[TriLUG] Rescue CD

David Burton via TriLUG trilug at trilug.org
Wed Apr 15 13:00:45 EDT 2015


For badly infected machines, I usually just pull out the hard disk drive,
hook it up as an external drive on a clean machine, and scan it from the
clean machine, so that the infections can't "fight back."

Unless you're in a desperate hurry, scan it with several tools, because a
surprisingly high number of infections are found by some tools but not by
others. I've had things I thought seemed suspicious get past several scans,
but when I uploaded them to VirusTotal it told me that, sure enough, many
other AV tools flagged them as evil, just not the ones I'd used.

But I don't generally do these scans on-site, because many of the scans
take so long. (E.g., ESET's free pseudo-online scanner seems to take
forever.) Instead, I borrow the machine for a day or two, so that the scans
can be done while I'm doing something better than twiddling my thumbs.

BTW, one problem with older versions of "live" Linux distros on recent
computers is that even if you jump through the hoops to disable UEFI
"secure boot" so that you can enable "legacy" booting on the machine, and
then boot the machine from a CD or DVD, the Linux distro might not
understand GPT partitions. I haven't exhaustively tested which versions do
and which don't, but I've found that Parted Magic 2013_06_15 does not
understand GPT, and Parted Magic 2015_01_13 does understand GPT.

One other thing to beware of is that the nastiest crypto-ransomware
infections will reach out to attached devices and encrypt *their* contents,
as well. *These infections are rampant; I've seen two cases in the last few
weeks.* So you cannot safely connect a thumb drive or external hard disk
drive to such a machine except through a USB write-blocker, and then boot
the infected Windows.

(That also means that you should try to avoid having writable shares on a
LAN. People who have an office full of machines with shared-out C: drives
are asking for catastrophe.)

Dave
www.geeksalive.com


>> I am trying to find a good, recent rescue CD that I can use to rescue
>> Windows systems up through 8.1. There are several apparently well-regarded
>> ones out there, but most have not been updated for a few years. My primary
>> criteria are that it must run Linux and that it must be able to scan for
>> current new malware, viruses, spyware, Trojans, etc. ...
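The GPT point above (an older live distro boots fine but cannot see the partitions on a GPT disk) is easy to check before picking a rescue disc: the first sector of a GPT disk carries a "protective" MBR whose single partition entry has type 0xEE, and the second sector carries the GPT header with the signature "EFI PART" and a CRC32 over the header. The script below, an added example that is not part of this thread or of any distro's tooling, reads just those two sectors and reports whether a disk or disk image is GPT, legacy MBR, or a GPT whose primary header is missing (the case where a GPT-unaware tool would see one 0xEE partition and nothing usable). It assumes 512-byte sectors; the sample images it builds are constructed for illustration.

```python
"""Classify a disk's partitioning scheme from its first two 512-byte sectors.

Added example for this thread, not code from the original post. It assumes
512-byte sectors (the common case for the drives discussed); 4Kn disks place
the GPT header at byte 4096, which this example does not handle.
"""
import struct
import sys
import zlib

SECTOR = 512
MBR_SIG = b"\x55\xaa"
GPT_SIG = b"EFI PART"
PROTECTIVE_TYPE = 0xEE  # partition type that marks a GPT protective MBR


def mbr_partition_types(sector0: bytes) -> list:
    """Return the four partition-type bytes from the MBR table at offset 446."""
    return [sector0[446 + 16 * i + 4] for i in range(4)]


def gpt_header_ok(sector1: bytes) -> bool:
    """Validate the GPT header signature and its CRC32 (computed with the CRC field zeroed)."""
    if sector1[:8] != GPT_SIG:
        return False
    header_size = struct.unpack_from("<I", sector1, 12)[0]
    if header_size < 92 or header_size > len(sector1):
        return False
    stored_crc = struct.unpack_from("<I", sector1, 16)[0]
    hdr = bytearray(sector1[:header_size])
    hdr[16:20] = b"\x00\x00\x00\x00"
    return (zlib.crc32(bytes(hdr)) & 0xFFFFFFFF) == stored_crc


def classify_disk(data: bytes) -> str:
    """Classify the first two sectors as 'gpt', 'mbr', 'damaged-gpt' or 'none'."""
    if len(data) < 2 * SECTOR:
        raise ValueError("need at least two 512-byte sectors")
    sector0, sector1 = data[:SECTOR], data[SECTOR:2 * SECTOR]
    has_mbr_sig = sector0[510:512] == MBR_SIG
    protective = has_mbr_sig and PROTECTIVE_TYPE in mbr_partition_types(sector0)
    if gpt_header_ok(sector1):
        return "gpt"
    if protective:
        # Protective MBR present but the primary GPT header is missing or corrupt:
        # a GPT-unaware tool sees a single 0xEE partition and nothing it can mount.
        return "damaged-gpt"
    if has_mbr_sig and any(t != 0 for t in mbr_partition_types(sector0)):
        return "mbr"
    return "none"


def build_mbr(part_types) -> bytes:
    """Constructed sample: an MBR sector with the given partition-type bytes."""
    s = bytearray(SECTOR)
    for i, t in enumerate(part_types):
        entry = 446 + 16 * i
        s[entry + 4] = t
        if t:
            struct.pack_into("<II", s, entry + 8, 2048, 1024)  # start LBA, sector count
    s[510:512] = MBR_SIG
    return bytes(s)


def build_gpt_header() -> bytes:
    """Constructed sample: a minimal but CRC-valid primary GPT header (LBA 1)."""
    hdr = bytearray(92)
    hdr[0:8] = GPT_SIG
    struct.pack_into("<IIII", hdr, 8, 0x00010000, 92, 0, 0)   # revision, size, CRC placeholder, reserved
    struct.pack_into("<QQQQ", hdr, 24, 1, 2047, 34, 2014)     # my LBA, backup LBA, first/last usable LBA
    # bytes 56..72 hold the disk GUID; left zero in this constructed sample
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)            # entry-array LBA, entry count, entry size
    struct.pack_into("<I", hdr, 88, 0)                        # entry-array CRC (no entries in this sample)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return bytes(hdr) + bytes(SECTOR - 92)


def sample_disks() -> dict:
    """Constructed two-sector images covering the cases an old live distro may meet."""
    gpt = build_mbr([PROTECTIVE_TYPE, 0, 0, 0]) + build_gpt_header()
    legacy = build_mbr([0x07, 0, 0, 0]) + bytes(SECTOR)      # one NTFS partition, no GPT
    broken = build_mbr([PROTECTIVE_TYPE, 0, 0, 0]) + bytes(SECTOR)
    return {"gpt": gpt, "mbr": legacy, "damaged-gpt": broken}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Reading 1024 bytes from a block device (e.g. /dev/sdX, as root) writes nothing to it.
        with open(sys.argv[1], "rb") as f:
            print(classify_disk(f.read(2 * SECTOR)))
    else:
        for name, img in sample_disks().items():
            print(f"{name}: {classify_disk(img)}")
```

Run it with no arguments to see the three constructed cases, or pass a device path or raw image file to check a real disk; a "gpt" result means the rescue disc you boot needs GPT support, while "damaged-gpt" means the primary header is gone and you will want a tool that can fall back to the backup header at the end of the disk.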

