Stefan
Tue Mar 29 16:04:22 CST 2005
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote:
> "Stefan Kanthak" <postmaster@1.0.0.127.in-addr.arpa> wrote in message
> news:%23giA6j8LFHA.3960@TK2MSFTNGP12.phx.gbl...
>
> > [top posting is nasty]
>
> It depends on your point of view. I use both top posting and bottom posting
> depending on which makes more sense for a given post.
Hmmm... I've never seen a top posting that did make sense!
It's almost always a bad habit.
> > > > Message is Share violation
>
> Bink, I know you said that you were convinced these files were not in use,
> but I [and Stefan] think you are mistaken. How are you sure these files are
> not in use? How did you check this?
Fine question.
> Have you tried uninstalling the program that put the files there? Whatever
> deleted the other files in that directory could have deleted files necessary
> for the uninstaller to run. In order to uninstall and remove these files,
> you might have to re-install the program. But once it's reinstalled, maybe
> you should just leave it there.
>
> > > > Dialer.GMsoft file:C:\PROGRA~1\VCom\PowerDesk\PDShExt.dll
> >
> > Most probably a shell extension and still loaded, either from
> > EXPLORER.EXE or as part of the malware which is still running and
> > locks this file as "protective" measure.
>
> I agree. When I first suggested that the files were in use, the OP said s/he
> was sure they were not.
>
> While this could be malware, my gut feeling is that it is not. "PowerDesk
> Pro is a simple, fast and fun way to organize and manage files, digital
> photos, MP3 music files and web images on your PC"
>
> > > > Dialer.GMsoft file:C:\PROGRA~1\VCom\Recovery Commander\RCHOOK.DLL
> >
> > A hook, but for which purpose?
>
> Google suggests this file and folder name are both part of "VCOM Recovery
> Commander, System Restore for Windows." Again, my gut feeling is that this
> is probably not malicious.
Correct.
Sometimes I try to be a sort of "advocatus diaboli", which means treating
the not completely correct assumptions of the OP here (whose posts I can't read;
I assume s/he is posting as anonymous@discussions.microsoft.com, which I
prefer to bury in my killfile).
> > BUT: the system had been compromised, installed software even damaged, so
> > the ONLY correct action is: flatten and rebuild! See
> >
> > http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
>
> I assume you meant to say "IF the system had been compromised?"
Yes. The OP, however, only tells us that s/he thinks the system has been compromised.
> ...because there's no evidence in this thread that the system has been
> compromised. Reformatting the system without confirming there is a
> compromise is not good at all.
No, reformatting is the appropriate action if there is any doubt about a compromise
and you can't be sure the system has not been tampered with.
BETTER BE SAFE THAN SORRY! Sorry for getting loud, but it is necessary here.
> Note that not everything Jesper or other experts say is necessarily true.
Yes. I had a controversial email exchange with him some months ago about
that evil ICMP traffic which should be blocked according to his papers, but which
in fact breaks PPPoE.
> They make mistakes like the rest of us. I find that people that go out on a
> limb and make blanket statements of "always do this" or "never do this" are
> often wrong.
>
> Jesper's article says "The only way to clean a compromised system is to
> flatten and rebuild. That's right. If you have a system that has been
> completely compromised, the only thing you can do is to flatten the system
> (reformat the system disk) and rebuild it from scratch (reinstall Windows
> and your applications)."
>
> That's actually totally wrong as written. First, define "compromised." Not
> every compromise requires a complete reinstall. A virus is a compromise,
> but most people couldn't afford to reformat their system with every virus
> infection. Sure, relying on AV software to remove an infection is a risk,
> because there could also be an undetectable root kit remaining. But it's a
> risk most people have to accept, and rightly so. Even with FTP pubstro /
> tagging events, it can be acceptable to remove the malware without
> reformatting.
No, that's totally wrong. You (or should I say, I) can't trust a system that
has been compromised, by whichever malware you choose.
Better be safe than sorry!
> Second, it's completely wrong to say that formatting is the only way to
> clean a system. It's clearly not the only way. I think maybe he meant to
> say that [in his opinion] it's the best way to clean the system, or the most
> reliable way. But it's not that either. Jesper has absolutely no idea what
> my home or corporate network, security needs and other mitigating factors
> and safeguards are, or what the compromise is, so he cannot from his vantage
> point dictate what the best course of action is always going to be for every
> future compromise on my network.
If you can be ABSOLUTELY sure that the malware has only affected your user
profile (i.e. your account is neither a member of any "administrator" group nor
"power user") and your HOME directory, then it's sufficient to delete both
and restore them from the backup. If you don't have a backup: better be safe
than sorry.
> Third, it is very dangerous to make such a blanket statement without
> explicitly making the caveat that it is usually best to try to confirm that
> a compromise has taken place, and try to determine what happened, how and
> why. Formatting removes all the evidence of the attack. Clearly a
> compromised system has a security flaw on it. What if it's a flaw in your
> installation procedures that is repeated when the system is formatted? What
> if it's a zero day vulnerability with no patch? Microsoft would have been
> pretty upset if everyone that was compromised via the NTDLL.DLL / WebDAV
> zero day vulnerability had followed Jesper's advice and formatted right
> away, because he didn't make this caveat clear. Maybe he said this in a
> previous article, but not everyone reads the previous articles.
If you or I (and some other people) find a compromised system we had once
installed ourselves, we'll do forensics and search for the hole.
I doubt, however, that users like the OP here have a system that has been set up
correctly and hardened where possible.
Such a system is not worth the effort to look after; the best advice is
"reinstall".
> Jesper knows [I think I've heard him say it, and it's in the CISSP exam] that
> computer security is about managing risk. You can reduce risk, but you can
> also choose to accept risk. Computer security does not mean you should jump
> through every hoop that is out there, no matter how expensive it is, in
> order to try to become completely secure. Because there is no such thing as
> completely secure, only less or more risk. Sometimes the cost of
> reformatting is worth the reduction in risk, but sometimes the reduction in
> risk is not worth it. The most secure solution is not always the best
> solution.
That's correct, but: better be safe than sorry.
> Is formatting the system properly the only way to be totally confident you
> have removed all of the malware? Yes. Do home users always need to be
> totally confident they have removed all the malware? No. Can formatting
> the system incorrectly make the system less secure than before? Yes. Do
> most home users that are infected with viruses have the ability to format
> properly or pay someone to format it properly for them? No.
If home users aren't able to use a computer properly, they should keep their
hands off.
As long as PCs bought off the shelf are NOT properly set up by their vendor,
they shouldn't be used by inexperienced people.
Do compromised systems of home users act as zombies? Yes.
Are they abused for sending spam? Yes.
> I feel Jesper is writing and thinking primarily about enterprises when he
> wrote that article. Most home users are less secure after a complete
> reformat, even if they have a computer friend or Circuit City tech do it for
> them, or use the system restore CD that came with their PC. I've seen it
> time and time again, where a user gets infected, a tech reformats the
> system, and now it's missing even more patches than before, and gets
> infected again. That isn't an increase in security, and it's not realistic.
That's BAD work, very bad work. Such "techs" should also keep their hands
away from computers.
> I have sympathy for what Jesper has written. I suspect he is exaggerating
> the truth to try to scare more people into formatting their systems more
> often. I've done the same kind of exaggerating on occasion. It could also
> be that he is frustrated by arguing with bean counters at various customer
> sites that say "we need this cleaned without reformatting." But guess what,
> the bean counters are right and Jesper is wrong, because it is the bean
> counters who best understand their company and who ultimately have to accept
> the risk and keep the company running affordably.
How long does it take to remove even a well-known virus and make sure that
the typical home user's system is clean?
How long does it take to reinstall a system and set it up properly?
The second choice wins, both in time and in cost.
Stefan
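One way to answer Karl's "how did you check this?" question about the sharing violation, added here as an example and not part of the original thread: the PowerShell function below (assuming a current Windows with PowerShell, which did not exist when this was posted) lists which processes have a DLL such as PDShExt.dll mapped, which is the usual reason a delete fails; a shell extension will normally show up under explorer.exe.

```powershell
# Added example (not from the thread): find the processes that currently have a
# given DLL loaded. A mapped DLL cannot be deleted, which is what the OP saw as
# a "share violation". Run from an elevated PowerShell (64-bit on a 64-bit OS)
# so that system processes and 64-bit processes can be inspected.
function Find-ModuleHolders {
    param(
        # File name of the module to look for, e.g. 'PDShExt.dll' from the thread
        [Parameter(Mandatory)][string]$ModuleName
    )
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try {
            # Reading .Modules throws for protected processes, for processes that
            # have already exited, and for 64-bit processes from a 32-bit shell;
            # those are skipped rather than aborting the whole scan.
            $modules = $proc.Modules
        } catch {
            continue
        }
        foreach ($m in $modules) {
            if ($m.ModuleName -eq $ModuleName) {
                # One result object per process that holds the module
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Path    = $m.FileName
                }
            }
        }
    }
}

# Usage: an empty result means no running process has the DLL mapped; a hit on
# explorer.exe indicates a loaded shell extension, a hit on an unknown process
# is worth investigating before deciding the file is safe to remove.
Find-ModuleHolders -ModuleName 'PDShExt.dll' | Format-Table -AutoSize
```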