Remote Offline Malware Scan
October 20, 2011 9:43 PM
Remote offline malware scan; What would be the best tool / technique to complete such a scan correctly & completely?
Overview:
I'm currently managing the IT for a small business (system administration, web design, etc.), and I find myself needing to take at least one computer in the office offline on a weekly basis to do an offline (ClamAV) malware scan. It had been rooted in the past and I'm unable to do a reinstall at this time (they've had no IT person for at least ~6 years, don't know where their install disks are, etc.).
For the past several months I've been doing triage (getting backups running, cleaning computers, getting their web site out of the 90's, etc) and am planning to make a move to the south (several hundred miles) and won't be available to do the in person maintenance.
I have them set up with my favorite remote management tool (LogMeIn, thank you MetaFilter!) on their machines. So the day-to-day concerns (verifying backups, installing / uninstalling software, verifying updates, etc.) can be completed remotely. The owner has okayed going "completely remote" if I can demonstrate that I can complete an offline scan remotely on the affected computer going forward.
So, how would I complete this task with the least effort / danger of a non-bootable machine?
Current Efforts:
There are quite a few strong contenders for offline scanning above and beyond Clam:
Microsoft Malware Removal Starter Kit
Secured2k BootCD - Malware/Rootkit Removal
avast! Linux Home Edition
And others.
A method I've found that would work would be a local server running a PXE server; the computers support WOL (Wake On LAN), so they could be remotely "woken" and booted into a PXE image of "something" that would do an offline scan.
Each of the above solutions supports at least SSH (being Linux); I could also remotely manage both the server and the booted clients via NoMachine.
This would be even better if there's a reasonable hardware / software work-a-like:
Intel Shows RealVNC Embedded In the BIOS
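The WOL-then-PXE-scan sequence the question describes, as an added example that is not from the thread or any of the tools named: it builds and broadcasts the Wake-on-LAN magic packet, waits for the live scanner image's sshd to come up, and then runs a read-only ClamAV scan of the Windows disk over ssh. The MAC address, broadcast address, hostname and the /mnt/windows mount point are constructed assumptions.

```python
"""Wake a PXE-capable office PC, wait for the live image's sshd, scan over ssh.
Constructed example; MAC, subnet, hostname and mount point are assumptions."""
import socket
import subprocess
import time

MAGIC_PREFIX = b"\xff" * 6  # standard magic-packet header


def wol_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet: 6 x 0xFF followed by the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return MAGIC_PREFIX + raw * 16


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet on UDP port 9 (the NIC listens while the OS is off)."""
    pkt = wol_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


def wait_for_ssh(host: str, timeout: float = 300.0, port: int = 22) -> bool:
    """Poll until the PXE-booted live image accepts TCP connections on sshd."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=5):
                return True
        except OSError:
            time.sleep(5)
    return False


def clamscan_command(host: str, mount_point: str = "/mnt/windows") -> list:
    """ssh command running clamscan on the offline disk; it only reports, so the
    log can be reviewed (and the ddrescue image taken) before anything is removed."""
    return ["ssh", f"root@{host}", "clamscan", "-r", "-i",
            "--log=/tmp/clamscan.log", mount_point]


if __name__ == "__main__":
    send_wol("00:11:22:33:44:55", broadcast="192.168.1.255")  # assumed MAC / subnet
    if wait_for_ssh("office-pc1"):  # assumed hostname handed out by the PXE server
        subprocess.run(clamscan_command("office-pc1"), check=False)
```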
The Trinity Rescue Kit is a command-line live CD with a bunch of virus scanners, a ssh server, and support for running from RAM, booting secondary copies of itself via PXE built in.
It's not distributed with the virus scanners, most of which are free to use but not redistributable; instead, it comes with a script to collect the scanners from their own distribution servers, then incorporate them into a custom ISO for your own use. If you tweak syslinux.cfg before running that script, you can make the resulting custom ISO boot up using any set of menu options you like.
So provided you're not using network boot for anything else, and you can set up your problematic server's BIOS to try a PXE boot first, all you'd need to do to take it down for an offline scan (or any other maintenance via ssh) is turn on another machine somewhere on your network that boots from your customized TRK live CD, then restart the target server.
posted by flabdablet at 11:27 PM on October 20, 2011
I'm all for flabdablet's sage advice, because it supports your goal of going 100% remote at no out of pocket cost, if you're lucky enough to have a PXE compatible BIOS, and some network available image to re-install, if your TRK scanners don't fix your issues.
But if you've never rebuilt the offending machine from bare metal, because of lack of Windows license materials and known service packs/security update materials, you simply can't say, for sure, that you've got a trustworthy, much less a trusted, machine. 'Twere me, with future money and long term client relationships at stake, I'd probably just buy a Windows client license key and application license key (if needed) off a reliable Internet sales site, and put it all on a fresh, known good HD. Altogether, this is, at most, $150 and 2 hours of your time, for 100% known result. Less than you'll pay to get any new client, I'm pretty sure...
posted by paulsc at 12:36 AM on October 21, 2011
Response by poster: @flabdablet
"The Trinity Rescue Kit..."
Yep, exactly what I use. Can't really beat it for what I use at the office. It's a little buggy at the moment with updating and rebuilding itself; that's why I was going to attempt those other offline scanners as well, to see if something more stable would be helpful.
@paulsc
"...if you're lucky enough to have a PXE compatible BIOS, and some network available image to re-install, if your TRK scanners don't fix your issues."
PXE BIOS and WOL BIOS capable, rather nice mid-range Dells.
Bless you ddrescue. I do an image to our 2TB share on the network before doing any major cleaning, just in case something breaks. This too can be done remotely, just have to configure the smbclient calls from bootable OS to mount the share and rip it over the network.
"...you simply can't say, for sure, that you've got a trustworthy..."
I know that for a fact as I occasionally find the odd nasty in the pagefile, or similar (which I never fail to bring up to the owner: privacy concerns, malware is not good for business, your data is at risk! etc, etc).
"Altogether, this is, at most, $150 and 2 hours of your time..."
A bit more expensive than that, their applications aren't cheap and they use quite a few of them: Wordperfect, Microsoft Word, EzFile, etc. I'd need those to remake the computer to be usable for their office at the very least. They don't have money for much, paying me is quite a burden and I come cheap!
posted by Pontifex at 1:13 AM on October 21, 2011
Kaspersky's Rescue CD might be something handy to have ready to use at their site. It's one of the more straightforward anti-virus rescue CDs I've come across (read: user friendly).
I also wanted to mention that you're probably fighting this fire from the wrong end of the hose (e.g. remediation instead of prevention). Are you in a position to help limit rights on these PCs so they're not administrators by default? Also, is this a Windows 7 environment? (lots of good recovery options for this OS).
If you're interested in securing down these PCs and making them MUCH less prone to malware, I've written a guide in my profile that may be helpful in your situation. (yea yea, I know, shameless plug...but it beats having to rewrite it all in a post response!)
posted by samsara at 12:40 PM on October 21, 2011
Best answer: Answered here with remote management tools:
Remote Computer Management: "Computer Shim"?
aka
Out-of-band management
aka
KVM IP.
Most support mounting "removable media" in an emulated optical drive, which can then be leveraged into booting in a Live File System to do the offline scanning here.
posted by Pontifex at 7:02 PM on December 22, 2011
Now all that said, the company makes its money with enterprise and network tools, including remote management and anti-malware tools. So if you're looking around and shopping anyway, I'd suggest taking a look at Emco. I've been a user for years and years and have always been happy with the products and the service.
posted by sardonyx at 10:16 PM on October 20, 2011