The only way ... flatten and rebuild

Thread starter: Frank le Spikkin
Frank le Spikkin said:
"The only way to clean a compromised system is to flatten and
rebuild"

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Doesn't agree with my personal experience. What do others think of
the views expressed in this article?

I couldn't read it because the link is bad.

But "flattening" your system (i.e., hard disk) is the naive, sledge hammer
approach. But you can always reinstall your OS code (I keep a MS-supplied
Win2KSP4 installation program ready-to-go on all my systems), you are
responsible for your own files and installed programs. So the problem is
the registry which contains all your settings and parameters. The registry
must be backed up as part of, or at the same time as, your filesystem
backup. Note that the registry is just another file(s) and is not
especially fragile. I slip occasionally and have to do repairs and it's not
very hard. We should all study how to write .inf files, how the registry
works, and how to handle it. [If you want a thrill, slip the way I did and
bind .lnk files to Notepad!]
 
Frank le Spikkin said:
"The only way to clean a compromised system is to flatten and
rebuild"

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Doesn't agree with my personal experience. What do others think of
the views expressed in this article?

99.99% agreement. They are talking about compromised systems,
not just simple virus or worm activity. The thing I don't agree with
is that they fail to mention a better solution that most other articles
on this topic *do* mention. Rather than "flatten and rebuild" you
should replace the harddrive and then build on a new harddrive so
that the old drive can be analysed for clues as to exactly what has
happened. When you "flatten and rebuild" you destroy evidence
of a crime.

....of course for most people this would be overkill.
 
from the wonderful said:
"The only way to clean a compromised system is to flatten and
rebuild"

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Doesn't agree with my personal experience. What do others think of
the views expressed in this article?

I've never seen a system so bad that it couldn't be recovered .. of
course I don't let mine get into a state in the first place, at least
not from viruses (gung-ho patching, registry edits, and driver installs
maybe. 8>.). I think the key word is 'backups'. Having multiple OS
installations available helps too .. you can do a lot to a dead copy of
an OS if you can get at it from a live one.

Of course 'flatten and rebuild' requires minimum brain power, however
what's to say it won't be 'compromised' again within 24 hours if brain
power is in short supply.
 
Frank le Spikkin said:
"The only way to clean a compromised system is to flatten and
rebuild"

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Doesn't agree with my personal experience. What do others think of
the views expressed in this article?

Repost the link please. The link was either bad or removed this morning.
I have been told that frequently tech support for large companies suggest a
reformat before indicating the consumer will lose their data.
The avg consumer apparently does not understand what a "format" is. Then
again - the most recent study of resale hdd's on Ebay indicated
90% of the hdd's had not been wiped.
 
Couldn't read the article, but from experience sounds like the worst way.
Get an imaging program (bootitng, ghost etc.). Partition your hd into system
and data partitions then image the os. Bootitng does it all in one product.
Rebuilding a system is a royal pain and I only do this for a new machine
with installed software.
For a new machine, make image of os early, recovery software supplied with
machine these days is itself an image but of whole hd.
Dave Cohen
 
"The only way to clean a compromised system is to flatten and
rebuild"
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
Doesn't agree with my personal experience. What do others think of
the views expressed in this article?
Wiping the disk and starting over is only necessary if your system has been
compromised by a back door. Once a back door has been opened and accessed, the
hacker could have done anything to your computer that he wanted to, and there
is no sure way of telling what that is. I have only once successfully
disinfected a web server without wiping it out, but I had a good idea when the
compromise occurred, and I was able to search and find all new files added to
the disk since then. This would be difficult on an XP system, because the
search utility does not allow you to search all hidden directories, which is a
favorite place for hackers to hide their files.

J.A. Coutts
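Two ideas in the posts above lend themselves to a small tool: Dave Cohen's point that an image of the clean OS is the reference you rebuild from, and J.A. Coutts's method of finding every file added since the compromise, including the hidden directories the built-in search skips. The script below is an added example and is not code from the thread or from any product mentioned in it. It assumes a POSIX-style or Windows filesystem walkable with Python's `os.walk`; the directory tree, file names and timestamps in `run_demo()` are constructed for the demonstration. The manifest diff goes beyond the timestamp search in the post: it compares against a recorded baseline, so it still works when a planted file's modification time has been reset.

```python
"""Added example (not from the thread): triage helpers that list files
changed since a suspected compromise time, hidden directories included,
and compare a tree against a known-good hash manifest (the 'clean image').
Every path and sample file below is constructed for the demonstration."""
import hashlib
import os
import tempfile


def _rel(full, root):
    # Normalise separators so results read the same on Windows and POSIX.
    return os.path.relpath(full, root).replace(os.sep, "/")


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large files never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def files_changed_since(root, since_epoch):
    """Relative paths of files whose modification time is newer than
    since_epoch. os.walk descends into dot-directories and any other
    'hidden' folder, which is the gap the post complains about in the
    built-in search. Caveat: mtime can be reset by whoever planted a file,
    so an empty result is not proof that nothing was added; the manifest
    diff below does not depend on timestamps."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                stat = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort triage
            if stat.st_mtime > since_epoch:
                hits.append(_rel(full, root))
    return sorted(hits)


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root.
    Taken from a clean image, this is the baseline a later scan is judged
    against; symlinks are skipped so a link cannot stand in for a file."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[_rel(full, root)] = sha256_of(full)
    return manifest


def diff_manifest(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def run_demo():
    """Constructed mini filesystem: one 'system' file with an old timestamp
    captured into a baseline, then a file dropped into a hidden directory and
    the system file tampered with, as a compromise would leave things."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    hidden_dir = os.path.join(root, ".hidden")
    os.makedirs(hidden_dir)
    system_file = os.path.join(root, "system.dll")
    with open(system_file, "wb") as f:
        f.write(b"original contents")
    # Backdate the baseline file (2001-09-09 UTC) so it predates the 'compromise'.
    os.utime(system_file, (1_000_000_000, 1_000_000_000))
    baseline = build_manifest(root)

    with open(os.path.join(hidden_dir, "dropped.exe"), "wb") as f:
        f.write(b"constructed sample text, not a real binary")
    with open(system_file, "wb") as f:
        f.write(b"patched contents")

    suspected_compromise = 1_500_000_000  # 2017-07-14 UTC, constructed
    return {
        "changed_since": files_changed_since(root, suspected_compromise),
        "delta": diff_manifest(baseline, build_manifest(root)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In practice the baseline manifest is built from the clean image (or the drive you set aside, as the "replace the hard drive" post suggests) and stored off the machine; a scan of the suspect disk then mounted read-only from a known-good system is diffed against it, which avoids trusting the compromised OS's own search tools.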
 
Frank le Spikkin said:
"The only way to clean a compromised system is to flatten and
rebuild"

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Doesn't agree with my personal experience. What do others think of
the views expressed in this article?

There are a lot of people who recommend this approach as the only option. I
have seen this in many other newsgroups, and forums. Lots of people also
ask if this is the best way to get rid of things on their computer after
they run SpyBot and Adaware and the problem persists.

I'm no expert, but it makes no sense to me as the first option, but, as the
very last when all other options fail. But, my OS came preloaded, so I have
no install CD for it. Thus, if I have to reformat my hard drive I'd be left
high and dry. :-)

Jan :)
 
Frederic Bonroy said:
It's way too pessimistic. As far as viruses are concerned, they can in
most cases be removed quite easily. There is no need to nuke the entire
system.

So you advocate erring on the side of complacency?


Shane
 
[snip]
... my OS came preloaded, so I have
no install CD for it. Thus, if I have to reformat my hard drive I'd be left
high and dry. :-)

Check to see if you have numerous cab files in Windows\options\cabs or
if there is a c:\Win98 directory. If so, burn those files to a CD-R.
They will serve as your original Windows CD, more or less. Also run
WinDriversBackup (freeware) and burn the MyDrivers folder it creates,
to go along with your other CD.

Cheers,
Larry
 
Jan Il said:
There are a lot of people who recommend this approach as the only option. I
have seen this in many other newsgroups, and forums. Lots of people also
ask if this is the best way to get rid of things on their computer after
they run SpyBot and Adaware and the problem persists.

I'm no expert, but it makes no sense to me as the first option, but, as the
very last when all other options fail. But, my OS came preloaded, so I have
no install CD for it. Thus, if I have to reformat my hard drive I'd be left
high and dry. :-)

Only finding a backdoor left by a worm is in most cases not a reason to
do anything as drastic as this. If your security is important enough, and
you have any reason to believe that the backdoor the worm left has been
used by a hacker, then you really have no choice but to do the drastic thing.
The administrator has to make the call based on what he or she believes
has happened and what is considered by them to be acceptable risk.

A better link for system administrators is:

http://www.cert.org/tech_tips/root_compromise.html
 
Larry Sabo said:
[snip]
... my OS came preloaded, so I have
no install CD for it. Thus, if I have to reformat my hard drive I'd be left
high and dry. :-)

Check to see if you have numerous cab files in Windows\options\cabs or
if there is a c:\Win98 directory. If so, burn those files to a CD-R.
They will serve as your original Windows CD, more or less. Also run
WinDriversBackup (freeware) and burn the MyDrivers folder it creates,
to go along with your other CD.

I did back up my Cabs when I first got my machine, in case they got
corrupted or something. I didn't think you could use it as an install CD
too. I've not heard about the WinDriversBackup, but, I'll look it up. It
sounds like a very good idea.

Thank you very much for the information, Larry, I truly appreciate it. :-)

Jan :)
 
FromTheRafters said:
Only finding a backdoor left by a worm is in most cases not a reason to
do anything as drastic as this. If your security is important enough, and
you have any reason to believe that the backdoor the worm left has been
used by a hacker, then you really have no choice but to do the drastic thing.
The administrator has to make the call based on what he or she believes
has happened and what is considered by them to be acceptable risk.

A better link for system administrators is:

http://www.cert.org/tech_tips/root_compromise.html

Still 'speaking' to me, eh? <G>

Well....I've read of a few situations on the WinME ng that can cause a need
to reformat the HD, and I shudder to have to do that. I don't have an
administrator for my machine but me. But, I'm still afloat thus far, so
guess I'm doing something right someplace <g> However, being as I am my
only administrator, guess it could not hurt to read the info anyway. I've
been fortunate so far with the garbage that's out there, but, tomorrow is
another day, and I figure it's best to be safe before the fact, instead of
sorry afterward.

Thank you for the additional information, I really do appreciate it. :-)

Jan :)
 
Larry Sabo said:
[snip]
... my OS came preloaded, so I have
no install CD for it. Thus, if I have to reformat my hard drive I'd be left
high and dry. :-)

Check to see if you have numerous cab files in Windows\options\cabs or
if there is a c:\Win98 directory. If so, burn those files to a CD-R.
They will serve as your original Windows CD, more or less. Also run
WinDriversBackup (freeware) and burn the MyDrivers folder it creates,
to go along with your other CD.

Larry, just to let others know too...the program is a free 'Trial' version
only. At the end of the trial period you must purchase the program to have
further use. But, I have my drivers safely backed up now. I'll burn them to a
CD for safe keeping. :-)

Jan :)
 
Jan Il said:
Larry Sabo said:
[snip]
... my OS came preloaded, so I have
no install CD for it. Thus, if I have to reformat my hard drive I'd be left
high and dry. :-)

Check to see if you have numerous cab files in Windows\options\cabs or
if there is a c:\Win98 directory. If so, burn those files to a CD-R.
They will serve as your original Windows CD, more or less. Also run
WinDriversBackup (freeware) and burn the MyDrivers folder it creates,
to go along with your other CD.

Larry, just to let others know too...the program is a free 'Trial' version
only. At the end of the trial period you must purchase the program to have
further use. But, I have my drivers safely backed up now. I'll burn them to a
CD for safe keeping. :-)

Jan :)


You can find the last freeware version at...

http://www.pricelessware.org/2004/PL2004SYSTEMUTILITIES.htm

Also be sure to look up your Product Key and write it on the CD with
an appropriate CD marker.

Cheers,
Larry
 
big snip....

from a practical perspective...I do call-outs for about 12-15 'compromised'
machines every week, in most cases machines that are compromised in any way
tend to be owned by people who are not technically fully aware of system
security and it is rare to find other than multiple problems.

In many cases the machines are very slow at running through the initial
cleaning processes and by the time I have removed all the virii,
malware/spyware etc. I often find that what I have left is a crooked system
anyway. It's easy to spend 3 hours removing bugs and in that time I can have
a user's files, address book, mail folders, favourites etc. all backed up via
putting their HDD into a system I carry about with me for that purpose.

Generally the time taken to get a system completely set up again after a
wipe is only a little longer than most debugs but at least I can secure and
patch it safely from the outset.

Generally I feel safer, and less likely to get a quirky 'call-back' if I've
flattened and set it up properly.
 