Tuesday, November 27, 2007

With enough null bytes...

With enough null bytes, you can trick _any_ antivirus. Just FYI. But viruses are what I am going to talk about this post. Scanning for viruses on Windows is (almost) completely pointless. Windows locks many system files that are commonly infected with viruses, so antivirus programs like Norton and AVG can't scan the file and remove the virus (then the virus spreads during the very beginning of boot when the system files are still vulnerable). One of these files is pagefile.sys. Even taking the hard drive out and putting it in another computer (also running Windows) won't work. More systems files are vulnerable, but you still cannot scan ~30% of them. That, coupled with passworded accounts (if your account is passworded, then the hard drive is moved from one computer to another, if you try to view the files, you will get a permission denied error), it is virtually impossible to remove all the viruses. We have an Ubuntu server set up in the shop that we use to scan hard drives (as well as the CD I made for the shop, but that is _very_ slow) and use KlamAV to do antivirus scanning. Ubuntu is absolutely amazing for any diagnostics and repair (all it is missing is a proper NTFS chkdsk utility, but you can force the hard drive to chkdsk itself by resetting the NTFS journal with ntfsfix). Data recovery (testdisk, photorec, ntfsundelete), virus removal (clamav, f-prot, avast!), windows password recovery and removal (john, chntpw, bkhive, samdump2), even data destruction (wipe). With ntfs-3g, the 3rd generation NTFS drivers for Linux, you can back up any and all data on a NTFS partition, even the data protected by Windows. Other really neat programs I have used are fcrackzip and pdfcrack for cracking passworded zips and PDFs. I am going to start writing the documentation for the LiveCD this week(end) and will do one page for each tool that I use personally, which is quite a few, so that users of the CD have a reference if they are new to Linux. I will post each page here as well as on the site and the CD.

No comments:

Post a Comment