#61
Well, we appear to be in a quite similar place despite a disagreement about the advisability of disabling SR prior to running an AV scan, or other maintenance tasks. In short, neither of us knows enough about programming to imagine how the machine could be reinfected with a virus from the SR archive, or any other store on the machine, unless a malevolent software agent remains to do such restoration. Most of us here are agreed that such an agent is indeed a "virus", and, in this case, the "virus" has not been "cleansed" by the AV tool. Please see my most recent posts to Mike Maltby and Rick T, where each describes this exact situation, and with which I agree.

I think we, but not you, are agreed that there is no method by which the SR archive, the registry backups, or other stores, can be used to reinfect, UNLESS this external agent, aka "memory-resident checker", "startup vector", "bootstrap", or "tickler file", EXISTS even after AV scanning. This is a failure of the AV tool, not a failure of the SR system tool. You are unable to explain how this reinfection from the SR archive can occur without such an external agent. We think it cannot, ... and, for that reason, we think that disabling SR is ill-advised, esp. for any casual, naive user who might be incapable of fixing the system later without the SR tool and its previous archives. To us, this position is most reasonable. A better AV tool is needed, not the disabling of SR.

I especially thank you for your very courteous replies to me, and your willingness to engage in this most interesting discussion. I think any casual reader will learn a lot from this thread, both about the technical details of SR and, perhaps more importantly, about how to engage in a newsgroup discussion without devolving to any emotional, personal attacks. As I said earlier, we hope to be civil here no matter how heated any disagreements. Some of us here are less than ten years old, but we try to act like "grownups" all the time. Thank you for the fun, and ... Till we meet again,

-- Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.

------

"oops!!" wrote in message ...

Jack, Considering my admitted ignorance of how the reoccurrence works, it is somewhat difficult to answer your queries. Regarding the basic disagreement, perhaps you should question the MS-MVPs that proclaim the same procedure. They will, of course, be on the same level of discussion as you and will certainly be much more "capable" of explaining it. I do believe this orange has dried out. A special thank you for your rational and "cold" approach. Zee

"Jack E Martinelli" wrote in message ...

Thank you for your continued interest. Please see my responses interleaved in the slightly rearranged lists below:

-- Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.

------

"oops!!" wrote in message ...

Jack, I had decided not to post again in this thread, but your comment tempted me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my ideas.
***** I am unclear as to what you are referring. I am interested in continuing a rational discussion about this apparent disagreement.

3. I believe (and I have already done it) turning off SR before cleansing/scanning is a workaround for that reoccurrence.
**** This is the object of this discussion.

4. I also agree, ME is no longer a target, XP will be.
***** I have no idea how this has entered the discussion. Can we discuss this later?

5. The disagreement on turning off or not turning off SR before cleansing will, of course, persist.
****** My intent here is to focus more intently on the apparent, detailed issues of disagreement, with the notion that the disagreement may not actually exist.

***** *****

2. I don't know if the virus or malware is activated from within SR. But there are some good ideas in these latest posts. The SR external trigger is interesting.
**** This is the crux of the matter! Mr. Maltby wrote: "If the start up vector for a virus, or rather malware, since the most difficult to remove (pests) tend currently to be commercial malware (latest versions of VX2, CWS etc), has been removed, the malware is dead, regardless of where it might be located - wastebin, restore archive or system folder. If the startup vector remains, then the virus is still live." I agree with this perspective, and know of no exception under WinME. What I would like to see from you next, Zee, is either: 1) a documented case of a virus activating from within the SR archive, with no external agent, i.e., a "startup vector", reactivating the virus; 2) a logical description of how, under current computer programming, this might be accomplished for SR under WinME. TIA for your careful consideration,

END of J E Martinelli response to this post. 2/02/2005

----------

"Jack E Martinelli" wrote in message ...

I can imagine a situation in which a piece of code, not in itself malicious, restores some bit of malware from a hidden file, in the SR archive or not. Reasonable people might disagree as to whether the first piece is properly called a "virus". IMO, it is properly deemed such, as it leads (can lead) to a malicious result. IOW, two, or more, separate pieces of code can be deemed a single "virus". The failure of any AV tool to detect and remove all such code is a "failure to fully clean", IMO. OTOH, failure to remove detected code from the SR archives is irrelevant. I think we agree about this. However, Zee appears to think a virus in the SR archive can be reactivated on reboot without an external agent. I am not aware that this can be done. I think you agree also. If I understand him, Zee admits to not knowing how this reactivation can be done.

I am not sure that it has been reported that it can be done anywhere in these Millennium ng's. IMO, constant redetection of the virus in the (uncleaned) SR archive does not constitute such a claim, since the malware cannot execute from there. Perhaps this is the source of the current disagreement. HTH,

-- Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.

------

"Mike M" wrote in message ...

I think you will be waiting for a long time Jack. None exist at the moment and I doubt that any ever will for Win Me, being end of line, although it is just possible that something might be designed for XP. HOWEVER the simple act of "reactivation" means that the system was never cleaned in the first place, therefore once again system restore is irrelevant to the problem.
-- Mike Maltby MS-MVP

Jack E Martinelli wrote: I would be very interested in hearing from you, or anyone, about any viruses which appear to reside ONLY in the SR archive, and which are reactivated on reboot. If so, then we can ask the spooks at one or more of the AV organizations to tell us how the reactivation works.
#62
Please see my most recent response to Zee, where I mention your post here, and with which I agree.

-- Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.

------

"Rick T" wrote in message ...

oops!! wrote: Jack, I had decided not to post again in this thread, but your comment tempted me:
1. Somehow, I'm seeing some thoughts pointing a little bit towards my ideas.
2. I don't know if the virus or malware is activated from within SR. But there are some good ideas in these latest posts. The SR external trigger is interesting.
3. I believe (and I have already done it) turning off SR before cleansing/scanning is a workaround for that reoccurrence.
4. I also agree, ME is no longer a target, XP will be.
5. The disagreement on turning off or not turning off SR before cleansing will, of course, persist.

Rick T. writes: While not claiming to be an expert in such matters, a couple of things occur to me... If a virus is in the SR folders, it's not going to start unless either:
a) an external virus component retrieves it, or
b) SR retrieves it
"a" means your AV obviously hasn't done its job since it's left behind a bootstrap. Hopefully a more recent AV patch will take care of that. "b" also means your AV hasn't done its job since it hasn't been able to convince SR that things are OK or set an SR point after cleansing. Sounds like it's time for another AV. Rick
#63
Please see my most recent reply to Zee, in which I mention your post here, and with which I completely agree, despite my ignorance of any programming skills which might address the disagreement. Perhaps Zee will soon come to understand our argument about the necessary existence of the external agent for the reinfection to occur from the SR archive, or elsewhere. Until this point, I suspect he has just imagined the process as a "black box", for which cleansing the archive prevents reinfection. The critical insight is that the "external agent" must be included in the Startup axis. Our position is there is no "black box"; an external agent must exist to reinfect, which has escaped the AV or spyware tool. The tool has failed to clean the startup axis. A better AV tool is needed, not the disabling of SR, in an attempt to clean the "virus". Txs for your help, ... and patience,

-- Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.

------

"Mike M" wrote in message ...

1) a documented case of a virus activating from within the SR archive, with no external agent, i.e., a "startup vector", reactivating the virus;

Something which logically as well as practically is an impossibility. For anything, malware or not, to be launched without user interaction requires a startup vector or instruction in one of a limited number of places, and no part of the restore archive, Win Me or XP, is in that list, which is primarily but not exclusively registry orientated.

2) a logical description of how, under current computer programming, this might be accomplished for SR under WinME.

You will have a long wait, Jack, for the same reasons. In conclusion I pose a question. If a user considers that it is dangerous to retain the system restore archive whilst cleansing a PC, why not also remove the various backed up copies of the registry in the windows\sysbckup folder? As I have mentioned, those proposing the clearing of the restore archive prior to cleansing should consider taking a basic course in logic.
-- Mike Maltby MS-MVP

"Jack E Martinelli" wrote ...

Mr. Maltby wrote: "If the start up vector for a virus, or rather malware, since the most difficult to remove (pests) tend currently to be commercial malware (latest versions of VX2, CWS etc), has been removed, the malware is dead, regardless of where it might be located - wastebin, restore archive or system folder. If the startup vector remains, then the virus is still live." I agree with this perspective, and know of no exception under WinME. What I would like to see from you next, Zee, is either: 1) a documented case of a virus activating from within the SR archive, with no external agent, i.e., a "startup vector", reactivating the virus; 2) a logical description of how, under current computer programming, this might be accomplished for SR under WinME.
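Mike M's point above, that nothing launches without an entry in one of a limited number of startup locations, is also the check a defender would actually run instead of disabling SR: list the startup axis and see whether anything in it points into the archive. The script below is an added example, not code posted by anyone in this thread. It parses a constructed .reg export of the Run keys and a constructed win.ini fragment, lists every autostart command it finds, and flags entries whose target lives under a restore-archive or registry-backup folder. The C:\_RESTORE and C:\WINDOWS\SYSBCKUP prefixes, the value names and the file names are all assumptions made up for the example, not values from the thread or from a real machine.

```python
import re
from dataclasses import dataclass

# Constructed for this example: folders treated as "restore archive" or
# registry-backup stores. Both prefixes are assumptions about a Win Me
# layout, not values taken from the thread.
ARCHIVE_PREFIXES = ("c:\\_restore\\", "c:\\windows\\sysbckup\\")

# Constructed .reg export of the two classic Run keys (.reg files double
# every backslash and escape embedded quotes, which the parser undoes).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Updater"="C:\\_RESTORE\\TEMP\\A0001234.CPY"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="\"C:\\Program Files\\Notes\\notes.exe\" -tray"
'''

# Constructed win.ini fragment; load= and run= are legacy startup vectors.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSBCKUP\\rb003.cab
[Desktop]
Wallpaper=(None)
"""

RUN_KEYS = ("run", "runonce", "runservices")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


@dataclass
class StartupEntry:
    source: str       # registry key or ini section the entry came from
    name: str         # value name (registry) or key name (win.ini)
    command: str      # command line as stored
    target: str       # executable/file path extracted from the command
    in_archive: bool  # True when the target lives in an archive/backup store


def unescape_reg(value: str) -> str:
    # Undo .reg escaping: a backslash followed by any char yields that char.
    return re.sub(r"\\(.)", r"\1", value)


def executable_of(command: str) -> str:
    # First token of a command line, honouring a quoted path with spaces.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def in_archive(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in ARCHIVE_PREFIXES)


def parse_reg_run_keys(text: str) -> list:
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if not (m and section) or section.lower().rsplit("\\", 1)[-1] not in RUN_KEYS:
            continue
        command = unescape_reg(m.group(2))
        target = executable_of(command)
        entries.append(StartupEntry(section, m.group(1), command, target, in_archive(target)))
    return entries


def parse_win_ini(text: str) -> list:
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section != "windows" or not sep or key not in ("load", "run"):
            continue
        # load= and run= may list several programs separated by spaces or commas.
        for command in re.split(r"[,\s]+", value.strip()):
            if command:
                target = executable_of(command)
                entries.append(StartupEntry("win.ini [windows]", key, command, target, in_archive(target)))
    return entries


def audit(reg_text: str = SAMPLE_REG, ini_text: str = SAMPLE_WIN_INI) -> list:
    # Every startup vector found: registry Run keys first, then win.ini.
    return parse_reg_run_keys(reg_text) + parse_win_ini(ini_text)


def flagged(entries) -> list:
    # Only these entries could make archive contents run: the ones the
    # startup axis actually points at. Nothing else in the archive is live.
    return [e for e in entries if e.in_archive]


if __name__ == "__main__":
    for e in audit():
        print(("ARCHIVE " if e.in_archive else "ok      ") + f"{e.source}  {e.name} = {e.command}")
```

Run against the constructed data it reports four startup entries and flags two: the HKLM "Updater" value pointing into C:\_RESTORE and the win.ini run= line pointing into sysbckup. Those two are exactly the "external agent" the thread is arguing about; a clean startup axis with no such references leaves the archive inert, whatever the scanner keeps redetecting inside it.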