[TriLUG] Rescue CD

MrB via TriLUG trilug at trilug.org
Wed Apr 15 13:29:37 EDT 2015


Be careful ... some malware puts "autorun" in c:\  ... you could infect the
host system doing the "clean up"


On Wed, Apr 15, 2015 at 1:00 PM, David Burton via TriLUG <trilug at trilug.org>
wrote:

> For badly infected machines, I usually just pull out the hard disk drive,
> hook it up as an external drive on a clean machine, and scan it from the
> clean machine, so that the infections can't "fight back."
>
> Unless you're in a desperate hurry, scan it with several tools, because a
> surprisingly high number of infections are found by some tools but not by
> others. I've had things I thought seemed suspicious get past several scans,
> but when I uploaded them to VirusTotal it told me that, sure enough, many
> other AV tools flagged them as evil, just not the ones I'd used.
>
> But I don't generally do these scans on-site, because many of the scans
> take so long. (E.g., ESET's free pseudo-online scanner seems to take
> forever.) Instead, I borrow the machine for a day or two, so that the scans
> can be done while I'm doing something better than twiddling my thumbs.
>
> BTW, one problem with older versions of "live" Linux distros on recent
> computers is that even if you jump through the hoops to disable UEFI
> "secure boot" so that you can enable "legacy" booting on the machine, and
> then boot the machine from a CD or DVD, the Linux distro might not
> understand GPT partitions. I haven't exhaustively tested which versions do
> and which don't, but I've found that Parted Magic 2013_06_15 does not
> understand GPT, and Parted Magic 2015_01_13 does understand GPT.
>
> One other thing to beware of is that the nastiest Crypto-Ransomware
> infections will reach out to attached devices and encrypt *their* contents,
> as well. *These infections are rampant; I've seen two cases in the last few
> weeks.* So you cannot safely connect a thumbdrive or external hard disk
> drive to such a machine except through a USB write-blocker, and then boot
> the infected Windows.
>
> (That also means that you should try to avoid having writable shares on a
> LAN. People who have an office full of machines with shared-out C: drives
> are asking for catastrophe.)
>
> Dave
> www.geeksalive.com
>
>
> >> I am trying to find a good, recent rescue CD that I can use to rescue
> >> Windows systems up through 8.1. There are several apparently well-regarded
> >> ones out there, but most have not been updated for a few years. My primary
> >> criteria are that it must run Linux and that it must be able to scan for
> >> current new malware, viruses, spyware, Trojans, etc. ...
> >



-- 
- - - - - - - - - - - - - - - - - -
sent from GMAIL online
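The two points above (scan the pulled disk from a clean host, and don't let anything on that disk run on the host while you do it) can be turned into a small checklist script. This is an added example, not code from either poster; it assumes a Linux host, ntfs-3g for the mount, optional ClamAV, and that the disk is already attached through a write-blocker. The mount and scan helpers need root; the sample tree it builds for the stand-alone run is constructed dummy data, not a real infected volume.

```shell
#!/bin/sh
# Offline triage of a suspect Windows disk from a clean Linux host.
# Added example (not from the TriLUG thread). Assumptions: ntfs-3g is
# installed, clamscan is optional, and the suspect disk is attached through
# a hardware write-blocker. mount_suspect/scan_with_clamav need root.

# Mount options that keep the clean host from running anything on the disk:
# read-only, no execution, no setuid, no device nodes. The autorun.inf at the
# root of C: is only a trigger on Windows, but noexec also covers a careless
# double-click on a binary from the host's file manager.
SAFE_MOUNT_OPTS="ro,noexec,nosuid,nodev"

# mount_suspect DEVICE MOUNTPOINT  (root; assumes ntfs-3g is available)
mount_suspect() {
    mkdir -p "$2" &&
    mount -t ntfs-3g -o "$SAFE_MOUNT_OPTS" "$1" "$2"
}

# count_autorun ROOT: number of autorun.inf files anywhere on the volume
# (case-insensitive, as Windows filesystems are). Anything non-zero is worth
# reading before the disk goes back into a Windows machine.
count_autorun() {
    find "$1" -type f -iname 'autorun.inf' | wc -l | tr -d ' '
}

# hash_suspects ROOT: print "sha256  path" for every regular file, sorted by
# path. Hashes can be looked up on a service such as VirusTotal without
# uploading the file, and the manifest records what was on the disk at triage.
hash_suspects() {
    find "$1" -type f -exec sha256sum {} + | sort -k2
}

# scan_with_clamav ROOT: run ClamAV if present. Exit 0 = nothing found,
# 1 = detections, 2 = clamscan not installed (caller should try another
# engine; as the thread notes, one scanner rarely catches everything).
scan_with_clamav() {
    command -v clamscan >/dev/null 2>&1 || return 2
    clamscan -r --infected "$1"
}

# triage ROOT: the full pass over an already-mounted suspect volume.
triage() {
    root="$1"
    echo "autorun.inf files found: $(count_autorun "$root")"
    hash_suspects "$root"
    scan_with_clamav "$root" && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "clamscan not installed; scan with another engine"
    elif [ "$rc" -ne 0 ]; then
        echo "clamav flagged files (exit $rc)"
    fi
}

# make_sample_tree DIR: constructed stand-in for a mounted suspect volume so
# the script can be exercised offline. All contents are harmless dummies.
make_sample_tree() {
    mkdir -p "$1/Windows" "$1/Users/dave"
    printf '[autorun]\nopen=setup.exe\n' > "$1/AUTORUN.INF"
    printf 'not a real binary\n' > "$1/setup.exe"
    printf 'hello\n' > "$1/Users/dave/notes.txt"
}

# Stand-alone run against the constructed tree (no real disk, no AV engine).
d=$(mktemp -d)
make_sample_tree "$d"
echo "autorun.inf files found: $(count_autorun "$d")"
hash_suspects "$d"
rm -rf "$d"
```

For a real disk the order is: `mount_suspect /dev/sdX2 /mnt/suspect`, then `triage /mnt/suspect`, and the hash manifest goes into the case notes before any cleanup is attempted. Keeping the volume read-only also matters for the ransomware case Dave describes: nothing on the clean host can write to the disk, and nothing on the disk can run against the host.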

