Microsoft’s New Tool Goes After Viruses Buried Deep in the OS

We often discover viruses on our PCs when they materialize as fake anti-spyware, where a pop-up says you’ve been infected and points you to a website which, for $49, will cure it. But these FakeAVs account for only about 20 percent of all viruses circulating. Most viruses are hidden, often in rootkits where they’re not detectable by conventional AV software.

Rootkits hide files inside the directory structure, and once the OS itself has been compromised they are hard to detect from within it. Conventional AV software is helpless against them because it relies on the infected OS to show it the files, so it only finds what is in plain sight. To see them, you need to boot a clean copy of Windows and scan the directory structure from there.

In May, Microsoft released a beta version of Standalone System Sweeper, which runs a PXE version of Windows. This stripped-down version of the OS has better success scanning the directory structure for rootkits because it is like attaching your PC's drive to a clean machine's AV: nothing from the infected installation is running while the scan happens. Standalone System Sweeper comes in 32- and 64-bit flavors and boots from a CD, DVD or thumb drive.
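The reason a clean boot finds what the running OS cannot is that the rootkit's filtering sits inside the compromised OS, while the boot CD reads the volume directly. The comparison can be made explicit as a cross-view check: take an inventory of the disk from the clean environment and diff it against what the running OS reported. The following is an added illustration, not code from the article or from Microsoft's tool; the directory tree and the "live" listing it compares against are constructed for the demo (the live listing is hand-edited to mimic a rootkit that hides its driver and serves clean-looking bytes for a patched file).

```python
"""Added example (not from the article): a cross-view check for hidden files.

A rootkit filters what the running OS reports, while a clean boot environment
reads the same volume directly. Comparing the two inventories exposes what was
hidden. Here the "offline" view is a real walk of a temporary directory tree
built for the demo; the "live" view is constructed by hand to simulate the
rootkit's filtering.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def inventory(root):
    """Walk a directory tree and return {relative_path: sha256_hex}.

    Run from a clean boot environment against the mounted victim volume, this
    is the 'offline' view that never passes through the compromised OS.
    """
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            result[p.relative_to(root).as_posix()] = digest
    return result


def cross_view_diff(live_view, offline_view):
    """Compare the OS-reported inventory with the offline one.

    Returns (hidden, modified): paths that exist on disk but are missing from
    the live view, and paths whose content hash differs between the two views.
    """
    hidden = sorted(set(offline_view) - set(live_view))
    modified = sorted(
        path for path in set(live_view) & set(offline_view)
        if live_view[path] != offline_view[path]
    )
    return hidden, modified


def build_demo_volume():
    """Create a constructed directory tree standing in for a mounted volume."""
    root = Path(tempfile.mkdtemp(prefix="demo_volume_"))
    files = {  # constructed sample files, not real system binaries
        "Windows/System32/drivers/netio.sys": b"driver bytes as patched on disk",
        "Windows/System32/drivers/hidden.sys": b"payload the rootkit conceals",
        "Users/alice/report.docx": b"user document",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def run_demo():
    root = build_demo_volume()
    offline_view = inventory(root)
    # Simulated live view (constructed): the rootkit drops its own driver from
    # directory listings and hands readers of netio.sys the original, clean
    # bytes, so the hash seen from inside the OS differs from what is on disk.
    live_view = dict(offline_view)
    del live_view["Windows/System32/drivers/hidden.sys"]
    live_view["Windows/System32/drivers/netio.sys"] = hashlib.sha256(
        b"original clean driver bytes"
    ).hexdigest()
    return cross_view_diff(live_view, offline_view)


if __name__ == "__main__":
    hidden, modified = run_demo()
    print("hidden from the running OS:", hidden)
    print("content differs from what the OS reports:", modified)
```

In practice the offline inventory would be taken against the victim volume mounted under the boot environment and the live inventory collected earlier from inside the running system (or from a known-good image); anything that appears only offline, or whose hash disagrees, is what the running OS was not allowed to see.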

In my test, the scan took about 40 minutes on a 32-bit version of Windows XP with Office 2003. It offered options (such as file extensions to skip) and offered to download the latest signatures.

In the enterprise it's common to reimage or replace an infected machine, but this tool is effective for scanning the image itself for hidden viruses. All you need is a PC that can boot from a USB or optical drive and an Internet connection. For home users or smaller companies, it's best used on a regular basis to check for and remove rootkits and viruses, saving a day's work reinstalling the OS, applications and settings.

Photo: New York Public Library

Comments

  1. BY Dan says:

    So? You run a test, what are the conclusions? Did your test produce any results, such as viruses?

    You left us hanging in there for some idea on its practical usefulness.

  2. BY Hanan says:

    And… what happens? Can this version be downloaded for free? How is it different from rootkit tools such as ComboFix?

  3. BY Dino says:

    I found nothing on my machine, so I tried it on two or three other PCs where I work where I had a strong suspicion and was surprised to find nothing.

  4. BY Dino Londis says:

    @Hanan, most rootkits run within the operating system. This one is an operating system of its own that the PC boots to. It's a complement to other tools MS has released: Security Essentials, and the Malicious Software Removal Tool, which comes via Windows Update.

    I wrote that you can boot to a USB, but you may want to burn a disk because nothing can write to a disk.
