[Gllug] Memory scanning

John Edwards john at cornerstonelinux.co.uk
Mon Sep 6 12:39:55 UTC 2010


On Mon, Sep 06, 2010 at 01:01:43PM +0100, James Courtier-Dutton wrote:
<snip> 
> I was looking for a more blind approach.
> Someone gives me a system, I have no idea if it is infected or not by
> some unknown virus.
> I need some software to be able to tell me.

But as you mention in another email, the problem is the OS. If a
virus can modify that then you can not rely on the results of any
program run by that OS.

Booting from a known good read-only medium (eg CDROM) and running
a checksum on the system files is the best way to be sure, but you
also need to then make sure that nothing malicious is being loaded
by the OS after boot.

I like your idea, I just don't think it will work without something
like a hypervisor that is separate from the OS. That then makes
things much more complex and expensive, and can not be bolted on
after an incident.

And of course hypervisors can be used against you:
	http://en.wikipedia.org/wiki/Blue_Pill_(malware)


> So, I am not really looking for changes as I don't have a "pre" state
> like one does with AIDE.
> I am looking for any executable that does not appear to be from
> certified sources.
> 
> Windows is particularly difficult to use. For example, when booting in
> "SAFE" mode, one cannot even run the McAfee Enterprise virus
> scanner!!!!

"Safe mode" is a repair environment designed to allow you to boot a
minimal system so you can disable troublesome drivers and services.
It's not really designed as a secure mode.


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
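The offline check John describes above (boot a known-good medium, checksum the system files) as a small added script; it is not from the thread or from any tool mentioned in it. It assumes GNU coreutils sha256sum, a manifest in sha256sum's "hash  /path" format built beforehand from a trusted copy, and the suspect disk mounted read-only under a root directory; it also reports files with no manifest entry at all, which is the "not from certified sources" case in the quoted question.

```shell
# check_tree MANIFEST ROOT DIR...
# Hypothetical helper: compares every regular file under ROOT/DIR with a
# manifest of known-good SHA-256 hashes ("hash  /path", as sha256sum prints
# it, paths relative to the mounted root) and prints
#   modified /path   hash differs from the manifest
#   unknown  /path   file has no manifest entry at all
# Run it from a booted known-good medium with the suspect disk mounted
# read-only at ROOT, never from the suspect OS itself.
check_tree() {
    manifest=$1; root=$2; shift 2
    for dir in "$@"; do
        find "$root$dir" -type f 2>/dev/null | while read -r f; do
            rel=${f#"$root"}                       # path as the manifest names it
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            known=$(awk -v p="$rel" '$2 == p { print $1 }' "$manifest")
            if [ -z "$known" ]; then
                echo "unknown  $rel"
            elif [ "$known" != "$sum" ]; then
                echo "modified $rel"
            fi
        done
    done | sort
}

# demo: builds a constructed trusted tree and a constructed suspect tree in a
# temp dir, derives the manifest from the trusted one, and checks the other.
demo() {
    work=$(mktemp -d)
    good=$work/good; root=$work/root
    mkdir -p "$good/usr/bin" "$root/usr/bin" "$root/usr/local/bin"
    printf 'ls v1\n'  > "$good/usr/bin/ls";  printf 'ls v1\n'          > "$root/usr/bin/ls"   # intact
    printf 'cat v1\n' > "$good/usr/bin/cat"; printf 'cat v1 patched\n' > "$root/usr/bin/cat"  # tampered
    printf 'hello\n'  > "$root/usr/local/bin/unexpected-bin"   # present only on the suspect disk
    # manifest from the trusted copy; prefix "/" so paths match the mounted root layout
    (cd "$good" && find usr -type f -exec sha256sum {} + | sed 's#  #  /#') > "$work/manifest"
    check_tree "$work/manifest" "$root" /usr/bin /usr/local/bin
    rm -rf "$work"
}
```

As John notes, a clean checksum pass says nothing about what the OS loads after boot, so the manifest must also cover loaders, kernel modules and startup configuration, not just binaries.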