oiaohm wrote:
> James McKenzie
>
>
>> Actually, if a Linux or Windows system gets 'infected' it gets 'blown
>> away'. That is because you cannot ever be certain that all affected
>> files were removed, no matter what OS. Now, you can image any OS and
>> 'blow' it onto an empty hard drive. This is done all the time in
>> industry. The point is that there is a complete product suite to
>> monitor Windows systems, called SCCM/SCOM. I don't know of a similar
>> product for Linux, but there has to be one. This is where money is
>> really made....
>>
>
>
> Myths again. There is more than one way to clear a system, i.e. blow it away. On Linux you can compare all application files installed on a system to the packages they came from, and user data to backups, and put user data through executable code clearing. I.e. only stuff without macros, scripts... is left. It's kinda impossible to sneak past a binary compare audit. This can be done due to Linux's package management. This is boot loaders, kernels, libs, everything.
>

I'm not disputing what you are saying. I'm studying for my CISSP and I have over 20 years of playing around with computers (try 29 to be exact). However, the ONLY sure way to entirely remove a virus is to junk the computer and get another one. That being said, you really don't expect a company with 500+ computers to do this. The next best thing is to hit up the computer stores, get enough hard drives to replace those in the infected machines, swap them out and build new systems.

> All altered files from the infected system can be archived. I.e. this reduces the size of the data to back up from an infected system, to prevent the infection causing data loss.
>

HUH? You should NEVER back up an infected file. However, what you are suggesting is NOT a best practice, by far. You replace the drive, reload and recover from a non-infected backup. Best practice is to pull the hard drive from a live system (this can be done). Then you replace the drive, build on top and restore, restore, restore.

This is what I did when I was infected. Sadly, I had to run through three backups before all was well. And yes, you can figure out what files belong to what application. When you are talking industry, we don't have the time. If you fail, you have less than 24 hours to be back up. Otherwise, and unless you occupy a real niche, you might as well close down completely. 9/11/2001 taught a lot of companies this lesson.

As to using Wine, it is not a sandbox. Thus you can get a Windows virus or worm infection and keep on keeping on. Thus some sort of Windows-based AV is necessary until the solution you stated is ready, tested and accepted. The OP does and continues to have a valid point. What good is Wine if it emulates Windows XP too well and it cannot stop the bad guys from continuing to spread their 'badness'? The simple explanation is that we are dealing with a broken operating system that is like a good sieve. It stops only the big chunks of food, but the 'water' will flow through. The best program is user education. That stops 99% of the badness from getting through. Sort of like adding several layers of cheesecloth to the sieve.

BTW, in the early 1990s, NSA rated Windows NT 3.51 SP 2 as safe. All you had to do was remove the NIC, floppy and CD drives. No USB transmission was allowed, no modems. Basically no outside connections of any kind. In this day, this would not be a very productive machine.

Very respectfully,

James McKenzie
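The "binary compare audit" argued over above (comparing every installed file against the package it came from) is what tools like `debsums` and `rpm -Va` do. The script below is an added example of that check, not code from either poster or from any distribution. It assumes a dpkg-style manifest of `<hash>  <relative path>` lines, and it assumes the suspect disk is mounted read-only under some directory from a trusted boot medium, with the manifest taken from the pristine package archive rather than from the suspect disk's own `/var/lib/dpkg/info` (which an intruder could have edited along with the binaries). The fixture it audits is constructed inline, with one trojaned binary, one deleted library and one dropped, unpackaged file.

```python
"""
Binary-compare audit of an offline-mounted Linux tree against package
manifests.  Constructed example: hypothetical paths and fixture data,
not the thread's or any distribution's own code.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse dpkg-style '<hash>  <relative path>' lines into {path: hash}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def hash_file(path, algo):
    """Stream a file through hashlib; algo is whatever the manifest used."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root, expected, algo="md5", watch_dirs=("bin", "sbin", "lib", "boot")):
    """Compare the tree under root against the manifest.

    root:       mount point of the *unbooted* suspect disk (assumption: the
                audit runs from a trusted boot medium, never on the live host,
                since a rootkit on the running system can lie about file contents).
    watch_dirs: directories in which files absent from any manifest are
                reported, since dropped binaries/modules land there.
    Returns {'modified': [...], 'missing': [...], 'unlisted': [...]}.
    """
    root = Path(root)
    result = {"modified": [], "missing": [], "unlisted": []}
    for rel, digest in sorted(expected.items()):
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif hash_file(p, algo) != digest:
            result["modified"].append(rel)
    for d in watch_dirs:
        base = root / d
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and not p.is_symlink():
                rel = p.relative_to(root).as_posix()
                if rel not in expected:
                    result["unlisted"].append(rel)
    result["unlisted"].sort()
    return result


def build_demo():
    """Constructed fixture: a tiny fake root plus the manifest recorded
    before a simulated compromise."""
    root = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    files = {
        "bin/ls": b"#!/bin/sh\nexec /usr/bin/real-ls \"$@\"\n",
        "bin/ps": b"ELF-pretend-ps\n",
        "lib/libc.so.6": b"ELF-pretend-libc\n",
        "boot/vmlinuz": b"kernel-image\n",
    }
    lines = []
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    manifest = "\n".join(lines) + "\n"
    # Simulated compromise, applied after the manifest was recorded:
    (root / "bin/ps").write_bytes(b"ELF-pretend-ps-with-hidden-process-filter\n")  # trojaned
    (root / "lib/libc.so.6").unlink()                                             # removed
    (root / "lib/.hidden.so").write_bytes(b"dropped-rootkit-module\n")           # unpackaged
    return root, manifest


def run_demo():
    """Audit the constructed fixture and return the findings."""
    root, manifest = build_demo()
    return audit_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9s} {paths}")
```

The three result buckets map onto the thread's disagreement: `modified` and `missing` are what the package comparison catches, while `unlisted` is the part package manifests alone cannot settle, since a dropped file belongs to no package and has to be judged against a known-good image or backup. Configuration files under `/etc` and anything under home directories are expected to differ from the package and need the backup comparison the posters describe, not this check.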