April 4th, 2006

Wiping an infected computer is best for any OS

Posted by George Ou @ 11:54 pm

Categories: Infrastructure, Security, Servers

A recent article by Ryan Naraine, along with a blog from our own Ed Burnette, has made a huge fuss about Microsoft's declaration that people should use the nuclear option on any infected PC.  The problem is that neither gentleman seems to have a clue as to what the standard best practice is for cleaning an infected computer running any operating system.  Any security auditor will tell you that if a computer, regardless of operating system, is rooted, the only trustworthy way of cleaning it is to wipe the hard drive and start with a clean installation.  The only exception to this rule is if there was some reliable forensic mechanism in place before the fact that remotely logged the checksums of each and every file on the hard drive.  If the damage can then be clearly identified and all the altered files reverted to their original form, it is acceptable not to start with a fresh install.  But since most people consider image recovery the easier and more reliable option, because no file forensics are required and you can simply put the system back into a known good state, few companies bother with remote checksum logging.
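As an added illustration (not from the original post) of the "before the fact" checksum logging the paragraph describes, here is a minimal baseline-and-compare file integrity check in Python. The directory tree, the tampering step and the file names are constructed in a temporary directory, and the JSON string stands in for the copy of the manifest that would be shipped to a remote log host.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 16):
    """SHA-256 of one file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256; symlinks skipped."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest

def compare(baseline, current):
    """Return (modified, added, removed) paths; baseline is the manifest logged before the fact."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, diff against the stored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "etc"):
            (root / d).mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # Taken before the fact and shipped off-box: a manifest left on a rooted
        # machine can be edited along with the files it is supposed to vouch for.
        remote_copy = json.dumps(build_manifest(root), sort_keys=True)
        # Constructed tampering: one file replaced, one added, one deleted.
        (root / "bin" / "login").write_bytes(b"replaced login binary")
        (root / "bin" / "extra").write_bytes(b"unexpected file")
        (root / "etc" / "hosts").unlink()
        # On a real host the re-scan runs from trusted boot media, not the suspect OS.
        return compare(json.loads(remote_copy), build_manifest(root))
```

The three lists from `compare` are exactly what the post says you would need: the altered files to revert, the added files to delete, and the missing files to restore, all judged against a record the compromised machine could not have rewritten.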

With any client or server operating system, the easiest way to deploy a system is to use hard drive images, which contain a bit-for-bit representation of the original hard drive.  For large-scale server or desktop deployment, "big-bang" image multicasting technology can install hundreds of computer images at once, with everything from the OS to applications to patches fully loaded.  Microsoft is absolutely correct to point out that any malware-infected computer should be wiped out, and it's silly for anyone to scoff at this practice since the same rule applies to any operating system.

The one thing Microsoft should be criticized for is that they sure don't make it easy to use system imaging, given their insistence on putting user data into the same logical partition as the operating system.  Microsoft should have defaulted to a separate logical partition with the advent of the "documents and settings" folder in Windows 2000.  "Documents and settings" is currently installed on the OS partition with no easy way of moving it to another partition.  A workaround that I've personally deployed is to manually mount another hard drive volume under the folder that's mixed in with the OS partition, but that has its own compatibility issues with certain hard drive imaging software.  Microsoft has added extensive system imaging technology to Windows Vista, but if Microsoft wants to be serious about its advice to rely on system imaging, they should default the "documents and settings" folders to a separate logical hard drive partition, or at the very least provide an easy way (group policy) to move it to another partition.

With the user data cleanly separated from the OS partition, the OS partition could simply be blown out and imaged over at any time in a matter of minutes, and the computer would run as fast as the day the OS was freshly installed.  This would effectively solve any malware or sluggishness problem in one fell swoop, and the user data wouldn't have to be backed up or recovered whenever a system is imaged.  With Microsoft's default configuration of putting everything on one hard drive partition, blowing out the system with a fresh image involves a lengthy backup and recovery operation for user data, which makes it fairly impractical to do on a regular basis.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Talkback

Most recent of 140 Talkbacks:

Just makes things worse (ldsandon, 08/02/06)
Actually that configuration is much more insecure than a standard Windows install.

1) FAT has *no protection*. Repeat: *no protection*. It's there only for compatibility reasons. Never, never i... (Read the rest)
