Then I would like to recommend SARDU.
You can download all the antivirus ISOs from the various antivirus vendors -> http://www.sarducd.it/antivirus.html and put them on a USB stick, or burn the ISO to DVD using SARDU -> http://www.sarducd.it/downloads.html
SARDU has an update feature and multiple antivirus vendors release free downloadable ISOs. When you boot into one of these antivirus images, some of them have an update feature as well. The drawback is that you can only choose one at a time.
You can also tweak and incorporate the secure2k boot CD into it: https://community.mcafee.com/thread/6923
Message was edited by: obelicks on 10/14/10 10:02:47 AM MYT
Scanning the c drive remotely won't pick up threats in memory and may well reduce performance considerably
If you setup a memory scan to scan periodically during the day, then have a query on your dashboard to show all detections via memory scan for the last day.
That will give you good information.
You can use various tools to clean machines, such as starting off with rkill, tdsskiller, rootkit revealer/gmer/blacklight, malwarebytes, superantispyware, etc. etc., run from safe mode.
Let's face it: if machines get infected, users are going to get interrupted. Or you back up the data and reimage the machine, depending on which takes less time and resources.
on 14/10/10 03:35:13 CDT
All: decided to license a few workstations' worth of Trend's workstation antivirus and do the remote file scanning for this second-opinion use. Thanks for all the feedback!
@obelicks - thanks for the link to Sardu--that does look like an excellent resource for standalone machines to run and map a drive remotely for scanning or when you can reboot to a CD image. I'll definitely check that out.
jmcleish, thanks for the response as well. Totally agreed that such scanning misses memory which can definitely be the only harbinger to infection for threats that don't touch the disk for any persistence. In my use case here, we'd already have run mcafee including a memory scan on the machine, and it'd have been reboot since prior detections. Just having something remote to check out the disk's contents therefore is the thought.
But I'd never thought of scheduling on-demand scans of "memory for rootkits" and "running processes" only during the day... that actually sounds like a hell of a good idea. What schedule do you use in your environment and how many nodes? Is there a noticeable performance impact to users or is it pretty transparent?
Hello,
Maybe you could approach this from a different angle and build a process for how to deal with suspicious behaviour on a target system. In my opinion, scanning using tools from different AV vendors, especially for new threats, will always return either nothing or false positives from generic/behaviour drivers.
The process to deal with suspicious activity on a particular system is different depending on what's been reported. Here is a list of tools to help you dig for malicious code in most cases:
- Process Explorer
- Process Monitor
- TCPView
- HiJackThis
- McAfee CommandLine Scanner v6
- WireShark
...the list goes on.
Each tool serves a different purpose. In most cases they should be combined to help you get at that malicious EXE, DLL, etc. You can submit the file(s) to virustotal.com and then to AVERT Lab for further analysis. In the intervening time, make use of Access Protection rules to contain the threat.
With regard to systems never being the same after infection and cleaning, it's a result of the damage done by the malware. If a virus or trojan corrupts a certain part of the system, most cleaning logic includes restoring deleted registry keys, modified files, etc., but some doesn't. In some cases the damage is too great for an AV to recover from, and it becomes a data recovery job, where a good backup can be used.
In cases where an infection has persisted for a long time with threats such as FakeAlert or a bot, my advice is to re-image the system, because you will never know what's been left behind, or it may not be worth your time to investigate. Luckily, it's not that bad most of the time.
HTH,
Redouane
All good advice, and part of what we'll do on certain hosts, I'm happy to report. The variable is time, of course. 🙂 So, I wouldn't look at that as a different angle so much as a complementary one.
In many cases, you get one detection or two that look like they got handled, a follow-up VSE scan comes back clean, but you still have some suspicions. Being able to remotely scan a machine out of band with another scanner would be another due-diligence feather in the cap that both doesn't require much technician time and is a highly repeatable automated process.
The more I think about this, the more I want to stand up a dedicated virtual machine that does nothing but get used to remotely mount drives of suspect systems and scan them with a competitor's product.
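The remote-mount-and-scan workflow described in this post, written out as a PowerShell script for the dedicated scanning VM. This is an added example, not code from the thread or from any McAfee or Trend tool. It assumes (hypothetically) that the suspect host exposes its C$ admin share, that the VM runs under a dedicated account that is local admin only on the hosts it scans (not a domain admin, since the VM is authenticating to a possibly compromised machine), and that `$ScannerPath` / `$ScannerArgs` point at whatever licensed command-line scanner you choose; no vendor-specific switches or exit-code meanings are assumed.

```powershell
<#
  Added example (not from this thread): a repeatable "second opinion" disk
  scan of a suspect host from a dedicated scanning VM.
  Hypothetical assumptions: the suspect host exposes C$, this VM runs under a
  dedicated account that is local admin only on scanned hosts, and
  $ScannerPath / $ScannerArgs are your chosen command-line scanner and its
  switches (no vendor-specific flags or exit codes are assumed here).

  Usage: .\Invoke-SecondOpinionScan.ps1 -SuspectHost ws-042 `
             -ScannerPath 'C:\Tools\scanner.exe' -ScannerArgs '/log','/all'
#>
param(
    [Parameter(Mandatory)] [string]$SuspectHost,
    [Parameter(Mandatory)] [string]$ScannerPath,
    [string[]]$ScannerArgs = @(),
    [string]$LogDir = 'C:\SecondOpinionScans',
    [string]$DriveLetter = 'Z'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$logFile = Join-Path $LogDir "$SuspectHost-$stamp.log"
$stdout  = Join-Path $LogDir "$SuspectHost-$stamp.scanner.txt"
$share   = "\\$SuspectHost\C`$"
$root    = "${DriveLetter}:\"

# Timestamped log line, written to the run log and echoed to the console.
function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    $line | Tee-Object -FilePath $logFile -Append
}

Write-Log "Mapping $share as $root"
try {
    # -Persist creates a real mapped drive letter, so a native scanner .exe
    # (which knows nothing about PowerShell providers) can see the path.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $share -Persist | Out-Null

    # Hand the scanner only the mapped root plus the caller-supplied switches;
    # capture its console output to a per-run file for later review.
    $proc = Start-Process -FilePath $ScannerPath `
                          -ArgumentList (@($root) + $ScannerArgs) `
                          -Wait -PassThru -NoNewWindow `
                          -RedirectStandardOutput $stdout

    Write-Log "Scanner exit code: $($proc.ExitCode) (meaning is vendor-specific; see $stdout)"
}
finally {
    # Always drop the mapping, even if the scanner fails or is interrupted,
    # so a suspect host's share is never left attached to the scanning VM.
    if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveLetter -Force
    }
    Write-Log "Unmapped $root. Disk-only scan complete; memory and running processes on $SuspectHost were not inspected."
}
```

Two design points follow from the rest of the thread: the closing log line records explicitly that this is a disk-only check, since jmcleish's point about in-memory threats still applies, and the `finally` block guarantees the share is unmapped so the scanning VM never keeps a standing connection to a host that is under suspicion.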
Also have a look at GetSusp https://community.mcafee.com/groups/getsusp30-beta-feedback
It's still in Beta, but is very promising. I have been able to find some active threats using the tool.
@Regis: You might want to check Multi-AV which can be obtained here -> http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html (Scroll down, the link is at the very end of the page)
Cheers,
Markus
Message was edited by: mikesierra on 10/13/10 9:06:54 AM CDT
Hi Mike, thanks for the response. David Lippman's multi_av.exe is something I've used in the past on personal boxes, and is actually somewhat the motivation for the question (what a great concept -- 4 command line scanners built into one!). On the downside though, its trustworthiness is an issue (the source code's never been published as far as I know), and its legality with respect to copyright and licensing is unfortunately specious at best. There has never been a terribly stable home for that tool over the many years I've been following it, and I suspect that may be mostly due to copyright infringement and cease and desist activity. It's now hosted in Switzerland. But, boy do I wish there was a tool like that that was legit, vetted and useful in a corp environment.
But I may need to revisit the most current version on a test box and attach an http proxy to it and see what it's grabbing and from where, since as I recall, it's just pulling down the latest versions of several free command line scanners. Potentially grabbing one of those 4 scanners and using that as my 2nd opinion command line scanner might do the trick.