-=PCTechTalk=- Re: spyware software?
- From: dktrfaustus@xxxxxxxxxx
- To: pctechtalk@xxxxxxxxxxxxx
- Date: Wed, 29 Jun 2005 22:35:00 +0100
On 29 Jun 2005 at 13:05, milady wrote:

> One person's opinion? Or do others concur??

That one wasn't an opinion, I'm afraid. It may seem like a bold
claim, but I'll explain in detail (based on my own experiences of
attempting to remove malicious software on every Microsoft Windows
operating system from Win95 onwards).

Most viruses have the ability to self-replicate indefinitely. Spyware is
similar in nature, although not as destructive.

If a malicious program is already present in your system memory,
removing the file from the hard drive is no better than removing a
copy. The version held in memory will immediately produce another
copy of itself upon finding the disk-version gone (and vice-versa).

That's why you can't run these scans with any degree of confidence in
"normal" Windows. There is always the danger that the malicious
program is present in a 32-bit environment.

Moving to the bare-bones, 16-bit environment of Safe Mode removes the
possibility of Windows loading the virus in the first place.

Standard scans in a 32-bit environment, even with quality programs
like Norton Antivirus, don't do much more than:

(1) remove or "quarantine" the file from the hard drive,
and
(2) attempt to remove the copy already present in memory.

[Note that I didn't mention the "attempt to fix" setting, which is
set as the default setting on some antivirus programs, and the most
ineffectual of all.]

But if you look at some of the removal instructions for many of the
more-widespread viruses out there, you'll notice that most of them not
only place file(s) on your hard drive, but also place entries in the
standard "startup" sections of your registry, and supply possible
alternate names for the disk-based source file, should it be deleted.

Another common tactic is for the malicious software to aggressively
bar attempts to manually remove the program held in memory, so that
the user has trouble closing it down via the normal method [Task
Manager; Ctrl-Alt-Del]. These things go to great lengths to protect
themselves.

My experience with antivirus scanning programs attempting to remove a
virus from both memory AND the hard drive has been that, very often,
they don't properly catch the memory version. In that situation,
you're no better off than if you hadn't run the scan at all.

Therefore, permanent removal of certain types of virus is _only_
possible when using Safe Mode.

Faustus
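
The "startup" registry entries mentioned in the post can be listed for review. The following is an added example, not part of the original message: it assumes a current Windows system with PowerShell, reads the common Run/RunOnce keys without changing anything, and reports whether each referenced file exists and what its Authenticode signature status is (the helper name Get-ExePath is hypothetical).

```powershell
# Added example: read-only audit of the registry autostart (Run/RunOnce) keys.
# Run from an elevated prompt to read every HKLM key; nothing is modified.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$Command) {
    # Hypothetical helper: extract the executable from an autostart command line.
    # Order: quoted path, then everything up to ".exe", then the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($expanded -match '^(.+?\.exe)\b') { $exe = $Matches[1] }
    else { $exe = ($expanded -split '\s+')[0] }
    # Bare names such as "rundll32.exe" are resolved through PATH.
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $exe = $found.Path }
    }
    return $exe
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $exe     = Get-ExePath $command
        $exists  = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        # Signature status is only meaningful when the file is actually on disk.
        $sig = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $exe).Status }
               else { 'n/a' }
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $command
            FileExists = $exists; Signature = $sig
        }
    }
}

# Entries whose file is missing or not validly signed sort to the top for review.
$report | Sort-Object { $_.Signature -eq 'Valid' }, Key | Format-Table -AutoSize -Wrap
```

An entry that reappears after being deleted, or whose file comes back under a different name, matches the behaviour the post describes and is worth comparing between a normal boot and Safe Mode.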