Posted by wng_z3r0--MSMVP Security on May 8, 2006, 6:17 pm
Good afternoon cquirke.
I am well aware as how system restore works. I am not talking about when
you actually use a system restore point. I assumed the reason panda_man
suggested clearing the sys restore cache was to prevent malware from
running from the sys restore folder, or what I have seen, looking for
any missing parts of the infection (assuming at least part of the
infection is active), and then regenerating the missing pieces from the
sys restore cache. Note this doesn't involve actually running the system
restore program.
As per residual damage, I have no problems with flushing the cache
*after* the computer is clean. That is what I usually do anyway.
wng
cquirke (MVP Windows shell/user) wrote:
> On Mon, 08 May 2006 05:33:03 -0500, wng_z3r0--MSMVP Security
>
>> The system restore files cannot be modified easily, as many of the API
>> calls are disabled. I'm not saying it can't be done, but 99% of malware
>> files out there today are not capable of regenerating themselves from
>> system restore.
>
> They don't have to; System Restore will do it for them, by design.
>
> After all, what SR does is restore original code files (e.g. a malware
> file deleted by an av) and integration context info such as the
> registry (so the malware file will be patched in again).
>
> Similarly, SR does not have to be written to - to get malware into SR,
> just create the malware file, create a restore point, then delete it.
> The malware will be in SR data, and the restore point will restore it.
>
> As to *running* from within SR, that's less easy unless the malware
> exploits a defective internal risk surface such as SR itself.
>
> The most common re-infection scenario goes like this:
> - av tools are installed
> - malware is cleaned
> - residual damage remains
> - user does System Restore to make things work again
> - SR fallback removes installed av tools
> - SR fallback restores malware and integrates it to run again
>
> As to "residual damage remains", consider teeners who want their KaZaA
> working again, after the cleanup nukes the commercial malware that
> KaZaA looks for before it will run... or consider the cleaning of
> "difficult" intra-file code infectors such as Magistr, where your
> existing code files may now be clean, but may not work.
>
> The effects of post-cleanup damage to code files may not be obvious,
> if the virus patches in and/or overwrites code deep in the file rather
> than at the entry point - perhaps it will only crash when you go
> Tools, Options, Advanced or File, Import or something like that.
>
>
>
> --------------- ----- ---- --- -- - - -
> Tech Support: The guys who follow the
> 'Parade of New Products' with a shovel.
> --------------- ----- ---- --- -- - - -
--
Microsoft MVP - Security 2006
http://spyware-free.us
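The procedure both posters converge on (clean first, then flush the System Restore cache so a later rollback cannot bring the malware back) can be scripted. The block below is an added example and is not code from either poster; it uses the built-in Windows PowerShell 5.1 cmdlets Get-ComputerRestorePoint, Disable-ComputerRestore, Enable-ComputerRestore and Checkpoint-Computer, and assumes an elevated prompt, a client Windows SKU, a system drive of C:, and a machine that has already been scanned clean. Disabling System Restore on a drive is what discards its restore points, which is why the step must come after cleanup and not before.

```powershell
# Added example (not from the thread): post-cleanup System Restore hygiene.
# Assumptions: Windows PowerShell 5.1 on a client SKU, run elevated,
# system drive is C:, and cleanup has ALREADY been completed and verified.

$Drive = "C:\"   # assumption: the system drive

# 1. Record the restore points that exist before the flush, for the incident notes.
#    Any of these may hold copies of files the cleanup just removed.
Write-Host "Restore points before flush:"
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, CreationTime, Description, RestorePointType |
    Format-Table -AutoSize

# 2. Flush: turning System Restore off on the drive deletes its restore points,
#    so a later rollback can no longer restore a pre-cleanup snapshot.
Disable-ComputerRestore -Drive $Drive

# 3. Turn protection back on so the cleaned state can be captured again.
Enable-ComputerRestore -Drive $Drive

# 4. Create a known-clean baseline; any future rollback now lands here rather
#    than on a snapshot that still contained the infection.
Checkpoint-Computer -Description "Post-cleanup baseline" -RestorePointType "MODIFY_SETTINGS"

# 5. Verify that only the fresh baseline remains.
$remaining = @(Get-ComputerRestorePoint)
if ($remaining.Count -eq 1 -and $remaining[0].Description -eq "Post-cleanup baseline") {
    Write-Host "Flush verified: a single clean baseline is present."
} else {
    Write-Warning "Unexpected restore point set; review before trusting a rollback."
}
```

Step 1 is deliberate: the listing goes into the incident record before the points are discarded, so the timeline of when a restore point captured the infected state survives the flush. The final check guards against the case where protection was re-enabled on a different drive or the baseline was not created, either of which would leave a user with no clean point to fall back to.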