Are daily antivirus scans in XP Normal Mode effective?

Are daily antivirus scans in XP Normal Mode effective?

What is the point of running a scheduled daily antivirus scan in XP Normal Mode when malware often can't be removed without being in Safe Mode?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The main reason is detection. Remember, awareness is the most powerful security tool. I think this question falls into the same category as the IDS/IPS debate a few years ago. In mid-2003, Gartner Inc. released a report that declared intrusion detection system technology as dead. While the points the report had were valid (i.e. IDS does not stop anything), the report failed to consider the awareness aspect of the technology.

This question, however, must be answered in two parts: detection and removal.

For detection, it is great to have antivirus in an enterprise environment running at regularly scheduled times, but it is not the only vector that should be used to identify malware. Regularly review IDS logs for indications of a network-level compromise. Finally, start a new regular activity with your security team in which egress and ingress points on the network perform a full packet capture for a specified amount of time. For large networks with high network usage, this may not be for very long. After capturing the traffic, have your team identify the different network connections and check to see if the connections are valid.

The idea is to find multiple points of detection that something is wrong in the environment. This includes antivirus running while the system is in normal mode. For this question, however, I would like to emphasize that some kernel-level rootkits can hide their existence from a running kernel.

Now regarding removal, some versions of malware, like Sality, remove the registry key that allows booting into Safe Mode. So Safe Mode is not always a safe bet. With some viruses or worms, booting into a Linux environment like Helix may be the best option because the Windows operating system can no longer be trusted. Finally, antivirus running in normal mode removes a vast number of malware, so it still has value to the enterprise.

Having multiple options that you and your team are trained in is the best option. Remain flexible, the attackers certainly are.

More information:

  • A SearchSecurity.com reader asks John Strand, "What is the best way to conduct a rootkit-specific risk assessment?"
  • Another asks Michael Cobb, "Is a Master Boot Record (MBR) rootkit completely invisible to the OS?"

    • This was first published in October 2008

    Back to top