Ask The Security Expert: Questions & Answers

Are daily antivirus scans in XP Normal Mode effective if malware must be removed in Safe Mode?

Expert response from: John Strand

QUESTION POSED ON: 27 August 2008
What is the point of running a scheduled daily antivirus scan in XP Normal Mode when malware often can't be removed without being in Safe Mode?

EXPERT RESPONSE
The main reason is detection. Remember, awareness is the most powerful security tool. I think this question falls into the same category as the IDS/IPS debate a few years ago. In mid-2003, Gartner Inc. released a report that declared intrusion detection system technology as dead. While the points the report had were valid (i.e. IDS does not stop anything), the report failed to consider the awareness aspect of the technology.

This question, however, must be answered in two parts: detection and removal.

For detection, it is great to have antivirus in an enterprise environment running at regularly scheduled times, but it is not the only vector that should be used to identify malware. Regularly review IDS logs for indications of a network-level compromise. Finally, start a new regular activity with your security team in which egress and ingress points on the network perform a full packet capture for a specified amount of time. For large networks with high network usage, this may not be for very long. After capturing the traffic, have your team identify the different network connections and check to see if the connections are valid.

The idea is to find multiple points of detection that something is wrong in the environment. This includes antivirus running while the system is in normal mode. For this question, however, I would like to emphasize that some kernel-level rootkits can hide their existence from a running kernel.

Now regarding removal, some versions of malware, like Sality, remove the registry key that allows booting into Safe Mode. So Safe Mode is not always a safe bet. With some viruses or worms, booting into a Linux environment like Helix may be the best option because the Windows operating system can no longer be trusted. Finally, antivirus running in normal mode removes a vast number of malware, so it still has value to the enterprise.

Having multiple options that you and your team are trained in is the best option. Remain flexible; the attackers certainly are.

More information:

  • A SearchSecurity.com reader asks John Strand, "What is the best way to conduct a rootkit-specific risk assessment?"
  • Another asks Michael Cobb, "Is a Master Boot Record (MBR) rootkit completely invisible to the OS?"
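The answer recommends capturing traffic at the network edge, identifying each connection and checking whether it is valid. The script below is an added example of that triage step and is not code from the original answer or from the expert. It parses a constructed `netstat -ano`-style listing (the format Windows XP prints), maps PIDs to process names through a constructed `tasklist`-style table, and flags external connections that do not match an assumed policy. The sample addresses, process names, internal network ranges and the "web ports only, browsers only" policy are all assumptions for illustration; the public-looking addresses are IANA documentation ranges (TEST-NET) standing in for real Internet hosts.

```python
"""Triage host connections against a simple allow-policy.

Added example (not from the original answer). Everything below that looks
like data is constructed for this example; the policy values are assumptions.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in `netstat -ano` layout. The TEST-NET addresses
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for public hosts.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.2.15:1054         10.1.2.5:445           ESTABLISHED     4
  TCP    10.1.2.15:1060         203.0.113.44:80        ESTABLISHED     1788
  TCP    10.1.2.15:1077         198.51.100.9:6667      ESTABLISHED     2040
  TCP    10.1.2.15:1081         203.0.113.44:80        ESTABLISHED     1788
  TCP    10.1.2.15:1099         192.0.2.77:8080        SYN_SENT        2040
  TCP    10.1.2.15:1102         203.0.113.44:443       ESTABLISHED     2040
  UDP    10.1.2.15:137          *:*                                    4
"""

# Constructed PID-to-process map (on a real host, taken from `tasklist`).
SAMPLE_PROCESSES = {4: "System", 1788: "iexplore.exe", 2040: "svchost.exe"}

# Assumed policy for this network. Internal ranges are listed explicitly rather
# than via ipaddress.is_private, which also treats the TEST-NET ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ALLOWED_EXTERNAL_PORTS = {80, 443}          # only web traffic may leave the network
BROWSERS = {"iexplore.exe", "firefox.exe"}  # only these may originate web traffic


class Connection(NamedTuple):
    proto: str
    local: str
    remote_host: str
    remote_port: Optional[int]   # None for unbound endpoints such as "*:*"
    state: str
    pid: int


# Proto, local, foreign, optional state (UDP rows print none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); port is None when it is '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Connection]:
    """Parse `netstat -ano` output; header, blank and unparseable rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        host, port = split_endpoint(remote)
        conns.append(Connection(proto, local, host, port, state or "", int(pid)))
    return conns


def is_internal(host: str) -> bool:
    """True for addresses inside the assumed internal ranges or non-addresses ('*')."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True   # '*' or a hostname: nothing external to check here
    return any(ip in net for net in INTERNAL_NETS)


def triage(conns: List[Connection], processes: dict) -> List[Tuple[int, str, str, str]]:
    """Return (pid, process, remote, reason) for each connection breaking policy."""
    findings = []
    for c in conns:
        if c.remote_port is None or is_internal(c.remote_host):
            continue   # unbound or internal: out of scope for egress review
        proc = processes.get(c.pid, "unknown")
        remote = f"{c.remote_host}:{c.remote_port}"
        if c.remote_port not in ALLOWED_EXTERNAL_PORTS:
            findings.append((c.pid, proc, remote, "external endpoint on non-web port"))
        elif proc not in BROWSERS:
            findings.append((c.pid, proc, remote, "web port used by non-browser process"))
    return findings


if __name__ == "__main__":
    for pid, proc, remote, reason in triage(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print(f"PID {pid} ({proc}) -> {remote}: {reason}")
```

On a real host, replace the two constructed samples with the output of `netstat -ano` and `tasklist`, and treat the findings as leads to confirm against the packet capture rather than as verdicts: a legitimate updater on a non-standard port will show up here, and a rootkit that hides its sockets from the running kernel will not, which is why the answer pairs host-side review with a capture taken at the network edge.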

