[41515] in Resnet-Forum


Re: Malware Live CD removal anyone?

daemon@ATHENA.MIT.EDU (Al Poracky)
Fri Jan 13 14:01:47 2017

Message-ID:  <CA+5+GYC8JunUpLfz_idttLxuKWXRmPxVAs6FHHow8is6q6BmUg@mail.gmail.com>
Date:         Fri, 13 Jan 2017 10:58:38 -0600
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Al Poracky <al.poracky@VALPO.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <CANajV=MgEtxtGzNEKQ2DeuSue2of4_ZeEBLpQN03o2vOO9TspA@mail.gmail.com>

Just want to throw this out there for the folks downloading Malwarebytes
free version.  I copied this from the MWB site.

Thanks

*(a) Malwarebytes for Home – Free & Paid.*
If you are a Malwarebytes for Home user, and whether you have a free or
paid license, this Section 2(a) applies. Your license permits you to use
the Software solely for your personal, non-commercial purposes; the
Software may not be used on any Device that is used in a business or for
business purposes. Once Executed on a Device, you may transfer the Software
to a different Device, provided that you uninstall and remove the Software
from the first Device. You may not combine the Software with any third
party script, application, hardware or tools which would cause it to run on
an automated or unattended basis. You may not transfer the Software to a
different user, except that once installed onto a Device, the Software may
be operated by any person directly using the Device (i.e., not remotely),
provided that you are responsible for each such person's operation of the
Software. You may make one copy of the Software for back-up or archival
purposes, or copy the Software onto the hard disk of your Device and retain
the original for back-up or archival purposes.



On Fri, Jan 13, 2017 at 7:02 AM, Hall, Rand <hallr@merrimack.edu> wrote:

> Hi Mike,
>
> Go with your true gut and nuke those machines. Use it as the basis for a
> few good discussions. Leverage the rebuild pain and you'll come away with
> much more than a lab full of machines that *might* be clean.
>
> 1) Why is it that we usually nuke machines? (because we can't guarantee
> cleanliness)
> 2) Why is it that we have that opinion for single machines but are willing
> to compromise on a whole lab full?
> 3) What does "cleaning" do for your credibility (on that and other issues)
> with all of the people you've been preaching "nuke" to?
> 4) How'd the image get compromised? (Maybe the most important question)
> 5) How do we know other images are not compromised?
> 6) Is the current deployment method still workable or does it need to be
> revisited? (thin, layered, virtualized apps, etc)
> 7) Is all of the software necessary? (not a question that is usually easy
> to ask politically but you may be able to get some mercy from fence-sitters
> who might say, "Well, I guess I don't need that anymore")
>
> Sounds good in theory, I know! :-)
>
> Hard work. Good luck to you.
>
>
> Rand
>
> Rand P. Hall
> Director, Network Services                 askIT!
> Merrimack College
> 978-837-3532 <(978)%20837-3532>
> rand.hall@merrimack.edu
>
> If I had an hour to save the world, I would spend 55 minutes defining the
> problem and five minutes finding solutions. – Einstein
>
> On Thu, Jan 12, 2017 at 11:36 AM, Mike King <me@mpking.com> wrote:
>
>> So we've just had something happen that hasn't happened in a long time.
>>
>> We had a lab image have a virus on it, and a very large lab was deployed
>> with the image.
>>
>> Of course, the lab has a lot of custom software that was not scripted, but
>> hand installed, so the usual answer of Nuke it and rebuild is going to be
>> extremely painful.
>>
>> We haven't tried to clean boxes in a long time; what is everyone's
>> favorite tool set?
>>
>> (I don't have the exact virus right now)
>> ___________________________________________________ You are subscribed
>> to the ResNet-L mailing list.
>>
>> To subscribe, unsubscribe or search the archives, go to
>> http://LISTSERV.ND.EDU/archives/resnet-l.html
>> ___________________________________________________
>>
>
>



-- 
*Albert M. Poracky *
*Manager of Technical Support*
*Office of Information Technology*
*Valparaiso University*
*Staff Employee Advocacy Council*
*al.poracky@valpo.edu* <al.poracky@valpo.edu>
*219-464-6650*

