Re: Any anti-malware software that can scan the registry of a slaved drive?



"Virus Guy" <Virus@xxxxxxx> wrote in message
news:4B1B00AD.713DC1C7@xxxxxxxxxx
FromTheRafters wrote:

Is there any anti-malware software that can properly scan a
slaved drive from another system - specifically, to scan the
registry files contained on the slaved drive?

That's a great question. I often remove an infected drive and
put it in an enclosure as a way of bypassing the malware.
It would be nice to be able to clean the registry at the
same time.

Couldn't you load the hive in regedit, then export it to a regfile
and then edit the regfile to your heart's content?
(I don't know, I'm just asking)

In a recent situation where I had MBAM operate on an infected system, I
would not want to manually edit the registry on a slaved drive if I'm
dealing with > 700 registry entries.

Yeah, that really *would* be a PITA.

If you're at a point where slaving the drive is the easy way,
then the registry is not the worst of your problems.

If you slave a drive to a host system, an AV/AM scan will never detect
100% of the mal-files on the slaved drive by simply file-signature
analysis.

True, and the registry could still cause the undetected malware to load.
The key to detecting malware is...well ..the ability to detect malware.

It's my opinion that the most useful and reliable function that AV/AM
software can perform against an infected system is to analyze (and
manipulate) its registry, and that most systems are restored to
operational status more because of mal-keys and mal-data removed from
the registry rather than mal-files detected on the file-system.

And *that* they do (scan "the registry"), but when the registry data
structure's data is stored on disk it is a binary data file requiring
manipulation upon boot to build the data structure known as "the
registry". I think what you suggest could possibly be done, but at what
cost - and for what benefit? It is still only data that undetected
malware would have to be leveraging.

Often it is easy enough to avoid the malware becoming active
by booting from alternate (read only?) media and scanning
for malware from there.

That is just another way to scan the drive without the drive's native or
installed OS being active.

Yes, and it doesn't require another computer at all.

And it still doesn't address the issue that
the registry is not scanned and can still cause re-infection or
mal-operation when the system is re-started.

Only if there is a failure to detect the malware using the registry as a
start method or as a repository for (possibly hidden) code.

This may interest you.

http://www.sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf
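The "load the hive, then inspect it" approach discussed above, as an added example that is not from this thread: a host-side PowerShell script (run as Administrator) that mounts the slaved drive's offline SOFTWARE hive under a temporary HKLM key, lists the Run/RunOnce autostart values that could re-launch undetected malware at the next boot, and reports whether each referenced program still exists on the slaved drive. The drive letter E:, the mount name OfflineSoftware and the function name are assumptions.

```powershell
# Added example, not from the thread. Assumes the slaved drive is mounted as E:
# and that this shell runs elevated (reg.exe load needs it).
function Get-OfflineRunEntries {
    param(
        [string]$DriveLetter = 'E',                   # assumed letter of the slaved drive
        [string]$MountName   = 'OfflineSoftware'      # temporary key under HKLM
    )
    $hivePath = "${DriveLetter}:\Windows\System32\config\SOFTWARE"
    reg.exe load "HKLM\$MountName" $hivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hivePath" }

    try {
        $subKeys = @(
            'Microsoft\Windows\CurrentVersion\Run',
            'Microsoft\Windows\CurrentVersion\RunOnce',
            'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # absent on 32-bit installs
        )
        foreach ($sub in $subKeys) {
            $key = "Registry::HKEY_LOCAL_MACHINE\$MountName\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
                $cmd = [string]$p.Value
                # First token of the command line: quoted path, or text up to the first space
                if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
                else { $exe = ($cmd -split '\s+')[0] }
                # Re-point the drive letter at the slaved drive; %VAR% paths are left
                # unexpanded (they would resolve against the host), so OnDisk is $false for them
                $offlineExe = $exe -replace '^[A-Za-z]:', "${DriveLetter}:"
                [pscustomobject]@{
                    Key     = $sub
                    Name    = $p.Name
                    Command = $cmd
                    OnDisk  = (Test-Path -LiteralPath $offlineExe)
                }
            }
        }
    }
    finally {
        [gc]::Collect()                               # drop handles so the hive can unload
        reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

Get-OfflineRunEntries | Format-Table -AutoSize
```

Entries whose Command points at a file that is missing, or sits in an unusual location such as a user profile or temp directory, are the ones worth looking at before the drive goes back into its own machine.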