Anti-virus wars start up again (It's time to party like it's 1999)

Bear Bottoms

From: "Bear Bottoms" <[email protected]>

| With an image of the infected system, all information is there to do
| with as you will. Nothing is lost. You are simply wrong.

That's not true. You ignore the Delta and Data Factors.

The Delta Factor is those changes that have been made to the OS and
software since the image was made.

The Data Factor is the user data that can be lost with the restoration
of an image.

Dustin is correct.

Wow....how can both of you "experts" get it so wrong. It is an example
of ancient mentality hanging on in spite of a more learned approach.
For YOU this might be a "good fit" solution but is not an overall
solution. It is only a partial solution and requires a great deal of
recognition and preparation. The computer user who thinks the DVD
drive in the desktop is a cup holder will neither recognize this nor
prepare for this. That is a worst-case-scenario computer user, and there
is a wide variety of people and of computer experience and
knowledge. You have an overly simplistic POV that only comes from
your experience. One has to put themselves into the shoes of a wide
variety of computer users and see the state of affairs from their eyes
and their POV. You also need to perform "thought experiments" with
numerous "what if" scenarios to come up with broad spectrum solutions.

You are limiting your concept of what I speak to mounting an image and
exploring the malware from the mount. No! At any point in time, you can
reload that image and do what you will. You have lost nothing.

You should always first image a system that is infected before you do
anything else. After which, you can do whatever you wish to do with the
infected system, lose nothing, and if you muck it up you can reload and
start over. See, you can't project your mind-set away from the old
methods.

If anyone wishes to explore/analyze/attempt removal, "recognize and
prepare" and document to report, they can always reload the infected
image, do their thing and NOTHING is lost. Even with your narrow-minded,
wrong, and not well thought out statements. Delta factor my ass. YOU
LOSE NOTHING - YOU CAN ALWAYS RELOAD THE INFECTED IMAGE and explore
away.

Most people won't. I know this from EXPERIENCE. Your candid off-the-cuff
snide remarks are noted again.
 
Bear Bottoms

Are you suggesting that an image of the infected drive is the same
*forensically* as having the actual 'still infected' drive to examine?

Yes. It /is/ the same. It is still an image of the actual 'still infected'
drive. The mistake you are making is common...assumption. You are assuming
that one would explore the image from a mount. Wrong. If exploration for
whatever purposes is desired, you can reload the infected image and you
have it as it was...and it will do what it would do as if you never imaged.

Are you suggesting that an image is not the same system as it was after you
reload it?
 
FromTheRafters

Somehow, you've attributed *my* question to David.
Yes. It /is/ the same. It is still an image of the actual 'still infected'
drive. The mistake you are making is common...assumption.

I'm not so sure that I'm the one assuming. I was asking a question and
you assume that I was assuming something that I'm not.
You are assuming that one would explore the image from a mount.

Again, it is you doing the assuming here.
Wrong. If exploration for
whatever purposes is desired, you can reload the infected image and you
have it as it was...and it will do what it would do as if you never imaged.

Are you suggesting that an image is not the same system as it was after you
reload it?

No, I asked a question, and you have given me an answer. I accept that
answer, but probably not for the reason you may think.
 
Bear Bottoms

Somehow, you've attributed *my* question to David.


I'm not so sure that I'm the one assuming. I was asking a question and
you assume that I was assuming something that I'm not.


Again, it is you doing the assuming here.


No, I asked a question, and you have given me an answer. I accept that
answer, but probably not for the reason you may think.

Isn't communication great :)
 
Bear Bottoms

Somehow, you've attributed *my* question to David.


I'm not so sure that I'm the one assuming. I was asking a question and
you assume that I was assuming something that I'm not.


Again, it is you doing the assuming here.

OK, I'll play. How else could you have meant it?
 
kurt wismer

With an image of the infected system, all information is there to do with
as you will. Nothing is lost. You are simply wrong.

i don't think you're quite getting what dustin is saying.

if you put the system back to the state it was in before it got
infected, it will just get infected again. whatever got past your
defenses before will get past them again if they aren't augmented to
deal with what you just had. restoring a clean image doesn't augment
those defenses. without diagnostic information you can't perform that
augmentation.

if this needs to be said in pictures, so be it:
http://www.secmeme.com/2012/01/half-assed-recovery.html
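The "diagnostic information" kurt refers to (David's Delta Factor in the earlier post) is, concretely, the set of files that appeared or changed between the known-clean baseline and the infected state. An added example, not code from this thread: it builds a hash manifest of two directory trees (in practice the clean image and the read-only mounted infected image) and reports what was added, removed or modified. The two trees, the file names (svch0st.exe, the Startup .lnk, the hosts edit) and their contents are constructed for the demonstration and are not real malware.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Map every file under root (relative path, '/'-separated) to (size, sha256)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return out


def delta(clean, infected):
    """Classify paths as added, removed or modified between two manifests.
    'added' and 'modified' are the triage list: dropped binaries, new autostart
    entries, altered hosts files and the like."""
    return {
        "added": sorted(p for p in infected if p not in clean),
        "removed": sorted(p for p in clean if p not in infected),
        "modified": sorted(p for p in clean if p in infected and clean[p] != infected[p]),
    }


def _write_tree(root, files):
    """Materialise a {relative path: bytes} mapping under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Constructed sample: a clean baseline tree and the same tree after a
    hypothetical infection (a dropped executable, a Startup-folder shortcut
    and a tampered hosts file). No real malware; all names are illustrative."""
    clean_files = {
        "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
        "Windows/System32/kernel32.dll": b"<<clean kernel32 bytes>>",
        "Users/bear/Documents/notes.txt": b"shopping list\n",
    }
    infected_files = dict(clean_files)
    infected_files["Windows/System32/drivers/etc/hosts"] = (
        b"127.0.0.1 localhost\n127.0.0.1 av-update.example\n")  # updates sinkholed
    infected_files["Users/bear/AppData/Roaming/svch0st.exe"] = b"MZ<<dropper>>"
    infected_files["Users/bear/AppData/Roaming/Microsoft/Windows/"
                   "Start Menu/Programs/Startup/svch0st.lnk"] = b"<<lnk>>"
    with tempfile.TemporaryDirectory() as clean_root, \
            tempfile.TemporaryDirectory() as infected_root:
        _write_tree(clean_root, clean_files)
        _write_tree(infected_root, infected_files)
        return delta(manifest(clean_root), manifest(infected_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind + ":", *paths, sep="\n  ")
```

The manifest of the clean baseline only has to be taken once, at the time the clean image is made; the point of keeping it is that a restore from that image can then be followed by a diff that tells you what to look for, which the restore alone never will.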
 
Bear Bottoms

i don't think you're quite getting what dustin is saying.

if you put the system back to the state it was in before it got
infected, it will just get infected again. whatever got past your
defenses before will get past them again if they aren't augmented to
deal with what you just had. restoring a clean image doesn't augment
those defenses. without diagnostic information you can't perform that
augmentation.

if this needs to be said in pictures, so be it:
http://www.secmeme.com/2012/01/half-assed-recovery.html

That is basic 101 stuff. Dustin doesn't understand the concept.
 
Bear Bottoms

That is basic 101 stuff. Dustin doesn't understand the concept.

Like I said, the first thing you should do to an infected system is to
image it. Then you can do whatever you are going to do to the infected
system and if you muck it up, you can reload the infected image and try
again until you get or do whatever it is you want.

You can also mount the infected image from a clean reload and retrieve
files if you like or get other information you might want.

There is no silver bullet against malware. People are going to get
infected sooner or later (or again). Of course they should do their
best to prevent future infections. Only advanced users can determine
most of what Dustin and David refer to and most average users won't do
any of that. They usually need to ask for help...with the system I
describe, they won't need help to recover. This has already been said by
me...and went over the heads of Dustin, David and a few more.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail
 
FromTheRafters

Bear said:
OK, I'll play. How else could you have meant it?

Exactly as I wrote it. I made no assumptions about what you were doing
with the drive or its image. I understood your answer as it applies to
your usage of images and have no problem with that.

The average user isn't going to do the right thing, and IMO that is to
replace the drive with one that has a clean image and turn the infected
drive over to forensic analysts. They will make an image with a trusted
application being run by a licensed operator. Giving them an image made
by Easeus probably isn't *the same* as far as they are concerned.
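Bear's procedure (image the infected system before touching it, then mount that image from a clean reload to pull files) and FromTheRafters' question of whether such an image is "the same" as the drive both reduce to two checks that any imaging tool should let you make: the copy hashes identically to the source, and you know where the partitions sit so the image can be attached read-only. An added example, not code from the thread or from any imaging product: a block copy in the spirit of `dd conv=noerror,sync`, SHA-256 verification of source against image, and an MBR partition-table parser that yields the byte offset for `mount -o ro,loop,offset=...`. `build_sample_disk` is a constructed 2 MiB stand-in for a real `/dev/sda` (one NTFS-typed partition at LBA 2048 with a marker blob inside); the file names are assumptions for the demo.

```python
import hashlib
import os
import struct
import tempfile

SECTOR = 512
MBR_TABLE = 0x1BE            # first of the four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def sha256_of(path, chunk=1 << 20):
    """Hash a file or block device in chunks (never loads the whole disk)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_disk(src, dst, chunk=1 << 20):
    """Block copy like `dd conv=noerror,sync`: an unreadable block becomes zeros
    so the image keeps the source geometry; offsets of such gaps are returned."""
    bad = []
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        size = fin.seek(0, os.SEEK_END)
        fin.seek(0)
        pos = 0
        while pos < size:
            n = min(chunk, size - pos)
            try:
                block = fin.read(n)
            except OSError:
                block = b"\x00" * n
                bad.append(pos)
                fin.seek(pos + n)
            fout.write(block)
            pos += n
    return bad


def verify_image(src, dst):
    """Source and image must hash identically; record both digests with the image."""
    a, b = sha256_of(src), sha256_of(dst)
    return a == b, a, b


def mbr_partitions(image):
    """Parse the four primary MBR entries. byte_offset is the value for
    `mount -o ro,loop,offset=<byte_offset> image.dd /mnt/infected` on a clean host."""
    with open(image, "rb") as f:
        mbr = f.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        return []                       # GPT or raw volume: no MBR table here
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE + 16 * i: MBR_TABLE + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "byte_offset": lba * SECTOR, "byte_size": count * SECTOR})
    return parts


def build_sample_disk(path, total_sectors=4096):
    """Constructed stand-in for /dev/sda: a 2 MiB sparse file with an MBR, one
    bootable NTFS-typed (0x07) partition at LBA 2048, and a marker blob in it."""
    mbr = bytearray(SECTOR)
    mbr[MBR_TABLE:MBR_TABLE + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, total_sectors - 2048)
    mbr[510:512] = MBR_SIGNATURE
    with open(path, "wb") as f:
        f.write(mbr)
        f.seek(2048 * SECTOR)
        f.write(b"MALWARE.EXE marker inside partition 1\n")
        f.truncate(total_sectors * SECTOR)


def demo():
    """Whole procedure on the sample disk; also shows a tampered image failing to verify."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "sda"), os.path.join(d, "sda.dd")
        build_sample_disk(src)
        bad = image_disk(src, img)
        ok, src_hash, _ = verify_image(src, img)
        parts = mbr_partitions(img)
        with open(img, "r+b") as f:          # flip one byte inside partition 1
            f.seek(parts[0]["byte_offset"])
            f.write(b"m")
        still_ok, _, _ = verify_image(src, img)
        return {"bad_blocks": bad, "hash_match": ok, "sha256": src_hash,
                "partitions": parts, "tamper_detected": not still_ok}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would add: a software copy made from the booted, infected OS is not a forensic image (the running system, and anything resident in it, can alter the disk while it is being read; for evidence you image from a clean boot or through a hardware write-blocker), and `noerror,sync` means an image with a non-empty bad-block list is by construction not bit-identical to the drive, which is why the gaps are returned and belong in the notes that accompany the hash.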
 
Bear Bottoms

Exactly as I wrote it. I made no assumptions about what you were doing
with the drive or its image. I understood your answer as it applies to
your usage of images and have no problem with that.

Fair enough.
The average user isn't going to do the right thing,

I agree. They certainly aren't going to do as Dustin/David the
professionals would do or as they suggested.
and IMO that is to
replace the drive with one that has a clean image and turn the infected
drive over to forensic analysts. They will make an image with a trusted
application being run by a licensed operator. Giving them an image made
by Easeus probably isn't *the same* as far as they are concerned.

They could do anything they decided to set up and/or what was required by
those they might decide to send it to...though I don't think sending some
one an image of /their/ computer is really a workable solution for
them...maybe so for some.

What I want them to do is learn to effectively use various image
techniques. Anyone with basic skills can easily learn this well enough to
become self-sufficient (no longer need the family or neighborhood geek or
pay money to get out of trouble). Much easier than learn to do what
Dustin/David suggest which takes a lot of effort, time, and experience.
That doesn't mean they shouldn't learn as much as possible about aspects of
what they suggest, just most people won't...some will.
 
