Re: Multi_VA trashed my system (Can David H Lipman please look a this) - Page 4


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

kurtw@sympatico.ca says...
Quoted text here. Click to load it

Well, if it's a case of "Do your best to rid my machine of malware",
then I have no issues cleaning it. Now that you've made that clear, I
have no issues with it, knowing that something could be missed that
neither you or I might be able to detect.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)


kurt wismer wrote:

Quoted text here. Click to load it

I have no clue how one would deem a machine certifiably clean short of
writing all the firmware, software, etc. themselves and having that
subjected to intense peer review....

Realistically, this isn't possible.

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

bughunter.dustin@gmail.com says...
Quoted text here. Click to load it

Contact an attorney and see what is required for your comfort level, I
have, and I've already posted it here.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)


kurt wismer wrote:

Quoted text here. Click to load it

Didn't we have a similar discussion here years ago?

Quoted text here. Click to load it

With new stuff coming every day it seems. :) We're not allowed to claim
the machine is 100%. We specifically state it's been cleaned of all
known malware, i.e. known either to us or to the various applications we
use. Today for example, several of our applications missed another
vundo (winfixer) variant. It's been added to bughunter to help others
remove the pesky critter.

We can't claim 100% clean in any case. You simply can't claim that.
Even with shrinkwrap software, there's a risk. As for this mass patching
routine some seem to employ, I wonder how many research those patches
before putting that machine back in service. Some MS patches don't
react well with some software packages. If you just go patching and
making it "up to date", you really risk breaking apps the client may
use.

A good example is a patch Microsoft recently released which broke
certain HP software configurations. This resulted in some wonderful
errors...
Here's the article ID: 918185. The items affected:

Any HP deskjet with a card reader
HP scanners
some HP cd-rw and dvd-rws
some HP cameras.

It's part of the security update #908531. You cannot just patch, patch,
patch; some patches break stuff.

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On 19 May 2006 08:09:08 -0700, "Dustin Cook"

Quoted text here. Click to load it

Hmm. Seems to me the way out of that problem for repair techs is to
first note the update level of a PC and if reformat/reinstall is
required, only install updates to the original level. But then that
has the problem that it might have been patching ills that brought
the PC into your shop. You can't win :)

I wonder how many users update and patch. I wonder how many repair
techs update and patch customer's PCs.

Are you implying that you don't update and patch?

Art
http://home.epix.net/~artnpeg


Re: Multi_VA trashed my system (Can David H Lipman please look a this)


Art wrote:

Quoted text here. Click to load it

Any good tech will do research to see what's going on with the machine
before doing anything to it. Techs who are quick to reformat/reinstall
aren't really techs, they're monkeys.

Quoted text here. Click to load it

We patch and update, of course. We also monitor which patches are
causing what issues based on the software already present on the
machine. But we don't go willy-nilly and apply all the patches without
checking to make sure they're kosher with the software already present
on the machine. Yes, it takes more work this way, but the computer runs
better.

Quoted text here. Click to load it

Did I say I didn't? I believe what I said was, techs who go patch patch
patch without checking the box are the ones who cause problems.

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On 19 May 2006 09:44:45 -0700, "Dustin Cook"

Quoted text here. Click to load it

You didn't say you did either, which is why I asked.

Art
http://home.epix.net/~artnpeg


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On that special day, Dustin Cook, (bughunter.dustin@gmail.com) said...

Quoted text here. Click to load it

The problem is that the line between good and bad, wanted and unwanted,
is a *very* thin one.

There is software that not everybody wants on his/her machine,
although its presence is legal. It might even be just a
(mis)configuration that causes issues. If you remove it, you break a law;
if you leave it there, your customer says you failed to keep your
word. I mean things like the Sony XCP program, or Alpha DVD.

How do you explain to a customer that his/her machine is free from
nasties, if the printer driver phones home and the desktop search
application opens their database to the world (see Google Desktop)?

http://www.gartner.com/DisplayDocument?doc_cd=137896

What will their lawyers say?


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Multi_VA trashed my system (Can David H Lipman please look a this)


Gabriele Neukam wrote:

Quoted text here. Click to load it

Seems to be user judgement tho. :(

Quoted text here. Click to load it

I'm aware of both scenarios, having done the manual removal a few times
of Sony's product...

Quoted text here. Click to load it

We explain to the customer what we did, what they need to do, and what
remains on the computer that they elected to install. For example, the
google desktop. We inform the customer of the risks of using it, and
they make the final decision. We can lead a horse to water, but short
of drowning him, we can't make him drink it.
 
--

Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On 17 May 2006 11:25:18 -0700, "Dustin Cook"
Quoted text here. Click to load it





Well, that's the point - if you can't be sure you've cleaned all the
malware, you don't know what types of malware may remain.

In the absolute sense, Leythos is correct when he balks at certifying
a cleaned system as clean.  Where he's wrong is (by the same absolute
standards) considering a wiped and rebuilt PC as (staying) clean.

The fact that a malware (i.e. any kind of unwanted sware) is present,
means whatever defenses that system had, have failed.  If they failed
once to let one malware through, they may have failed a number of
times to let a number of malware through.  

And if they failed before, then putting up a freshly-setup system is
as likely to fail again - particularly as a freshly-installed
installation is unpatched and vulnerable.

Quoted text here. Click to load it

I'd prefer a cleaned system to a fresh duhfault install that has to be
patched via the 'net in the face of incoming attacks.  If the stakes
were high enough, I'd keep the original HD out of the box for offline
forensics while a fresh build is deployed in the meantime.

Quoted text here. Click to load it

How do you know what you're dealing with, if all your scanners etc.
have to run from the infected OS?

How do you know a fresh build will stay clean, if you have to go
online while unpatched to get patches?

How do you know a fresh build stays clean, if you restore a "data
backup" that contains IE downloads, incoming MS Messenger attachments
and incoming email attachments hidden in the mailboxes?

So yes, Leythos; there's uncertainty in cleaning systems.  But "just"
wiping and starting over does not dispel that uncertainty.

To be near-absolutely sure of being clean in mid-2006, you'd need:
  - an up-to-date off-system set of checksum data for every code file
  - ability to examine and suppress every integration point
  - off-HD maintenance OS to run all of the above

In practice, maintaining an up-to-date database of code checksums is
tricky, because of the "version creep" effect of incessant patching.

Most of us don't whitelist all code files, nor maintain comparison
data to generically detect trojan replacement or intra-file infection.
Instead, we use a variety of av scanners that look for known bad guys.
These, plus scanners for commercial malware, debulk the more common
stand-alone malware files that rely on explicit integration, and then
we use HiJackThis or similar to check the common integration points.

Quoted text here. Click to load it

Absolutely - it's as useless as advice to "just" do backups.



Quoted text here. Click to load it
  Tip Of The Day:  
  To disable the 'Tip of the Day' feature...
Quoted text here. Click to load it
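The "off-system set of checksum data for every code file" that cquirke lists above, and the "version creep" problem he raises with it, as an added example that is not part of the thread and not any poster's tool. This is a small Python script of mine: it records a SHA-256 digest for every code file under a tree, compares a later snapshot against that baseline, and then separates changes whose new digest appears on an approved list (as a vendor patch would publish) from changes nobody can account for. The directory layout, file contents, and the approved digest list are all constructed inside the demo; no real system files are involved.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"
CODE_SUFFIXES = (".exe", ".dll", ".sys")  # assumption: what counts as a "code file"


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex digest of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=CODE_SUFFIXES) -> dict:
    """Walk `root` and map each code file (relative POSIX path) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes:
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: modified (replacement or intra-file change), added, missing."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def triage(report: dict, current: dict, approved: dict) -> dict:
    """Handle version creep: a modified file whose new digest is on the approved list for
    that path (e.g. shipped with a known patch) is an expected update; anything else stays
    in 'modified' and needs a closer look from the maintenance OS."""
    expected, unexplained = [], []
    for path in report["modified"]:
        if current[path] in approved.get(path, set()):
            expected.append(path)
        else:
            unexplained.append(path)
    return {**report, "expected_update": expected, "modified": unexplained}


def demo() -> dict:
    """Constructed scenario: baseline a fake tree, then patch one file legitimately,
    replace another without explanation, drop a new binary, and remove an old one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "sys").mkdir()
        (root / "app" / "main.exe").write_bytes(b"MZ main v1")        # unchanged
        (root / "app" / "helper.dll").write_bytes(b"MZ helper v1")    # will be patched
        (root / "sys" / "driver.sys").write_bytes(b"MZ driver v1")    # will be replaced
        (root / "sys" / "old.sys").write_bytes(b"MZ old v1")          # will disappear
        (root / "readme.txt").write_text("not code, ignored by the baseline")

        store = root / "baseline.json"  # in practice this lives OFF the system being checked
        save_baseline(build_baseline(root), store)

        # Version creep: a vendor patch replaces helper.dll and (constructed) publishes the digest.
        (root / "app" / "helper.dll").write_bytes(b"MZ helper v2 (patched)")
        approved = {"app/helper.dll": {hash_file(root / "app" / "helper.dll")}}

        # Changes nobody approved: a replaced driver, a new binary, a vanished file.
        (root / "sys" / "driver.sys").write_bytes(b"MZ driver replaced")
        (root / "app" / "dropper.exe").write_bytes(b"MZ dropper")
        (root / "sys" / "old.sys").unlink()

        current = build_baseline(root)
        return triage(compare(load_baseline(store), current), current, approved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as the place it is kept and the OS that computes it; run `build_baseline` from the maintenance OS cquirke describes so a rootkit on the examined system cannot edit what the walk sees. The approved-digest list is what turns routine patching from a flood of alerts into a short list of unexplained changes.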

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

cquirkenews@nospam.mvps.org says...
Quoted text here. Click to load it

I have no misconceptions of a machine, one that I've wiped and
reinstalled, staying clean in the hands of a non-technical type. I've
managed to keep my own machines free of malware for the almost 30 years
I've been using computers (yea, malware has not really been around that
long).

Legally, the only thing that matters, if you are providing a
certification of a machine being clean, is that it was clean by all
standards when given/returned to the customer.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)


cquirke (MVP Windows shell/user) wrote:

Quoted text here. Click to load it

I'm not entirely sure in all cases the defenses have failed. You can't
build an impenetrable workstation or server. :) When I was writing
malware, defense systems in place didn't necessarily fail; it was brand
new unknown code to them. The computer did as it should do, followed
the instructions inside. It's not possible to build a proactive malware
defense system that is going to catch everything. Being as much of what
we call malware is really just a trojan that is accessing the internet
without the user's knowledge, how do you anticipate what all of those
could look like?

Even shrinkwrapped software has been known to carry something with it,
and up-to-date virus/other defenses at the time missed it.

Quoted text here. Click to load it

Extremely so.


It would seem you and I are interested in preservation, not outright
destruction. :)

Quoted text here. Click to load it

Cquirk, how long have we been preaching booting clean for this very
reason? Even so, the scanner can only find what it knows about.

Quoted text here. Click to load it

Not only this, it trashes everything on the workstation. I don't know
about your clients, but this would be lost hours of productivity while
software and data are reloaded. Not to mention server links
re-established, and reconfiguration on the workstation to talk to the
server and associated services.

Quoted text here. Click to load it

Very true.

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On 20 May 2006 18:06:59 -0700, "Dustin Cook"
Quoted text here. Click to load it



Oh, they've failed alright - the presence of active malware is about
as eaten a pudding as you can get, when it comes to proof  :-)

Big view: "Defences" are everything done to avoid infection, and the
other half of the equation is exposure.  Weak defences may succeed if
(or rather, while) exposure is low.  I appreciate that no defences are
100%, but where exposure is successful, you need to patch whatever
missing 1% facilitated the attack's success.

For example, the weakness may be a single user who "opened" an emaul
attackment because it's "from someone they know".  Or it might be a
3rd-party app that exposes an unpatched GDIPlus.dll to JPG attack.

Quoted text here. Click to load it

The big-view of "defence" would never restrict itself to black-list
identification, i.e. "virus scanning".  That's the "goalie of last
resort", i.e. most offensive play should be stopped long before it
gets that far up the field towards the goal posts.

And yes, allowing malware to get so close that only the av is left to
block it, is a failure of your defences.

Quoted text here. Click to load it

It's not a matter of "catching", it's managing risk so that:
  - unwanted risks are not taken
  - wanted risks are assessed before being taken
  - risks should not misrepresent the level of risk they actually are

Quoted text here. Click to load it

You don't - you manage risk instead.  That's a looong post  :-)

Quoted text here. Click to load it


Yep.


Formal use of a mOS also facilitates unfettered (i.e. unedited by
rootkit) assessment of integration points and manual management of
files by the hairy eyeball (e.g. de-bulking Temp and TIF).

Quoted text here. Click to load it


Quite.  You're still finding "new" breakages 6 months later.



Quoted text here. Click to load it
  Tip Of The Day:  
  To disable the 'Tip of the Day' feature...
Quoted text here. Click to load it

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Betina wrote:
Quoted text here. Click to load it

I've had no problem using it. It identified two of my files as trojans,
as expected (they're not, but every antivirus program I've tried flags
them anyway). It did nothing harmful to my system, and it did nothing
that I did not ask it to do.

rl
--
Rhonda Lea Kirk

Never underestimate the power of human stupidity.
                                 Robert A. Heinlein



Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Rhonda Lea Kirk wrote:

I've had no problems running it and ALL the scans; it has found the odd
rogue file and deleted it.

--
Keith (Southend)
http://www.southendweather.net

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Quoted text here. Click to load it

Pcbutts1 said, in another group, that he's betina and posted the above
reply. So, since he hates David, you all know how much weight his
postings about the multi-av tool carry.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Leythos wrote:
Quoted text here. Click to load it


Ah, another name for the killfile!

--
Cheers,

Quilly

Sorry, but an individual reply goes into my spam filter



Re: Multi_VA trashed my system (Can David H Lipman please look a this)

flightsim@yahoo.co.uk says...
Quoted text here. Click to load it

The problem is that with all his name shifting, KF'ing his different
names, many actually KF a valid name at some point.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On Tue, 16 May 2006 12:09:04 +0000, Leythos wrote:

Quoted text here. Click to load it

A while back I killfiled you inadvertently. It took me about four or five
days to realize my mistake when I failed to see your posts. All of this
troll nonsense just disrupts the group, which is their aim in the first
place. Trolls should be rigorously plonked. There is no excuse for feeding
a troll.



Re: Multi_VA trashed my system (Can David H Lipman please look a this)

James E. Morrow wrote:
Quoted text here. Click to load it

I just wish Thunderbird had newsgroup plonking built in. I eagerly
await the day I can killfile some of these dickheads...

bob
