David H. Lipman wrote:
> From: "Daave" <daave@example.com>
>
>> David H. Lipman wrote:
>>> If you scan a suspect hard drive through a surrogate PC, it will
>>> find malware that may well be hidden and protected via RootKit
>>> techniques more readily. But it will do so ONLY at the file level
>>> of the suspect hard drive. Any scanning of the Registry is the
>>> Registry of the surrogate PC and not the Registry of the OS the
>>> suspect drive represents.
>
>> This confuses me. If I scan the *entire* drive, am I not by
>> definition scanning the registry on the suspect drive? The registry
>> I'm pretty sure would be here:
>
>> E:\WINDOWS\system32\config
>
>> Data is data, no?
>
>
> No. In fact the User Hive isn't there, it is in the User's Profile.
>
> The OS of the surrogate PC can't tell that the suspect hard disk is
> from another computer or just another drive for the surrogate.
> Therefore the anti malware scanner will scan the surrogate OS'
> Registry and not the Registry of the affected drive.
>
> Example: Take an Outlook PST. The vast majority can not by
> themselves scan a PST. You have to load MS Outlook and a MAPI
> compliant AV scanner and THEN you can scan the contents of the PST.
Didn't know that. Thanks for the explanation.
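Added example, not part of the original posts: on a suspect drive mounted in a surrogate PC, the registry exists only as hive files (the machine hives under the `WINDOWS\system32\config` path quoted above, and each user's `NTUSER.DAT` in the profile directory), so an examiner has to locate and open those files directly rather than rely on the surrogate's registry APIs. The function names, the hive list and the two profile directory names are assumptions of this sketch, which checks each candidate for the `regf` header and reports whether its two sequence numbers disagree (hive not cleanly flushed).

```python
import struct
from pathlib import Path

SYSTEM_HIVES = ("SYSTEM", "SOFTWARE", "SAM", "SECURITY", "DEFAULT")
PROFILE_ROOTS = ("Documents and Settings", "Users")  # assumed profile layouts

def _child(parent, name):
    """Case-insensitive child lookup, so this also works on a Linux mount."""
    if parent is None or not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None

def read_hive_header(path):
    """Return (dirty, last_written_filetime) for a regf file, else None."""
    with open(path, "rb") as fh:
        head = fh.read(20)
    if len(head) < 20 or head[:4] != b"regf":
        return None  # named like a hive but not one: worth a closer look
    # Offsets 4 and 8: primary/secondary sequence numbers; 12: FILETIME.
    seq1, seq2, filetime = struct.unpack_from("<IIQ", head, 4)
    return (seq1 != seq2, filetime)

def find_offline_hives(mount_root):
    """Map every hive file found on the mounted suspect volume to its header."""
    root = Path(mount_root)
    config = root
    for part in ("WINDOWS", "system32", "config"):
        config = _child(config, part)
    candidates = [_child(config, name) for name in SYSTEM_HIVES]
    for root_name in PROFILE_ROOTS:
        profiles = _child(root, root_name)
        if profiles is not None and profiles.is_dir():
            # The per-user hive lives in each profile, not in system32\config.
            candidates += [_child(p, "NTUSER.DAT") for p in profiles.iterdir()]
    return {h: read_hive_header(h) for h in candidates if h and h.is_file()}

if __name__ == "__main__":
    import sys
    # Usage: python find_hives.py E:\   (the suspect drive's mount point)
    for hive, info in find_offline_hives(sys.argv[1]).items():
        print(hive, info)
```
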