Ask the Expert

Are daily antivirus scans in XP Normal Mode effective?

What is the point of running a scheduled daily antivirus scan in XP Normal Mode when malware often can't be removed without being in Safe Mode?

    Requires Free Membership to View

The main reason is detection. Remember, awareness is the most powerful security tool. I think this question falls into the same category as the IDS/IPS debate a few years ago. In mid-2003, Gartner Inc. released a report that declared intrusion detection system technology as dead. While the points the report had were valid (i.e. IDS does not stop anything), the report failed to consider the awareness aspect of the technology.

This question, however, must be answered in two parts: detection and removal.

For detection, it is great to have antivirus in an enterprise environment running at regularly scheduled times, but it is not the only vector that should be used to identify malware. Regularly review IDS logs for indications of a network-level compromise. Finally, start a new regular activity with your security team in which egress and ingress points on the network perform a full packet capture for a specified amount of time. For large networks with high network usage, this may not be for very long. After capturing the traffic, have your team identify the different network connections and check to see if the connections are valid.

The idea is to find multiple points of detection that something is wrong in the environment. This includes antivirus running while the system is in normal mode. For this question, however, I would like to emphasize that some kernel-level rootkits can hide their existence from a running kernel.

Now regarding removal, some versions of malware, like Sality, remove the registry key that allows booting into Safe Mode. So Safe Mode is not always a safe bet. With some viruses or worms, booting into a Linux environment like Helix may be the best option because the Windows operating system can no longer be trusted. Finally, antivirus running in normal mode removes a vast number of malware, so it still has value to the enterprise.

Having multiple options that you and your team are trained in is the best option. Remain flexible, the attackers certainly are.

More information:

  • A reader asks John Strand, "What is the best way to conduct a rootkit-specific risk assessment?"
  • Another asks Michael Cobb, "Is a Master Boot Record (MBR) rootkit completely invisible to the OS?"
  • This was first published in October 2008

    There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: