... by not only Robert Spotswood but our happy colleagues from the Czech Republic and the Russian Federation was experienced by all at Saturday's meeting. I brought a pre-virused XP machine (infected basically by turning off all protection and heading for any address with .cz or .ru on the end) and technician Spotswood proceeded to examine it via a novel method I'd never seen demonstrated. As opposed to my earlier descriptions of the method (I didn't quite understand it), he indeed brought Linux into the picture but not via a second machine. He booted a Linux live CD (Knoppix? Mepis? I've forgotten) on the stricken machine and then used it to bring in (from a USB thumb drive) an application called Clam Antivirus. Clam is an open-source AV product maintained at http://www.clamav.org (we used the Linux version in this case, although I hear there's a somewhat limited Windows version as well).
Robert's writeup (current version) is located on his page:
http://www.spotswood-computer.net/
- and just scroll to the bottom and click on the title "Cleaning Windows With ClamAV"; it's PDF only last time I was there but HTML may be on the way.
Bottom line: assuming that your Windows machine is still OK hardware-wise, booting from the CD and running the antivirus app from the USB drive gives you a protected vantage point. The infected Windows installation is never running, so you can first observe and control the internal drive (where the infections live) and then run the signature comparison over it. Remember that this process depends entirely on a definitions file (a blacklist of patterns and hashes of known malware, not a list of filenames), so if somebody paid somebody to write a custom zero-day attack, this method wouldn't see it. It would, however, see the common rootkits and malapps on which such an attack could depend.
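What that procedure looks like at the live-CD shell, as an added example (my own script, not Robert's writeup or anything from the ClamAV project): the Windows partition is mounted read-only so nothing on it can run or be changed, clamscan is pointed at definitions carried in on the thumb drive, and the log is parsed afterwards. The device name /dev/sda1, the mount point /mnt/win, the database directory /media/usb/clamdb and the signature names in the sample log are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page: scan a Windows disk with
# ClamAV from a Linux live CD, without ever booting the infected system.
# Device, mount point and database location are assumptions; override them
# in the environment if your live CD sees the disk differently.

WIN_DEV="${WIN_DEV:-/dev/sda1}"            # assumed Windows system partition
WIN_MNT="${WIN_MNT:-/mnt/win}"             # where the live CD will see it
CLAM_DB="${CLAM_DB:-/media/usb/clamdb}"    # main.cvd/daily.cvd copied onto the thumb drive
SCAN_LOG="${SCAN_LOG:-/tmp/clamscan.log}"  # clamscan's own log of the run

# Mount the suspect partition read-only and with noexec/nosuid/nodev, so the
# live system can look at every file but nothing on the disk can execute or
# be altered while we inspect it. ntfs-3g also refuses read/write mounts of a
# hibernated NTFS volume, which read-only sidesteps.
mount_windows_ro() {
    mkdir -p "$WIN_MNT"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$WIN_DEV" "$WIN_MNT"
}

# Run the signature comparison over the mounted disk with the definitions we
# brought on the USB drive (no network needed). --infected prints only hits;
# pagefile/hiberfil are skipped because they are huge and not loadable code.
# clamscan exits 0 when clean, 1 when something matched, 2 on an error such
# as an unreadable database directory.
scan_windows() {
    clamscan --recursive --infected \
        --database="$CLAM_DB" \
        --log="$SCAN_LOG" \
        --exclude='pagefile\.sys$' \
        --exclude='hiberfil\.sys$' \
        "$WIN_MNT"
}

# Pull the detections out of a clamscan log. Each hit is reported on one line
# as "<path>: <signature> FOUND"; paths may contain spaces, so strip the
# trailing " <signature> FOUND" and the colon rather than splitting on blanks.
# Prints "<path><TAB><signature>" per hit.
list_found() {
    awk '/ FOUND$/ {
        sig = $(NF - 1)
        sub(/ [^ ]+ FOUND$/, "", $0)
        sub(/:$/, "", $0)
        print $0 "\t" sig
    }' "$1"
}

# Read "Infected files: N" from the scan summary at the end of the log; prints
# 0 when the line is missing (e.g. the scan was interrupted before the summary).
count_infected() {
    n=$(awk -F': ' '/^Infected files:/ { print $2 }' "$1")
    echo "${n:-0}"
}

# The whole procedure, only run when invoked as "sh clamboot.sh --run", so the
# functions above can be sourced and exercised without touching any disk.
run_all() {
    mount_windows_ro
    if scan_windows; then rc=0; else rc=$?; fi
    echo "infected files: $(count_infected "$SCAN_LOG")"
    list_found "$SCAN_LOG"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

Run it as root from the live CD with `sh clamboot.sh --run`; a non-zero exit means either hits (1) or that the database on the USB stick could not be read (2), and the FOUND lines in the log give the paths to go and look at on the still-mounted, still-read-only disk.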
Coming up next meeting (second Saturday of April) will be Robert Carlile's show that I've dubbed "A Trip Down Memory Lane", which exhumes various lost programs that still work today, either in Nix environments or something virtualized (he has a faster computer than mine, so he can do such things...)