Catch up with high-end malware?

Protect the system in front of the 'wicked confidant pair' worm and virus that requires a thorough examination of the drive.

Businesses are still looking for a more effective way to battle against malware like viruses, Trojans and bots. Regrettably, the 'black hat' programmer continues to constantly mix more dangerous new codes. Therefore companies also need to update more security weapons and new protection plans.

Viruses are often edited from legitimate host codes and distributed via e-mail or instant messages. They are more difficult to write than worms and Trojans, because writing the virus code is a must to be destructive, making new editing files undamaged.

Microsoft Windows and Windows File Protection (introduced for the first time as System File Protection in Windows Me) protect about 99% of system files by default with unknown edits. If a virus modifies the given file, Windows will replace the corrected copy with a healthy copy within a few seconds.

The upcoming Windows Resource Protection of Windows Vista is even better upgraded, protects more files and prevents editing from the start. In response to this measure, most malware programs today create new files in their destructive activity.

Wanting to remove the virus requires removing each of them from infected files, often more difficult than just discovering them as the usual anti-viurus programs do.

As for worms, bots, spyware, and Trojans are different. Simply define and remove new independent poisoning files. I regularly use the Autorun function of Sysinternals or SilentRunner.vbs to determine the location and type of unknown programs. Within half a century ago, with most known viruses, malware removal became easy, unless the computer was attacked by a rootkit program.

But now, a bunch of new worms appear that complicate the identification process, like Downloader.Agent.awf. Known as spawner or twin, these worm (and virus) pairs will modify the environment of the infected computer. When the system tries to execute a legitimate file, the malicious file will run first.

After the execution, the Download.Agent.awf malware program reads the HKLM registration code (or HKCU) of the infected computer to identify previously installed programs. Then copy the original executable program to a new area and replace the original file with the copy file to rename the worm. When the computer executes the Run registry key, it will run the replacement program pair, then continue to the original program.

This makes the detection and removal program complicated. The worms will appear as previously known or as a commonly installed executable program is commonly recognized. So when looking for malicious code, you can't simply trust the file name and storage area. You must verify each integrity hash function in the file before a harmless copy or a known value.

With the reappearance of malware pairs and the growing threat of rootkit Trojans, legal investigators need to carefully examine suspiciously infected computers with out-of-band methods (such as boot openings). for example) and verify the integrity of all installed programs.

To be more honest, any personal computer security program should really have an extended backup plan attached. But when most malware doesn't do this, it's easy to become lazy with shortcuts.

I often use boot Linux disks (like Live distros) to perform out-of-band tests. My favorite boot disk today is Live distros, for legal analysts like Ubuntu, Knoppix, and BackTrack.

But Linux Live distros cannot run Windows 32-bit software to check the legality of a Windows computer. Also, although they can often read NTFS partitions, but most cannot be written (such as removing a malware program, disabling the operation of a service or automation mechanism .). They don't even understand many Windows extensions (like EFS, Compression, etc.). In many cases, it is very difficult to quickly boot a 32-bit Windows shell out-of-band to do some cheating.

Microsoft corporate customers with the software reinsurance mechanism already have the Windows Preinstallation Environment (WinPE) from Windows XP. The original purpose of this program is to support quick installation of the operating system. WinPE and 'command line' interface become interesting insiders in the form of checking out-of-band in poisoned systems. Windows Vista has WinPE 2.0, an extended member of the WinPE family with a nice Windows 32 bit GUI interface, supports Windows API and a read and write mechanism for NTFS, network login mechanism, drive control, and can run on most Windows programs. Unfortunately, these extensions are only available in Windows Vista.

There is now a better product called BartPE. BartPE Builder can help you create all Windows out-of-band boot images. When installing, the program will search your hard drive first to install the file. Each time you find the program, you will use it to build a new boot image. BartPE Builder can create an ISO image or take photos directly to a CD or DVD.

It is a full 'weak' version of Windows. Although it comes only before installing with a test program group (called a plug-in), you can add any latest legality or add the test program you like. Photo of Chris BartPE, who supports the author of this article, has 13 installed antivirus products, 6 anti-spyware programs and 20 integrity tests, both RootkitRevealer and rootkit checker program and Blacklight nearly 100 another show. When you need to check the legitimacy of a system, you can boot the optional BartPE CD and everything you need is in a GUI menu. You can manually create your own customized BartPE with The most useful function.

However, when you do this, you will find that the simpler auto-run file checking is less reliable. Consider using BartPE to build the ultimate Windows toolkit checker for you.