I find the comments made this week by Mike Danseglio, program manager in the Security Solutions group at Microsoft, a little disturbing. According to one journalist, he said:
"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit,"
It is a great quote, but it sounds like an admission of defeat coming from the company that is getting ready to end the need for third-party defenses on its platform (Vista + OneCare + Windows Defender, etc.).
While it is true that it is fairly easy to corrupt a Windows machine into an irrecoverable state, most effective spyware and adware are installed systematically and logically. Good research, such as that practiced by most AV and anti-spyware companies, involves a thorough comparison of the machine before and after infection to discover what has changed. The more sophisticated malware has to be watched at the process and system-call level to make sure you can remove its components in the correct order, to avoid:
"We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself,"
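The before-and-after comparison described above, reduced to its simplest form as an added example (this is not code from the original post or from any of the products it names): snapshot a directory tree, snapshot it again after a change, and report what was added, removed or modified. The same diff, run once more after cleanup, is the check for the "it's sitting there again" case: anything the remover deleted that is present in a later snapshot means a surviving component restored it. All file names, contents and the `run_demo` helper are constructed for the demonstration; the real comparison would also cover the registry, services and autostart locations, which this example does not.

```python
"""Baseline-vs-current filesystem diff: a minimal 'what changed' check.

Added example, not from the original post. The sample tree, file names,
contents and the run_demo() helper are constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class FileState(NamedTuple):
    sha256: str
    size: int


def snapshot(root: str) -> Dict[str, FileState]:
    """Walk `root` and record a content hash and size for every regular file.

    Keys are paths relative to root (POSIX form) so that two snapshots of the
    same tree line up key for key.
    """
    states: Dict[str, FileState] = {}
    root_path = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            if not full.is_file():
                continue  # skip dangling symlinks, sockets, devices
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = full.relative_to(root_path).as_posix()
            states[rel] = FileState(digest.hexdigest(), full.stat().st_size)
    return states


def diff_snapshots(before: Dict[str, FileState],
                   after: Dict[str, FileState]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    modified = {p for p in set(before) & set(after) if before[p] != after[p]}
    return added, removed, modified


def reappeared(removed_paths: Iterable[str],
               after_cleanup: Dict[str, FileState],
               later: Dict[str, FileState]) -> Set[str]:
    """Paths deleted during cleanup that are present again in a later snapshot.

    A non-empty result is the self-healing pattern: something still running
    put the file back, so the remover did not get the whole chain.
    """
    came_back, _, _ = diff_snapshots(after_cleanup, later)
    return came_back & set(removed_paths)


def run_demo() -> Dict[str, List[str]]:
    """Build a throwaway tree, 'infect' it, clean it, then watch for a reinstall."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")
    try:
        sysdir = Path(root) / "sys"
        sysdir.mkdir()
        (sysdir / "ntdll.dll").write_bytes(b"original loader code")
        (sysdir / "kernel.dll").write_bytes(b"kernel code")
        before = snapshot(root)

        # Simulated infection: one system file overwritten, two files dropped.
        (sysdir / "ntdll.dll").write_bytes(b"patched loader code")
        (sysdir / "evil.dll").write_bytes(b"payload")
        (sysdir / "drop.sys").write_bytes(b"driver")
        after = snapshot(root)
        added, removed, modified = diff_snapshots(before, after)

        # Simulated cleanup: the remover deletes only the dropped files.
        for rel in added:
            (Path(root) / rel).unlink()
        cleaned = snapshot(root)

        # Simulated self-healing: a surviving component restores its file.
        (sysdir / "evil.dll").write_bytes(b"payload")
        later = snapshot(root)
        back = reappeared(added, cleaned, later)

        return {
            "added": sorted(added),
            "removed": sorted(removed),
            "modified": sorted(modified),
            "reappeared": sorted(back),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key:10s} {paths}")
```

Two design points worth noting: hashes rather than timestamps decide "modified", since anything that patches a system file can set the timestamp back; and the post-cleanup snapshot is taken before the reappearance check, so only files that were actually gone and then returned are reported, not files the remover never touched.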
He cites a government installation that was so infected they had to re-image 2,000 machines. Then he goes on to give advice to CIOs:
He recommended using PepiMK Software's SpyBot Search & Destroy, Mark Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free utilities that help with malware detection and cleanup, and urged CIOs to take a defense-in-depth approach to preventing infestations.
I can see how re-imaging can be easier than using multiple point products with no central management in a large environment. Is this the sort of solution Microsoft is going to continue to offer? This is what industry pundits were recommending three years ago, when the spyware scourge first surfaced inside the enterprise. Today there are very effective managed solutions that can be deployed in Windows environments (back to Win98 in some cases) that do not require re-imaging. My advice to CIOs is to ask your fellow CIOs how deployments of those solutions fared in their environments. Don't ask Microsoft for advice on enterprise defense.
Can the best-of-breed solutions get them all? Can they clean a system after ntdll.dll has been overwritten? I don't know. I have been out of the space for five weeks. But knowing how things stood a month ago, I can tell you they are much further along than Microsoft is.