[41516] in Resnet-Forum
Re: Malware Live CD removal anyone?
daemon@ATHENA.MIT.EDU (Mike King)
Fri Jan 13 21:39:09 2017
Message-ID: <CANtPpk4YZM=6T8WP4K316C5jswCT2JwckXugu1UsHSeXjE9now@mail.gmail.com>
Date: Fri, 13 Jan 2017 22:45:22 +0000
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Mike King <me@MPKING.COM>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <CA+5+GYC8JunUpLfz_idttLxuKWXRmPxVAs6FHHow8is6q6BmUg@mail.gmail.com>
Thanks guys.
We ended up with Bitdefender offline, it removed it quickly.
We're recreating the lab image, and scripting the software install. The
"cleaned" lab will do while we prepare the correct way.
On Fri, Jan 13, 2017, 2:01 PM Al Poracky <al.poracky@valpo.edu> wrote:
> Just want to throw this out there for the folks downloading Malwarebytes
> free version. I copied this from the MWB site.
>
> Thanks
>
> *(a) Malwarebytes for Home – Free & Paid.*
> If you are a Malwarebytes for Home user, and whether you have a free or
> paid license, this Section 2(a) applies. Your license permits you to use
> the Software solely for your personal, non-commercial purposes; the
> Software may not be used on any Device that is used in a business or for
> business purposes. Once Executed on a Device, you may transfer the Software
> to a different Device, provided that you uninstall and remove the Software
> from the first Device. You may not combine the Software with any third
> party script, application, hardware or tools which would cause it to run on
> an automated or unattended basis. You may not transfer the Software to a
> different user, except that once installed onto a Device, the Software may
> be operated by any person directly using the Device (i.e., not remotely),
> provided that you are responsible for each such person's operation of the
> Software. You may make one copy of the Software for back-up or archival
> purposes, or copy the Software onto the hard disk of your Device and retain
> the original for back-up or archival purposes.
>
>
>
> On Fri, Jan 13, 2017 at 7:02 AM, Hall, Rand <hallr@merrimack.edu> wrote:
>
> Hi Mike,
>
> Go with your true gut and nuke those machines. Use it as the basis for a
> few good discussions. Leverage the rebuild pain and you'll come away with
> much more than a lab full of machines that *might* be clean.
>
> 1) Why is it that we usually nuke machines? (because we can't guarantee
> cleanliness)
> 2) Why is it that we have that opinion for single machines but are willing
> to compromise on a whole lab full?
> 3) What does "cleaning" do for your credibility (on that and other issues)
> with all of the people you've been preaching "nuke" to?
> 4) How'd the image get compromised? (Maybe the most important question)
> 5) How do we know other images are not compromised?
> 6) Is the current deployment method still workable or does it need to be
> revisited? (thin, layered, virtualized apps, etc)
> 7) Is all of the software necessary? (not a question that is usually easy
> to ask politically but you may be able to get some mercy from fence-sitters
> who might say, "Well, I guess I don't need that anymore")
>
> Sounds good in theory, I know! :-)
>
> Hard work. Good luck to you.
>
>
> Rand
>
> Rand P. Hall
> Director, Network Services askIT!
> Merrimack College
> 978-837-3532
> rand.hall@merrimack.edu
>
> If I had an hour to save the world, I would spend 55 minutes defining the
> problem and five minutes finding solutions. – Einstein
>
> On Thu, Jan 12, 2017 at 11:36 AM, Mike King <me@mpking.com> wrote:
>
> So we've just had something happen that hasn't happened in a long time.
>
> We had a lab image have a virus on it, and a very large lab was deployed
> with the image.
>
> Of course, the lab has a lot of custom software that was not scripted, but
> hand installed, so the usual answer of Nuke it and rebuild is going to be
> extremely painful.
>
> We haven't tried to clean boxes in a long time; what is everyone's
> favorite tool set?
>
> (I don't have the exact virus right now)
> ___________________________________________________ You are subscribed to
> the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
>
> --
> *Albert M. Poracky *
> *Manager of Technical Support*
> *Office of Information Technology*
> *Valparaiso University*
> *Staff Employee Advocacy Council*
> *al.poracky@valpo.edu*
> *219-464-6650*