Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: Knitebane
The only way to clean a compromised system is to flatten and rebuild.

Depending on what you mean by compromised, I could agree. But all the machines I have any control over have up-to-date anti-virus, anti-spyware, and the latest patches. The internet is accessed through a hardware firewall with all incoming ports blocked.

The cases where I had to reinstall were not successfully infected. Basically the duel between the protective software and the attempt to install malware resulted in an unbootable machine.

55 posted on 02/02/2009 3:00:38 PM PST by js1138
[ Post Reply | Private Reply | To 54 | View Replies ]


To: js1138
But all the machines I have any control over have up-to-date anti-virus, anti-spyware, and the latest patches.

Matters not one bit.

Once a system has been compromised, unless you are running (and properly running) a file verification system like Tripwire, ALL files on the machine are now suspect.

Detection software only catches stuff that is well known. J. Random Attacker may not use well-known exploits. He might use a well-known trojan to install something he wrote, in which case all of your third-party software won't do a thing to detect it.

The internet is accessed through a hardware firewall with all incoming ports blocked.

How about outbound ports? Are you aware of how a botnet works?

The bot software gets installed on a machine. It can be by trojan or worm. The bot software sits there quietly and then contacts a server on the Internet. That's how it gets its instructions. Many of them are spam bots. They download a list of addresses and spam messages and start sending spam out.

The bot gets controlled not by someone sending messages to the bot, but by the bot communicating outbound.

Unless you are blocking outbound traffic, and snooping the outbound traffic with an intrusion detection system, a firewall that only blocks inbound traffic does little to help.

Bottom line, once a machine has been infected you can never be sure you got everything. And much of the new malware isn't like the old stuff. It doesn't bother the user and it doesn't hog up your bandwidth. It's quiet and unobtrusive. It joins up with millions of its brothers and that's where the power comes from.

Just "cleaning" the systems is insufficient. And it's not just me saying that. Wipe and reinstall is industry best practice for a reason.

59 posted on 02/04/2009 9:03:35 AM PST by Knitebane
[ Post Reply | Private Reply | To 55 | View Replies ]
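The outbound-traffic point made above (a bot is controlled by connecting out to its server on a timer, so only an egress policy plus inspection of outbound connections will expose it) can be shown on firewall logs. The script below is an added example, not code from either poster: it parses a constructed, hypothetical outbound-connection log format, lists the connections a restrictive egress policy would have blocked, and flags flows whose connection intervals are nearly constant, which is what a bot polling its controller looks like. The IP addresses, ports, timestamps and the allow-list policy are all made up for the example.

```python
"""Outbound-connection review: egress allow-list check plus beacon detection.

Added example. The log format, addresses, ports and policy are constructed
for illustration and do not come from any real firewall or network.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound firewall log (hypothetical format):
#   <ISO timestamp> OUT <src_ip> -> <dst_ip>:<dst_port>
# 192.168.1.21 contacts one host on port 6667 roughly every five minutes;
# 192.168.1.20 is ordinary web browsing plus one stray SMTP connection.
SAMPLE_LOG = """\
2009-02-04T09:00:00 OUT 192.168.1.20 -> 203.0.113.10:80
2009-02-04T09:00:05 OUT 192.168.1.21 -> 198.51.100.7:6667
2009-02-04T09:00:31 OUT 192.168.1.20 -> 203.0.113.10:443
2009-02-04T09:01:02 OUT 192.168.1.20 -> 203.0.113.10:443
2009-02-04T09:04:50 OUT 192.168.1.20 -> 203.0.113.10:443
2009-02-04T09:05:07 OUT 192.168.1.21 -> 198.51.100.7:6667
2009-02-04T09:10:04 OUT 192.168.1.21 -> 198.51.100.7:6667
2009-02-04T09:12:44 OUT 192.168.1.20 -> 203.0.113.55:25
2009-02-04T09:13:10 OUT 192.168.1.20 -> 203.0.113.10:443
2009-02-04T09:15:06 OUT 192.168.1.21 -> 198.51.100.7:6667
2009-02-04T09:20:05 OUT 192.168.1.21 -> 198.51.100.7:6667
2009-02-04T09:21:00 OUT 192.168.1.5 -> 203.0.113.55:25
this line is deliberately malformed and must be skipped
"""

# Hypothetical egress policy: workstations may reach the web directly;
# only the mail relay (192.168.1.5) may open SMTP connections outbound.
ALLOWED_PORTS = {80, 443}
ALLOWED_PORTS_BY_HOST = {"192.168.1.5": {25}}

LINE_RE = re.compile(r"^(\S+) OUT (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def egress_violations(events):
    """Connections that an outbound-filtering firewall would have blocked."""
    blocked = []
    for _ts, src, dst, port in events:
        allowed = ALLOWED_PORTS | ALLOWED_PORTS_BY_HOST.get(src, set())
        if port not in allowed:
            blocked.append((src, dst, port))
    return blocked


def beacon_candidates(events, min_connections=4, max_jitter=0.1):
    """Flag (src, dst, port) flows whose gaps between connections are nearly
    constant: relative spread of the gaps (pstdev / mean) at or below
    max_jitter. Returns [((src, dst, port), mean_gap_seconds), ...]."""
    flows = defaultdict(list)
    for ts, src, dst, port in events:
        flows[(src, dst, port)].append(ts)
    hits = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg)))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("egress policy violations:")
    for src, dst, port in egress_violations(evts):
        print(f"  {src} -> {dst}:{port}")
    print("periodic outbound flows (possible bot check-ins):")
    for (src, dst, port), gap in beacon_candidates(evts):
        print(f"  {src} -> {dst}:{port} every ~{gap}s")
```

On the constructed log the policy check lists every port-6667 connection and the stray SMTP connection from the workstation, while the mail relay's SMTP connection passes; the interval check flags only the port-6667 flow (about 300 seconds apart), and the irregular browsing to the web server is not flagged even though it exceeds the minimum connection count. Real beaconing is often jittered on purpose, so the jitter threshold is a tuning knob, and the allow-list check is the part that needs no tuning at all: a host with no business reason to talk on a port should not be able to.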
