Q

Are daily antivirus scans in XP Normal Mode effective?

For detection, it is great to have antivirus in an enterprise environment running at regularly scheduled times, but it is not the only vector that should be used to identify malware. John Strand reveals some of the others.

What is the point of running a scheduled daily antivirus scan in XP Normal Mode when malware often can't be removed without being in Safe Mode?

The main reason is detection. Remember, awareness is the most powerful security tool. I think this question falls into the same category as the IDS/IPS debate a few years ago. In mid-2003, Gartner Inc. released a report that declared intrusion detection system technology as dead. While the points the report had were valid (i.e. IDS does not stop anything), the report failed to consider the awareness aspect of the technology.

This question, however, must be answered in two parts: detection and removal.

For detection, it is great to have antivirus in an enterprise environment running at regularly scheduled times, but it is not the only vector that should be used to identify malware. Regularly review IDS logs for indications of a network-level compromise. Finally, start a new regular activity with your security team in which egress and ingress points on the network perform a full packet capture for a specified amount of time. For large networks with high network usage, this may not be for very long. After capturing the traffic, have your team identify the different network connections and check to see if the connections are valid.

The idea is to find multiple points of detection that something is wrong in the environment. This includes antivirus running while the system is in normal mode. For this question, however, I would like to emphasize that some kernel-level rootkits can hide their existence from a running kernel.

Now regarding removal, some versions of malware, like Sality, remove the registry key that allows booting into Safe Mode. So Safe Mode is not always a safe bet. With some viruses or worms, booting into a Linux environment like Helix may be the best option because the Windows operating system can no longer be trusted. Finally, antivirus running in normal mode removes a vast number of malware, so it still has value to the enterprise.

Having multiple options that you and your team are trained in is the best option. Remain flexible; the attackers certainly are.
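One concrete detection check that follows from the point about Sality above, as an added example that is not part of the original answer: since that family removes the SafeBoot registry keys Windows needs to enter Safe Mode, a scheduled script can verify the keys are still present and flag a host whose Safe Mode can no longer be trusted. It assumes PowerShell is available on the XP host, and the list of expected service groups under each profile is an assumption to be baselined against a known-clean machine of the same build.

```powershell
# Added example: check the SafeBoot registry keys that Safe Mode depends on.
# Their absence is itself a detection signal (Sality-style tampering).
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$requiredKeys = @('Minimal', 'Network')
# Service groups that a clean XP install lists under both profiles.
# ASSUMPTION: baseline this list against a known-clean host of the same build.
$expectedEntries = @('Boot Bus Extender', 'Boot file system', 'System Bus Extender',
                     'Primary disk', 'File system', 'Base')

function Test-SafeBootIntegrity {
    $findings = @()
    if (-not (Test-Path $safeBootRoot)) {
        $findings += "SafeBoot root key missing: $safeBootRoot"
        return ,$findings
    }
    foreach ($key in $requiredKeys) {
        $path = "$safeBootRoot\$key"
        if (-not (Test-Path $path)) {
            $findings += "Safe Mode profile key missing: $path"
            continue
        }
        # Subkey names under the profile are the service/driver groups loaded in Safe Mode.
        $present = Get-ChildItem $path -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.PSChildName }
        foreach ($entry in $expectedEntries) {
            if ($present -notcontains $entry) {
                $findings += "$key profile lacks expected entry '$entry'"
            }
        }
    }
    return ,$findings
}

# Wrap in @() so an empty result is still an array with a .Count of 0.
$findings = @(Test-SafeBootIntegrity)
if ($findings.Count -eq 0) {
    Write-Output 'SafeBoot keys intact: Safe Mode should be bootable.'
} else {
    Write-Output 'SafeBoot tampering suspected; do not rely on Safe Mode for cleanup on this host:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A non-zero finding count is a reason to escalate to offline analysis (booting from trusted media such as the Helix environment mentioned above) rather than attempting in-place removal.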

More information:

  • A SearchSecurity.com reader asks John Strand, "What is the best way to conduct a rootkit-specific risk assessment?"
  • Another asks Michael Cobb, "Is a Master Boot Record (MBR) rootkit completely invisible to the OS?"
  • This was first published in October 2008
