#76
SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Fri, 16 Apr 2004 16:19:40 -0400, "Rocket J. Squirrel"

> Interesting sig ("Running Windows-based av..."). Could you explain why you feel that way?

Basically, whichever code runs first has the potential to assert "air superiority", i.e. is in a position to block other code from running, monitor its files and threads to detect attempts to kill itself, and take punitive action, e.g. a "poison-pill" effect.

There are two easy ways for malware to take countermeasures against antivirus software. The first - which is routine these days - is to watch for known av process names. It's a little bit like a virus scanning for antivirus software, and a lot easier for the malware to do - given there are far more viruses (that the av successfully looks for) than there are antivirus programs for the malware to look for.

The second is to be self-aware, i.e. to watch the malware's own startup and integration settings and files. If these vanish, it can re-assert them, or take revenge. Some malware spawn multiple threads, which watch each other; when one thread is terminated, the other acts.

For this reason, it's safest to detect the malware while it is not active. As you don't know where in the HD the malware has patched in (that's what you are scanning to find out), it's best to run no code off the HD at all. Then you *know* the malware's inactive and it's safe to identify it, if not necessary to delete it. You also have more confidence that a negative result doesn't just mean the malware has found a way to hide itself via some runtime duck and jive. Once you know what you are dealing with (and can believe the results), you can look up reference info on the malware to see whether it's safe to clean it, or whether particular caveats apply.

Trouble is, there's no maintenance OS for NTFS - the only OS that can read NTFS without any compatibility FUD is NT, and NT can only run from the ?infected HD.

MS has what could be a maintenance OS (the PE disk) but it's so tightly held that techs who need it can't get it, and with such a tiny market, av vendors won't write products to run from it. Bart's PE builder is an alternative, but once again it's an uncertain market for av vendors to develop for.

"cquirke (MVP Win9x)" wrote this sig:
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -
#78
SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

Perhaps you should alert the folks at Symantec (for example). According to you, they've completely missed the boat. I've been using Norton AntiVirus since 1997 and never once has my computer been infected. Talk about a string of luck!

Rocky

"cquirke (MVP Win9x)" wrote in message ...

> On Fri, 16 Apr 2004 16:19:40 -0400, "Rocket J. Squirrel"
>
> > Interesting sig ("Running Windows-based av..."). Could you explain why you feel that way?
>
> Basically, whichever code runs first has the potential to assert "air superiority", i.e. is in a position to block other code from running, monitor its files and threads to detect attempts to kill itself, and take punitive action, e.g. a "poison-pill" effect.
>
> There are two easy ways for malware to take countermeasures against antivirus software. The first - which is routine these days - is to watch for known av process names. It's a little bit like a virus scanning for antivirus software, and a lot easier for the malware to do - given there are far more viruses (that the av successfully looks for) than there are antivirus programs for the malware to look for.
>
> The second is to be self-aware, i.e. to watch the malware's own startup and integration settings and files. If these vanish, it can re-assert them, or take revenge. Some malware spawn multiple threads, which watch each other; when one thread is terminated, the other acts.
>
> For this reason, it's safest to detect the malware while it is not active. As you don't know where in the HD the malware has patched in (that's what you are scanning to find out), it's best to run no code off the HD at all. Then you *know* the malware's inactive and it's safe to identify it, if not necessary to delete it. You also have more confidence that a negative result doesn't just mean the malware has found a way to hide itself via some runtime duck and jive. Once you know what you are dealing with (and can believe the results), you can look up reference info on the malware to see whether it's safe to clean it, or whether particular caveats apply.
>
> Trouble is, there's no maintenance OS for NTFS - the only OS that can read NTFS without any compatibility FUD is NT, and NT can only run from the ?infected HD. MS has what could be a maintenance OS (the PE disk) but it's so tightly held that techs who need it can't get it, and with such a tiny market, av vendors won't write products to run from it. Bart's PE builder is an alternative, but once again it's an uncertain market for av vendors to develop for.
>
> "cquirke (MVP Win9x)" wrote this sig:
> -------------------- ----- ---- --- -- - - - -
> Running Windows-based av to kill active malware is like striking a match to see if what you are standing in is water or petrol.
> -------------------- ----- ---- --- -- - - - -
#80
SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

> I've been using Norton AntiVirus since 1997 and never once has my computer been infected. Talk about a string of luck!

That's what you'd expect a good av to do - *prevent* malware from going active by detecting and killing it beforehand! As long as your av is already running at the time the malware tries to run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new variant that doesn't match the known detection tests - the opportunity to stop the malware cold has been lost. If the malware then goes active, I would not use the same av that has already failed to detect the malware to chase after it while it's running. Instead, I might use the "rescue" facility of that av to tackle it formally.

Most Windows-based av have a "rescue" facility that basically prepares boot and av diskettes for formal scanning, but obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tend to be DOS-based, and while a DOS mode diskette from Win95 SR2 or later can read FAT32, they can't read NTFS.

2) You can't really trust av disks prepared within an infected OS

Many malware will knock down your resident av, or block the ability to update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an arbitrary free DOS-based av, rather than the "rescue" facility of your installed av, if the clean PC you use doesn't use the same av.

-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -
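The core argument of #76 and #80 is that the suspect disk should be examined by code that was not loaded from it, so that nothing on that disk (a process-name watcher, a watchdog thread, a hooked file API) can interpose between the scanner and the bytes on disk. The following Python script is an added illustration of that offline-scan model and is not code from the thread, from cquirke, or from any av vendor. It assumes the suspect volume has been mounted read-only by a trusted OS at some directory (here stood in for by a constructed temporary directory), walks that tree from outside, hashes every regular file, and reports deny-list matches. The deny-list entries and the sample file contents are constructed for the demonstration, not real malware hashes.

```python
"""Offline hash scan of a mounted, read-only suspect volume.

Added example (not from the thread): a minimal stand-in for the "scan from
a maintenance OS" approach. Only file *contents* are read; nothing on the
scanned volume is executed, so a resident watchdog there cannot react.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "signature database": digest -> detection name.
# A real scanner would load this from its own trusted media, never from
# the suspect disk.
SAMPLE_BAD_CONTENT = b"constructed sample: pretend dropper payload\n"
KNOWN_BAD = {sha256_of(SAMPLE_BAD_CONTENT): "Sample.Dropper.Constructed"}


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream-hash a file so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_volume(root: str, known_bad: dict) -> dict:
    """Walk `root` and return {"findings": {...}, "errors": [...]}.

    findings maps volume-relative paths (POSIX separators) to detection
    names. Symlinks are skipped and never followed, so a link planted on
    the suspect volume cannot steer the scanner outside the mount.
    Unreadable files are reported, not silently skipped: on an offline
    scan, "could not read" is itself worth a look.
    """
    findings, errors = {}, []
    root_path = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel = p.relative_to(root_path).as_posix()
            try:
                digest = hash_file(p)
            except OSError as exc:
                errors.append((rel, str(exc)))
                continue
            if digest in known_bad:
                findings[rel] = known_bad[digest]
    return {"findings": findings, "errors": errors}


def build_sample_volume() -> str:
    """Construct a throwaway directory standing in for the mounted volume."""
    root = Path(tempfile.mkdtemp(prefix="suspect_vol_"))
    (root / "WINDOWS" / "system32").mkdir(parents=True)
    (root / "WINDOWS" / "Temp").mkdir(parents=True)
    (root / "Documents").mkdir()
    # Benign constructed files.
    (root / "WINDOWS" / "system32" / "notepad.exe").write_bytes(b"benign sample\n")
    (root / "Documents" / "readme.txt").write_bytes(b"just a text file\n")
    # One constructed file whose content matches the deny-list entry.
    (root / "WINDOWS" / "Temp" / "upd.exe").write_bytes(SAMPLE_BAD_CONTENT)
    return str(root)


if __name__ == "__main__":
    vol = build_sample_volume()
    result = scan_volume(vol, KNOWN_BAD)
    for rel, detection in sorted(result["findings"].items()):
        print(f"{detection}: {rel}")
    for rel, err in result["errors"]:
        print(f"UNREADABLE: {rel} ({err})")
    print(f"{len(result['findings'])} match(es), {len(result['errors'])} error(s)")
```

In real use the mount would be done read-only from the rescue OS and the deny-list would come from the scanner's own media; the point the script makes is structural, not the toy signature set: because the scanner never executes anything from the suspect volume, a "no matches" result cannot have been manufactured by something running on that volume, which is exactly the confidence the thread says a live, Windows-based scan cannot give.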