15 April 2005

Reclaiming Your PC

If Microsoft's security Rule #1, "If a bad guy can run code on your system, it's not your system anymore", is as true as it is, then it beats me why we are so eager to let web sites, unsolicited email "message text" and "data documents" own our systems.

By design, each of these was left free to automatically run scripts, which can escalate to raw code. Modern Windows and MS Office are less inclined to automatically run scripts in "messages" and "documents", but web sites and even media files are still getting unwanted traction on our PCs.

So, what do you do when it's "not your system anymore"? You try to get it back! A corollary to Rule #1 might be "If the bad guy's code is not running, you may be able to reclaim your PC", and that informs how I approach such matters.

I found a useful article on this topic here...


...though in some ways it differs from my own approach, which is (terse version)...

Clean the system:
  • Isolate the PC from all networks, i.e. LAN, Internet, Bluetooth, WiFi, IR
  • Formally scan for traditional malware, detect only, log results
  • Read up on the malware found, clean according to caveats (warnings)
  • Safe Mode Cmd Only scans for commercial malware
  • Read up on the malware found, clean according to caveats
  • Manually visualize integration points, manage what you find
  • Repeat for each user account
At this clean point:
  • Purge all web caches, set a sane cache size (e.g. 20M), for each user account
  • Purge Temp files
  • If system running OK, purge all System Restore, manage SR size
  • Create new System Restore point
  • Defrag file systems
  • Apply risk management settings
  • Apply malware wall-outs e.g. Spyware Blaster or similar
  • Set new baselines e.g. for HOSTS backups, etc.
  • Create new System Restore point
  • Make sure firewall is enabled / installed
  • Review LAN network shares; do NOT full-share any part of startup axis
  • Remove File and Print Sharing from unwanted "networks" (Internet, IR, WiFi etc.)
  • Create new System Restore point
Now re-enter the world:
  • Repeat cleaning process on all PCs on your LAN
  • Reconnect cleaned PCs to LAN
  • Reconnect to Internet
  • Get and apply patches
  • Create new System Restore point
Here's a cheery, simple and dated description of how to do a formal virus check, from the Win9x days when diskettes were the boot maintenance standard and when DOS mode access was possible via the FATxx file system. If your PC has no diskette drive and/or you are using post-FATxx file systems such as NTFS, then you'd have to do something different that meets the same criteria. Think bootable mOS CDRs and frequently updated data on USB sticks.
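As an added example that is not part of the original post (which predates PowerShell), here is how the "At this clean point" checks above look on a current Windows box: Windows PowerShell 5.1, run elevated. It audits the firewall profiles, looks for LAN shares that full-share any part of the startup axis, lists which adapters still have File and Printer Sharing bound, takes a HOSTS baseline, and creates the restore point. Which folders count as the "startup axis" (system root, Program Files, ProgramData and per-user Startup folders) is this example's assumption, not something the post spells out.

```powershell
# Added example, not from the original post. Audits the post-clean hardening
# steps on modern Windows. Requires Windows PowerShell 5.1 run as Administrator;
# Checkpoint-Computer is not available in PowerShell 7.
# The "startup axis" path list is this example's assumption of what the post means.

[string[]]$StartupAxis = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
) | Where-Object { $_ }
# Per-user Startup folders live under each profile
foreach ($u in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $StartupAxis += Join-Path $u.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}

function Test-PathCoversStartupAxis {
    param([string]$SharePath)
    # A share covers the axis if its path is a parent of, or equal to, an axis path
    # (sharing C:\ covers C:\Windows). Case-insensitive, as NTFS paths are.
    $share = $SharePath.TrimEnd('\') + '\'
    foreach ($p in $StartupAxis) {
        if (($p.TrimEnd('\') + '\').StartsWith($share, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RiskyShares {
    # Non-administrative shares whose path covers the startup axis and that grant
    # Full or Change access to anyone: the "do NOT full-share" cases from the post.
    Get-SmbShare | Where-Object { -not $_.Special -and $_.Path } | ForEach-Object {
        $s = $_
        if (Test-PathCoversStartupAxis $s.Path) {
            Get-SmbShareAccess -Name $s.Name |
                Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full','Change' } |
                ForEach-Object { [pscustomobject]@{ Share = $s.Name; Path = $s.Path; Account = $_.AccountName; Right = $_.AccessRight } }
        }
    }
}

function Get-FirewallProfileState {
    # All three profiles (Domain, Private, Public) should report Enabled = True
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

function Get-FileSharingBindings {
    # ms_server is "File and Printer Sharing for Microsoft Networks". Anything still
    # bound on a Public-category connection is a candidate for
    #   Disable-NetAdapterBinding -Name <adapter> -ComponentID ms_server
    $public = (Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public').InterfaceAlias
    Get-NetAdapterBinding -ComponentID ms_server | Where-Object Enabled |
        Select-Object Name, ComponentID, @{ n = 'OnPublicNetwork'; e = { $_.Name -in $public } }
}

function Save-HostsBaseline {
    # Baseline for the HOSTS file, so later tampering is detectable
    param([string]$BaselinePath = "$env:ProgramData\hosts.sha256")   # assumed location
    $h = Get-FileHash -Algorithm SHA256 -Path "$env:SystemRoot\System32\drivers\etc\hosts"
    $h.Hash | Set-Content -Path $BaselinePath
    $h.Hash
}

function Test-HostsBaseline {
    param([string]$BaselinePath = "$env:ProgramData\hosts.sha256")
    $current = (Get-FileHash -Algorithm SHA256 -Path "$env:SystemRoot\System32\drivers\etc\hosts").Hash
    $current -eq (Get-Content -Path $BaselinePath -ErrorAction Stop).Trim()
}

# Usage: audit, then mark the clean point
Get-RiskyShares          | Format-Table -AutoSize
Get-FirewallProfileState | Format-Table -AutoSize
Get-FileSharingBindings  | Format-Table -AutoSize
Save-HostsBaseline | Out-Null
Checkpoint-Computer -Description 'Clean baseline' -RestorePointType MODIFY_SETTINGS
```

One caveat when following the post's sequence of several restore points: by default Windows refuses to create a second restore point within 24 hours of the last one, and Checkpoint-Computer only warns about it, so either check Get-ComputerRestorePoint afterwards or create the point once at the end of the hardening pass.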
