As argued in Can You Clean a Virus?, you cannot count on malware removal tools to return a system to a trustworthy state. You must be prepared to reimage a system or have another mechanism at your disposal.
Reimaging / drive cloning applications (comparisons):
- Norton Ghost
- Acronis TrueImage
- Acronis True Image WD Edition
- Paragon Drive Backup Express
- Paragon Hard Disk Manager
- Paragon Backup & Recovery 10 Free
- an implementation of dd (such as the Windows-based implementation in FAU)
- Macrium Reflect Free
- DriveImage XML
- Seagate DiscWizard
- more alternatives
Alternatives to reimaging:
- Using system restore points is a convenient but incomplete measure.
- Caution: Installing and uninstalling software creates system restore points. You can exceed disk space available for restore points and age off the working restore points.
- To create a system restore point in Microsoft Windows Vista or 7: Computer, Properties, “Advanced system settings”, “System Protection” tab, “Create” button
- To restore a computer’s system files to a previous state in Microsoft Windows Vista or 7: Computer, Properties, “Advanced system settings”, “System Protection” tab, “System Restore” button
- Windows Recovery Environment (WinRE) is similarly a partial measure.
- Use a virtual machine, hosted within VMware, Microsoft Virtual PC or Sun VirtualBox.
- Use virtual system software, such as Returnil, SandboxIE, Altiris SVS or BufferZone Pro.
- Use a Windows embedded system, based upon Windows XPe, and use its enhanced write filter. A shut down and restart returns the system to its trustworthy state. Caution: This recovery measure is not to be confused with preventative or detective measures. Consider the case of a memory-resident worm in a call center, where the devices are based upon XPe and lack preventative measures (e.g., anti-virus with current signatures). You can expect the worm to saturate the call center quickly. Recovery requires turning off all XPe devices and any other device which may also be running the worm. Every one of them; double-check that you have not missed any. Now power them on in phases, since everyone logging in at once is seldom effective. Can you determine how the worm entered your environment? What steps can you take to prevent this from recurring?
- Use Microsoft’s Windows SteadyState software. “Windows SteadyState can return your computer and hard disk to its exact condition before the user touched it, simply by rebooting.” Caution: The XPe scenario applies here as well. Windows SteadyState is no longer supported.
- Use a repair utility, such as Shardana Antivirus Rescue Disk Utility (SARDU), AVG Rescue CD, The Complete PC Recovery Toolkit, eScan Rescue Disk 12.0.73 DB, or Spotmau PowerSuite Golden. Caution: Repair utilities aim for system stability, not system trustworthiness.
Note: Using a Windows embedded system based upon Windows CE would be a preventive measure. There are very few exploits of Windows CE. On this page I am listing recovery measures; measures you can implement that will enable you to return a compromised system to a trustworthy state.
For many individuals, the practical alternatives are limited and reimaging is not an option. That makes the use of system restore points an inferior but important measure that is fortunately quite simple.
Backup is not necessarily an alternative to reimaging. Backup is often designed with a “system crash” scenario in mind. BounceBack, for example, advertises:
Creates a duplicate copy of your computer’s hard drive on an external backup drive (including operating system, applications, user data and personal settings). Runs silently in the background to keep your backup drive updated, Set it and Forget it!
In this situation, a restore would return your system to the same untrustworthy state. The goal is to return your system to a trustworthy state, not a previous state.
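The difference between a backup and a reimage is that the image is captured at a known-good point and its integrity is checked before it is written back. The following shell script is an added example, not from the original post or any of the products it names; it assumes a dd that accepts `bs=`/`if=`/`of=` and a GNU `sha256sum` (falling back to `shasum -a 256`), and it treats the image plus a digest recorded at capture time as the baseline, refusing to restore an image whose digest no longer matches.

```shell
#!/bin/sh
# Golden-image helpers (constructed example). The digest recorded at capture
# time should be stored somewhere the imaged host cannot alter, otherwise a
# compromised system could rewrite both the image and its digest.

# digest FILE : print the SHA-256 of FILE using whichever tool is available
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# capture_image SRC IMAGE : clone SRC (a device or file) into IMAGE with dd and
# record IMAGE's SHA-256 beside it as IMAGE.sha256
capture_image() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    digest "$2" > "$2.sha256"
}

# verify_image IMAGE : succeed only if IMAGE still matches its recorded digest
verify_image() {
    [ -f "$1.sha256" ] || return 1
    recorded=$(cat "$1.sha256")
    actual=$(digest "$1")
    [ "$recorded" = "$actual" ]
}

# restore_image IMAGE DEST : write IMAGE back to DEST, but only after the
# image has been verified against the baseline digest
restore_image() {
    if ! verify_image "$1"; then
        echo "refusing to restore: $1 does not match its recorded digest" >&2
        return 1
    fi
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# Usage (on a real host, SRC/DEST would be block devices such as /dev/sdX):
#   capture_image /dev/sda /mnt/images/golden.img
#   restore_image /mnt/images/golden.img /dev/sda
```

A restore that fails verification means the baseline itself is suspect and must be recaptured from a system you trust, not restored anyway.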