Which drives and partitions to scan?



My computer consists of two physical drives. The master is partitioned
as C, E, F, H and I, and the slave as D and G. Is it necessary to scan
all the partitions, rather than just C? In other words, even if there
are viruses etc. in one of the non-C partitions, can they launch and
cause problems?

Re: Which drives and partitions to scan?



Ray K wrote:
[quoted text not shown]
I scan C daily and my files on G. The rest weekly, except my backups on I,
which I do monthly.

Re: Which drives and partitions to scan?





I am of the opinion that scanning is a waste of time, other than to
reassure oneself that the system is clean, as far as the AV/AM program
knows at the moment. If malware is on the system but not running, it
does no harm. As soon as it runs or is accessed in any way, it will be
dealt with the same as if it had been found during a scan. I'd be
interested to know if this logic is faulty or dangerous.

Re: Which drives and partitions to scan?




I felt the same way about scanning within archive files.

The problem there is that Java might be doing the "unzipping" in a VM
where the AV has no hooks.

Maybe something similar exists for your scheme? Malware detected in a
Java jar in a manual scan but not JIT <g> to save you in Java runtime.
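
The archive point above, as an added example that is not part of the original thread: a minimal on-demand scanner that opens a jar (a zip file), and any jar nested inside it, entirely in memory and matches each member's SHA-256 against a known-bad set. The sample jar, the hash set and every name here are constructed for illustration; a single-hash match stands in for real signature detection.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a signature database: one "known bad" member.
SAMPLE_BAD_BYTES = b"constructed-sample-payload (harmless test bytes)"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}

MAX_DEPTH = 3                          # stop descending into nested archives
MAX_MEMBER_BYTES = 16 * 1024 * 1024    # skip members declaring a huge size


def scan_archive(data, label, depth=0):
    """Return 'outer!inner' paths of members whose hash is known bad."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            body = zf.read(info)       # decompressed in memory, no file written
            path = f"{label}!{info.filename}"
            if hashlib.sha256(body).hexdigest() in KNOWN_BAD_SHA256:
                hits.append(path)
            # A jar inside a jar: recurse on the bytes, still without disk I/O.
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(body)):
                hits.extend(scan_archive(body, path, depth + 1))
    return hits


def build_sample_jar():
    """Constructed test input: a jar holding a nested jar with the bad member."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("com/example/Payload.class", SAMPLE_BAD_BYTES)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Main.class", b"constructed benign bytes")
        zf.writestr("lib/helper.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in scan_archive(build_sample_jar(), "sample.jar"):
        print("known-bad member:", hit)
```

The members are decompressed inside the reading process and never land on disk as separate files, so a hook that only watches file opens sees just the outer jar; that is the gap the post describes for a Java runtime reading a jar.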



Re: Which drives and partitions to scan?




Well true. But it is a time bomb. It is like a package of bad stuff on your
front porch. You do not want to leave it there indefinitely. You want to
put it in the garbage. Otherwise there is always the risk it will get in
your house and open up. Then you are hosed.


If definitions exist to deal with the virus/malware you should be OK.


Re: Which drives and partitions to scan?





Depends. The definitions may support the detection of the virus, but
offer no antidote. Most malware OTH are glorified trojans so deleting
them and reversing any unwanted changes they made in the registry will
usually remove them without unwanted side effects. The same cannot be said
for an actual virus.


--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh..
nudge this boulder right down a cliff." - Goblin Warrior


Re: Which drives and partitions to scan?



In general, if the virus or malware compromises the system areas, it is a
wipe and reinstall. I do not care what you experts say. You cannot be 100%
certain you know everything the virus did via the compromise.



Re: Which drives and partitions to scan?



Some malware does known and reversible things, no need to wipe and
reinstall.

Other malware introduces unknowns, necessitating that drastic step.




Re: Which drives and partitions to scan?



Would you happen to have a magic decoder ring that will tell us all
which one is which?



Re: Which drives and partitions to scan?



Yes!




Re: Which drives and partitions to scan?




| Would you happen to have a magic decoder ring that will tell us all
| which one is which?


Which of the 100's of thousands ?




--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Which drives and partitions to scan?



Yes "Which of the 100's of thousands ?" is the exact problem. How is the
normal person supposed to know when you are OK doing the manual knife and
scalpel fix versus reimage?

Right. So this is so well understood that IMHO the best course of action in
the event of compromise is reimage. And just because some kick ass ultimate
NG hero can fix it does not mean the average user looking for help here can
deal with the manual fix. For example, how many registry entries is too many
to manually ensure are fixed? I had one guy come up to me with a manual fix
from Symantec for some virus. It had dozens of manual registry entries that
needed to be addressed. We did not go that route.


Re: Which drives and partitions to scan?





I'm with you there...

What people should do is have a recent good image there, so as to make a
reimaging task the easiest route as well as the one that gives the most
confidence in return.

Otherwise, it is often easier to recover than it is to restore.



Re: Which drives and partitions to scan?





I have a word for people who are quick to wipe and reload; can you guess
what it probably is? Yes, the word is incompetent.

In many cases, the big bad virus and/or malware can be removed without
further harm to the system. Exceptions do exist and will require a
reload, but that's not the general norm. If you really wipe and reload a
system to remove.. say, antivirusxp2010; you shouldn't be anywhere near
computers. It's a non replicating trojan...


In many cases, what the virus or malware program did can be well
documented and studied on test systems; so yes, one can learn what the
malware in question did AND how to undo it.




--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh..
nudge this boulder right down a cliff." - Goblin Warrior


Re: Which drives and partitions to scan?



And in a corporate environment where you do not have time to manually remove
the big bad virus or malware? Then what?


Re: Which drives and partitions to scan?




| And in a corporate environment where you do not have time to manually remove
| the big bad virus or malware? Then what?

In a corporate environment that follows a strict IA compliance it would be a
complete wipe and re-image.

However note "re-image". Something that most enterprises practice while most
individuals do not.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Which drives and partitions to scan?



OK. I am mainly talking about the corp environment not the home environment.

:-)

Home-wise, I manually fix problems when they arise because it is in my best
interest to try to do so.


Re: Which drives and partitions to scan?



Per David H. Lipman:
[quoted text not shown]

As a home user I think re-imaging is highly under-rated for
people like myself.

Having had a teenager pounding on my boxes for a number of years,
I will re-image in a heartbeat - and have done it many, many
times.

Once one figures out how to keep from saving data to the system
partition, re-imaging becomes pretty much trivial: no
uncertainty, no decisions... and takes maybe 20-30 minutes,
depending on what one has installed since the last image....  as
opposed to virus removal - which I suspect would take at least
that long to research the proper removal tool/technique and still
not be 100% sure of success.
--
PeteCresswell

Re: Which drives and partitions to scan?



Yes your point on virus removal is 100% spot on.



Re: Which drives and partitions to scan?





That depends on the situation. I'd be asking myself in the corporate
environment how this machine was compromised in the first place and take
steps to prevent that from happening again. Being as it is a corporate
computer and shouldn't have user personal data or anything on it, I'd
resort to a known clean image. I should have one readily available if it's
a corp machine.

In any event, before wiping and reloading; I'd want to know how the machine
was compromised, it's important. :)

 
IMO, taking a wipe and reload approach to all situations is akin to using a
shotgun for target shooting.



--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge
this boulder right down a cliff." - Goblin Warrior

