Re: Multi_VA trashed my system (Can David H Lipman please look a this)

I have said on many occasions in another group that his multi_av tool is
too intrusive. It just deletes things it finds automatically without user
intervention. It does not make a backup, there is no quarantining, and the
scanning is very slow. Good luck with your issues.








Re: Multi_VA trashed my system (Can David H Lipman please look a this)


I've used it on quite a few systems, even ones that are not infected,
and never seen where it has done damage to good files. Sure, if you've
got an infected file that is critical to the operation of the PC you're
going to have problems with any removal utility, but why would you
expect less?

Removing a virus/compromise should be a stop-gap measure on the way to
saving the data and then wiping the machine. As all virus / malware
removal tools are "reactionary", in that they can't get the latest and
greatest until detected, your only means to ensure a clean machine is to
wipe/reinstall from scratch in a secure environment.

I use Multi-AV to clean machines, but I also won't certify the machines
as clean - I will only certify a wipe/reinstall machine as to being
clean.

In my experience, once a machine is compromised, all bets are off as to
it working properly, even after removal of the malware - that's why
they have a "repair/reinstall" mode.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Leythos you are a stalking idiot.







Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On that special day, ("Betina" <->) said...


An interesting reply, especially as Leythos didn't mention a certain
"ass" name in his reply, at all...
 

Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Multi_VA trashed my system (Can David H Lipman please look a this)


Leythos wrote:


Which leads me to question your expertise in this case. Malware is
awfully vague. If you won't certify a box as clean due to any version of
malware, I seriously question your credibility and experience in this
field.


Which malware are we talking about? Viruses, worms, trojans,
keyloggers, desktop hijackers.. what specifically would come under the
"all bets are off" terminology? Surely you're not going to tell me a
trojan/backdoor/desktop hijacker and/or keylogger requires a
reformat/reinstall to make sure it's clean? Even with today's viruses,
it's usually not necessary. It really does depend on what you're dealing
with. To say reformat/reinstall clean in all cases is foolhardy.

Regards,
Dustin Cook
author of BugHunter
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

bughunter.dustin@gmail.com says...

If I have to "Certify" the box as clean, I will only do so if I
wipe/reinstall in a clean environment. If you don't understand why, then
you've never talked with an Attorney about liability and you've never
worked with the Government for secure networks.

Now, if it was a friend's computer, and he didn't want my Business
signature on the cleaning, I would have no problems cleaning the machine
and feeling confident that I completely cleaned it, but there is no
financial liability there.

If you really think you can perfectly, 100% of the time, clean a
compromised system without a wipe/reinstall, then you need to doubt your
own logic.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)


Leythos wrote:


Those are fine accomplishments, kind sir.. Now in all seriousness, I
asked you why you would wipe and reinstall under some particular
conditions; quite frankly, nobody does this in my profession for very
sound reasons.



Hmm...


I don't recall claiming 100%. Nothing is 100%. Without that silly
percentage your comment falls flat on its face, like much of what
you've said.

In some cases, you can be sure the box is alright after cleaning
particular things. I made no statement otherwise in my previous post to
you. What I did was question your actual technical skill. By chance are
you a programmer yourself, or do you have to rely on others' work to
clean these clients' machines?

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

bughunter.dustin@gmail.com says...

In most cases, and I've only seen a few where it wasn't, it's quicker to
flatten a box than repair it. My profession is secure networks and
network design, my side profession is database / application design and
production tuning/maintenance.


It's all about liability, not about my confidence. If I claim to clean
your machine of all malware, 100%, and you take it to your office/home,
and you get ripped off because some unknown, never before seen, malware
records all your banking information... Then two weeks later the AV
vendors develop a signature for it, and then your computer is shown to
have been infected from before my cleaning, well, I can kiss my company
goodbye.


I code in 11 languages, half of them are machine control languages,
others are your common application development languages. I design secure
networks for medical centers and medical groups along with government
groups, and we've never been compromised inside the networks we design
and then manage. In my 20+ years, I've had 1 customer, a CFO that used
his own laptop, could not get it any other way, that would not let us
lock it down, he signed a waiver, compromised. His laptop did not
compromise the rest of the network, but let's just say he learned a
lesson and won't be playing poker online any more :)

Look at it this way, when it comes to security and cleaning a machine,
I'm wise enough to know that there are kids out there creating new
malware that's undetected every day, that AV/Spyware vendors lag behind
days if not weeks, and I'm not going to take chances when I have to
certify something clean. Anything less would be irresponsible of me.


--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Liar!






Re: Multi_VA trashed my system (Can David H Lipman please look a this)

says...

Please be more specific - what specifically is a lie?


--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

pcbutts1 - 18.05.2006 04:37 :


only to say that little kind word, you unnecessarily fullquote again as
usual (~ over 80 fullquote lines snipped). What bad usenet behavior.
Seems you never learn :-(

--
by(e) PS
spam will be killed


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On that special day, Peter Seiler, (psprivate@mailinator.com) said...


Not pcbutts - I guess you know the german term "merkbefreit"? It fits
perfectly for him.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Gabriele Neukam - 18.05.2006 18:03 :


THX for your guess. Yes, I know the term "merkbefreit" - I'm German
myself.  What would be the translation of "merkbefreit" in English? As
you see, English is not my native language ;-)

However, IMO the usual fullquoting of pcbutts1 (and some others) is
really not good behavior, is it?

--
by(e) PS
spam will be killed




Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On that special day, Peter Seiler, (psprivate@mailinator.com) said...


Actually, I have no idea. "free from notion" perhaps?

It might be helpful if you tell newbies that the Outlook (Express)
settings are designed contrary to good netiquette rules; but there are
cases which cannot be treated. You spend your efforts on something
without getting anything in return.

It is bad enough that pcbutts1 steals other people's work, and he
continues to do so even when people are telling him he does, without
any sign of remorse or embarrassment, so why should he be caring about
your complaints, at all?

This is just wasted energy.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

"Gabriele Neukam" wrote:


Sounds like "clueless" would be right word.



Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Gabriele.Spamfighter.Neukam@t-online.de
says...

"gormless", perhaps.
Dunno if they have that in the USA, but it's a great English word. Nobody knows
what a gorm is, but everybody knows what gormless means.

--
News: use seven bits;
or accept you cannot know
how it looks elsewhere.

Re: Multi_VA trashed my system (Can David H Lipman please look a this)


Leythos wrote:


So it's not security as much as how fast can you get that machine back
online then? If recent backups are available, that's an excellent
option. Sadly, I don't work in the field where everyone does backup the
data as they should be doing. Oh the benefits of government work. :)

By database, do you mean an interface for an sql server backend, or
something along those lines? You have to understand, when I see the word
database.. I'm assuming the "database programmer" actually understands
and wrote the code reading/writing the database file. If not, the
programmer is really making a frontend for someone else's software.

Although with images and restore cds handy in all cases, I'm assuming
you or your clients have these materials readily available since it's
quicker to flatten it...Your job does get a little easier. As for total
security, I'm afraid it's just not possible unless you remove the human
element entirely.


Some unknown, never before seen? That's still present on the machine,
functional, after I'm done with it? Hmm, not to toot my own horn here,
but I don't think that's a realistic possibility. I too code, a lot..
Have for a very long time, speak assembler well I do, I don't think
some unknown software is going to sneak past me. I was once on that
side of the fence, I know the tricks. :) If you know the OS well, as you
may or may not, depending on how low you've coded on windows.. dos,
whatever, you really shouldn't see anything actually getting past you.
Especially if you're suspicious to begin with. For a fine example of
this, check out the sysinternals.com chronicles with regard to sony.
That was sneaky unknown software, and it lived so long as he held no
suspicions. Notice how long it survived when he thought something was
amiss?

If it's quicker on time to waste the box, are they all just work
stations? Nothing really user specific, customized, hours lost if the
system is hosed? What do you do in the case of an infected server? Say,
one that you can't trust the backups are clean...?


While I'll grant you, a virus I suppose might possibly sneak past you,
maybe... Something like a non-replicating trojan and/or backdoor
program really shouldn't. You're into security, you should be able to
monitor incoming/outgoing connections and deal with it accordingly.
Besides, windows only has so many ways to auto launch a program, no
matter what its intent. And you can only hide internet traffic from
the user for oh so long before somebody figures it out. If you're truly
into security, that somebody should be you.


machine control... plasma cutters and such?

You haven't mentioned the types of software you write though. I know many
talented programmers who don't grasp how to write an overwriter... :)
But they are very gifted in other programming areas. Databases etc. And
it was silly of me to ask if you're a programmer, it doesn't really
matter. It does help that you are, but doesn't go any further towards
proving you know anything about malware really, and I don't mean this in
an insulting or rude manner. I'm sure you know many things written
about this or that, but my doubt is whether or not you understand what's
going on inside the software. At that level, I have serious doubts if
you did that much malware would actually remain undetected when you
were finished with a machine.


The fact his laptop posed no threat to your network doesn't necessarily
mean your network was secure. What his laptop had may not have been
interested in network shares. Originally they weren't too particular
about it. :) I am not saying you don't know what you're talking about per
se, I'm just suspicious of your actual knowledge of how malware
functions at the software programming level. It's an important
distinction.

> Look at it this way, when it comes to security and cleaning a machine,

Various malware sure, the virus scene is all but dying.. :( Spyware is
such a menace anymore. Keyloggers are on the rise. ... Etc...

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

bughunter.dustin@gmail.com says...

No, but there is a cost factor in anything one does for anything except
personal help.


I would be called an architect and production maintenance/tuning type.
I design the database hardware layout, the schema, the maintenance
plans, then I also code the SPs and scripts so that the guys called
programmers don't have to think about query optimization (as they don't
understand it most times)... I also write the code they write, but I
don't like to get dragged into that level much.


I agree, total security isn't possible, but we can get close as long as
we have good people following the rules, and as long as we build
multiple layers to protect them.

I've only run into a couple people that didn't have a means to reinstall
(cd's, diskettes, etc..) the system. As for backups, we can generally
clean the machine enough to burn the data files to CD/DVD or some other
media, and salvage most of it for them.


I understand, having been a coder since 76, but I'm also realistic. I
may not have a day to check/monitor a system, they may want it back in 2
hours or 4 hours.... If I wanted to spend time checking for every
possible malware, it would take longer than that.


It's never happened, never had a server compromised in all my years. The
only thing we've had compromised is an external use laptop in all this
time.

We get new customers, where they have compromised networks, servers,
workstations, and we have often wiped and rebuilt the data in a secure
area, then tested it several ways, then passed back to the production
environment what we considered certifiable.


Yes, but, again, unless the machine has files that can't be replaced,
rebuilt, etc... it's quicker and less cost to wipe/reinstall and replace
the data. If this was a research project, time/cost would not be a
consideration.


Small system modules and entire plant control systems that go from the
discrete I/O point on a limit switch to the scheduling and tracking in
databases for materials and material movement. In the old days I did a
complete 64 feeder batching system (scales) on a S100 based system that
I designed from scratch - used the 85 series CPU and didn't have an
assembler back then, was all machine code :)


It's OK, I don't mind your questions. I understand where you are coming
from, but, it's not going to change my methods - liability is a
motivating factor.


Didn't mean it to sound like it was.


Yep, I understand that too.


Yep, I understand that too - I just take this approach, as it's simple,
works in all cases, reduces exposure, and is 100% certain (at least as
certain as possible to be).


Thank god for HTTP Proxy content filtering!

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On 17 May 2006 20:33:37 -0700, bughunter.dustin@gmail.com wrote:


Which means your focus is not workstations, which you probably treat
as disposable - after all, all the "real" data is on the server, and
who cares what preferences, software etc. are lost?

That approach is inappropriate when 1 PC represents the entire
infrastructure of a company or user - there's no magic server holding
the data, no well-maintained installation image, no neat little
whitelist of a handful of "approved" apps.

Do you have any idea how long it could take to rebuild such a system
to exactly the same applications, settings, preferences, etc.?


That includes removing software, given this is created by fallible
(and sometimes downright gullible) humans.


IOW, CYA.  If the client gets ripped to shreds a week later, that's
fine as long as the malware came in after you'd returned the PC.


It would be interesting to do this experiment:

1)  Take 10 MSFT employees; they can be chosen by MSFT
2)  Let each draw up a list of "all" integration points
3)  Compare the lists to see if there's > 5% variance
4)  Get another 100 MSFT employees to check the list
5)  See what % of missed integration points they add to the list

If even MS can't enumerate all possible integration points, much less
provide a "safe mode" that suppresses ALL of them, then you can safely
say we've lost control of the game   ;-)



  Tip Of The Day:  
  To disable the 'Tip of the Day' feature...

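Two posts above make the same technical point from opposite sides: Dustin Cook argues that Windows "only has so many ways to auto launch a program", and cquirke doubts that anyone can enumerate all of those integration points. An added example, written here for this page and not taken from anything posted in the thread, is the kind of first-pass inventory a cleaner would actually run: it walks the well-known autostart locations (Run/RunOnce keys, Winlogon Shell/Userinit, startup folders, auto-start services and enabled scheduled tasks), flags launchers in user-writable or temporary paths, and diffs the result against a baseline exported from a known-clean build of the same image. The registry keys, folders and cmdlets are real; the baseline file path and the flagging heuristics are assumptions chosen for the example, and the location list is deliberately incomplete, which is exactly cquirke's point. Requires Windows 8 / Server 2012 or later for `Get-ScheduledTask`.

```powershell
# Added example (not from the thread): inventory common Windows autostart
# points and compare against a known-good baseline. The location list is
# a well-known subset, not a complete enumeration.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Properties that Get-ItemProperty adds to every object; not registry values.
$IgnoredProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -in $IgnoredProps) { continue }
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-WinlogonEntries {
    # Shell and Userinit run at logon; anything appended after the stock
    # explorer.exe / userinit.exe needs an explanation.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key
    foreach ($name in 'Shell', 'Userinit') {
        [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$wl.$name }
    }
}

function Get-StartupFolderEntries {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path -File | ForEach-Object {
            [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-AutoServiceEntries {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Win32_Service'; Name = $_.Name; Command = $_.PathName }
        }
}

function Get-ScheduledTaskEntries {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip non-exec actions
            [pscustomobject]@{
                Source  = "Task:$($task.TaskPath)"
                Name    = $task.TaskName
                Command = ("$($action.Execute) $($action.Arguments)").Trim()
            }
        }
    }
}

function Get-AutostartInventory {
    @(Get-RunKeyEntries) + @(Get-WinlogonEntries) + @(Get-StartupFolderEntries) +
    @(Get-AutoServiceEntries) + @(Get-ScheduledTaskEntries)
}

$inventory = Get-AutostartInventory | Sort-Object Source, Name

# Assumed heuristics for a first look: launchers living in temp or download
# folders, or script/host interpreters used as the launcher.
$flagged = $inventory | Where-Object {
    $_.Command -match '(?i)\\(Temp|AppData\\Local\\Temp|Downloads)\\' -or
    $_.Command -match '(?i)\b(wscript|cscript|mshta|rundll32)(\.exe)?\b'
}

# Baseline file path is an assumption for this example. On a known-clean
# build of the same image this script writes the baseline; on the suspect
# machine it reports every entry the baseline does not contain.
$BaselinePath = "$env:USERPROFILE\autostart-baseline.csv"
if (Test-Path $BaselinePath) {
    $baseline = Import-Csv -Path $BaselinePath
    $new = Compare-Object -ReferenceObject $baseline -DifferenceObject $inventory `
               -Property Source, Name, Command |
           Where-Object { $_.SideIndicator -eq '=>' }
    Write-Output "Entries not present in baseline:"
    $new | Format-Table -AutoSize
} else {
    $inventory | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "No baseline found; wrote current inventory to $BaselinePath"
}

Write-Output "Entries flagged for a closer look:"
$flagged | Format-Table -AutoSize
```

The baseline diff is what makes the output usable under the time pressure Leythos describes (a machine wanted back in two hours): it reduces the review to entries that differ from the shipped image rather than every autostart on the box. It is also an honest illustration of cquirke's objection, since a persistence mechanism outside the listed locations is invisible to it, which is the gap a wipe/reinstall closes and a cleaning pass cannot prove it has closed.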
Re: Multi_VA trashed my system (Can David H Lipman please look a this)

cquirkenews@nospam.mvps.org says...

While we have a lot of servers and most customers have a server, several
of our smallest customers have only 3~5 workstations, but we're smart
enough to backup data between them or to an external device.


In our installations we would not provide a solution with the problems
you describe. Sure, there are many that have that problem, but that's
because of some idiot setting it up that way.


I've been doing this for almost 30 years, so, yes, I have a very real
understanding. Are you aware that if you don't provide clients with a
simple means to backup their data, with a means to backup their email
folders/files, etc.. that you are doing them a great disservice?


Why do you keep going around in circles, we never discussed what happens
AFTER, only the cleaning stage. In all my years of designing and
maintaining networks I've never had one of our networks compromised as
long as we managed it. I've had clients with home PC's that were
compromised that we cleaned up, installed basic security apps/methods,
locked down, and have worked with them for years without another
compromise... What's your point?


Which goes back to you just proving my point - if you want a clean
machine you need to wipe it and restore it from scratch in a clean
environment, apply all updates, etc... The machine will be legally clean
and can be returned with the expectation that it contains no malware at
that time. If the users choose to ignore the security methods you've
provided, well, you're not responsible for that, you've done what was
contracted, removed all known/unknown malware from the machine.


--

spam999free@rrohio.com
remove 999 in order to email me
