddy-pr0n, to own your box
> again and not being 0wn3D.
You seem to think that these are primary concerns for most users. No, sadly
most users are interested in turning on the computer, running their
applications, and accessing their data. If a malware does not noticeably
interfere with that, you can guarantee that the user will not care to fix
the infection. A sense of social responsibility is not high on most
people's list of common virtues.
Most users will only remove viruses (anything from "clean" up to "flatten
and reinstall") under two conditions:
1. The virus has adversely affected their ability to use the computer. It's
overwriting data, or it's slowing their system down.
2. They have been denied access to some resource because of the virus on
their system (this is really 1.1, but it's frequently the enterprise case,
whereas 1 is more frequently the home user case).
>> You also neglected to address the point that "flatten and reinstall"
>> merely
>> provides a clean operating system for exactly the same infection to take
>> hold once again - if you do not close the hole it used (either
>> technological
>> or human), it, or something like it, will come in through that hole
>> again.
>
> After installation, of course the box has to be hardened.
If you don't know where it was soft, how do you do that? Guess? Simply
download and apply "patch-du-jour"?
>> And if you didn't scan your system to detect the malware, how do you know
>> that you've closed the hole that was used?
>
> Malware can come from three main sources on a hardened Windows PC:
>
> - Outlook Express
> - Internet Explorer
> - Documents, which are using a type of application infection
Wow, I use all three of those on a regular basis. I haven't had any malware
infest my PC. Clearly, these are not as dangerous as at first believed.
Obviously there's something different between me, and the guy who gets
infected.
> The first two one should avoid. For fighting the third one, one should
> avoid all "penis enlargements" and "banking software, which makes you
> rich".
Ah - here we are, here's the difference. I don't fall for any of those.
Clearly, though, that's not because of any of your three primary infection
routes being absent, it's because my _behaviour_ is different from those
that get infected. While many worms have been successful in exploiting
technological vulnerabilities, it still seems to be the sociological
vulnerabilities that are the most successfully abused.
> Afterwards, there is a residual risk. And this rest one should fight by
> keeping up to date all applications which are used directly for
> communication on the Internet, and which are used indirectly - for received
> documents, including music, video, Office documents and so on. And a virus
> scanner can help. It does not solve the problem, but it can help.
A virus scanner is clearly part of the solution. It would be nice if
aggressive law enforcement were another part of the solution, but currently
too many virus authors are given minor slaps on the wrist and then get a
comfy job with a press-hungry "security" company.
[Word to the wise - an attacker needs only to find one hole, once. A
defender must find every hole, all the time. Attackers do not automatically
make good defenders, because the mind-set is different. Attackers consider
depth of penetration more than breadth of attack; defenders think breadth of
coverage more than depth of protection.]
> There is no way to be 100% secure - but there is a way to be so highly
> secure, that never or only after some years one has to face an infection
> with a Windows box.
Security is a process. It's a mindset. It's what you do in order to stay
uninfected.
> And then one should have a backup.
Abso-darn-lutely.
But how do you prevent yourself from backing up, and restoring the malware?
Re: Software Registry: is "Advanced INF" legit Explorer?
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1db40cda49000c6b98a238@news-server.columbus.rr.com...
> Immediate, well, in some cases it is - where the user has no clue, no
> means to download updates, no means to get the system back online due to
> the infection. Also, where the user has no understanding of what they
> did, flattening the system will give them pause and time to reconsider a
> lot of things.
Surely there are easier ways to teach your users? I recommend starting with
a few books, a Powerpoint presentation or two, maybe even sitting them down
for a lecture. Wiping out their machine seems to smack of mere punishment.
> Yes, and I agree that most people have never made a backup and most
> people won't have the resources to save their files before they wipe the
> system - but, and while it's sad, it's a valuable price for learning the
> first rule of computing (Backup often).
There we go again - punish the user for not knowing as much as you feel they
ought to. Negative reinforcement isn't considered very good for teaching.
Can you think of any positive reinforcement you could use to teach the same
message?
> But my experience is that more than 50% of the people with a first time
> compromised machine will learn something from it, install a protection
> method and will not have the same type of compromise again. If second
> timers, almost 80% of those learn and get it right by the second
> reinstall. The remaining people are just too stupid and need a Mac.
What does the Mac do that protects them better? Other than not being as
frequent a target, that is - because that could change the moment the mass
of users make a decision to switch. I'd hate to recommend a strategy that
requires that mob mentality remains the same.
> Sort of - if you wipe/reinstall you get your virginity back, and you
> don't have to carry all the baggage/history you had - it's like a second
> chance (and it actually is). Again, so you don't misunderstand, I fully
> support the wipe/reinstall method of cleaning machines that are
> compromised.
It's like getting your virginity back by dying and being reborn. A tad
drastic :-)
But yes, wiping and reinstalling will remove the malware. Whether you can
persuade the user who owns the machine to do so is another matter, of
course. That's where the idea of cleaning the system and recovering its
data prior to the format and reinstall comes in handy.
Re: Software Registry: is "Advanced INF" legit Explorer?
Alun Jones <alun@texis.invalid> wrote:
> "Volker Birk" <bumens@dingens.org> wrote in message
> news:434a17fc@news.uni-ulm.de...
> > Alun Jones <alun@texis.invalid> wrote:
> >> The only 100% guaranteed(*) method of malware removal, it would seem,
> >> requires the destruction of your data as well as your installation.
> > No.
> You are willing to say that data never carries code that will later infect a
> system?
No. I'm willing to say that you don't need to destroy your data - have
a backup.
BTW: it is possible to restore data from an infected disk without running
the risk of being reinfected. But it is non-trivial.
> Given that malware doesn't go through the same sort of architectural and
> implementation review as many applications do, it's redundant to say
> "malware with a backdoor" - assume that they all have back-doors.
Yes, this is one of the problems. A virus scanner should search for
malware using patterns, but verify a found malware using cryptographic
hashes.
I don't think that many current virus scanners will do so. This is one of
the reasons why I'm recommending "flatten and rebuild" in most cases.
> > For many cases, it's just the only chance not to be a zombie for
> > distributed attacks, not to be a store for kiddy-pr0n, to own your box
> > again and not being 0wn3D.
> You seem to think that these are primary concerns for most users.
No. But I think, it's in the interest of most of the users.
> No, sadly
> most users are interested in turning on the computer, running their
> applications, and accessing their data. If a malware does not noticeably
> interfere with that, you can guarantee that the user will not care to fix
> the infection. A sense of social responsibility is not high on most
> people's list of common virtues.
I'm talking about the interests of the users themselves. Nobody likes to be
accused of dealing with kiddy-pr0n, for example.
One of the problems with users is that they're believing in advertising.
But in fact, this is more a problem of the "security" companies, which are
advertising their virus scanners or anti-spyware toolz to be able to
remove any virus or spyware.
They're just lying, and users are believing this.
> >> You also neglected to address the point that "flatten and reinstall"
> >> merely
> >> provides a clean operating system for exactly the same infection to take
> >> hold once again - if you do not close the hole it used (either
> >> technological
> >> or human), it, or something like it, will come in through that hole
> >> again.
> > After installation, of course the box has to be hardened.
> If you don't know where it was soft, how do you do that?
Closing every possible attack vector which can be closed easily. And:
teaching and educating users how PCs can be used more safely.
I don't think that re-engineering the problems, say computer forensics,
is an option for most of the cases. Most people don't have the time, nor
the money, nor the knowledge for that.
> > - Outlook Express
> > - Internet Explorer
> > - Documents, which are using a type of application infection
> Wow, I use all three of those on a regular basis. I haven't had any malware
> infest my PC.
Or you just don't know it.
> Clearly, these are not as dangerous as at first believed.
Oh, yes, they are. Especially Internet Explorer has many unfixed
holes left today:
This is not bleeding edge any more - a few holes on this list are fixed
now, but some are missing.
But the main point is, that Microsoft refuses to fix many holes in
Internet Explorer, some of them for years now.
Besides the fact that ActiveX is a security design flaw, and ActiveScripting,
too.
There is a lack of a good source for a complete list of unfixed security
holes in Internet Explorer, though. Does anybody have one?
> > The first two one should avoid. For fighting the third one, one should
> > avoid all "penis enlargements" and "banking software, which makes you
> > rich".
> Ah - here we are, here's the difference. I don't fall for any of those.
Good to hear.
> Attackers do not automatically
> make good defenders, because the mind-set is different.
I would doubt that.
> Security is a process. It's a mindset. It's what you do in order to stay
> uninfected.
Yes.
> But how do you prevent yourself from backing up, and restoring the malware?
The only way would be to find the reason for the infection. So it is
impossible to handle this securely for a home user. But she/he can back up
the documents only, so there is no way to reinfect but with document based
attacks. And she/he can scan her/his documents with an up-to-date virus scanner
before restoring them.
This does not make it impossible to get reinfected, but very unlikely.
Yours,
VB.
--
"I am a free man and am now going to make use of my civil liberties - and
extensively so - naturally only within the limits that Otto Schily still
leaves me."
Wolfgang Clement on 10.10.05, while still "super-minister"
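Two points in the reply above lend themselves to working code: that a scanner should find candidates with patterns but confirm them with cryptographic hashes, and that a home user who backs up only documents should scan them with an up-to-date scanner before restoring. The following is an added example that is not part of any post in this thread and is not any vendor's scanner; the byte patterns, the known-hash set and the three sample files are constructed for the demo. "AutoOpen" is the real name of the Word macro that runs when a document is opened; everything else is placeholder content.

```python
"""Two-stage check for documents coming back from a backup made on an
infected machine: a cheap byte-pattern scan flags candidates, and a
cryptographic hash then decides whether a flagged file is a known sample or
only a pattern hit that nobody can vouch for.  Added example for this
thread, not code from the original posts.  The patterns, the known-hash set
and the three sample files are constructed for the demo."""
import hashlib
from typing import Dict, List, Tuple

# Stage 1: byte patterns.  "AutoOpen" is the name of the Word macro that runs
# when a document is opened (a classic heuristic); the second is constructed.
PATTERNS: Dict[str, bytes] = {
    "autoopen-macro": b"AutoOpen",
    "constructed-dropper-string": b"Shell \"",
}

# Constructed sample contents.
SAMPLE_INFECTED = b"%DOC%" + b"\x00" * 16 + b"Sub AutoOpen()\r\n  Shell \"dropper\"\r\nEnd Sub"
SAMPLE_DISCUSSES = b"Notes: the macro in the old report was named AutoOpen."
SAMPLE_PHOTO = b"\xff\xd8\xff\xe0" + b"JFIF" + bytes(range(32))

# Stage 2: SHA-256 of samples that have actually been analysed.  Here the
# set holds only the constructed infected sample.
KNOWN_HASHES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_INFECTED).hexdigest(): "constructed macro dropper",
}


def scan_bytes(data: bytes) -> Tuple[str, str]:
    """Return (status, detail) with status "clean", "confirmed" or "suspect"."""
    hits = [name for name, pattern in PATTERNS.items() if pattern in data]
    if not hits:
        return "clean", "no pattern matched"
    digest = hashlib.sha256(data).hexdigest()
    known = KNOWN_HASHES.get(digest)
    if known is not None:
        return "confirmed", f"{known}, sha256={digest}"
    # A pattern hit with no matching hash: either a variant the hash set has
    # never seen or a harmless file that merely contains the bytes.  Neither
    # "removed" nor "clean" can honestly be claimed for it.
    return "suspect", "pattern(s) " + ", ".join(hits) + " matched but hash is unknown"


def triage_backup(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Split a backup set into files safe to restore and files to hold back."""
    plan: Dict[str, List[str]] = {"restore": [], "hold": []}
    for path, data in sorted(files.items()):
        status, _ = scan_bytes(data)
        plan["restore" if status == "clean" else "hold"].append(path)
    return plan


BACKUP: Dict[str, bytes] = {   # constructed backup set
    "letters/report.doc": SAMPLE_INFECTED,
    "letters/notes.txt": SAMPLE_DISCUSSES,
    "photos/img001.jpg": SAMPLE_PHOTO,
}

if __name__ == "__main__":
    for path, data in sorted(BACKUP.items()):
        print(path, *scan_bytes(data))
    print(triage_backup(BACKUP))
```

The photo restores, the document whose hash matches is a confirmed known sample, and the plain text file that merely mentions "AutoOpen" is held back as "suspect" rather than reported as cleaned: that third outcome is exactly the case where a pattern-only scanner would print "successfully removed" without knowing what it had found.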