Interesting MBAM and SAS scanning results.

rurbaniak

Had a user bring a desktop that was highly infected with spyware, and I wasn't able to work inside of windows, so slaved it up and began the trek of removal.

SuperAntiSpyware removed:

0 Memory
68 Files
4922 Registry


Malwarebytes:

52 Files.

Reattached the drive to the computer and booted up and was able to work again. Everything was definitely better, at first no sight of anything suspicious. So I installed SAS and MBAM on the computer because the guy has kids and told him I'd leave a couple of apps on it.

So normally I'd run through all the other apps AutoRuns, Hijackthis, etc. But decided to Run SAS again.

The results:

SAS finds an additional:

1 Memory
42 Files
165 registry


then MBAM found an additional:

20 registry
6 files


And this took about 4 hours of scanning time. Obviously when possible I'll install in windows and scan. BUT that being said, I am very very surprised that I'm needing to RESCAN once it's back in windows. Years of Antivirus scanning with slaved drives has always taken care of the problems completely.

In these cases, it's really going to extend the amount to fix, and HOPEFULLY everything comes out peachy because if not, then you're going into a reinstall and you've put way too many hours on it.

Any comments on this guys?
 
I'd say that when you had it slaved, you didn't have permissions on the folders so MBAM wasn't able to scan a lot of it.

NTFS permissions don't apply on a system that isn't mounted. I could see if the files or folders were encrypted or protected by another means, but they are not.
 
That's exactly the issue I'm having w/ laptop. Slaved drive but permissions wouldn't let me scan the profile folder. I've got a thread open on it, but I haven't had a chance to re-try the suggestions. I've got a feeling it's not as simple as suggested...
 
Okay, probably not a permissions issue then. Here's what I would do. Hook up the drive as slave again and do a windows file search for ALL files modified w/in the last year. When it's finished, sort it by date and start looking at the most recently modified system32 and "program files" files.
 
When I have to slave a hard drive in another system to do scans, once it is replaced and scanned in the original system, I've always found more viruses. Especially in the registry. The same applies when I've used a live CD such as Avira or UBCD4.
 
I got a response from MBAM on this:

MBAM was not designed to scan remote drives and this has been discussed many times on this site.
Mainly due to environment variables and registry locations that are not LIVE when you're in a slaved or PE environment.

From my understanding there currently is no plan to change this behavior.

I suppose SAS is probably the same way.
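As an added example, not from this thread or from MBAM/SAS: a PowerShell script that loads the slaved drive's SOFTWARE hive with `reg.exe load` so the Run/RunOnce autostart locations the MBAM reply says are "not LIVE" can be reviewed offline. It assumes the slaved drive is mounted at D: and that the session is elevated; both are parameters.

```powershell
# Added example (not the thread's own): list Run/RunOnce autostart entries from the
# SOFTWARE hive of a slaved (offline) Windows install, which a live-registry scan would
# normally read from HKLM but an offline scanner never sees.
# Assumptions: slaved drive mounted as D:, run from an elevated PowerShell session.
param(
    [string]$OfflineRoot = 'D:\Windows',   # assumed mount point of the slaved drive
    [string]$MountName   = 'OfflineSW'     # temporary key name under HKLM
)

$hivePath = Join-Path $OfflineRoot 'System32\config\SOFTWARE'
if (-not (Test-Path $hivePath)) { throw "SOFTWARE hive not found at $hivePath" }

# Map the offline hive under HKLM\OfflineSW for the duration of this script.
& reg.exe load "HKLM\$MountName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed (exit $LASTEXITCODE); is the session elevated and the hive not in use?"
}

try {
    $runKeys = @(
        "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKLM:\$MountName\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            # %SystemRoot%/%windir% in these values refer to the OFFLINE system, not the
            # host doing the scan; rewrite them so the path check looks at the slaved disk.
            $cmd = $p.Value -replace '%SystemRoot%', $OfflineRoot -replace '%windir%', $OfflineRoot
            [pscustomobject]@{
                Key     = $key.Replace("HKLM:\$MountName", 'HKLM\SOFTWARE')
                Name    = $p.Name
                Command = $cmd
            }
        }
    }
}
finally {
    [gc]::Collect()   # drop lingering registry handles so the hive can be unloaded
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Per-user autostart locations live in each profile's NTUSER.DAT and need the same load/unload treatment separately.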
 