Wiping an infected computer is best for any OS


Summary: Why bother with file forensics on a compromised computer when you can simply blow it away and revert it to a known good state? The fuss over Microsoft's endorsement of wholesale system imaging is misplaced, but Microsoft does not help its own case by placing user data in the same logical hard drive partition as the operating system.


A recent article by Ryan Naraine and a blog post from our own Ed Burnette have made a huge fuss about Microsoft's declaration that people should use the nuclear option on any infected PC. The problem is that neither seems to know what the standard best practice for cleaning an infected computer, on any operating system, actually is. Any security auditor will tell you that once a computer is rooted, regardless of operating system, the only trustworthy way to clean it is to wipe the hard drive and start from a clean installation. The one exception is when a reliable forensic mechanism was in place before the fact: a file-integrity baseline that records a cryptographic hash of every file on the disk and logs it off the host, where an attacker on the box cannot alter it. If the damage can then be clearly identified from that baseline and every altered file reverted to its original form, it is acceptable not to start from a fresh install. Even then the baseline only vouches for the files it covers; anything it cannot see (the boot sector, firmware, what is resident in memory) still argues for a wipe. Since most people consider image recovery easier and more reliable anyway, because no file forensics are required and the system simply goes back to a known good state, few companies bother with off-host hash logging.
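The off-host checksum logging the paragraph describes, as an added example that is not from the original post or from any Microsoft tool: hash every regular file under a root, store the manifest somewhere the monitored host cannot write to, and after a suspected compromise diff the live tree against it to list what was modified, added or removed. The directory standing in for the remote log server, the lowercase `windows/` prefix used to mark the OS tree, the sample files and the three verdicts are all assumptions made for the example.

```python
"""File-integrity baseline and post-compromise diff (added example).

Assumptions: the 'store' directory stands in for a remote log server the
host cannot modify; the OS tree is identified by the relative-path prefix
'windows/' (lowercase, because the sample tree below is constructed that way).
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> {sha256, size, mode} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return manifest


def save_manifest(manifest: dict, store: Path) -> Path:
    """Persist the baseline off-host (here: a directory outside the monitored tree)."""
    store.mkdir(parents=True, exist_ok=True)
    out = store / "baseline.json"
    out.write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return out


def load_manifest(store: Path) -> dict:
    return json.loads((store / "baseline.json").read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as modified (hash/size/mode changed), added or removed."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def decide(delta: dict, system_prefixes: tuple = ("windows/",)) -> str:
    """Conservative policy (an assumption, not from the post): changes confined to
    user data can be reverted from the baseline copy; any change inside the OS
    tree means the box is reimaged, because the baseline can only vouch for the
    files it hashed, not for what a rootkit may have done around them."""
    touched = delta["modified"] + delta["added"] + delta["removed"]
    if not touched:
        return "CLEAN"
    if any(k.startswith(system_prefixes) for k in touched):
        return "REIMAGE"
    return "REVERT_FROM_BASELINE"


def demo() -> tuple:
    """Constructed sample: a tiny 'host' tree, a baseline, then a tampered host."""
    tmp = Path(tempfile.mkdtemp())
    host, store = tmp / "host", tmp / "logserver"
    (host / "windows" / "system32").mkdir(parents=True)
    (host / "users" / "alice").mkdir(parents=True)
    (host / "windows" / "system32" / "kernel32.dll").write_bytes(b"MZ original")
    (host / "windows" / "hosts").write_text("127.0.0.1 localhost\n")
    (host / "users" / "alice" / "notes.txt").write_text("quarterly numbers\n")
    save_manifest(build_manifest(host), store)
    # Simulated compromise: hosts file redirected, a dropper added, user file untouched.
    (host / "windows" / "hosts").write_text("127.0.0.1 localhost\n192.0.2.10 update.example\n")
    (host / "windows" / "system32" / "svch0st.exe").write_bytes(b"MZ dropper")
    delta = diff_manifests(load_manifest(store), build_manifest(host))
    return delta, decide(delta)


if __name__ == "__main__":
    delta, verdict = demo()
    print(json.dumps(delta, indent=1))
    print(verdict)
```

In practice the manifest would be written over the network to a log host, and the comparison run from a clean boot medium rather than from the suspect OS, so that a rootkit cannot lie to `build_manifest` about what is on disk.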

On any client or server operating system, the easiest way to deploy a system is from a hard drive image, a bit-for-bit copy of a reference disk. For large-scale server or desktop rollouts, "big-bang" image multicasting can install hundreds of computers at once with OS, applications and patches fully loaded. Microsoft is absolutely correct to say that any malware-infected computer should be wiped, and it is silly to scoff at the practice when the same rule applies to every operating system.

The one thing Microsoft should be criticized for is that it does not make system imaging easy, because of its insistence on putting user data in the same logical partition as the operating system. Microsoft should have defaulted to a separate partition when it introduced the "Documents and Settings" folder in Windows 2000. "Documents and Settings" is still installed on the OS partition with no easy way to move it elsewhere. A workaround that I've personally deployed is to manually mount another hard drive volume under the folder that's mixed in with the OS partition, but that has its own compatibility issues with certain hard drive imaging software. Microsoft has added extensive system imaging technology to Windows Vista, but if it wants to be serious about its advice to rely on imaging, it should default the "Documents and Settings" folders to a separate logical partition, or at the very least provide an easy way (Group Policy) to move them.

With user data cleanly separated from the OS partition, the OS partition could be blown away and reimaged at any time in a matter of minutes, and the computer would run as fast as the day the OS was freshly installed. That would deal with malware and sluggishness in one stroke, and user data would not have to be backed up and restored every time a system is imaged (the data partition still needs to be scanned or restored from a clean backup, since an infection can leave files there as well). With Microsoft's default of putting everything on one partition, reimaging involves a lengthy backup and restore of user data, which makes it impractical to do on a regular basis.

  • One small remark


    You're absolutely correct that the one and only remedy is indeed to nuke the drive and do a reinstall.

    The only stuff you missed is that it's possible that the malware has infected personal files, and when there's no assurance that the files are not infected they indeed need to be blasted as well.

    It would indeed be very nice if it were possible upon install to put personal documents in another partition, as most Linux distros are capable of, but after infection it doesn't guarantee that these files haven't been infected as well. The best to hope for is that people have a decent backup on another server and hope that the network hasn't been infected.
    • One small remark....

      anybody who hasn't learned how to put personal documents on partitions other than C, or even to create partitions other than C, doesn't have a clue as to how best to work their computer and richly deserves all the bad things that might accrue because of it. Partitioning and storing files is one of the basic computer skills.

      What? You want to store YOUR PERSONAL DATA on someone else's HD somewhere else in the world. A HD storage which is a prime target for hackers simply because of all the diverse data it holds? Why don't you just go out on a city street corner and hold up a big sign - "Hey, I'm Ready. Steal My ID. Here it is for the taking" and then hand it out to the first taker!

      Best you first learn how to partition your HD and keep it secure. Windy
      • True... however with Microsoft...

        Partitioning of a hard drive is awkward at best. You have to go through hoops to get Documents and Settings in the right area of the PC, as opposed to Linux or even Mac, where you can easily set this up.

        Microsoft just wanted everyone to be able to consume the base hard drive right off the bat. UNIX Admins rarely do this. Linux Admins should know better. Apple Admins... Well I don't know if they exist.
      • Actually

        Partitioning your HD won't stop you from being infected by some viruses. It's a nice feature, but won't get you anywhere when you're infected by some of the worst viruses and malware.

        Did I ever talk about putting data on the internet? No, I was talking about a home server, which definitely is protected by various means from intrusion from the outside.

        As I primarily run Linux, I know how to partition a HD, and have been doing it for ages, especially because it's damn easy to do and facilitates putting your home directory on another partition or even drive.

        Keeping this secure is a lot easier than under Windows, just by plain design.
        • User data on a different drive? PLEASE NO!

          The general idea, that Microsoft splits the drives and puts user data on another partition scares me. As long as user data are stored on the main drive, every hacker or virus will expect them to be there. The moment Microsoft puts them somewhere else, the bad boys will start looking for them. With the status quo, it is fairly simple to move them somewhere else and nobody will bother to search for them, ergo they are fairly safe.
          One of the easiest things is to install an additional drive (rather than just partitioning the main drive) and use that one for data only.
          • Microsoft shouldn't dictate...

            which partition your user data gets stored, [b]you[/b] should. One of the things about Linux (the OS I use) is that with installation, you're given the freedom to put nearly whatever on different partitions, and the system is okay with that. Microsoft ought to encourage that same flexibility with Vista, as it's really not as scary or hard as it might sound.

            Your proposed solution, using an additional drive for data, has a drawback or two. Windows XP expects the folder "Documents & Settings" to be on the main drive "C:\", and strictly adheres to that. And, if you take a look at this post: http://www.zdnet.com/5208-10533-0.html?forumID=1&threadID=19624&messageID=377093&start=-1, you see that moving Documents & Settings is not an easy task in Windows, to say the least.

            The idea George is suggesting that Microsoft encourage users to physically separate user data and settings from the OS via partitioning, that way when it comes down to nuking the system, you need only to nuke the OS partition, and keep your data partition(s) even after reinstallation.
            Tony Agudo
          • "Documents & Settings" to be on the main drive "C:\"

            It is easy to change those settings in windows.
            Open Windows Explorer, right-click My Documents, open Properties, change the target folder and you are done.
            Takes about 30 seconds.
          • Documents & Settings

            It only moves your data, not program settings, which are one level higher (last time I looked, when I installed Gaim). Those (which correspond to ~/.gaim etc. in Unix) are still on C:
            You shouldn't have devices either. You should work with a logical file system, where disks and partitions are placed where they are needed. That is, mount points as in Unix.
            And you should have logical partitions, look at LVM under Linux. It's SO sweet to be able to make a file system larger WHILE you are still running. With modern file systems (like reiserfs or xfs etc.) you don't even need to reboot to make a partition and file system larger (or smaller). And that with only two or three commands.
            MS Windows (all versions) has been broken by design for a long time now...
  • The Microsoft security person is dead wrong

    Not wrong that a rooted machine should probably be re-imaged - I won't argue with you one that. Where he is wrong is his advice that companies should accept defeat and spend time and money planning for it.

    Microsoft's security spokespeople should be promoting the practice of least privilege instead. Least privilege works well on Windows. Yes, with XP/2K it can be a slight PITA to implement, but it's far from impossible, and the benefits in the long run are huge.

    I know this from experience because a little over two years ago, after having to reload several machines because of viral adware, I got fed up. We took away admin rights from all of our users, and I've [b]never had to reload a machine because of malware since[/b].
    • As Limited Users?

      Are you running them all as limited users then? Or do you let them be power users? Or does that still give them too much capability? Thanks.
      • We started out with power user

        But later realized that giving them power user was still slightly dangerous and moving everyone down to regular users was not any harder than moving them to power user. Right now everyone runs as a regular old user. Even I, a domain admin, log on to my PC as a regular user with a regular domain account, so I get to 'suffer' along with all of the other employees.

        Besides it being the sane thing to do, "practicing what I preach" has been beneficial in that it has allowed me to experience the little issues the users have first hand. As a result I've deployed small permission tweaks to all of the computers (Like the right for users to change power management settings).
        • power management setting in domain?

          Hey dude,
          I think it is cool that you take on the role of user. Cool.
          But how did you, in a domain, enable say a script to change a user's PM settings when they log on to a domain PC? I run a script with powercfg /XX
          but it works at home in my domain but at work, crap, go figure, something is locking it down and I cannot figure it out. I have worked the ntuser.dat file over on the local PCs, to no avail!
          What did you do? Share the wealth man! Haha.
          Email my rvandyke@charter.net address, thanks, if you can, in addition to posting it here.
          I need an answer soon or I will bust!
        • You are so right here.

          It's the way to go, and MS should have done that with MS Windows XP as the default from the start.
          It's the way Unix, Linux and MacOS X have it, and look how many viruses there are in those worlds.
          And no, it's not because there are fewer installations of them. It's because it's easier to make a virus work and spread on MS Windows.
          If you were going to break into a car and it had a blinking red light in the window, you would go to an easier target (the next car). There you have why MS Windows has such big trouble with security.
          And mostly because of crappy defaults (like making the default user Administrator and not a plain user).
  • Gosh I remember doing this years ago

    This was back in the days of Win95, when people learned quickly that there came a time when it was necessary to reinstall the OS. In all the Windows machines I've used, except for my laptop, I have at least one separate data partition. The idea behind it always was that if I needed to wipe out the OS partition, it was a pain, but at least I didn't have to worry too much about losing my data. Still, there have been some instances where software insists on saving data to the OS partition. One I can think of right off is OE. Data backups still matter.
    Mark Miller
    • A datum here and a datum there

      I have almost given up. There are many programs that put the data in a subdirectory of the program itself, and won't look anywhere else. Even if you "import" data, it puts that data in the same subdirectory, and that subdirectory is the only place with up to date data.

      As one who has used DOS, windows 3.1, 3.11, win95, win98, win XP and win nt4 I've had to reinstall the OS more than once on each computer except the company owned Win NT4 unit on my desk at work.

      It has always been a devil of a time to find all the places data is hidden when doing a backup. I made my own "My Documents" folder going all the way back to win 95. Of course with only 8.3 character file names, I chose to name it "Paul", but there were always data sprinkled all over the drive.

      • There is a solution to this :)

        Change to Unix, Linux or MacOS X...
    • OE backups

      You can easily save the OE profile on another partition!
      I do it all the time!
      Still, every time I have to reinstall my systems I make a FULL HD backup, so I can recover any lost data.
      Several times I've lost documents or configurations, but now I know best!
  • Get the horse before the cart, not the other way round

    George - using images to reload the O/S in its pristine state is NOT a clever solution.

    The clever solution is to remove the vulnerabilities from the design of the O/S in the first place. Microsoft is improving somewhat. They need to improve a LOT more.

    On mainframes, AS/400s, etc, no one and no application is EVER allowed to install its files in system directories. No one gets access to the equivalent of "C:\Windows or C:\Windows\System".

    System code should be updatable only by a system CD stuck in by the user. Patches can be MD5 signed and placed in a patch directory where they are easily added, removed or disabled.

    Better still supply O/S on the ROM equivalent of a pen drive. It would cut casual piracy and the machine would boot nearly instantly.
    • The design is there - but no one uses it

      [i]"On mainframes, AS/400s, etc, no one and no application is EVER allowed to install its files in system directories. No one gets access to the equivalent of "C:\Windows or C:\Windows\System"."[/i]

      On the Windows machines I roll out at work, what you've described is the case. Users cannot write anywhere but their own profile. The problem with Windows is not in the design - it's in the defaults.

      See my post above.
  • so it's official....

    What Microsoft doesn't tell you is that Win 2000 is still better than Win XP SP2+. So we have the first lie - if MS said it it must be true. NO WAY! If MS said it, its just the "MS way of doing it"!

    With XP and esp. SP2, MS now has the tool to format a new HD and partition it at least C & D with C limited to 15 GB, and "default all functions - web pages, personal files, etc" to the D partition.

    MS's "default filing presets" are why we do not use MS Office, Outlook, IE, etc, as "default". We partition our HD's, we "direct" file creation and saving, and the ONLY thing that goes on C is the OS and installation of operating programs. Everything else goes on D, E, F, G, H and etc.

    D is an unpartitioned HD which carries a backup of all essential data on E, F, G and H. Each partition is named for the type of data it.

    In an emergency the C partition can be formatted and re-installed with no loss of data.