[27059] in resnet
Re: Virus removal training
daemon@ATHENA.MIT.EDU (Doughty, Marc)
Tue Nov 22 17:22:06 2011
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=bcaec520e875e484c804b25a34d6
Message-ID: <CAEPWjzsoLGQdT9mNAP760FdERhVjc9_4BeHn57FSdFdXCm2gfg@mail.gmail.com>
Date: Tue, 22 Nov 2011 17:20:10 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Doughty, Marc" <marc_doughty@brown.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <4ECBAD92020000AB00015467@gwiaclients.wooster.edu>
--bcaec520e875e484c804b25a34d6
Content-Type: text/plain; charset=ISO-8859-1
Greetings,
I just wrote this up a few weeks ago; it takes virtually ALL of the
'teaching' out of it. Plus, it catches rootkits that antivirus on an
already-infected machine won't.
First, make an x86 Windows PE boot disk <http://www.windowspcguy.net/?p=71>
using the WAIK, then mount it and drop this into
\Program Files\virusscan.cmd on the mounted WIM:
@ECHO OFF
REM Runs from the WinPE RAM disk (X:), where the boot image is mounted.
X:
CD "X:\Program Files"
ECHO Downloading current Microsoft Security Scanner...
REM curl.exe lives in X:\Program Files\curl\ on the boot image.
curl\curl.exe -o msert.exe http://definitionupdates.microsoft.com/download/definitionupdates/safetyscanner/x86/msert.exe
ECHO Launching Microsoft Security Scanner in 'full scan, auto-clean' mode...
REM /F:Y = force a full scan and clean automatically without prompting.
msert.exe /F:Y
You'll also need to drop 'curl' <http://curl.haxx.se/download.html>
into \Program Files\
For the quick and dirty: This is a script you put on a boot disk that
downloads the latest Security Scanner from Microsoft and runs it in 'full'
mode. Using a read-only boot disk or removing the drive and scanning it on
a known-clean computer are the only ways to really be confident that your
'antivirus sweeps' are removing entrenched rootkits.
To launch it, you boot to the boot disk, then run 'X:\Program Files\virusscan.cmd'
- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way
vessel."
On Tue, Nov 22, 2011 at 2:11 PM, John Shatzer <jshatzer@wooster.edu> wrote:
> Has anyone developed a way to teach students virus removal by infecting
> a computer and having them pull it off? I was trying to develop a more
> hands-on training model.
>
> John Shatzer
> User Support Specialist
> The College of Wooster
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
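The script below is an added example, not part of Marc's post or of any Microsoft tooling. It keeps the same flow (boot WinPE, fetch msert.exe with curl, run it with /F:Y) but refuses to proceed unless the download actually succeeded and the downloaded binary carries a valid Authenticode signature. Scanning from a clean boot disk only buys you something if the scanner itself is not what got tampered with, and a plain-HTTP download gives no integrity on its own. It assumes signtool.exe (from the Windows SDK) has been copied to \Program Files\signtool\ on the WIM next to curl, and takes an optional first argument naming a writable directory (a USB stick, say) to keep the scan log; both of those are assumptions, not anything the original requires.

```batch
@ECHO OFF
SETLOCAL
REM Added example: the posted virusscan.cmd flow with failure checks.
REM The WinPE RAM disk is X:. curl.exe lives in X:\Program Files\curl\ as in
REM the original; signtool.exe in X:\Program Files\signtool\ is an assumption
REM (copy it from the Windows SDK onto the WIM yourself).
REM Optional %1: a writable directory (e.g. a USB stick) to keep the scan log.
X:
CD "X:\Program Files"
SET "SCANNER_URL=http://definitionupdates.microsoft.com/download/definitionupdates/safetyscanner/x86/msert.exe"
SET "RESULTS_DIR=%~1"

ECHO Downloading current Microsoft Safety Scanner...
REM -f  : an HTTP error such as 404 is a failure; don't save the error page as msert.exe
REM -L  : follow redirects so a moved download still lands
REM -sS : no progress bar, but still print errors
curl\curl.exe -f -L -sS -o msert.exe "%SCANNER_URL%"
IF ERRORLEVEL 1 (
    ECHO Download failed; nothing was run.
    EXIT /B 1
)

ECHO Verifying Authenticode signature on msert.exe...
REM Plain HTTP gives no integrity at all. signtool verify /pa applies the
REM default Authenticode policy; /q keeps it quiet. A missing, broken or
REM untrusted signature returns non-zero. This proves the file is intact and
REM signed by a publisher the WinPE root store trusts; run "signtool verify
REM /pa /v msert.exe" by hand if you want to see that the signer is Microsoft.
signtool\signtool.exe verify /pa /q msert.exe
IF ERRORLEVEL 1 (
    ECHO msert.exe failed signature verification; refusing to run it.
    DEL msert.exe
    EXIT /B 2
)

ECHO Launching Microsoft Safety Scanner in 'full scan, auto-clean' mode...
REM /F:Y = force a full scan and clean automatically without prompting.
msert.exe /F:Y
SET "SCAN_RC=%ERRORLEVEL%"
ECHO msert.exe exited with code %SCAN_RC%.

REM msert writes its report to %SystemRoot%\debug\msert.log. Under WinPE that
REM is the RAM disk (X:\Windows\debug) and is gone after reboot, so copy it off
REM before you power down if you want evidence of what was found and removed.
IF NOT "%RESULTS_DIR%"=="" IF EXIST "%SystemRoot%\debug\msert.log" (
    COPY /Y "%SystemRoot%\debug\msert.log" "%RESULTS_DIR%\msert.log" >NUL
    ECHO Scan log saved to %RESULTS_DIR%\msert.log
)
ENDLOCAL
```

Usage is the same as before, with an optional destination for the log: boot to the disk and run 'X:\Program Files\virusscan.cmd E:\scanlogs'. If curl or signtool is missing from the WIM the script exits at the first check rather than running an unverified binary.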
--bcaec520e875e484c804b25a34d6--