Posted on April 4, 2006 at 10:46 PM in @earthlink
Note: The below is an archived entry from Earthling, formerly EarthLink's official blog. The blog itself has been decommissioned and is no longer updated, and comments and trackbacks are no longer accepted.
In this entry, Tracy West, Senior Product Manager for EarthLink CyberCheck, takes the blog for a spin to react to Ryan Naraine's eWeek article about the current state of malware removal:
"In an eWeek story today, Microsoft program manager Mike Danseglio is quoted as suggesting that computer security services might as well give up on solving malware problems other than reimaging the customer's drive. He argues that hackers are too clever and today's approach to solving the problem may actually keep the tools a bit behind the eight ball.
Truth be told, if a local PC doc shows up at your doorstep to fix a malware problem chances are pretty high that he's going to reimage the drive. It's fast, global, and he probably has a physical hard drive to do the back up. But is this really the right solution for every case, or even most cases? Is it really time to throw up our hands and choose the least elegant solution, no matter what the problem?
On Microsoft News Tracker David Hunter observed that this solution is all too common in corporate circles:
My experience with large corporate IT departments is that their answer to just about any nontrivial problem is wiping the machine.
Let's not make this standard operating procedure in our homes and home offices as well.
How many malware problems really need such a total solution right off the bat? Most people don't know how to solve even the most basic malware problems. Many don't know the difference between their potentially out-of-date A/V program and their free download of some no-longer-supported form of Ad-Aware. And often they have downloaded countless programs to fight malware out of frustration. So their PCs are slow because the tools are all resource hogs and none of them really work and play nicely together. None of these problems should require a complete rebuild of the hard drive.
The tools aren't friendly, the services are pricey, customers don't know how to prevent the problem from happening again. The world of malware moves pretty fast and it's right to be worried about rootkits - but we're missing some of the basics! The hackers prey on those who don't know - in many cases it's about the fundamentals, not the latest and most insidious threat. Don't get me wrong. SpyAxe, Aurora, CoolWebSearch - serious problems. Are rootkits spyware? Or are they rootkits? My point is, who cares? Not the masses.
I know, I know - it's about fraud not annoyance. But when was the last time grandma called you to come over on Sunday afternoon and look at the PC because she's worried about identity theft? She probably wants weatherbug uninstalled.
The eWeek piece quotes Danseglio as saying:
"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases there really is no way to recover without nuking the systems from orbit."
We need great minds working on "some cases" - but we need great minds and great solutions for "most cases" too. It's not nearly as glamorous to solve crippling but fixable problems as it is to find the next cure for the next cutting-edge virus, but who gets into the spyware removal business for the glamour?"
-Tracy West
Comments
the "some cases" (those relating to rootkits and advanced spyware and things that hook the kernel - otherwise known in the malware field as stealth techniques for the past 2 decades or so) were solved a long time ago...
before NTFS, stealth was easily dealt with by booting from a known-clean bootable floppy disk and scanning from DOS... now there is no DOS that can parse an NTFS partition, but there are technologies out there to achieve the same end and (surprise) microsoft has had one kicking around for years but apparently doesn't understand its value for disaster recovery and doesn't feel it should be made available to us peons...
Posted by kurt wismer | April 5, 2006 7:40 AM