"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:i44kh0011hs@news2.newsguy.com:

> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
>| "~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
>| news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d@bt.com...
>>> Dustin wrote:
>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d@bt.com:

>
>>>>> Dustin wrote:
>>>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d@bt.com:

>
>>>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>>>> anti-virus programme on an already compromised machine is, in
>>>>>>> all probability, a futile exercise*.

>
>>>>>> LOL, you would certainly be in the minority if you think I was
>>>>>> wrong in the advice I provided concerning malware.

>
>>> [....]

>
>
>>> What FTR actually said .....

>
>>> "True, it could be installed and be kept from accessing certain
>>> areas by a rootkit".

>
>>> Do you *really* disagree with that?

>
>| One thing you are apparently not getting the significance of is
>| that the "installation software" for the proposed AV that you want
>| to install on the "compromised" machine likely has its own
>| detection software for known malware (including some rootkits)
>| *and* rootkit detection software that alerts to inconsistencies in
>| what is presented through APIs to the other tools due to filter
>| drivers and the like.
>
>| It may be impossible to install such AV programs on a "compromised"
>| machine, if the preinstallation detection software is aware of, yet
>| not capable of removing detected malicious activity - it may tell
>| you that you need to address the other issue before attempting to
>| install that software (I'm not aware of this actually happening
>| though).
>
>| The most likely scenario is that the installation goes off smoothly
>| without a hitch on *most* compromised machines (removing the
>| compromise in the process) - which, I believe, is Dustin's point.
>
>
> That's a case of an in situ installation of a fully installed AV
> solution.
>
> That's not the case of the hard disk being removed and placed
> within a surrogate.


Well, once you remove the host drive and take the suspect bad host out
of the equation, it does make life easier for hunting malware. :P

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
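The "inconsistencies in what is presented through APIs" that FTR refers to above is the cross-view idea behind most rootkit scanners: take one enumeration through the normal high-level API, take a second through an independent path (a raw volume read, a kernel structure walk, or a scan from a surrogate host as Lipman describes), and report whatever only one side sees. The block below is an added example written for this post, not code from any poster or product; the two file listings and two process listings are constructed sample data, and `cross_view_diff`, `Discrepancy` and the `transient` allow-list are names chosen here.

```python
"""Cross-view inconsistency check (added example, constructed data).

Compares a high-level API view of files or processes with an independent
raw view and reports entries that appear in only one of them. An entry in
the raw view but absent from the API view is the classic rootkit
signature; the reverse usually means a snapshot race (something was
created between the two enumerations), so it is reported separately.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str            # "file" or "process"
    name: str
    hidden_from_api: bool  # True: raw view sees it, API view does not


def cross_view_diff(kind, api_view, raw_view, transient=frozenset()):
    """Return sorted discrepancies between two views of the same object set.

    Names in `transient` (temp files, short-lived helper processes) are
    expected to differ between two snapshots and are ignored as noise.
    """
    api = {n.lower() for n in api_view} - {t.lower() for t in transient}
    raw = {n.lower() for n in raw_view} - {t.lower() for t in transient}
    found = [Discrepancy(kind, n, True) for n in sorted(raw - api)]
    found += [Discrepancy(kind, n, False) for n in sorted(api - raw)]
    return found


def hidden_only(discrepancies):
    """Keep just the entries the API could not see: the ones worth an
    offline look from a clean surrogate host."""
    return [d for d in discrepancies if d.hidden_from_api]


# Constructed sample views (placeholders, not real malware names).
API_FILES = ["ntoskrnl.exe", "hal.dll", "tmp_setup.log"]
RAW_FILES = ["ntoskrnl.exe", "hal.dll", "hidden_driver_example.sys"]

API_PROCS = ["explorer.exe", "svchost.exe", "scanner_helper.exe"]
RAW_PROCS = ["explorer.exe", "svchost.exe", "hidden_proc_example.exe"]

TRANSIENT = frozenset({"tmp_setup.log", "scanner_helper.exe"})


def run_check():
    """Run both comparisons and return (all discrepancies, hidden entries)."""
    found = cross_view_diff("file", API_FILES, RAW_FILES, TRANSIENT)
    found += cross_view_diff("process", API_PROCS, RAW_PROCS, TRANSIENT)
    return found, hidden_only(found)


if __name__ == "__main__":
    all_found, hidden = run_check()
    for d in all_found:
        state = "hidden from API" if d.hidden_from_api else "seen only by API"
        print(f"{d.kind:8} {d.name:28} {state}")
    print(f"{len(hidden)} entr{'y' if len(hidden) == 1 else 'ies'} hidden from the API view")
```

The allow-list matters in practice: without it every transient temp file or the scanner's own helper process shows up as a false "hidden" entry, which is the kind of noise that makes an in situ scan on a live box harder to read than a scan of the drive from a surrogate.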