Wiping an infected computer is best for any OS

Why bother with file forensics on a compromised computer when you can just blow it out and revert it to a known good state? While all the fuss about Microsoft's endorsement of wide-scale system imaging is just silly, Microsoft isn't helping its cause by stupidly placing user data in the same logical hard drive partition as the operating system.

A recent article by Ryan Naraine, along with a blog from our own Ed Burnette, has made a huge fuss about Microsoft's declaration that people should use the nuclear option on any infected PC.  The problem is that neither gentleman seems to have a clue as to what the standard best practice for cleaning an infected computer running any operating system is.  Any security auditor will tell you that if any computer, regardless of operating system, is rooted, the only trustworthy way of cleaning that computer is to wipe the hard drive clean and start with a clean installation.  The only exception to this rule is if there was some reliable forensic mechanism in place before the fact that remotely logged the checksums of each and every file on the hard drive.  If the damage can then be clearly identified and every altered file reverted to its original form, it is acceptable not to start with a fresh install.  But since most people consider image recovery the easier and more reliable option (no file forensics are required, and you simply put the system back into a known good state), few companies bother with remote checksum logging.
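The "remote checksum logging" exception above is a file integrity baseline: hash every file while the system is known good, keep the hashes somewhere the machine cannot alter, and later compare a fresh hash run against that trusted list. The following is an added example (not code from the original post or from any product mentioned in it) showing the core of such a check in Python. It builds a SHA-256 baseline of a directory tree, re-hashes it later, and reports which files were modified, added, or removed; the sample directory and its contents are constructed inside the script so it runs offline.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root, '/'-separated) to its hash.

    Symlinks are skipped so an attacker-planted link cannot make the baseline
    record the hash of some other file under the wrong name.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(trusted, current):
    """Diff a fresh hash run against the trusted baseline.

    Returns sorted lists of files whose content changed, files that did not
    exist at baseline time, and baseline files that are now gone.
    """
    return {
        "modified": sorted(p for p in trusted if p in current and trusted[p] != current[p]),
        "added": sorted(p for p in current if p not in trusted),
        "missing": sorted(p for p in trusted if p not in current),
    }


def demo():
    """Constructed scenario: baseline a small tree, then alter it and re-check."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        # Known-good state (constructed sample content, not real binaries).
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary (constructed)")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        trusted = build_baseline(root)  # in practice: ship this off-box

        # Later state: one file replaced, one new file, one file deleted.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary (constructed)")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"new file (constructed)")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare_baselines(trusted, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points the article's caveat implies and the code cannot enforce by itself: the baseline dictionary has to be stored and compared off the monitored machine (a rooted host can rewrite a local baseline as easily as it rewrote the files), and the comparison run should hash the disk from known-good media rather than trust the compromised system's own tools. Even then, the report only tells you which files changed; deciding that every change has been found and reverted is the hard part, which is why reimaging is usually the cheaper answer.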

With any client or server operating system, the easiest way to deploy a system is to use hard drive images that contain a bit-for-bit representation of the original hard drive.  For large-scale server or desktop deployment, "big-bang" image multicasting technology can install hundreds of computer images at once with everything from the OS to applications to patches fully loaded.  Microsoft is absolutely correct to point out that any malware-infected computer should be wiped out, and it's silly for anyone to scoff at this practice since the same rules apply to any operating system.

The one thing Microsoft should be criticized for is that they sure don't make it easy to use system imaging, given their insistence on putting user data into the same logical partition as the operating system.  Microsoft should have defaulted to a separate logical partition with the advent of the "Documents and Settings" folder in Windows 2000.  "Documents and Settings" is currently installed on the OS partition with no easy way of moving it to another partition.  A workaround that I've personally deployed is to manually mount another hard drive volume under the folder that's mixed in with the OS partition, but that has its own compatibility issues with certain hard drive imaging software.  Microsoft has added extensive system imaging technology to Windows Vista, but if Microsoft wants to be serious about its advice to rely on system imaging, it should default the "Documents and Settings" folders to a separate logical hard drive partition, or at the very least provide an easy way (group policy) to move them to another partition.

With the user data cleanly separated from the OS partition, the OS partition could simply be blown out and imaged over at any time in a matter of minutes, and the computer would run as fast as the day the OS was freshly installed.  This would effectively solve any malware or sluggishness problem in one fell swoop, and the user data wouldn't have to be backed up or recovered whenever a system is imaged.  With Microsoft's default configuration of putting everything on one hard drive partition, blowing out the system with a fresh image involves a lengthy backup and recovery operation for user data, which makes it fairly impractical to do on a regular basis.
