Re: [SLE] Windows Malware Detector from SUSE 9.3

From: Carl E. Hartung (suselinux_at_cehartung.com)
Date: 08/09/05

    To: suse-linux-e@suse.com
    Date: Tue, 9 Aug 2005 11:41:07 -0400
    
    

    On Tuesday 09 August 2005 9:57 am, Greg Freemyer wrote:
    > One of my co-workers has a Win2K box that has some kind of malware on
    > it. I have run 3 windows malware detectors on it and none of them
    > find it. A fourth simply causes the machine to be unacceptably slow.
    >
    > I have loaded a SuSE 9.3 dual boot config on it. Is there a SuSE 9.3
    > tool for searching thru his C: drive for windows malware?
    >
    > If not, is there something I can download and attempt fixing his machine
    > with?
    >
    > Greg

    Hi Greg,

    I have unwillingly become a de facto 'expert' at cleaning up that other OS, to
    the extent that it /can/ be cleaned up. It is next to impossible to secure
    since a number of FQDNs and IPs are compiled into the code. Monitoring the
    system frequently with tcpview and process explorer from sysinternals.com
    will confirm this, if you have any doubts. Also very important is the
    boot-logging cousin to tcpview (I've forgotten the name) which records
    network activity that occurs before the firewall is turned on. *Don't skip.*

    Your best-case solution is to keep SuSE on that box, have him use it for
    everything related to the Internet (as a start) and physically disconnect
    that system from the network when he needs to run a Win32 application.
    Hopefully, he'll eventually migrate on his own after he sees how neat SuSE
    is. If disconnecting 'doze from the network isn't feasible, at a bare minimum
    you need to install *all* of the following utilities and check for updates
    twice a week (if they're not automatic):

    ZoneAlarm - *absolutely nothing* gets server access outside the trusted zone

    Spybot Search & Destroy - don't just run the installer and scan, either. This
    complex software is chock full of very effective goodies. Take the tutorial
    and spend the time needed to study every menu. Be sure to manually clear the
    'ignore products' list, otherwise, new.net and a few others will *not* be
    cleaned from the system. Also be certain to install (and update thereafter)
    the supplied hosts file, which will block known malware servers.

    AdAware - this one is OK to just install and scan. Note: unless you want to
    contribute and buy the pay version, you can ignore the 'click to learn about
    this update' button and it will then let you download the current definitions
    for the installed free version.

    Spywareblaster - this one just gets installed; no scans, just 'blocking bits'
    placed in the appropriate places to prevent identified malware from
    installing itself.

    TrojanHunter - the free 30 day trial will download a current definitions file
    and clean the system. *Don't skip.* I strongly recommend buying the annual
    license for this one. It's worth it if you *have* to run that other OS.

    Grisoft's AVG Free - this is a great free antivirus package that's pretty much
    self-maintaining. Of course, you frequently need to reboot after the
    automatic program and definitions file updates. What else is new? ;-)

    Manual Intervention:
    - HKLM/software/Microsoft/Windows/Current Version/Run
    - HKLM/software/Microsoft/Windows/Current Version/Run Once
    - HKLM/software/Microsoft/Windows/Current Version/Run Services
    - HKCU/software/Microsoft/Windows/Current Version/Run
    - HKCU/software/Microsoft/Windows/Current Version/Run Once
    - HKCU/software/Microsoft/Windows/Current Version/Run Services
    Verify the system isn't loading in debugging mode (run -> msconfig; set to
    normal booting) and *then* inspect these registry locations for unusual
    entries, i.e. executables living where they shouldn't, particularly in any
    temporary directories.

    A few other notes:

    - There are some utilities out there, crap cleaner and hijack this! being two,
    that if *not* used extremely judiciously can irrevocably damage the installed
    OS. *If* you install and run the utilities I listed above on a regular basis,
    it is less likely that you will need these other 'worst-case' utilities. Save
    them for the very last in case the system catches a bug that is so new it's
    being overlooked by the others.

    - Switch him over to Firefox and Thunderbird. The rationale should be
    self-explanatory.

    OK, there you have my two cents. Good luck!

    - Carl

    -- 
    Check the headers for your unsubscription address
    For additional commands send e-mail to suse-linux-e-help@suse.com
    Also check the archives at http://lists.suse.com
    Please read the FAQs: suse-linux-e-faq@suse.com
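A modern way to carry out the registry inspection in Carl's "Manual Intervention" list, written as an added example and not part of the original message: it assumes PowerShell is available on the Windows system (it did not exist in 2005) and uses the real key names (CurrentVersion, RunOnce, RunServices); the temp-directory patterns it flags are my own choice.

```powershell
# Added example, not from the original post: list the autostart registry values
# the message says to inspect and flag those whose executable lives in a temp
# directory or no longer exists on disk. RunServices is usually absent on
# NT-based Windows, so keys that do not exist are skipped.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Directory fragments that should not normally host an autostart executable (assumed list).
$tempDirs = @('\Temp\', '\Tmp\', '\Temporary Internet Files\')

function Get-AutostartExecutable([string]$command) {
    # Pull the program path out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\foo\bar.exe -x
    $command = [Environment]::ExpandEnvironmentVariables($command)
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+)')     { return $Matches[1] }
    return $command.Trim()
}

function Get-AutostartReport {
    $report = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ...
            $exe = Get-AutostartExecutable ([string]$prop.Value)
            # Bare names such as rundll32.exe resolve through PATH before the on-disk check.
            if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
                $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                       Select-Object -First 1
                if ($cmd) { $exe = $cmd.Path }
            }
            $flags = @()
            if ($tempDirs | Where-Object { $exe -like "*$_*" }) { $flags += 'temp-dir' }
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $flags += 'file-missing' }
            $report += [PSCustomObject]@{ Key = $key; Name = $prop.Name
                                          Executable = $exe; Flags = ($flags -join ',') }
        }
    }
    return $report
}

# Flagged entries sort to the top; review each one by hand before removing anything.
Get-AutostartReport | Sort-Object Flags -Descending | Format-Table -AutoSize
```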
    
