|
mindphlux posted:no, I actually have asked about 5 times for examples of how you guys propose to handle malware/virus problems in a reasonable amount of time. I outlined my SOP line by line, please outline yours line by line. You say it's not practical, but treating it as a hardware failure and taking it out of circulation until it's restored from zero is something that actual large companies do. Give them a loaner like you would if their drive died, and restore them from backup. Your position seems to be that while it's the right thing, it takes too long. Maybe that's the case for your MSP business, and that the service you provide is "as much as we can do in an hour" rather than "clean according to best practices". That could even be what your customers prefer, hopefully on an informed basis. Even then, why would you recommend that to an individual who hasn't indicated that they're similarly time-constrained? Why not recommend the right thing to start with?
|
#
?
Oct 27, 2015 15:19
|
|
|
|
| # ? May 17, 2024 20:30 |
|
|
Since Khablam has yet to answer my question about how to deal with rootkits, I'll ask mindphlux here:mindphlux posted:rkill Of which of these tools will it address a rootkit where the malware is loaded before the bootloader? Explain to me why you'd think that if you really do believe you understand how the tools work.
|
|
#
?
Oct 27, 2015 15:33
|
|
|
OSI bean dip posted:Since Khablam has yet to answer my question about how to deal with rootkits, I'll ask mindphlux here: While we wait, can you talk a bit about your process? What tips you off that such an infection is present? Do you attempt to identify the malware, and if so, how? What additional steps do you take before/after formatting and reinstalling? Not trying to be snarky or whatever; I'm genuinely curious.
|
|
#
?
Oct 27, 2015 16:13
|
|
|
OSI bean dip posted:Since Khablam has yet to answer my question about how to deal with rootkits, I'll ask mindphlux here: Roguekiller would check the boot stuff. You didn't list it. So the malware is loaded before the boot loader? How about imaging the hard drive and then zero'ing it out and restoring only the MBR and main partition? Also before the bootloader might be the UEFI.. so I would try and re-flash the BIOS although I really don't know much about UEFI exploits, this is new territory for my skills. I thought the secure boot process prevented stuff like this. Maybe I am mistaken. redeyes fucked around with this message at 16:30 on Oct 27, 2015 |
|
#
?
Oct 27, 2015 16:24
|
|
|
Toast Museum posted:While we wait, can you talk a bit about your process? What tips you off that such an infection is present? Do you attempt to identify the malware, and if so, how? What additional steps do you take before/after formatting and reinstalling? These are good trick questions and something I did cover in in the thread I made that tells one how to properly address malware. What tips me off when an infection occurs is really no different than most: something obviously malign has happened. The problem we have though is that that isn't always the way that something will get detected because if the malware is designed to hide itself, you may just not know. In a controlled environment (like a sandbox), it's quite apparent what changes were made by the malware, but on your day-to-day machine? Good luck. For those of you who want to refute this, even anti-virus vendors themselves cannot detect some malware that's sitting right under their nose. Detections are easy to avoid if you understand how anti-virus engines work. I know of cases where the AV vendor gets desperate enough to just detect malicious software by its icon resource and nothing more because the file is packed in such a way that makes it difficult to write an effective signature. Suspicious behaviour creates far too many false positives for what it is worth--it's bad to the point where rolling it out on a corporate network would probably generate far too much noise. More often than not I do not attempt to detect the type of malware except if I am of the belief that it is a targeted attack. In that case, I do go and retrieve the malicious files and then run it in a sandbox. If it looks dire, I'll go and do some simple reverse engineering to see what it may be. At the extreme end, I have in the process taken over a botnet in order to get an idea of the problem at hand. It's a lot to go over but I am always happy to share stuff with people who are interested in this sort of thing. For your last question: it's pretty simple as all I suggest is nuking the bootloader as that is for now the best course of action. My biggest fear is that with SSDs becoming more mainstream and the fact that there is little care put into how these drives are designed (I legitimately have no faith), it may get to the point where malware remediation may become nigh-impossible. SSDs do happen to run their own software stack to manage everything and we already have proof of concepts with old fashioned platter disks. Of course this is "looney talk" as Khablam puts it. redeyes posted:Roguekiller would check the boot stuff. You didn't list it. So the malware is loaded before the boot loader? How about imaging the hard drive and then zero'ing it out and restoring only the MBR and main partition? Re-read what I posted: I didn't create this list. And yes. Destroying the bootloader is the only way to fix it. Of course, mindphlux's list of idiot tools would have not done this and therefore his client's machines run the risk of getting reinfected. Also this infection vector does exist and was a way that fake anti-virus kept leverage on machines. But hey! They're not my clients! Lain Iwakura fucked around with this message at 17:22 on Oct 27, 2015 |
|
#
?
Oct 27, 2015 16:55
|
|
|
OSI bean dip posted:These are good trick questions and something I did cover in in the thread I made that tells one how to properly address malware. I want to be clear that I did not intend for them to be trick questions. I guess I'm admitting to some ignorance here, but I'm not even sure what the trick would've been. Thanks for replying; I'll check out the other thread.
|
|
#
?
Oct 27, 2015 17:11
|
|
|
Toast Museum posted:I want to be clear that I did not intend for them to be trick questions. I guess I'm admitting to some ignorance here, but I'm not even sure what the trick would've been. Thanks for replying; I'll check out the other thread. Nah. I know you didn't. But they're trick questions nonetheless. 
|
|
#
?
Oct 27, 2015 17:17
|
|
|
OSI bean dip posted:Nah. I know you didn't. But they're trick questions nonetheless. so finally, after all this, your argument is 'you didn't check the bootloader'. why didn't you say this ages ago? I do when I think it's warranted, but it doesn't matter at this point - what matters is having an educational thread for the forum. not e-pointscoring or swinging your dick. PS, I've read your thread, it doesn't really have any helpful information beyond a paranoid 'you guys are hosed, reformat!!'. stop pointing people at it. w/rt clients : some have spare machines, some have budgets where the concept of 'a spare machine' is laughed at. 'we'll buy it when we need it!!' or 'why are you asking me to spend $1000 and hours of billable time on something that I'm not going to use'. I'm good at persuading and justifying a responsible approach to IT, but unless you've worked for a MSP, I don't think you'd understand what you're up against. ask me about how I've desperately tried (in writing), to change the password policy of a financial services company from 'a standard variation on your last name' to 'literally anything remotely sensible'. as in, everyone's password is the same variation on their last name. noting their entire network is open to even recently departed employees. you can VPN in with full access by just guessing the managing partner's user/pass. 4mm company. you can either help and inform as many people as you can, and nudge them in the right direction as often as possible - or you can get all aspergery and throw your hands up and go 'you're an idiot' and walk away. I choose the former.
|
|
#
?
Oct 27, 2015 18:05
|
|
|
mindphlux posted:so finally, after all this, your argument is 'you didn't check the bootloader'. why didn't you say this ages ago? I do when I think it's warranted, but it doesn't matter at this point - what matters is having an educational thread for the forum. not e-pointscoring or swinging your dick. PS, I've read your thread, it doesn't really have any helpful information beyond a paranoid 'you guys are hosed, reformat!!'. stop pointing people at it. Sorry. So far what you've opened up with is, "you've caught me not knowing what I am talking about but I've opted to continue on about how you're wrong because my ego cannot take a hit". You went and suggested a list of tools, said it belonged in the OP, failed to demonstrate what you know about those tools, and then got upset when I demonstrated that you're talking out of your rear end. Here's what I said in the thread I made: quote:Secondly, you'll want to evaluate what action you'll want to take. If you believe that the infection is something minor like fake anti-virus or something that is creating popups, perhaps you should just do an offline scan of the machine. However, if the machine is severely infected where you are not sure what is going on, are you going to continue to trust that machine with details like your online banking, e-mails, and perhaps your SA forum account? If no, consider a wipe and restore here. Because I think you have poor reading comprehension skills, I'll simplify this for you further:
At no point do I suggest "format first; don't ask questions" because all I am asking for the individual is to make a personal risk assessment of the continued use of that machine. If the risk is acceptable, then continue to use the machine; if you believe otherwise, then loving don't. This concept goes over your head because you appear to have a lack of critical thinking skills, but it's easier for you to go back on telling me I am wrong I am sure. quote:w/rt clients : some have spare machines, some have budgets where the concept of 'a spare machine' is laughed at. 'we'll buy it when we need it!!' or 'why are you asking me to spend $1000 and hours of billable time on something that I'm not going to use'. I'm good at persuading and justifying a responsible approach to IT, but unless you've worked for a MSP, I don't think you'd understand what you're up against. You're making assumptions about me and my job history; it's really cute. I have a very, very good understanding of the MSP world--a lot of providers tend to undercut their competition and do so by offering shoddy services like you do. I like how you keep falling back to "well in my experience" statements instead of actually taking the time to understand what I am saying. I don't give a gently caress about your MSP experience because all you're telling me is that it's better to do the job quickly than to do it correctly. It's as if you don't really give a gently caress about what happens to the clients as long as you get your money. quote:ask me about how I've desperately tried (in writing), to change the password policy of a financial services company from 'a standard variation on your last name' to 'literally anything remotely sensible'. as in, everyone's password is the same variation on their last name. noting their entire network is open to even recently departed employees. you can VPN in with full access by just guessing the managing partner's user/pass. 4mm company. Great! I have horror stories too like that. I am sure you have a great idea for password policies. quote:you can either help and inform as many people as you can, and nudge them in the right direction as often as possible - or you can get all aspergery and throw your hands up and go 'you're an idiot' and walk away. I choose the former. Let me rewrite this as: "you can keep telling me I am wrong, but I'll go tell other people that I am right and then demonstrate I have no skill in arguing my supposedly solid points". Since you're in the Atlanta area and run your own business, I suggest merging your company with this local to you moron.
|
|
#
?
Oct 27, 2015 18:24
|
|
|
OSI bean dip posted:
wow, we're agreeing on something! this is exactly what I do and recommend in practice! my list you're hung up so much about is my 'how to perform a scan' 101 checklist. I've just actually detailed what I do to run a scan, whereas you waive your arms and say 'run a scan', which is not helpful for the less savvy readers of this thread. but I guess helps you feel good because you're the magical keeper of the mystic 'how to run a scan' information??? or something??? honestly don't know what your deal is. quote:I don't give a gently caress about your MSP experience because all you're telling me is that it's better to do the job quickly than to do it correctly. It's as if you don't really give a gently caress about what happens to the clients as long as you get your money. yes. I'm telling you sometimes it is better to do the job quickly than to do it correctly. just let that sink in. are you missing something?
|
|
#
?
Oct 27, 2015 18:32
|
|
|
mindphlux posted:wow, we're agreeing on something! this is exactly what I do and recommend in practice! my list you're hung up so much about is my 'how to perform a scan' 101 checklist. I've just actually detailed what I do to run a scan, whereas you waive your arms and say 'run a scan', which is not helpful for the less savvy readers of this thread. How are we agreeing on something? Let me remind you of the post that started it all: shyduck posted:
Then you chime in: mindphlux posted:rkill Then added: mindphlux posted:someone should just add this to the OP tbqh At no point did I see anything relating to what I said being said in your post. quote:yes. I'm telling you sometimes it is better to do the job quickly than to do it correctly. Just let this sink in: you have no clue about what you're talking about and would rather keep defending your original posts because I have somehow maligned your ego. It's one thing to make mistakes but it's another to keep going on and beating a dead horse even though you are without a doubt wrong.
|
|
#
?
Oct 27, 2015 18:36
|
|
|
mindphlux posted:so finally, after all this, your argument is 'you didn't check the bootloader'. why didn't you say this ages ago? I do when I think it's warranted Congratulations on your psychic powers.
|
|
#
?
Oct 27, 2015 18:44
|
|
|
mindphlux posted:w/rt clients : some have spare machines, some have budgets where the concept of 'a spare machine' is laughed at. 'we'll buy it when we need it!!' or 'why are you asking me to spend $1000 and hours of billable time on something that I'm not going to use'. I'm good at persuading and justifying a responsible approach to IT, but unless you've worked for a MSP, I don't think you'd understand what you're up against. What do you tell customers when you return their computer to them? That you cleaned it up a bit; that you've verified it's clean; that it's safe to use? I've been a consultant, I understand that customers don't always want to buy the thing you genuinely think is best for them. I'm curious about how you frame what they *do* ask for and get.
|
|
#
?
Oct 27, 2015 19:15
|
|
|
mindphlux posted:wow, we're agreeing on something! this is exactly what I do and recommend in practice! my list you're hung up so much about is my 'how to perform a scan' 101 checklist. I've just actually detailed what I do to run a scan, whereas you waive your arms and say 'run a scan', which is not helpful for the less savvy readers of this thread. but I guess helps you feel good because you're the magical keeper of the mystic 'how to run a scan' information??? or something??? honestly don't know what your deal is. You're missing that he's a turbo-sperg and will just get angrier and angrier until you bow and crown him the god of all malware research. That this doesn't present anything useful for anyone else isn't his concern. It's just "you can't ever know what I know so just reformat and/or throw away your hardware plebian  "OSI bean dip posted:Since Khablam has yet to answer my question about how to deal with rootkits I'm perfectly willing to tell you what I'd do to <MALWARE> if you'd simply tell me which malware is invisible to mindplux's list. You scoff at my "0.001% risk" yet can't pick one example out of millions of pieces of available malware. Pretty much just confirming what I'm saying. Until then I'm just playing whack-a-mole with your theoretical targeted/nationstate level malware that may or may not exist.
|
|
#
?
Oct 27, 2015 19:42
|
|
|
Khablam posted:Until then I'm just playing whack-a-mole with your theoretical targeted/nationstate level malware that may or may not exist. Okay. Time for you to shut up. Let me introduce you to TDL[1-4]/TDSS/Alureon, a family of malware that was common across fake anti-virus for a few years. This is the very thing I kept going on to you two that you seemingly somehow don't believe exists. Here are a bunch of whitepapers and slides that I am sure you'll ignore: http://www.eicar.org/files/eicar_backdoor.tdss__tdl3_.pdf http://www.drweb.com/static/BackDoor.Tdss.565_%28aka%20TDL3%29_en.pdf http://go.eset.com/us/resources/white-papers/TDL3-Analysis.pdf This isn't some nation-state garbage, it's "commodity" in the sense that users were getting them on home PCs and corporate networks. Here's how it became a rootkit within Windows XP:
That simple! And while I bring up XP, it's for good reason: in Service Pack 2 and earlier, it didn't even have to worry about user intervention to install itself as a driver because of a vulnerability that existed within the print spooler--which was fixed in SP3. Of course, the user intervention would occur in Service Pack 3 or in Vista and Windows 7. Here's the sort of poo poo that a user might see after getting hit with the family I am describing:  Oh dear. That's some real "nation-state level" poo poo right there. Oh. And it does other things like redirect users to other websites and other supposedly "nation-state level" poo poo that you seem to think it is here. AV vendors had to create special tools to deal with this and KB articles are aplenty on how to remediate--which involves steps using OS tools needing to be used offline. This stuff will come up again and again and neither of you two have any clue.
|
|
#
?
Oct 27, 2015 20:02
|
|
|
TDSS/Alureon is not that big of a deal really. Easily detectable. Roguekiller will remove that sucker. The crypto locker poo poo is way way worse for most people.
|
|
#
?
Oct 27, 2015 20:40
|
|
|
redeyes posted:TDSS/Alureon is not that big of a deal really. Easily detectable. Roguekiller will remove that sucker. It has been mostly thwarted in the past few years for a number of reasons, but it's a matter of time before another one comes up and evades your fancy suggestion.
|
|
#
?
Oct 27, 2015 20:44
|
|
|
OSI bean dip posted:It has been mostly thwarted in the past few years for a number of reasons, but it's a matter of time before another one comes up and evades your fancy suggestion. Fancy? So how is this going to load unsigned drivers in a 64bit OS with secure boot?
|
|
#
?
Oct 27, 2015 20:45
|
|
|
i'm glad code signing certs are hard to obtain
|
|
#
?
Oct 27, 2015 20:47
|
|
|
Wiggly Wayne DDS posted:i'm glad code signing certs are hard to obtain There are certainly problems with compromised certs recently but it seems like the industry revokes them pretty fast. I've yet to see a boot sector virus or anything like it on systems with secure boot enabled. quote:turbo-sperg 
|
|
#
?
Oct 27, 2015 20:48
|
|
|
redeyes posted:Fancy? So how is this going to load unsigned drivers in a 64bit OS with secure boot? Yeah. Secure boot is never going to have issues. http://www.kb.cert.org/vuls/id/976132 http://seclists.org/bugtraq/2015/Oct/70 Please stop while you're ahead.
|
|
#
?
Oct 27, 2015 20:49
|
|
|
OSI bean dip posted:Yeah. Secure boot is never going to have issues. That was a question not a statement pal. Windows 10 is not Windows 8 so maybe this is fixed. quote:No public attack against systems for which the owner does not want the redeyes fucked around with this message at 20:54 on Oct 27, 2015 |
|
#
?
Oct 27, 2015 20:52
|
|
|
redeyes posted:There are certainly problems with compromised certs recently but it seems like the industry revokes them pretty fast. I've yet to see a boot sector virus or anything like it on systems with secure boot enabled. redeyes posted:That was a question not a statement pal. Windows 10 is not Windows 8 so maybe this is fixed.
|
|
#
?
Oct 27, 2015 20:55
|
|
|
redeyes posted:That was a question not a statement pal. Windows 10 is not Windows 8 so maybe this is fixed. "Maybe it has been fixed"--please stop again. If you had done a search for the CVE (or read to the bottom of the advisory for that matter), you'd have found this link indicating that it has been. There are no such things as "maybe" around here. Of course, it goes over your head here that this was in fact reported through normal channels to Microsoft and thus was fixed through a normal patch cycle. There has never been a situation where malware has been using previously-unknown exploits--nosiree! Lain Iwakura fucked around with this message at 21:03 on Oct 27, 2015 |
|
#
?
Oct 27, 2015 20:59
|
|
|
OSI bean dip posted:Here's the sort of poo poo that a user might see after getting hit with the family I am describing: This poo poo hit when I was working for a mom-and-pop shop. The amount of crying and whining because we would basically give them two options - 1) take it somewhere else or 2) backup/reinstall. And so many people had non-valid office keys, etc. It sucked, but it kept us from having people come back. Alureon was loving horrible. Interesting thread though, and some neat info. I'm always a "if its worse than some random popups/browser toolbar, blast it", and don't really have issues on my own system, but christ if I'm not thinking about just nuke it from orbit. Also, the SSD thing is lovely. Secure erase possibly not a solid alternative?
|
|
#
?
Oct 27, 2015 21:06
|
|
|
Siochain posted:Also, the SSD thing is lovely. Secure erase possibly not a solid alternative? Not really. The big problem with SSDs is that internally they have their own software to manage the flash memory--IE: block off writes to specific places, et cetera. If the software stack is somehow infected, there is probably no real reliable way to fix it short of getting friendly with JTAG then praying that you don't brick your drive in the process. For those of us who end up dealing with forensics, write blockers are sort of ineffective with SSDs because while the OS we're using cannot write to the drive, it doesn't mean that the drive isn't writing at all as the built-in software may be doing its usual maintenance. SSDs are going to be interesting from a malware perspective as they become more popular.
|
|
#
?
Oct 27, 2015 21:11
|
|
|
OSI bean dip posted:Not really. The big problem with SSDs is that internally they have their own software to manage the flash memory--IE: block off writes to specific places, et cetera. If the software stack is somehow infected, there is probably no real reliable way to fix it short of getting friendly with JTAG then praying that you don't brick your drive in the process. For people like most of those that post in this subforum, until we can get viable action items from security vendors on theoretical SSD malware, it's all just farting in the wind however. SSD's in laptops are becoming pretty ubiquitous, and the best way to guard against data loss is to treat the laptop as a "Portal to work" rather than the place work itself happens. If one of our managers dumped his laptop in the pond/got it infected with the nasties our net loss here would be the laptop itself. The data's all going on a network drive that gets snapshotted on a fairly consistent basis to the point where I can walk back to minutes before the infection while simultaneously flattening the laptop. Net loss of work is at most what was done between infection and flatten process (And even then you probably won't lose much). I generally flatten any virus laden PC, nine times out of ten it will take far more effort for me to dig down and see what's going on and I don't have the resources. But I also recognize that I created an environment that is suited to this methodology and solutions like this are expensive, or can be at any rate. EDIT: I do have to say I'm entertained whenever someone has a horror story about Crypto*, because in my environment that poo poo was the biggest damp squib ever. Flatten PC, roll back shares from immutable snapshot, take nap.
|
|
#
?
Oct 27, 2015 21:34
|
|
|
Siochain posted:This poo poo hit when I was working for a mom-and-pop shop. The amount of crying and whining because we would basically give them two options - 1) take it somewhere else or 2) backup/reinstall. And so many people had non-valid office keys, etc. It sucked, but it kept us from having people come back. Alureon was loving horrible. I loving hated that poo poo. We were doing what mindphlux said, and found that on some machines (even recent ones) it would take hours, if not a day or two (depending on how much poo poo they had) to do effective deep scans with some of it. Then the machine would come back the next week, with the same virus, and the customer hadn't barely used the computer (We did check browser histories and whatnot). Eventually we got to the point where when we saw it we simply told the customer for the same price of what they were quoted, we'd backup and reformat. Saved us tons of time in the end.
|
|
#
?
Oct 27, 2015 21:35
|
|
|
OSI bean dip posted:Not really. The big problem with SSDs is that internally they have their own software to manage the flash memory--IE: block off writes to specific places, et cetera. If the software stack is somehow infected, there is probably no real reliable way to fix it short of getting friendly with JTAG then praying that you don't brick your drive in the process. Kind of figured. I know most SSD's do their own thing, so in theory if someone can compromise that, its "get virus, throw away HDD". Mind you, proof-of-concept of doing that for platter drives exist. Basically we're all loving boned. Wheee!
|
|
#
?
Oct 27, 2015 21:51
|
|
|
Rhymenoserous posted:For people like most of those that post in this subforum, until we can get viable action items from security vendors on theoretical SSD malware, it's all just farting in the wind however. SSD's in laptops are becoming pretty ubiquitous, and the best way to guard against data loss is to treat the laptop as a "Portal to work" rather than the place work itself happens. Oh. Don't get me wrong: nothing so far has been shown to be going about infecting SSDs so I am not about to go and suggest nuking them from orbit. It's just going to suck when we start to see this sort of stuff becoming ubiquitous.
|
|
#
?
Oct 27, 2015 21:54
|
|
|
redeyes posted:I've yet to see a boot sector virus or anything like it on systems with secure boot enabled. Why do so many people in this thread seem to think that "I haven't seen one" is the same as "they don't exist"
|
|
#
?
Oct 27, 2015 23:17
|
|
|
OSI bean dip posted:Okay. Time for you to shut up. Let me introduce you to TDL[1-4]/TDSS/Alureon, a family of malware that was common across fake anti-virus for a few years. This is the very thing I kept going on to you two that you seemingly somehow don't believe exists. Why do you think I don't know this exists, or malware very similar? It's readily detected by a whole host of anti-malware tools (including some mindplux posted) and/or a catch(nearly)all offline scan. It's also detectable by being really loving in your face, leading to investigations into what is wrong. I'd deal with this by performing a complete flatted and reinstall, being sure to clear the MBR. I asked for an example of your magical mystery malware that can pose a very significant threat whilst evading any detection by the things mindplux posted and you give me low hanging fruit like it's some sort of gotcha lol You still haven't also answered the logical questions I posed: - If the malware is invisible to a "free web tools" / paid AV analysis, why are you looking for it? - If you have no concept of what it is, how can *any* remedy be sufficient? The only logical conclusion to your posed anger tantrums is to forever conclude there might be an issue and start from a clean image on new hardware every day / just use LiveCDs / airgap (and unplug the speakers lulz)
|
|
#
?
Oct 27, 2015 23:46
|
|
|
Khablam posted:Why do you think I don't know this exists, or malware very similar? And yet you decided to go on and on about a rootkit like what I just showed in the quoted post you have there as being "state-level" nonsense. Let me remind you of what you said: Khablam posted:Until then I'm just playing whack-a-mole with your theoretical targeted/nationstate level malware that may or may not exist. And yet you say you know that such a thing exists? quote:I asked for an example of your magical mystery malware that can pose a very significant threat whilst evading any detection by the things mindplux posted and you give me low hanging fruit like it's some sort of gotcha I did and you acted completely clueless, thinking that it doesn't exist. Now you're saying that you knew all along it exists. quote:You still haven't also answered the logical questions I posed: Sure. I'll answer your questions. 1. Does a bear poo poo in the woods? 2. Your question is the answer. The only logical conclusion in these responses (read: an attempt to restore a maligned ego) to my tantrums (read: factually-based opinions that you don't agree with because of your maligned ego) that you still fail at reading comprehension and therefore will continue an endless cycle of contributing nothing to this thread. I am sure you're great with spreadsheets in space and iPhones, but so far you've demonstrated a complete lack of comprehension around computer security.
|
|
#
?
Oct 27, 2015 23:57
|
|
|
Khablam posted:- If the malware is invisible to a "free web tools" / paid AV analysis, why are you looking for it? Thank you for visiting the Genius bar, have a great day.
|
|
#
?
Oct 28, 2015 00:01
|
|
|
Khablam posted:- If the malware is invisible to a "free web tools" / paid AV analysis, why are you looking for it?
|
|
#
?
Oct 28, 2015 00:33
|
|
|
OSI bean dip posted:And yet you decided to go on and on about a rootkit like what I just showed in the quoted post you have there as being "state-level" nonsense. Let me remind you of what you said: Gonna quote myself in the vain hope you'll see the distinction Khablam posted:e: Can either of you blowhards stop trying to play "prove the negative", and suggest a piece of malware that slips through the SOP you're stamping your feet about? Khablam posted:Which one in particular does this whilst not appearing to an offline scan or the other rootkit tools mindplux mentioned? I'm saying things like "nation-state" level and "targeted" malware because I can't think of a single example of sophisticated malware never being detected and categorised in any way except the examples we know/assume are such, like stuxnet. Do you have an example or are you just going to keep getting mad? Wiggly Wayne DDS posted:I mean I had an idea you were criminally negligent but this is a level beyond what I was thinking. Why would he conclude that no evidence of it existing was proof that it was?
|
|
#
?
Oct 28, 2015 02:20
|
|
|
I still don't get why we're nitpicking over whether a bunch of heuristic-based tools will happen to detect a rootkit when we can fix the problem by formatting and reloading from a recent backup. If this is any harder than running X, Y, Z, A, B, C, C# D, E, and F virus scanning tools that you use, maybe you should work on unfucking your / your client's awful IT structure instead of hoping that the 95% fix works 100 times in a row.
|
|
#
?
Oct 28, 2015 02:28
|
|
|
Khablam posted:2 days later, again asking for a simple example of one that evades the SOP you're getting to mad about. Alureon doesn't. Stop being obtuse and read the white papers I posted. quote:I'm saying things like "nation-state" level and "targeted" malware because I can't think of a single example of sophisticated malware never being detected and categorised in any way except the examples we know/assume are such, like stuxnet. Again, read the white papers I posted. You are demonstrating that you have some very inadequate knowledge about malware. Not a surprise considering earlier posts in this thread consists of you recommending anti-virus based on tests. Actually, earlier posts of your own demonstrate a complete lack of knowledge on how to remediate TDSS/Alureon/TDL because if I go back to 2012, I see you recommending RogueKiller in this very thread without any recommendation to restore the boot loader. By that time, TDL was on its fourth iteration which was doing the bootloader rootkit as shown in one of those three PDFs I linked you to. Of course, you're the blind, tier-1 help desk kind that just goes and acts like an "IT superhero" just like our earlier friend is, suggesting blindly on what to do, so I guess it's no surprise you'd link to a tool without consideration for other complications. Of course, you're painfully oblivious (and likely negligent) and are continuing to beat this stupid drum of yours because somehow you cannot admit to being wrong. [edit] Actually you do suggest to restore the MBR (two posts afterward without suggesting it in the first place for TDSS) which means either you're being an idiot and are arguing for the sake of arguing or you haven't made the connection--I think the former is more accurate. Lain Iwakura fucked around with this message at 02:41 on Oct 28, 2015 |
|
#
?
Oct 28, 2015 02:35
|
|
|
Subjunctive posted:What do you tell customers when you return their computer to them? That you cleaned it up a bit; that you've verified it's clean; that it's safe to use? I've been a consultant, I understand that customers don't always want to buy the thing you genuinely think is best for them. I'm curious about how you frame what they *do* ask for and get. ........ return...... their computer? we resolve issues remotely (included in MSP costs). if we see evidence of a rootkit or something looks completely hosed, we advise the client we need to come onsite to fix, and that they should expect we'll have to flatten and reformat. (not included in MSP costs) If things look completely hosed, we come onsite, disconnect network to the machine, scan, assess, remediate - and packet log and check network traffic for anything really bizarre network-wide. and if it's actually hosed and we can't resolve in under an hour or so, we advise them we need to flatten and reformat and it will take X number more hours. we remind them they should have listened to our earlier advice about purchasing a spare workstation and being proactive - and for those who actually listen to us, we compliment them on their wise decision and point out how much they're saving on onsite services because we can just swap out an already imaged system for them and deal with. under no circumstances would I ever claim any machine is 'verified clean', which is part of why I don't understand why OSI is on about himself so much. you can't prove a negative. there exists malware that survives a flatten and reformat, bootsector and all. we just do the best we can, and are transparent with all our clients about their risks and options. you have to assume all digital systems are vulnerable to attack, and we tell our clients that upfront. our results are great, and our clients are happy - and disclaimers built into our contracts - so everyone wins. we don't insist our clients spend 5 hours reformatting with every stupid java vulnerability or whatever (because we honestly aren't security shills wielding the e-dick specter of COMPLETE SAFETY in return for inflated billable hours), we save them money, they're satisfied with the results in practice - as are we!
|
|
#
?
Oct 28, 2015 07:20
|
|
|
|
| # ? May 17, 2024 20:30 |
|
|
Thanks, I understand better now. Appreciate it.
|
|
#
?
Oct 28, 2015 11:02
|
|