"Al Dunbar" wrote in message
news:u1dZcsl3IHA.4988@TK2MSFTNGP04.phx.gbl...
>
> "Will" wrote in message
> news:JfydnQ3UJ91BXPPVnZ2dnUVZ_hOdnZ2d@giganews.com...
>> "Twayne" wrote in message
>> news:eRJPHGj3IHA.3500@TK2MSFTNGP05.phx.gbl...
>>> > "Doug McIntyre" wrote in message
>>> > news:486bd948$0$60075$8046368a@newsreader.iphouse.net...
>>> >> "Will" writes:
>>> >>> Can someone recommend an anti-virus solution that lets you build a
>>> >>> boot CD that will inspect the NTFS file system for trojans or
>>> >>> viruses without any need to boot the OS on the file system you are
>>> >>> inspecting?
>>> >>
>>> >> That's not going to be too common, because it's not a very effective
>>> >> model for ongoing A/V protection.
>>> >
>>> > Day-to-day protection has to balance many different issues like
>>> > intrusiveness and performance on a system under use. It's very easy
>>> > to subvert modern virus checking programs with root kit viruses. The
>>> > rootkit simply rewrites kernel functions and reports back to the
>>> > virus checker only the data it wants the checker to see.
>>> >
>>> > Booting from a standalone CD is the only approach that guarantees
>>> > that all files on the file system can be inspected by an OS and
>>> > application that is not under control of a trojan or rootkit. It
>>> > would be an extremely good way of checking for hidden files or
>>> > folders that would otherwise be hidden from view if the rootkit were
>>> > active.
>>> > It's a shame if no anti-virus vendor has seen fit to create such a
>>> > bootable CD.
>>>
>>> Norton and, I think, McAfee both allow that, actually. The only gotcha
>>> is that only PART of the inspection can be done that way. Since virus
>>> profiles are constantly changing, it will still have to access the drive
>>> to get those signatures. But, it's still a very reliable way of
>>> handling infections on PCs. A CD, once written and its session closed,
>>> is not going to be affected by any virus or malware of any kind. So,
>>> yes, they do it with the exception of using the signature files on the
>>> hard drive.
>>> I can't understand why everyone is saying no one does it; I just
>>> pulled out my CD to make sure I'm right, and, well, I'm right!
>>> Toss it in the drive, boot from it, the AV process automagically starts,
>>> and off we go. It's not new; been this way for a long, long time.
>>
>> What you are describing is a way to run a virus checker from a CD after
>> booting the OS on the affected system.
>
> Re-read what Twayne wrote: "Toss it in the drive, boot from it, the AV
> process automagically starts". To me that means booting from the CD, not
> booting the OS installed on the machine.
I guess I can go buy one and find out. I did read what he wrote, but
somehow thought he didn't mean it as he literally said it.
--
Will
>> The problem with that approach is that a rootkit virus can alter the
>> operating system calls to disguise what is on the disk.
>>
>> The c:\windows folder might contain a subdirectory named
>> evilvirustoolkit, but as long as you boot your OS under the control of
>> the rootkit that folder stays invisible to every application on the
>> system, including your virus checker.
>>
>> What I was asking for was a virus checker that boots from *its own
>> operating system embedded on a CD*. That way there is no involvement
>> with infected OS code on the system being inspected.
>>
>> --
>> Will
>>
>>
>
>
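
The cross-view idea discussed in this thread, as an added example that is not part of the original posts: compare a file listing taken from the running OS with one taken after booting trusted media, and report what only the offline view shows. The one-path-per-line listing format, the `VOLATILE` exclusions and the file names under `evilvirustoolkit` are assumptions constructed for illustration.

```python
import ntpath

# Paths that legitimately differ between a live and an offline view
# (assumed exclusion list, tune for the system being inspected).
VOLATILE = ("c:\\pagefile.sys", "c:\\hiberfil.sys", "c:\\windows\\temp\\")

# Constructed sample: listing produced by the running, possibly hooked, OS.
LIVE_VIEW = r"""
C:\Windows
C:\Windows\System32
C:\Windows\System32\ntoskrnl.exe
C:\pagefile.sys
"""

# Constructed sample: listing of the same volume taken from boot media.
OFFLINE_VIEW = r"""
c:\windows
c:\windows\system32
c:\windows\system32\ntoskrnl.exe
c:\windows\evilvirustoolkit
c:\windows\evilvirustoolkit\loader.sys
c:\windows\evilvirustoolkit\hook.dll
c:\windows\temp\setup.log
c:\hiberfil.sys
"""

def normalise(path):
    """NTFS names are case-insensitive: fold case and unify separators."""
    return ntpath.normpath(path.strip().replace("/", "\\")).lower()

def load(listing):
    """Turn a one-path-per-line listing into a set of normalised paths."""
    return {normalise(p) for p in listing.splitlines() if p.strip()}

def hidden_from_live(live_listing, offline_listing):
    """Paths visible offline but not reported by the running OS,
    collapsed to the topmost hidden entry."""
    live, offline = load(live_listing), load(offline_listing)
    missing = sorted(p for p in offline - live if not p.startswith(VOLATILE))
    roots = []
    for p in missing:
        # Skip children of a directory that is already reported as hidden.
        if not any(p.startswith(r + "\\") for r in roots):
            roots.append(p)
    return roots

if __name__ == "__main__":
    for path in hidden_from_live(LIVE_VIEW, OFFLINE_VIEW):
        print("only visible offline:", path)
```

Both listings must cover the same volume and be taken close together; anything left after the exclusions is a lead to examine from the trusted boot environment, not proof of infection.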