Disinfecting PC's Without the Need for Tedious Security Software

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
Many of us know about all of the paid and free security software options at our disposal; BB's, suites, HIPS, HIDS, NIDS, stand-alone AV's, stand-alone firewalls, quarantined RAM (sandboxie), etc.

Barring any hardware or BIOS rootkits, there could be a fast and simple malware infection solution without the need for the above listed security program types. With the help of a super fast solid state hard drive, I could see the future of malware prevention as not being "prevention" anymore, but it could be as simple as throwing away the infected meat; in essence, every OS would be geared to automatically have a system image, consisting of every last OS detail, less the malware, via periodic restore points for the user to choose from. Then if they believe they are infected, they can choose from weekly system image restore points and implement them in a matter of seconds, not hours or minutes, thus there would be no need for prevention anymore.

I know there are system image utilizations presently, but the speed at which you can implement a system image might make other security software options more appealing due to time constraints.
I really believe it could be that simple pretty soon. But that is about the time that every Chinese component comes out of the box with a firmware rootkit installed. LOL

Let me know what you think of this theory.
 

Fabian Wosar

Such software already exists. ShadowDefender, DeepFreeze, RollbackRX, Returnil, and similar tools work in exactly that manner. And guess what: These rollback solutions are inherently unsafe.

Here is the problem:

Your idea essentially revolves around the idea that malware will be unable to survive a reboot as the system will be reset to a guaranteed uninfected state every time during boot. The first glaring issue is the fact that malware doesn't need to persist through reboots to cause damage. Password stealers, for example, just need to be started once to read your browser's password storage and find out your saved passwords.

The other big issue is due to the way these applications operate. Rollback solutions are usually implemented as a disk filter driver. This means they essentially add themselves to the I/O chain that Windows uses to write to disk. A rollback solution will usually redirect every write access to the disk to a temporary area that is discarded at reboot. So all changes that you make during a normal session never actually end up on your hard disk. They end up in a temporary file that is deleted upon reboot, completely negating all changes made to your system. The problem is that there is no way to enforce another kernel mode driver to honor the Windows I/O chain. What you can do is just look at the device stack for the hard disk, figure out the lowest device, which is in most cases the actual hard disk driver, and talk to the device directly, completely bypassing the I/O chain. The rollback filter driver is usually located directly above the disk driver, so by talking to the disk driver directly it never actually sees that you wrote to disk and therefore can't intercept your write request.

This isn't a theoretical risk either. Some of the most widespread bootkits (TDL-4 for example) do exactly that and will happily infect systems protected by rollback software and survive a reboot.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
What about a rapid reformat (SSD required) before utilizing the last known clean system image restore point?
That is the gist of what I intended to convey. In essence, the clean system image is integrated with the fresh OS after a hard drive wipe. The clean system image would consist of every detail of the original pre-malware OS settings, documents, programs, etc.
I am thinking that a SSD could allow the wipe and re-installation to happen in a very short time. I would guess that an external SSD cooperating with an internal SSD would be needed to make this happen, and happen in a rapid fashion, as to make it feasible. Basically the clean system image would be exported to the external, or secondary internal SSD, and then the primary SSD would be wiped, and then the OS with the clean system image is transferred back to the primary SSD from the secondary SSD. Barring a BIOS/hardware rootkit, wouldn't that work?

It is kind of like a reformat/rollback type of procedure, not just a rollback via system image; the best of both worlds.
 

Fabian Wosar

If Windows is able to create these snapshots, so is malware. Plus your entire approach still doesn't solve the issue with malware being able to steal data from the current session, which may already be enough.
 

iPanik

New Member
Feb 28, 2011
530
While your solution may work in theory it does seem a lot more expensive (time and money wise) than having a real-time scanner in the background.
Also how would you know that you were infected without a scanner? Not all malware is big and shouty ransomware-types, many viruses are invisible to the user.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
Malware is going to be able to steal data once a system is infected. That can happen during any infection. Nonetheless, users still want to get the OS back to normal as to avoid more of the same.
I am speaking of target dates where system images are made weekly. Those system images are malware free and transferred to the secondary SSD.

Once again, I am referring to a rapid reformat to rid malware and keep EVERYTHING intact via the pre-infection image.

Once people's OS's are infected we know that they either run scans and attempt to remove the malware, or they give up and reformat. This would not be a prevention method (as stated before), but a return-to-normal-after-infection method.

iPanik said:
While your solution may work in theory it does seem a lot more expensive (time and money wise) than having a real-time scanner in the background.
Also how would you know that you were infected without a scanner? Not all malware is big and shouty ransomware-types, many viruses are invisible to the user.

Good point.
You would still run a HitMan Pro followed by PCHunter and Comodo Killswitch to determine that (peace of mind in under 5 minutes, or faster with SSD). Yet, as I mentioned, no suites, HIPS, HIDS, BB's or sandboxes.
Cost now would be high, but maybe not in the future, esp. since SSD's are rapidly decreasing in price.
Remember that this is for a worst case scenario for when one might opt to reformat anyway because it is quicker to simply reformat for piece of mind. And once you reformat, you would have your clean system image, fully intact from the original uncorrupted one. Everything would be as it was a week or two prior, and you would have a wiped drive that you know is malware free, and a system image that is malware free.

I am basing the necessity of a method like this on the fact that HIPS and BB's can allegedly be tricked now. Sandboxes are soon to follow, maybe. The future is always uncertain, but if there are no safe defenses (not even sandboxes, HIPS, or BB's), a lightning fast and solid removal method via system image and hard drive wipe would be relevant, imho.
 

Frank_Leblanc

New Member
Feb 7, 2013
2
It would be lovely if it works. But I think other replies cast doubt on that.

I have another approach which does require all those anti-malware utilities, but allows me to continue working until I get things cleaned up.

I have a separate partition with a second copy of the operating system (Windows 7). Completely legal because both copies are used on the same machine and never at the same time.

I used Easeus Partition Master to make a 50 GB primary partition and then installed a second copy of Windows 7 on drive B and then Microsoft Office, browsers, my VPN manager and lots of anti-malware utilities also on drive B.

Now when I am struck by viruses, trojans and other malware, I restart in my emergency partition and continue working. [I use two different passwords to access the OS on drives B and C.]

I should mention that I keep all long term data on the first primary partition in logical drives E (work) and F (personal). Only temporary data is stored on drives B and C.

This approach is not foolproof, but in practice it's convenient and cheap.

Gnosis said:
[SNIP]
Let me know what you think of this theory.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
Frank_Leblanc said:
Now when I am struck by viruses, trojans and other malware, I restart in my emergency partition and continue working.

I like that. Things don't happen overnight, but methodologies like yours can be tweaked by software developers and take us in a direction we never really dreamed of. It is all about speed, efficiency, and effectiveness. That is what people want in a cyber environment.
 

Fabian Wosar

Gnosis said:
Malware is going to be able to steal data once a system is infected. That can happen during any infection.
Correct, so you need to prevent the infection in the first place. Even with the solution you propose. So you still need to run your real-time AV, your firewall, your HIPS or behavior blocker, your sandbox and whatever else you use to protect yourself.

So your approach does nothing in regard to providing any additional security at all. It merely adds convenience. Convenience a normal backup would provide as well.

Gnosis said:
Those system images are malware free and transferred to the secondary SSD.
How do you propose to determine whether or not a system is actually malware free?

Gnosis said:
Once again, I am referring to a rapid reformat to rid malware and keep EVERYTHING intact via the pre-infection image.
You are aware that a reformat is not enough to remove some bootkits, right?

Frank_Leblanc said:
Now when I am struck by viruses, trojans and other malware, I restart in my emergency partition and continue working. [I use two different passwords to access the OS on drives B and C.]
Just pray you never get hit by crypto malware or file infectors (Parite, Polypos, Sality etc.). Both will happily encrypt and infect your B drive.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
Fabian Wosar said:
Correct, so you need to prevent the infection in the first place. Even with the solution you propose. So you still need to run your real-time AV, your firewall, your HIPS or behavior blocker, your sandbox and whatever else you use to protect yourself.

So your approach does nothing in regard to providing any additional security at all. It merely adds convenience. Convenience a normal backup would provide as well.

Agreed (theoretical approach, as I am not literally implementing this strategy even if it were possible to implement in a reasonable amount of time). But as I said before, it is for the worst case scenarios where one would choose to wipe the drive and reinstall the OS due to the tediousness of other methods of removal that correspond with whatever nasty infection might manifest.
We could say the same relative to on-demand or realtime security that pretty much did not exist 15 years ago, at least as we know them to be in 2013. I am sure some ideas sounded pretty reckless and wacky at that juncture as well. How about Norton AV years back. It sounded like a good idea, but it was such grayware that it was as bad as being infected by malware of the time.

Fabian Wosar said:
How do you propose to determine whether or not a system is actually malware free?

You would still run a HitMan Pro followed by PCHunter and Comodo Killswitch to determine that (peace of mind in under 5 minutes, or faster with SSD). Yet, as I mentioned, no suites, HIPS, HIDS, BB's or sandboxes.

Fabian Wosar said:
You are aware that a reformat is not enough to remove some bootkits, right?

Like I said in a prior post: "barring BIOS/hardware rootkits/bootkits"

Fabian Wosar said:
Just pray you never get hit by crypto malware or file infectors (Parite, Polypos, Sality etc.). Both will happily encrypt and infect your B drive.

Thus the need to possibly have an external secondary SSD with second OS.

Keep in mind that the gist of this figment is to avoid the tediousness of setting up realtime security, and dealing with pop-ups from suites, and having to tweak sandboxes, HIPS, HIDS, etc; and to avoid a lengthy removal session that might not even heal the system properly.

Besides, I would think that there is software out there that can take the primary OS and compare it with the secondary OS to check the primary OS for "lies". That would be as sufficient as anything to confirm or refute an infection, because you know as well as I that the only way besides that to absolutely know for sure that you are not infected is to manufacture and assemble your PC's hardware yourself instead of buying a computer that may have rootkits preinstalled. Software out of the box is a potential culprit too, as are the installation mechanisms. Then there is wiping the hard drive for peace of mind. It is not an exact science in the first place. Flaws are constantly being observed and exploited for legitimate means and illegitimate means. There is really never an end unless you throw your tech away and never get online again.
 

Fabian Wosar

Gnosis said:
We could say the same relative to on-demand or realtime security that pretty much did not exist 15 years ago, at least as we know them to be in 2013.
Did you use security software 15 years ago? Because the techniques haven't changed at all. 15 years ago there already was behavior-based realtime protection, for example, and HIPS. Heck, even MS DOS 6.x (released 20 years ago in 1993) came with a behavior blocker/HIPS on board!

Gnosis said:
You would still run a HitMan Pro followed by PCHunter and Comodo Killswitch to determine that (peace of mind in under 5 minutes, or faster with SSD). Yet, as I mentioned, no suites, HIPS, HIDS, BB's or sandboxes.
Even combining all three tools won't give you peace of mind nor do they guarantee that you are malware free.

Gnosis said:
Like I said in a prior post: "barring BIOS/hardware rootkits/bootkits"
The only time you ever said the word bootkit is now. You talked about and excluded BIOS and hardware rootkits, not bootkits.

Gnosis said:
Thus the need to possibly have an external secondary SSD with second OS.
This wasn't actually addressed towards you. But you are correct, if you do backups or maintain an "emergency OS", you better store them on an external storage device that is disconnected from your PC if not used.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
Fabian Wosar said:
(released 20 years ago in 1993) came with a behavior blocker/HIPS on board!

I have read about that somewhere, but I figured it was pretty rare, and experimentally quirky to the point of making a beta release seem more like pre-alpha.

Fabian Wosar said:
Even combining all three tools won't give you peace of mind nor do they guarantee that you are malware free.

Agreed.

Fabian Wosar said:
The only time you ever said the word bootkit is now. You talked about and excluded BIOS and hardware rootkits, not bootkits.

True. Bootkits won't matter though, will they? Esp. if you have no corruption of BIOS or hardware, and a clean OS and system image waiting for you after the hard drive wipe.
 

Fabian Wosar

Gnosis said:
I have read about that somewhere, but I figured it was pretty rare.
Actually it was pretty common. Every DOS anti-virus had a behavior blocker and real time scanner back then, and MS DOS was by far the most widespread operating system. You even had the same issues you have nowadays: these anti-virus TSRs (TSRs are background processes/services in DOS) consumed quite a bit of resources and could be quite noisy, literally issuing alerts on pretty much every activity taking place.

Gnosis said:
True. Bootkits won't matter though, will they? Esp. if you have no corruption of BIOS or hardware, and a clean OS and system image waiting for you after the hard drive wipe.
Actually, they do. Bootkits often exist outside the normal Windows file system. So even if you format your NTFS partition and copy back all files from your backup disk, the bootkit may still be there. Simply because the bootkit exists outside of the NTFS file system you just reset. Instead it lives in some unused sectors of your hard disk that don't belong to any partition and therefore aren't affected.

The only way you can make sure that no bootkit survives is if you do a sector by sector backup of your disk and restore it sector by sector. This isn't very cost efficient though and even with modern SSDs backing up and restoring a 128 GB SSD would take roughly 5 minutes.
 
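The point in the post above, that a file-system-level restore never touches sectors that belong to no partition, can be turned into a defender's check: fingerprint the unpartitioned sectors of a disk from a known-clean state and compare them again after a restore. The script below is an added example, not code from the thread or from any of the products mentioned. It parses a classic MBR partition table from a raw disk image, hashes every sector range that no partition claims (sector 0 and the gaps), and reports which ranges differ from the baseline; the 1 MiB disk image, the single partition in it and the 16-byte marker written outside that partition are all constructed for the demo.

```python
"""Baseline-and-compare check for sectors that belong to no partition."""
import hashlib
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries live here
MBR_SIGNATURE = b"\x55\xaa"  # boot signature at offset 510


def parse_mbr(image):
    """Return [(first_lba, sector_count), ...] for the non-empty MBR entries."""
    if bytes(image[510:512]) != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = image[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            parts.append((first_lba, count))
    return parts


def unpartitioned_ranges(image):
    """LBA ranges [start, end) that no partition covers, sector 0 included."""
    total = len(image) // SECTOR
    gaps, cursor = [], 0
    for first, count in sorted(parse_mbr(image)):
        if first > cursor:
            gaps.append((cursor, first))
        cursor = max(cursor, first + count)
    if cursor < total:
        gaps.append((cursor, total))
    return gaps


def fingerprint_gaps(image):
    """Map each unpartitioned range to the SHA-256 of its raw bytes."""
    return {(s, e): hashlib.sha256(bytes(image[s * SECTOR: e * SECTOR])).hexdigest()
            for s, e in unpartitioned_ranges(image)}


def changed_ranges(baseline, current):
    """Ranges whose content differs from the baseline, or that are new."""
    return sorted(r for r, h in current.items() if baseline.get(r) != h)


def build_image(total_sectors=2048, part_start=63, part_count=961):
    """Constructed disk image: one NTFS-typed (0x07) partition, rest zeroed."""
    img = bytearray(total_sectors * SECTOR)
    img[0:3] = b"\xeb\x3c\x90"  # constructed boot-code stub in sector 0
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", part_start, part_count)
    img[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = entry
    img[510:512] = MBR_SIGNATURE
    return img


def restore_partitions_only(current, backup):
    """Model a file-system-level restore: only partition sectors come back."""
    out = bytearray(current)
    for first, count in parse_mbr(backup):
        lo, hi = first * SECTOR, (first + count) * SECTOR
        out[lo:hi] = backup[lo:hi]
    return out


def demo():
    """Compare both restore styles against the clean baseline."""
    clean = bytes(build_image())
    baseline = fingerprint_gaps(clean)
    tampered = bytearray(clean)
    # Constructed change in sector 40, which lies in the gap before the partition.
    tampered[40 * SECTOR: 40 * SECTOR + 16] = b"UNPARTITIONED!!!"
    after_fs_restore = restore_partitions_only(tampered, clean)
    after_sector_restore = bytearray(clean)  # a sector-by-sector restore
    return (changed_ranges(baseline, fingerprint_gaps(after_fs_restore)),
            changed_ranges(baseline, fingerprint_gaps(after_sector_restore)))


if __name__ == "__main__":
    print(demo())
```

Run as-is it reports `([(0, 63)], [])`: the partition-only restore leaves the modified gap detectable, while the sector-by-sector restore brings the gaps back to their baseline. On a real disk you would read the image from the block device (or a forensic copy) and keep the baseline fingerprints off the machine; GPT disks need a different table parser, which this example does not cover.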

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
Fabian Wosar said:
Instead it lives in some unused sectors of your hard disk that don't belong to any partition and therefore aren't affected.

Fabian Wosar said:
The only way you can make sure that no bootkit survives is if you do a sector by sector backup of your disk and restore it sector by sector. This isn't very cost efficient though and even with modern SSDs backing up and restoring a 128 GB SSD would take roughly 5 minutes.

Truly fascinating. This turns the geek on inside of me.

I hope you will have the time to chime in as days and weeks and months go by. I can tell you have much to offer. We need someone like you here. You will greatly complement and supplement the talent and knowledge here.

I really like this one too:

Fabian Wosar said:
Such software already exists. ShadowDefender, DeepFreeze, RollbackRX, Returnil, and similar tools work in exactly that manner. And guess what: These rollback solutions are inherently unsafe.

Here is the problem:

Your idea essentially revolves around the idea that malware will be unable to survive a reboot as the system will be reset to a guaranteed uninfected state every time during boot. The first glaring issue is the fact that malware doesn't need to persist through reboots to cause damage. Password stealers, for example, just need to be started once to read your browser's password storage and find out your saved passwords.

The other big issue is due to the way these applications operate. Rollback solutions are usually implemented as a disk filter driver. This means they essentially add themselves to the I/O chain that Windows uses to write to disk. A rollback solution will usually redirect every write access to the disk to a temporary area that is discarded at reboot. So all changes that you make during a normal session never actually end up on your hard disk. They end up in a temporary file that is deleted upon reboot, completely negating all changes made to your system. The problem is that there is no way to enforce another kernel mode driver to honor the Windows I/O chain. What you can do is just look at the device stack for the hard disk, figure out the lowest device, which is in most cases the actual hard disk driver, and talk to the device directly, completely bypassing the I/O chain. The rollback filter driver is usually located directly above the disk driver, so by talking to the disk driver directly it never actually sees that you wrote to disk and therefore can't intercept your write request.

This isn't a theoretical risk either. Some of the most widespread bootkits (TDL-4 for example) do exactly that and will happily infect systems protected by rollback software and survive a reboot.
 

illumination

The theory is interesting, it does raise one question with me, maybe someone can answer. Would the wiping of the SSD every time one came across infection deteriorate the memory cells faster in the SSD, thus shortening the lifespan of the drive?

The newer systems with "refresh windows" and "reset to factory settings" images are a nice feature, and a lot faster than the traditional reformat/finding and placing drivers on etc., although one will still have to reinstall windows updates and their own personal programs again.

With that in mind, being able to create an image here and there would be great, not to have to go through all of that, and even better to access upon infection.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
I was a little hardheaded about the bootkit problem that Fabian explained. That seems to be quite the issue, even if pricing and speed of the process made my brain vomit feasible.
 

illumination

Gnosis said:
I was a little hardheaded about the bootkit problem that Fabian explained. That seems to be quite the issue, even if pricing and speed of the process made my brain vomit feasible.

Combine this theory with the new UEFI of windows 8, see where that takes you. As we have all mentioned before, as long as malware remains lucrative, we will have our hands full trying to patch vulnerabilities..

This is just a theory, and with such, one can see the pros and cons of it, although it did raise responses, meaning, it was as I stated, an interesting one.. :)
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
An infinite number of bugs in any given software = PROBLEM. For every patch, there are two more flaws.
 

Fabian Wosar

illumination said:
The theory is interesting, it does raise one question with me, maybe someone can answer. Would the wiping of the SSD every time one came across infection deteriorate the memory cells faster in the SSD, thus shortening the lifespan of the drive?
It depends. Some SSD drives provide a special feature called "secure erase". The way it works is this:

The SSD controller writes all data to the disk AES encrypted. So essentially every single sector (or cell as we talk about SSDs here) is encrypted. The secure erase feature now doesn't touch the encrypted data at all. Instead it resets the AES key used by the SSD controller. The result is that the SSD disk controller tries to decrypt the data on the disk using the wrong AES key, returning complete garbage, effectively deleting all data on the disk without the need to waste precious write cycles that could shorten the life span of the memory cells.

If you perform such a secure erase bootkits would be disabled as the sectors the bootkit resides in can no longer be decrypted.
 
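To make the "secure erase by key reset" mechanism from the post above concrete, here is a toy model of a self-encrypting SSD; it is an added example, not code from the thread or from any drive vendor. The controller encrypts every sector with a drive key before it reaches flash (an HMAC-SHA256 counter-mode keystream stands in for the controller's AES, which is an assumption of the model, not a description of real firmware). An overwrite-style wipe costs a program cycle on every cell, whereas the key reset leaves the stored ciphertext untouched, costs no write cycles, and turns every sector, including ones no partition owns, into unreadable garbage. The drive size, sector contents and counters are all constructed for the demo.

```python
"""Toy self-encrypting SSD: overwrite-erase versus crypto-erase (key reset)."""
import hashlib
import hmac
import os

SECTOR = 512


class ToySSD:
    """Flash stores only ciphertext; the controller holds the drive key."""

    def __init__(self, sectors):
        self._flash = [bytes(SECTOR) for _ in range(sectors)]  # ciphertext at rest
        self._writes = [0] * sectors                            # program cycles per cell
        self._key = os.urandom(32)                              # drive encryption key

    def _keystream(self, lba):
        # Counter-mode keystream bound to (key, sector number); stands in for AES.
        out, counter = b"", 0
        while len(out) < SECTOR:
            msg = lba.to_bytes(8, "little") + counter.to_bytes(4, "little")
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
            counter += 1
        return out[:SECTOR]

    def write(self, lba, data):
        """Encrypt a sector and program it; this consumes a write cycle."""
        data = data.ljust(SECTOR, b"\x00")[:SECTOR]
        self._flash[lba] = bytes(a ^ b for a, b in zip(data, self._keystream(lba)))
        self._writes[lba] += 1

    def read(self, lba):
        """Decrypt with whatever key the controller currently holds."""
        return bytes(a ^ b for a, b in zip(self._flash[lba], self._keystream(lba)))

    def overwrite_erase(self):
        """Traditional wipe: program zeros into every cell."""
        for lba in range(len(self._flash)):
            self.write(lba, b"")

    def secure_erase(self):
        """Crypto-erase: discard the key, leave the flash cells alone."""
        self._key = os.urandom(32)

    def total_writes(self):
        return sum(self._writes)


def key_reset_demo(sectors=64, lba=40):
    """Is stale data readable before/after a key reset, and what did it cost?"""
    ssd = ToySSD(sectors)
    marker = b"STALE-SECTOR-DATA"  # constructed content outside any partition
    ssd.write(lba, marker)
    readable_before = ssd.read(lba).startswith(marker)
    writes_before = ssd.total_writes()
    ssd.secure_erase()
    readable_after = ssd.read(lba).startswith(marker)
    return readable_before, readable_after, ssd.total_writes() - writes_before


def wipe_cost_comparison(sectors=64):
    """Write cycles spent by each erase style, excluding the one setup write."""
    a, b = ToySSD(sectors), ToySSD(sectors)
    a.write(0, b"x")
    b.write(0, b"x")
    a.overwrite_erase()
    b.secure_erase()
    return a.total_writes() - 1, b.total_writes() - 1


if __name__ == "__main__":
    print(key_reset_demo())        # (True, False, 0)
    print(wipe_cost_comparison())  # (64, 0)
```

The model also shows the caveat a practitioner cares about: crypto-erase only helps if the drive really encrypts at rest and the reset command is issued to the controller itself, so the procedure belongs in a boot-from-external-media workflow rather than inside the possibly compromised OS.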

Deleted member 178

After enjoying reading all the thread, I'm quite happy to be paranoid and have deployed my layered config :D

The main point I saw is we still need a kind of real-time AV, since we can still be infected by BIOSkits that reinstall themselves even after a reformat.

Even if I use Emsisoft IS + Webroot SA + Sandboxie + Shadow Defender + Rollback RX, I still did a sector/sector image of my system after a fresh installation, and store it on DVDs, where I'm sure it can't be infected.

Of course, nothing is impervious to malware, but with good habits and sufficient knowledge we can greatly reduce the risks.
 
