BleepingComputer.com: Dismissing Security Paranoia


Dismissing Security Paranoia: Any tips?

#1 Ragnar Devonin

  • Member
  • Group: Members
  • Posts: 21
  • Joined: 07-August 10

Posted 30 May 2011 - 06:35 PM

Hi everyone,

I just wanted to ask: short of formatting and re-installing, is there a way to be reasonably assured that a computer is clean?

On a computer that has never had any infection (unless you count false positives :) ), has no problem getting updates for anything, is not running slowly, is not crashing, is not getting popups, or otherwise having any problems...

And when your AV, MABM, and SAS tell you in normal/safe mode, you're clean.

Is it a safe bet that you are indeed clean so you can tell that constantly nagging super paranoia to just bugger off?

Any tips for keeping that paranoia away?

Also: Are there any security programs being recommended currently aside from SAS/MABM/Firefox w/NoScript? If it requires too much technical knowledge it may be beyond me to use, though.

#2 Didier Stevens

  • Senior Member
  • Group: BC Advisor
  • Posts: 594
  • Joined: 12-October 10
  • Gender: Male

Posted 31 May 2011 - 05:51 AM

There is a method, but it requires a lot of work and is not 100% reliable.

The idea is that you determine the origin of every executable (i.e. the organization/person that produced the executable) and then decide if you trust each origin. You could, for example, decide that each executable produced by Microsoft is benign (i.e. not malicious). You would also need to ascertain that each executable produced by Microsoft has not been tampered with.

One way to do this is to check the digital signatures (Authenticode) of executables. Authenticode uses PKI signatures to 1) identify the origin and 2) detect modifications to the executable. Sysinternals has a tool to automate this: sigcheck.

But this is a theoretical approach; there are some practical issues that prevent this method from being foolproof.

The first issue is that not all executables are signed (not only scripts, but also binary executables).
The second issue is that you have to decide for each origin if you trust it or not. It might be easy to decide to trust Microsoft (which you implicitly do because you use Windows), but it might be less obvious for other origins, because malware authors have been known to buy code signing certificates to sign their malware. And there is the example of Stuxnet: a component of the Stuxnet malware was signed with a certificate that was stolen from a Taiwanese company (Realtek). So it was signed with the Realtek certificate because of a compromised key, but did not originate from Realtek.

This post has been edited by Didier Stevens: 31 May 2011 - 05:51 AM

Didier Stevens
http://blog.DidierStevens.com
Microsoft MVP 2011-2012 Consumer Security
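A worked version of the approach described in the post above, added here as an example (it is not code from the post, from Didier Stevens, or from Sysinternals): it walks a folder, records the Authenticode status and signer of every executable, summarizes the files per origin so each origin can be accepted or reviewed, and lists the files that need attention first. It uses PowerShell's built-in Get-AuthenticodeSignature cmdlet rather than the sigcheck tool the post names; the root folder and the trusted-signer list are placeholder assumptions to adjust.

```powershell
# Added example, not code from the forum post or from Sysinternals.
# Inventories the Authenticode state of executables under $Root and groups
# them by signer, so each origin can be reviewed and trusted or not.
# Uses the built-in Get-AuthenticodeSignature cmdlet instead of sigcheck;
# $Root and $TrustedSigners are placeholder assumptions, adjust them.
param(
    [string]$Root = "C:\Program Files",
    [string[]]$TrustedSigners = @("Microsoft Corporation", "Microsoft Windows")
)

# File types that carry executable code and can be Authenticode-signed
$extensions = '*.exe', '*.dll', '*.sys', '*.ocx', '*.scr'

function Get-SignerName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if ($null -eq $Cert) { return '' }
    # Common Name of the signing certificate's subject, e.g. "Microsoft Corporation"
    return $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

function Get-Verdict {
    param([string]$Status, [string]$Signer)
    switch ($Status) {
        # Signature present but the file bytes no longer match it: modified after signing
        'HashMismatch' { return 'TAMPERED: signed, but contents changed after signing' }
        # No signature at all: the file itself gives no evidence of origin
        'NotSigned'    { return 'UNSIGNED: origin cannot be established from the file' }
        # Chain does not reach a trusted root, or the certificate was revoked
        'NotTrusted'   { return 'UNTRUSTED: chain or revocation check failed' }
        'Valid' {
            if ($TrustedSigners -contains $Signer) {
                return 'TRUSTED: valid signature from an accepted origin'
            }
            return 'REVIEW: valid signature, decide whether to trust this origin'
        }
        default { return "REVIEW: signature status $Status" }
    }
}

$inventory = Get-ChildItem -Path $Root -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $status = [string]$sig.Status
        $signer = Get-SignerName -Cert $sig.SignerCertificate
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $status
            Signer  = $signer
            Verdict = Get-Verdict -Status $status -Signer $signer
        }
    }

# Per-origin summary: how many files each signer (or "<unsigned>") accounts for.
# This is the list of origins the reviewer has to decide about.
$inventory |
    Group-Object { if ($_.Signer) { $_.Signer } else { '<unsigned>' } } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Files that need attention first: tampered, untrusted, unsigned, or unfamiliar origin
$inventory |
    Where-Object { $_.Verdict -notlike 'TRUSTED*' } |
    Sort-Object Verdict, Path |
    Format-Table Verdict, Signer, Path -AutoSize -Wrap
```

Run it as a script (for example `.\Invoke-SignerInventory.ps1 -Root "D:\Apps"`, a file name assumed here). The two caveats from the post show up directly in the output: every entry marked UNSIGNED is a file whose origin the signature check simply cannot settle, and a TRUSTED verdict only means the signature chains to a signer you chose to accept. A file signed with a key stolen from an accepted signer (the Stuxnet/Realtek case) is reported as TRUSTED until the certificate is revoked, after which the same file reports as UNTRUSTED.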

#3 Ragnar Devonin

  • Member
  • Group: Members
  • Posts: 21
  • Joined: 07-August 10

Posted 31 May 2011 - 08:11 PM

You're right, that does sound like a lot of work... and not practical for me. I guess this means I had better get myself a Vista disc sometime soon.

As an aside, the computer in the OP: is it reasonable to assume it's clean? I have checked every part of it I can and nothing points to an infection. I am thinking any belief otherwise is a product of paranoia.

Thank you for the response though. If nothing else I can keep it in mind if I ever have a file raise my suspicions.

#4 chromebuster

  • Distinguished Member
  • Group: Members
  • Posts: 815
  • Joined: 06-May 10
  • Gender: Female
  • Location: the crazy city of Boston, in the North East reaches of New England

Posted 31 May 2011 - 10:26 PM

It's actually not as much work to do that as you think. Just gather information, look up stuff that confuses you, and then understand. That's what I do, but at the same time, I think that the more technical things are, the more informative they are. My opinion, and it's nothing against anyone here, is that we can no longer get away with not understanding computers, and no one can any longer get away with not venturing into the technical world.
Raeder24. We're for community, accessibility for the blind, and technology support. Founded in 2008. join our community at raeder24.org

#5 Didier Stevens

  • Senior Member
  • Group: BC Advisor
  • Posts: 594
  • Joined: 12-October 10
  • Gender: Male

Posted 01 June 2011 - 03:06 AM

Ragnar Devonin, on 31 May 2011 - 08:11 PM, said:

As an aside, the computer in the OP: is it reasonable to assume it's clean? I have checked every part of it I can and nothing points to an infection. I am thinking any belief otherwise is a product of paranoia.


Who uses this computer? Are you the only user? And would you describe your surfing habits as safe?
Didier Stevens
http://blog.DidierStevens.com
Microsoft MVP 2011-2012 Consumer Security