-=PCTechTalk=- Re: spyware software?

  • From: dktrfaustus@xxxxxxxxxx
  • To: pctechtalk@xxxxxxxxxxxxx
  • Date: Wed, 29 Jun 2005 22:35:00 +0100

On 29 Jun 2005 at 13:05,  milady wrote:
> One persons opinion? or do others concur??

That one wasn't an opinion, I'm afraid. It may seem like a bold 
claim, but I'll explain in detail (based on my own experiences of 
attempting to remove malicious software on every Microsoft Windows 
operating system from Win95 onwards).

Most viruses have the ability to self-replicate indefinitely. Spyware is 
similar in nature, although not as destructive.

If a malicious program is already present in your system memory, 
removing the file from the hard drive is no better than removing a 
copy. The version held in memory will immediately produce another 
copy of itself upon finding the disk-version gone (and vice-versa). 
That's why you can't run these scans with any degree of confidence in 
"normal" Windows. There is always the danger that the malicious 
program is present in a 32-bit environment.

Moving to the bare-bones, 16-bit environment of Safe Mode removes the 
possibility of Windows loading the virus in the first place.

Standard scans in a 32-bit environment, even with quality programs 
like Norton Antivirus, don't do much more than:

(1) remove or "quarantine" the file from the hard drive,

and

(2) attempt to remove the copy already present in memory.

[Note that I didn't mention the "attempt to fix" setting, which is 
set as the default setting on some antivirus programs, and the most 
ineffectual of all.]

But if you look at some of the removal instructions for many of the 
more-widespread viruses out there, you'll notice that most of them not 
only place file(s) on your hard drive, but also place entries in the 
standard "startup" sections of your registry, and supply possible 
alternate names for the disk-based source file, should it be deleted. 
Another common tactic is for the malicious software to aggressively 
bar attempts to manually remove the program held in memory, so that 
the user has trouble closing it down via the normal method [Task 
Manager; Ctrl-Alt-Del]. These things go to great lengths to protect 
themselves.

My experience with antivirus scanning programs attempting to remove a 
virus from both memory AND the hard drive has been that, very often, 
they don't properly catch the memory version. In that situation, 
you're no better off than if you hadn't run the scan at all. 
Therefore, permanent removal of certain types of virus is _only_ 
possible when using Safe Mode. 


Faustus
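The post points at the "standard startup sections" of the registry (the Run/RunOnce keys) as the place malware re-launches itself from, and at lookalike file names as a way it survives deletion of one copy. The script below is an added example, not code from the original post or from any antivirus vendor. It triages a text export of those keys (the kind produced by `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` on the affected machine, which can then be read from Safe Mode or from another computer). The .reg text embedded in it is constructed, and the "trusted" directory list, the host-process list and the system-binary-name list are assumptions chosen for a Windows XP era layout, so adjust them for your own system.

```python
"""Triage autostart entries from a Windows .reg export (added example).

Assumes input in the Windows Registry Editor 5.00 text format produced by
`reg export`. SAMPLE_REG below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one HKLM Run key and one HKCU Run key, as `reg export`
# would write them (backslashes and quotes inside values are escaped).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost"="C:\\WINDOWS\\svchost.exe /s"
"Updater"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe\" -boot"
"Blob"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\system32\\rundll32.exe evil.dll,Start"
'''

# The "standard startup sections" the post refers to (assumption: Run* keys only).
STARTUP_KEY_SUFFIXES = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

# Assumption: where a legitimate autostart binary is expected to live.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")

# Assumption: launchers whose real payload is named in their arguments.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
                  "cmd.exe", "mshta.exe"}

# Assumption: names malware commonly borrows; legitimate copies live in System32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "smss.exe"}


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    executable: str
    flags: list = field(default_factory=list)


# Matches `"Name"=<value>` or `@=<value>`; the name may contain escaped quotes.
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _executable_from_command(cmd):
    """Return the program a Run value launches, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, args follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)  # unquoted path
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def parse_reg_export(text):
    """Collect string values under Run-style keys; hex/dword values are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not key.lower().endswith(STARTUP_KEY_SUFFIXES):
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        raw_value = m.group(3)
        if not raw_value.startswith('"'):
            continue                               # not a string: cannot be a command line
        body = raw_value[1:-1] if raw_value.endswith('"') else raw_value[1:]
        command = _unescape(body)
        entries.append(AutostartEntry(key, name, command, _executable_from_command(command)))
    return entries


def triage(text):
    """Parse the export and attach a reason to every entry worth a closer look."""
    entries = parse_reg_export(text)
    for e in entries:
        exe = e.executable.lower()
        base = exe.rsplit("\\", 1)[-1]
        if not exe.startswith(TRUSTED_DIR_PREFIXES):
            e.flags.append("executable outside trusted directories")
        if base in SYSTEM_BINARY_NAMES and not exe.startswith("c:\\windows\\system32\\"):
            e.flags.append("system binary name outside System32 (possible lookalike)")
        if "\\temp\\" in exe or "\\local settings\\" in exe:
            e.flags.append("runs from a temporary or profile directory")
        if base in HOST_PROCESSES:
            e.flags.append("host process; real payload is in the arguments")
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_REG):
        status = "; ".join(e.flags) if e.flags else "ok"
        print(f"{e.name:12} {e.executable}\n{'':12} -> {status}")
```

Every flagged executable is a file to locate on disk (from Safe Mode, where nothing in the list is running) and remove together with its Run value; removing only one of the pair is exactly the half-measure the post describes.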


