Re: Any anti-malware software that can scan the registry of a slaved drive?



"David H. Lipman" wrote:

> All anti malware scanners presume that they are installed on the
> OS that is affected.

I fully understand that - although your "all" proviso leaves no doubt
about it, and so far nobody else has suggested that there is even one
scanner that can do what I'm asking about.

But your statement does not answer the question:

| Are hive structures either so proprietary or so complex to make
| that task impossible?

> I mention the above because many presume placing an affected
> drive in a surrogate PC is one of the best ways to deal with
> removing malware that may be loaded at run-time. However, if
> you do, when you run the Anti malware software it will not
> correct the registry of the OS of the affected drive and may
> leave the OS of the affected drive impotent.

Hence my question as to whether or not the "next frontier" of AM
(anti-malware) software would be to have the ability to scan and correct
the registry present on a slaved drive.

> I am NOT saying placing an affected drive in a surrogate PC is
> not a good methodology. I am saying that it can have drawbacks
> and you must be prepared for them.

Would it not be possible to run a system in safe mode and therefore not
experience the BSOD in your example?

> An advantage of placing an affected drive in a surrogate PC
> is that if there is a RootKit

In my case, it seems that the malware in question was preventing me from
(re)installing and running NAV (and even the task manager) but not
MBAM. We know that it's fairly common for malware to have an in-built
list of file names and processes to interfere with and prevent proper
operation.

To your knowledge, is MBAM on such lists?

> If you place an affected drive in a surrogate PC expect
> it ONLY to work at the file level disk level and not
> affect the Registry.

That is already a given, and was presumed in my first post in this
thread.

I'm asking if there are technical reasons why "external" registry files
could not be accessed and manipulated by third-party software.

I'm suggesting that the functionality of AM software could be enhanced
and their utility and desirability increased by having this ability.
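As an added example (not written by either poster in this thread), the following shows that an offline hive from a slaved drive can be loaded and inspected with Windows' own tools, which is the capability the question asks about; it assumes the affected drive is mounted as D:, the hive is at the standard path, and the shell is elevated:

```powershell
# Assumed: slaved drive is D:, shell is elevated, the hive is not in use by any OS.
$HivePath = 'D:\Windows\System32\config\SOFTWARE'   # SOFTWARE hive of the slaved drive
$Mount    = 'HKLM\OfflineSW'                         # temporary mount point (name is arbitrary)

reg.exe load $Mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: is the drive offline and the hive unlocked?" }

try {
    # 1. Autostart entries: the keys a run-time loader typically lives in.
    $runKeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($sub in $runKeys) {
        $key = "HKLM:\OfflineSW\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own metadata properties
            [pscustomobject]@{ Key = $sub; Name = $p.Name; Command = $p.Value }
        }
    }

    # 2. Image File Execution Options: a "Debugger" value under an executable's name
    #    redirects that program at launch, one common way tools like Task Manager
    #    or an AV installer are kept from running. Report any such value for review.
    $ifeo = 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    if (Test-Path $ifeo) {
        Get-ChildItem -Path $ifeo | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Key = 'IFEO'; Name = $_.PSChildName; Command = $dbg }
            }
        }
    }
}
finally {
    [gc]::Collect()                     # release lingering key handles so the unload succeeds
    reg.exe unload $Mount | Out-Null
}
```

The hive is written back by the kernel on unload, so any value removed under HKLM:\OfflineSW while it is mounted is a change to the slaved drive's registry, not the host's.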