
Can a virus be active in a dismounted / disabled drive?


9 replies to this topic

#1 misc00500

  • Members
  • 4 posts

Posted 06 January 2015 - 01:29 AM

I'm dual booting 2 copies of Windows on 2 different hard drives, one on C:/ and one on G:/. I would like to make sure that if I get a virus on the G:/ Windows it does not spread onto the C:/ Windows.

So I would like to know: assuming there is a virus on G:/ and I boot Windows 8 on C:/ but disable G:/ through Device Manager, thus making it disappear under "My Computer", this would effectively quarantine the virus on G:/ and prevent it from spreading into C:/, correct? But what if G:/ is a partition and, instead of disabling it, I only dismount it by not giving it a letter in Disk Management? Would it be possible for the virus to still be active even though the partition it resides in has been dismounted but not disabled?

In short,

Can a virus that is located in a partition that has been dismounted still be active?

What about a virus that is on a drive that has been disabled in Device Manager? Can it still be active and spread onto other drives?

Thanks for any feedback

Edited by Orange Blossom, 06 January 2015 - 01:47 AM.
Moved to more appropriate forum. ~ OB



#2 Al1000

  • Global Moderator
  • 7,883 posts
  • Gender:Male
  • Location:Scotland

Posted 06 January 2015 - 06:54 AM

If there is a virus on G: then isn't there a chance that it could infect C: when you reboot the computer, before you unmount or disable G:?

And supposing you did manage to isolate it, how would you then deal with it?

If you have a suspicious file on your computer and you know where it is, an easy and secure way to delete it, or to upload it to VirusTotal or whatever, is to boot your computer with a "live" Linux CD.

BTW welcome to Bleeping Computer :welcome:

#3 misc00500
  • Topic Starter
  • Members
  • 4 posts

Posted 06 January 2015 - 02:06 PM

Thanks for replying Al1000. I'm starting out with a blank slate with newly installed Windows, so there are currently no viruses in either dual-booted Windows yet. My question is theoretical. Let's say I'm dual booting G:/windows and C:/windows. In both boots, I disable or dismount the other drive. For example, when running G:/windows, C:/ is dismounted, and when running C:/windows, G:/ is dismounted. Let's suppose under this setup, somehow while running G:/windows, G:/ got infected with a virus. So my question is: when I exit G:/windows and boot into C:/windows, would it be possible for the G:/ virus to infect C:/, even though the C:/windows environment does not see the G:/ virus because G:/ has been dismounted in Disk Management? Basically, my question is: is it possible for a virus that is on a dismounted drive to still be active? Like spread itself onto another drive (C:/)? Does dismounting a drive make everything on that drive inactive? Is it possible for a program (virus) to still do things even though it lives on a drive that has been dismounted?

Edited by misc00500, 06 January 2015 - 02:16 PM.


#4 Al1000

  • Global Moderator
  • 7,883 posts
  • Gender:Male
  • Location:Scotland

Posted 06 January 2015 - 02:31 PM

Basically, my question is, is it possible for a virus that is on a dismounted drive to still be active?


If the virus is isolated on G: then it won't infect C: while G: is dismounted. But how would you prevent Windows from mounting G: and potentially infecting C: the next time you reboot?

#5 Didier Stevens

  • BC Advisor
  • 2,707 posts
  • Gender:Male

Posted 06 January 2015 - 03:36 PM

No, in your example the malware will not become active.

 

But that is for malware that resides in files. You also have malware that infects your Master Boot Record (MBR).

Example: say you run Windows C:\ and that you infect your machine with MBR malware.

That malware will infect your MBR and Windows C:\.

Now when you boot Windows G:\, the malware will become active via the MBR and also infect Windows G:\


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 misc00500
  • Topic Starter
  • Members
  • 4 posts

Posted 06 January 2015 - 03:50 PM

Al1000: "But how would you prevent Windows from mounting G:?"

Reply: easily done in Disk Management via remove disk, or disable in Device Manager.

Thanks for the response Didier Stevens. To prevent an MBR virus, how effective would it be to disable the drive through Device Manager as opposed to just dismounting it? Or what about disabling the drive in the BIOS? And what is the best way to scan specifically for an MBR virus?

Edited by misc00500, 06 January 2015 - 03:52 PM.


#7 Didier Stevens

  • BC Advisor
  • 2,707 posts
  • Gender:Male

Posted 06 January 2015 - 03:55 PM

Yes, disabling the drive in the BIOS would prevent the malware from infecting the MBR.

Most AV products also scan the MBR when you scan a disk.

And if you're very technical, there are tools that let you dump the MBR.


Edited by Didier Stevens, 06 January 2015 - 03:55 PM.



#8 Didier Stevens

  • BC Advisor
  • 2,707 posts
  • Gender:Male

Posted 06 January 2015 - 03:58 PM

BTW, if you use Windows 8, your disks are most likely formatted with the new GPT standard, and thus have no MBR.




#9 misc00500
  • Topic Starter
  • Members
  • 4 posts

Posted 06 January 2015 - 04:05 PM

Thanks a lot for your feedback Didier Stevens. Yes, you're right, both disks are GPT. Is GPT new enough that no virus can infect it yet? Or is it just as vulnerable as the MBR?

#10 Didier Stevens

  • BC Advisor
  • 2,707 posts
  • Gender:Male

Posted 06 January 2015 - 04:28 PM

MBR can be infected because it can contain executable code.

AFAIK, GPT cannot contain executable code, except for the protective MBR. But if your machine has UEFI (which would be normal when your disks are GPT), it does not use the protective MBR.

 

So no, GPT is not as vulnerable as MBR. But of course, I can't exclude that some day, someone will find a way.

 

I have UEFI and GPT, and I don't worry about the GPT getting infected.




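As an added example (not from this thread, nor from any of the posters), the following Python script does what posts #7 and #10 above describe in words: it dumps the first two sectors of a disk, splits sector 0 into the 446-byte bootstrap code region that BIOS firmware executes on an MBR disk, reports whether that region is non-zero and hashes it so it can be compared against a known-good baseline, and, when the partition table holds the 0xEE protective entry, validates the GPT header at LBA 1 and its CRC32. The two sample images, the LBA values in them and the two-byte stand-in for bootstrap code are constructed; reading a physical drive through a device path such as `\\.\PhysicalDrive0` is an assumption that needs an elevated prompt on Windows.

```python
import hashlib
import struct
import sys
import zlib
from typing import Any, Dict, List, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 of sector 0: code that BIOS firmware jumps into on an MBR disk
GPT_SIGNATURE = b"EFI PART"  # first 8 bytes of the GPT header at LBA 1
PROTECTIVE_MBR_TYPE = 0xEE   # partition type of the protective MBR entry on a GPT disk


def parse_mbr(sector0: bytes) -> Dict[str, Any]:
    """Split sector 0 into bootstrap code, the four partition entries and the 0x55AA signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte first sector")
    boot_code = sector0[:BOOT_CODE_LEN]
    partitions: List[Dict[str, Any]] = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector0, BOOT_CODE_LEN + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_nonzero": any(boot_code),                        # False for an all-zero code region
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),  # compare with a known-good baseline
        "partitions": partitions,
        "signature_ok": sector0[510:512] == b"\x55\xAA",
    }


def parse_gpt_header(sector1: bytes) -> Dict[str, Any]:
    """Validate the GPT header at LBA 1: signature, sane size, CRC32 (computed with the CRC field zeroed)."""
    if sector1[:8] != GPT_SIGNATURE:
        return {"present": False, "crc_ok": None}
    header_size, stored_crc = struct.unpack_from("<II", sector1, 12)
    if not 92 <= header_size <= len(sector1):
        return {"present": True, "crc_ok": False}
    scratch = bytearray(sector1[:header_size])
    struct.pack_into("<I", scratch, 16, 0)
    computed = zlib.crc32(bytes(scratch)) & 0xFFFFFFFF
    return {"present": True, "crc_ok": computed == stored_crc}


def classify_disk(image: bytes) -> Dict[str, Any]:
    """Report partition style and whether sector 0 still carries executable bootstrap code."""
    mbr = parse_mbr(image[:SECTOR])
    if len(image) >= 2 * SECTOR:
        gpt = parse_gpt_header(image[SECTOR:2 * SECTOR])
    else:
        gpt = {"present": False, "crc_ok": None}
    protective = any(p["type"] == PROTECTIVE_MBR_TYPE for p in mbr["partitions"])
    if protective and gpt["present"]:
        style = "GPT"
    elif mbr["signature_ok"]:
        style = "MBR"
    else:
        style = "unknown"
    return {
        "style": style,
        "boot_code_present": mbr["boot_code_nonzero"],
        "boot_code_sha256": mbr["boot_code_sha256"],
        "gpt_header_crc_ok": gpt["crc_ok"],
        "partitions": [p for p in mbr["partitions"] if p["type"] != 0],
    }


# ---- constructed sample images (not real disks) ----------------------------------------------

def _mbr_sector(boot_code: bytes, entries: List[Tuple[int, int, int, int]]) -> bytes:
    sec = bytearray(SECTOR)
    sec[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, BOOT_CODE_LEN + 16 * i, status, ptype, lba, count)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def _gpt_header_sector() -> bytes:
    hdr = bytearray(92)
    hdr[0:8] = GPT_SIGNATURE
    # revision 1.0, header size 92, CRC placeholder, reserved, current/backup LBA, first/last usable LBA
    struct.pack_into("<IIIIQQQQ", hdr, 8, 0x00010000, 92, 0, 0, 1, 2047, 34, 2014)
    # disk GUID (bytes 56..71) left zero; partition-entry LBA, entry count, entry size, entries CRC
    struct.pack_into("<QIII", hdr, 72, 2, 128, 128, 0)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return bytes(hdr).ljust(SECTOR, b"\x00")


# Classic MBR disk: a two-byte stand-in for bootstrap code (jmp $) plus one bootable NTFS-type entry.
SAMPLE_MBR_IMAGE = _mbr_sector(b"\xEB\xFE", [(0x80, 0x07, 2048, 204800)]) + bytes(SECTOR)
# GPT disk: all-zero code region, protective 0xEE entry, valid GPT header at LBA 1.
SAMPLE_GPT_IMAGE = _mbr_sector(b"", [(0x00, PROTECTIVE_MBR_TYPE, 1, 0xFFFFFFFF)]) + _gpt_header_sector()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # A raw image file, or (assumption, elevated prompt on Windows) a device path like r"\\.\PhysicalDrive0".
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(2 * SECTOR)
    else:
        data = SAMPLE_GPT_IMAGE
    print(classify_disk(data))
```

Run it with no argument to see the constructed GPT sample classified, or pass an image file. The useful defensive habit is the hash: record `boot_code_sha256` on a freshly installed MBR disk and re-check it later, since an MBR bootkit must change those 446 bytes to get control before Windows starts. On a GPT/UEFI disk the same region is expected to be all zero or unused, and a failing header CRC is a sign the partition table has been altered or damaged.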


