Well, we appear to be in a quite similar place despite a disagreement about the advisability of disabling SR prior to running an AV scan, or other maintenance tasks.

In short, neither of us knows enough about programming to imagine how the machine could be reinfected with a virus from the SR archive, or any other store on the machine, unless a malevolent software agent remains to do such restoration. Most of us here are agreed that such an agent is indeed a "virus", and, in this case, the "virus" has not been "cleansed" by the AV tool. Please see my most recent posts to Mike Maltby and Rick T, where each describes this exact situation, and with which I agree.

I think we, but not you, are agreed that there is no method by which the SR archive, the registry backups, or other stores, can be used to reinfect, UNLESS this external agent, aka, "memory-resident checker", "startup vector", "bootstrap", or "tickler file" EXISTS even after AV scanning. This is a failure of the AV tool, not a failure of the SR system tool.

You are unable to explain how this reinfection from the SR archive can occur without such an external agent. We think it cannot, ... and, for that reason, we think that disabling SR is ill-advised, esp. for any casual, naive user who might be incapable of fixing the system later without the SR tool and its previous archives. To us, this position is most reasonable. A better AV tool is needed, not the disabling of SR.

I especially thank you for your very courteous replies to me, and your willingness to engage in this most interesting discussion. I think any casual reader will learn a lot from this thread, both about the technical details of SR and, perhaps more importantly, about how to engage in a newsgroup discussion without devolving to any emotional, personal attacks. As I said earlier, we hope to be civil here no matter how heated any disagreements. Some of us here are less than ten years old, but we try to act like "grownups" all the time.

Thank you for the fun, and ...
Till we meet again,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you:
http://www.dts-L.org/goodpost.htm
http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------

"oops!!" wrote in message ...

Jack,

Considering my admitted ignorance of how the reoccurrence works, it is somewhat difficult to answer your queries.

Regarding the basic disagreement, perhaps you should question the MS-MVPs that proclaim the same procedure. They will, of course, be on the same level of discussion as you and will certainly be much more "capable" of explaining it.

I do believe this orange has dried out.

A special thank you for your rational and "cold" approach.

Zee

"Jack E Martinelli" wrote in message ...

Thank you for your continued interest. Please see my responses interleaved in the slightly rearranged lists below:

--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you:
http://www.dts-L.org/goodpost.htm
http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------

"oops!!" wrote in message ...

Jack,

I had decided not to post again in this thread, but your comment tempted me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my ideas.

***** I am unclear as to what you are referring. I am interested in continuing a rational discussion about this apparent disagreement.

3. I believe (and I have already done it) turning off SR before cleansing/scanning is a workaround for that reoccurrence.

**** This is the object of this discussion.

4. I also agree, ME is no longer a target, XP will be.

***** I have no idea how this has entered the discussion. Can we discuss this later?

5. The disagreement on turning off or not turning off SR before cleansing will, of course, persist.

****** My intent here is to focus more intently on the apparent, detailed issues of disagreement, with the notion that the disagreement may not actually exist.

***** *****

2. I don't know if the virus or malware is activated from within SR. But there are some good ideas in these latest posts. The SR external trigger is interesting.

**** This is the crux of the matter! Mr. Maltby wrote:

"If the start up vector for a virus, or rather malware, since the most difficult to remove (pests) tend currently to be commercial malware (latest versions of VX2, CWS etc), has been removed, the malware is dead, regardless of where it might be located - wastebin, restore archive or system folder. If the startup vector remains, then the virus is still live."

I agree with this perspective, and know of no exception under WinME.

What I would like to see from you next, Zee, is either:

1) a documented case of a virus activating from within the SR archive, with no external agent, i.e., a "startup vector", reactivating the virus;

2) a logical description of how, under current computer programming, this might be accomplished for SR under WinME.

TIA for your careful consideration,

END of J E Martinelli response to this post. 2/02/2005
----------

"Jack E Martinelli" wrote in message ...

I can imagine a situation in which a piece of code, not in itself malicious, restores some bit of malware from a hidden file, in the SR archive or not. Reasonable people might disagree as to whether the first piece is properly called a "virus". IMO, it is properly deemed such, as it leads (can lead) to a malicious result. IOW, two, or more, separate pieces of code can be deemed a single "virus". The failure of any AV tool to detect and remove all such code is a "failure to fully clean", IMO. OTOH, failure to remove detected code from the SR archives is irrelevant.

I think we agree about this.

However, Zee appears to think a virus in the SR archive can be reactivated on reboot without an external agent. I am not aware that this can be done. I think you agree also.

If I understand him, Zee admits to not knowing how this reactivation can be done. I am not sure that it has been reported that it can be done anywhere in these Millennium ng's. IMO, constant redetection of the virus in the (uncleaned) SR archive does not constitute such a claim, since the malware cannot execute from there.

Perhaps this is the source of the current disagreement.

HTH,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you:
http://www.dts-L.org/goodpost.htm
http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------

"Mike M" wrote in message ...

I think you will be waiting for a long time Jack. None exist at the moment and I doubt that any ever will for Win Me, being end of line, although it is just possible that something might be designed for XP. HOWEVER the simple act of "reactivation" means that the system was never cleaned in the first place therefore once again system restore is irrelevant to the problem.
--
Mike Maltby MS-MVP

Jack E Martinelli wrote:

I would be very interested in hearing from you, or anyone, about any viruses which appear to reside ONLY in the SR archive, and which are reactivated on reboot. If so, then we can ask the spooks at one or more of the AV organizations to tell us how the reactivation works.