
Factory State Format Reliability


24 replies to this topic

#1 Remag VII


Posted 23 November 2013 - 01:04 PM

If I was worried about a malware infection on my laptop, would a full factory state format take care of any and all threats I might have? In other words, is there malware that can survive a format like that?




#2 quietman7


Posted 23 November 2013 - 03:27 PM


A "factory restore (reset)" essentially reformats your hard drive, removes all data and restores the computer to the state it was in when you first purchased it. Most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore". Some factory restore partitions/disks give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer. Either way, you will need to reinstall any programs that did not come preinstalled with your computer and run Windows Update to redownload all critical patches.

With that said, infections and severity of damage will vary and there are some types of malware which may resist reformatting. For example, there are some infections (rootkits and bootkits) which can create a hidden partition table and alter (overwrite) the Master Boot Record (MBR) of the system drive to ensure persistent execution of malicious code and the MBR would need to be repaired. In these cases, FDISK or similar software utility is typically used to delete the boot partition where the MBR is located and repartition/format a given volume...a separate function. If restoring a full hard drive image it will replace the MBR since hard drive imaging software also clones the MBR. Other types of malware can infect recovery partitions and even render them unusable. If the recovery partition has become infected, you will need to contact the computer manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support or charge a small fee.

Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive hard disk wiping and reinfect a clean disk. This type of malware is very rare, exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS.

This is a quote from my Security Colleague, Elise who works with the Emsisoft Anti-Malware Research Team.

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent, different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible as you'd have to write a lot of different versions for different hardware models.


These articles explain the complexity of the UEFI (Unified Extensible Firmware Interface), secure boot protocol and exploitation. Fortunately, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for cyber-criminals to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering where they can use sophisticated but less technical means than a BIOS virus.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Remag VII


Posted 23 November 2013 - 04:47 PM

Your thorough and quick response is extremely appreciated! I spent an entire evening yesterday trying to search for a solid answer, but all the forums I skimmed through were full of weak and questionable answers. Thanks a ton quietman!



#4 quietman7


Posted 23 November 2013 - 04:57 PM

Not a problem.

I forgot to mention...if the recovery partition has become infected, you can always contact the computer manufacturer, explain what happened and ask them to send full recovery (factory restore) disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacement disks as part of their support or charge a small fee.

#5 Remag VII


Posted 23 November 2013 - 05:06 PM

I have the manufacturer's format disk, thankfully. Do you have a donation box?



#6 quietman7


Posted 23 November 2013 - 05:11 PM

I appreciate your generous offer.

#7 Remag VII


Posted 24 November 2013 - 10:45 PM

WWP it is! I actually just joined the Army National Guard about a month ago. =)


Edited by Remag VII, 24 November 2013 - 10:48 PM.


#8 Scoop8


Posted 25 November 2013 - 11:15 AM

quietman7

Thanks for a very informative post about this topic.

I'm a routine cloner and I also run periodic full-disk images. I've been reading about this subject recently, i.e., does a format (and/or removing all partitions) completely remove all previous malware/virus objects on a HDD.

I've been affected a couple of times the past couple of years with malware/virus but recovered fast with my cloned HDD that I keep on the shelf. After I was running on my replacement HDD for a while, I deleted the partitions on the infected HDD, reformatted, and re-cloned back to it. The HDD tested ok, booted up, etc. I returned the HDD to the shelf for my next spare. In both instances, a removal of the partitions and a reformat removed the malicious objects.

The question I have is regarding one of your provided links referring to the MBR.

I'm running Windows 7 x64 Home Premium with a standard install with the 2 common partitions, the "System Reserved" partition and the main partition.

The question that I have is, where does the MBR reside on a Windows 7 standard-install HDD? Until recently, I had thought that all boot objects, MBR, Boot Mgr, etc., were located within the 100Mb "System Reserved" partition.

I've since read articles that seem to indicate that the MBR isn't located in any partition. It's located in the first sector of the HDD, "sector 0", whereas the first partition in a standard Windows 7 HDD starts at Sector 2048.

If I have this part right, that means that if the user removes all partitions on the HDD, the original MBR is still present on the HDD.

Is that right?

If so, I'm assuming that a complete disk wipe, using "DBAN" or another HDD wipe tool, would remove all traces of any remaining malicious objects residing in the MBR, which would then allow the user to reformat and use the HDD for a cloned spare, restoring it into one's backup use.


Edited by Scoop8, 25 November 2013 - 11:23 AM.


#9 Crazy Cat


Posted 25 November 2013 - 07:39 PM

If you restore a full hard drive image it will replace the MBR. All full hard drive imaging software clones the MBR also.

Tools to view and backup your MBR. http://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#10 quietman7


Posted 26 November 2013 - 08:37 AM


The master boot record is always located at cylinder 0, head 0, and sector 1, the first sector on the disk. This is the consistent starting point that the disk will always use. When a computer starts and the BIOS boots the machine, it will always look at this first sector for instructions and information on how to proceed with the boot process and load the operating system.

The Master Boot Record (MBR) and Why it is Necessary?
Master Boot Record (MBR)

#11 Scoop8


Posted 26 November 2013 - 09:04 AM

If you restore a full hard drive image it will replace the MBR. All full hard drive imaging software clones the MBR also.

Tools to view and backup your MBR. http://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/

Thanks for the MBR tool link :)

From what you mentioned about cloning and full-disk imaging, the MBR gets restored with each approach if the original HDD's MBR was infected by malicious code.

I think I'll back up the MBR anyway since it appears to be an easy step after reading some info about those freeware tools.

The master boot record is always located at cylinder 0, head 0, and sector 1, the first sector on the disk. This is the consistent starting point that the disk will always use. When a computer starts and the BIOS boots the machine, it will always look at this first sector for instructions and information on how to proceed with the boot process and load the operating system.

The Master Boot Record (MBR) and Why it is Necessary?
Master Boot Record (MBR)

Thanks again for this info :). If I'm understanding this right, there's no need to run a disk wipe tool if the original HDD's MBR was infected since the cloning and/or full-disk image recovery process (with the target HDD being the originally infected HDD) will restore the MBR along with the entire HDD.


Edited by Scoop8, 26 November 2013 - 09:04 AM.


#12 quietman7


Posted 26 November 2013 - 05:18 PM

Disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) allows you to take a complete snapshot (image file) of your hard disk contents which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

It is a safer practice to create the system image on a removable external hard drive, which can be disconnected and placed in a safe area for use when needed. CDs and DVDs are not as reliable as they can more easily be misplaced/lost, damaged or may not work if the CD/DVD-ROM drive does not function properly when you need it.

#13 Scoop8


Posted 26 November 2013 - 05:41 PM

Disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) allows you to take a complete snapshot (image file) of your hard disk contents which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

It is a safer practice to create the system image on a removable external hard drive, which can be disconnected and placed in a safe area for use when needed. CDs and DVDs are not as reliable as they can more easily be misplaced/lost, damaged or may not work if the CD/DVD-ROM drive does not function properly when you need it.

Thanks again for the info :). I do the same, my cloned HDD is on the shelf and gets cloned every 4 weeks.

I also have a 2nd HDD that I use as a backup image/clone HDD and to test image recovery with various imaging programs.

This forum's a great place to learn new info. I'd never understood the MBR and where it resides on the HDD until reading your posts and links.

Crazy Cat

I read about one of the MBR backup/recovery tools from the link you provided. In the writeup for "MBR Wizard" tool, the reviewer wrote this:

MBRwizard is quite a powerful utility and can be helpful in dealing with all sorts of MBR related problems. It was originally designed to repair the damage left on occasion by disk imaging applications such as Symantec Ghost and Acronis True Image, but has matured into a program to repair all sorts of MBR related issues.

The underlined part caught my eye. I'm guessing that the reference was to earlier versions of imaging programs but was curious about it (imaging programs damaging the MBR?).

Do you have a preference with these MBR programs? From what I've read so far, I like 'MBRtool' since I can burn its ISO to a CD and boot from there.



#14 Crazy Cat


Posted 26 November 2013 - 09:34 PM

@ Scoop8

Do you have a preference with these MBR programs? From what I've read so far, I like 'MBRtool' since I can burn its ISO to a CD and boot from there.

I've used all of them, but these I use regularly.

MBRtool: The program comes with its own bootable media builder where you can write an image to floppy, burn it to a CD or extract the MBRTool executable to be used on the command line or in scripts.

HDHacker: Although it will probably look like a mixed up mess in the viewing pane to most people, others may be able to trace problems or even possible boot sector viruses from the information.

MBR Backup: Simply start the portable executable and it will display the MBR of disk in Hex, the drive can be changed from the drop down. Then all you have to do is click on Save or Print MBR to back it up, and choose the Restore option to put the Boot Record back again.

I use Image for Windows by TeraByte. http://www.terabyteunlimited.com/image-for-windows.htm
I burn an image to dual-layer DVD (9Gb), and also an image file to a 32Gb (or 64Gb) USB flash drive. Some very large HDD images I burn an image to BluRay disk and another image to USB HDD.

Why do I burn a disk and USB flash drive as well you ask? Fail-safe reasons; disk remains on site where PC/Servers are, and USB Flash/HDD go to another location in a fire-proof safe.

I also suggest Clonezilla. http://clonezilla.org/

Edited by Crazy Cat, 26 November 2013 - 09:52 PM.

 

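As an added example (not from any poster in this thread and not the code of any tool named above), the following Python script shows in working form what Scoop8's question about sector 0 and the MBR backup tools discussed in this thread amount to: it parses the 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares a saved backup against the current sector 0, flagging a changed boot code or an added partition entry, which is what a bootkit or a hidden partition would leave behind. The disk layout and boot-code bytes are constructed sample data, not taken from a real disk.

```python
import hashlib
import struct

SECTOR_SIZE, PART_TABLE_OFFSET = 512, 446   # boot code fills bytes 0-445
MBR_SIGNATURE = b"\x55\xAA"                  # bytes 510-511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector0: bytes) -> dict:
    """Parse sector 0 into a boot-code hash and the non-empty partition entries."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector0, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector0[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def compare_mbr(backup: bytes, current: bytes) -> list:
    """Report how the current sector 0 differs from a saved MBR backup."""
    ref, cur = parse_mbr(backup), parse_mbr(current)
    findings = []
    if ref["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code changed")   # the part a bootkit overwrites
    ref_parts = {p["index"]: p for p in ref["partitions"]}
    cur_parts = {p["index"]: p for p in cur["partitions"]}
    for idx in sorted(set(ref_parts) | set(cur_parts)):
        if idx not in ref_parts:
            findings.append(f"partition entry {idx} added")   # e.g. a hidden partition
        elif idx not in cur_parts:
            findings.append(f"partition entry {idx} removed")
        elif ref_parts[idx] != cur_parts[idx]:
            findings.append(f"partition entry {idx} modified")
    return findings


def build_mbr(boot_code: bytes, layout) -> bytes:
    """Assemble a 512-byte MBR from constructed sample data (demo helper)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:PART_TABLE_OFFSET] = boot_code[:PART_TABLE_OFFSET].ljust(PART_TABLE_OFFSET, b"\x00")
    for i, (bootable, ptype, lba_start, sectors) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: Windows 7 style layout, System Reserved at LBA 2048 (100 MB, bootable)
# followed by the main NTFS partition; the boot code bytes are filler, not real code.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438
CLEAN_LAYOUT = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 500000000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_LAYOUT)
# Constructed tampered copy: boot code patched and a third, previously unused entry added.
TAMPERED_MBR = build_mbr(b"\xeb\x1e" + CLEAN_BOOT_CODE[2:],
                         CLEAN_LAYOUT + [(False, 0x12, 500206848, 2048)])
```

On a live machine, `backup` would be the file written by one of the MBR backup tools named above and `current` the first 512 bytes read from the raw disk device with administrator rights. Any finding means sector 0 no longer matches the known-good copy, which is the case where restoring the full disk image, as the thread describes, puts the MBR back.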


#15 quietman7


Posted 27 November 2013 - 05:13 AM

aswMBR.exe by avast! upon the first run, will also back up the MBR and save it to the Desktop.



