About Live CDs



#1 nCharge

nCharge


Posted 20 September 2012 - 10:33 AM

Hi,

We know that Windows malware is inactive under Linux.
So can running a Linux (antivirus) Live CD be the most efficient way to detect malware? (In terms of detection rate)

Because booting into a Linux environment will not start any Windows file, the Live CD can list every single file on the HDD without OS restrictions or malware blocking actions, which makes invisible rootkits appear as "normal" listed files, and that will improve scanner results.

If that is true, I'd rather say that is a way to have a 100% detection rate ONLY if:
- the malware is already in the viral database! If not, we have to wait for the next update.

Why that?
Because if it is true, I would prefer running a weekly scan with a Live CD (KAV) instead of using Avira Desktop.

Your thoughts please?

Mod Edit:Moved to more appropriate forum~~ boopme

Edited by boopme, 20 September 2012 - 02:32 PM.



#2 Didier Stevens

Didier Stevens


Posted 21 September 2012 - 10:14 AM

A Live CD scanner is unimpeded by rootkit-like malware that tries to hide or disable the AV scanner. Thus it has a better chance of detecting malware by scanning the files.

But modern AV products don't just rely on passive file scanning techniques to detect malware, they also monitor the behavior of running programs to detect malicious behavior. And that is something a Live CD scanner can't do, as no programs (including malware) from the Windows machine are running.

AV scanners also scan the registry to detect malware, and that is something the Live CD scanners don't do. Although in theory they could mount the registry hives to scan them, they don't do this.

Furthermore, a Live CD scanner gives you no active protection. An AV product like Avira Desktop offers you real-time protection: when malware is detected, it is prevented from executing.

I perform scans with a Live CD about once a month, but I also keep my active, real-time AV product on my Windows desktop.

I can't do that for my laptops, because all my laptops have full disk encryption, and a Live CD can't access the encrypted file system.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
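An added example, not part of the thread, to make Didier's first point concrete: a rootkit that filters directory listings or spoofs file contents is only visible by comparing what the running Windows system reports with what a Live CD sees on the same disk (a "cross-view" diff). All paths, sizes and hashes below are constructed, and the volatile-file list is an assumption.

```python
from dataclasses import dataclass

# Files that legitimately differ between a running system and an offline
# mount (swap/hibernation files); their absence on one side is not hiding.
# Assumed list, extend for temp and log directories as needed.
VOLATILE = {r"c:\pagefile.sys", r"c:\hiberfil.sys", r"c:\swapfile.sys"}


@dataclass(frozen=True)
class Entry:
    path: str     # Windows path as reported by the listing tool
    size: int     # size in bytes
    sha256: str   # hex digest of the file contents


def normalise(path: str) -> str:
    """Fold case and separators so both views key on the same string."""
    return path.replace("/", "\\").rstrip("\\").casefold()


def cross_view(live, offline):
    """Compare the in-OS ('live') listing with the Live CD ('offline') one.

    hidden     : present on disk offline but not reported by the running OS
    mismatched : same path, but the running OS returned different contents
    live_only  : reported live but absent offline (usually files created
                 between the two listings; worth a look, not proof of anything)
    """
    live_by = {normalise(e.path): e for e in live}
    off_by = {normalise(e.path): e for e in offline}
    hidden = sorted(p for p in off_by
                    if p not in live_by and p not in VOLATILE)
    mismatched = sorted(p for p in off_by if p in live_by and
                        (off_by[p].sha256 != live_by[p].sha256
                         or off_by[p].size != live_by[p].size))
    live_only = sorted(p for p in live_by
                       if p not in off_by and p not in VOLATILE)
    return {"hidden": hidden, "mismatched": mismatched, "live_only": live_only}


# Constructed sample listings: "hidden.sys" only shows up offline, and the
# running OS returns different bytes for ndis.sys than the disk holds.
LIVE = [Entry(r"C:\Windows\System32\kernel32.dll", 1234, "aa" * 32),
        Entry(r"C:\Windows\System32\drivers\ndis.sys", 999, "bb" * 32),
        Entry(r"C:\pagefile.sys", 4096, "cc" * 32)]
OFFLINE = [Entry(r"C:\Windows\System32\kernel32.dll", 1234, "aa" * 32),
           Entry(r"c:/windows/system32/drivers/ndis.sys", 999, "dd" * 32),
           Entry(r"C:\Windows\System32\drivers\hidden.sys", 500, "ee" * 32)]

if __name__ == "__main__":
    for kind, paths in cross_view(LIVE, OFFLINE).items():
        print(f"{kind:10s} {paths}")
```

Because the two listings are taken minutes apart (one before the reboot, one from the Live CD), anything under `live_only` or `hidden` still needs a second look before it is called a rootkit.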


#3 nCharge

nCharge

Posted 21 September 2012 - 03:02 PM

Hello Didier,

I understand that Live CDs are more useful against rootkits, but how about "classic" malware? Because some would hide from the AV scanner, but not with the same technology as rootkits.

So, can we get better detection rates against malware (excluding rootkits) with Live CDs?

#4 Didier Stevens

Didier Stevens


Posted 03 October 2012 - 04:08 PM

I know that there are evasion techniques used by malware to avoid being detected by AV scanners and that are not considered rootkit-like behavior.

But AFAIK, these are static methods, i.e. they don't require execution of the malware. Thus I see no difference between an AV scanner installed on the OS and an AV scanner of a Live CD.



#5 nCharge

nCharge

Posted 06 October 2012 - 09:52 AM

Oh, I see.

I have a last question:
I usually see that it is recommended to create Live CDs on a malware-free computer. My question is why?
1) Maybe malware can add itself to the Live CD, making it unstable/useless (and infected)?
2) Or malware won't let us download the file and/or burn it?
3) Or ...?

Thanks

#6 Didier Stevens

Didier Stevens


Posted 08 October 2012 - 05:04 AM

Both cases: 1) and 2)

There is malware that can "infect" CD/DVD images, like .iso and .nrg files. It adds malware to the image.



#7 nCharge

nCharge

Posted 09 October 2012 - 07:04 AM

Hmm, I now understand.
Thanks for your help, Didier!
