Preparing for the worst with Windows 11...how do I use sysprep and restore client data?

@alexsmith2709

Microsoft has withdrawn its own PC Health Check tool until it can be appropriately updated. I saw the official announcement via a post by an admin named Corinne on Sysnative.

It's a false positive. There are far too many who've been using it that are of "some sophistication" when it comes to security issues and there has been no raising of any red flags. Also, and I'll say it again, if only 2 of 68 scanners flag something, regardless of the 2, I've never seen a single circumstance where that condition does not indicate a false positive. It's one of the things that makes VirusTotal such a powerful tool that you can see "who flags and who doesn't."
 
I trust Emsisoft. False positive or not.
It flagged as Trojan.GenericKD.37158995 (B)

I don't need the file so badly that I'd risk compromising my own PC, or my clients' PCs.
I'm not going to disable security to download it just to see what VirusTotal says.

I'm sure MS will have something like the Update Readiness Tool for this soon enough.
Interesting, because VirusTotal reports Emsisoft as passing on it.
 
Still dodgy even from whynotwin11.org and redirected to Github


Only because it's not signed. The program is written in AutoIt, a great Windows scripting program. That's the only reason why AV/browsers freak out. Downloading the .au3 file avoids all of that, and you can check the code to make sure it really isn't malware. But I'll probably just use the one MS has instead of this.

But AutoIt is great, and I wish AV wouldn't freak out when a program is compiled with it.
 
Only because it's not signed

Exactly. And anyone who expects that these sorts of utilities, crafted by individuals for themselves (most likely) and then kindly offered to the rest of us, to be signed is kidding themselves.

Unsigned and unsafe are not, and never have been, synonymous. Those of us who haunt this venue should know this better than many.
 
When I downloaded it from the shady .com site it was blocked as malicious. When I downloaded the exe from the github page it was not blocked and ran just fine.
 
Unsigned and unsafe are not, and never have been, synonymous. Those of us who haunt this venue should know this better than many.
Unfortunately, in the real world, it does not work like that. I had to digitally sign Fabs just because Norton kept flagging it as a trojan. Not a big deal now, but it's been a pain as I wasn't used to doing that.
 
Unfortunately, in the real world, it does not work like that. I had to digitally sign Fabs just because Norton kept flagging it as a trojan. Not a big deal now, but it's been a pain as I wasn't used to doing that.

I don't get how what you've said contradicts what I did, as I said nothing about whether various security suites consider something unsafe or not.

Your code was safe, by its design, before you digitally signed it. The digital signature is not what made it safe versus not safe. The presence of a digital signature is what made Norton, in this example, "change its mind."

The reality is that while digital signatures definitely have value, and I understand why they're desirable, unsigned and unsafe are not and have never been equivalent. Though even I'll admit that most malicious code is unsigned, but recent news shows there are exceptions to that, too.
 
I don't get how what you've said contradicts what I did, as I said nothing about whether various security suites consider something unsafe or not.

Your code was safe, by its design, before you digitally signed it. The digital signature is not what made it safe versus not safe. The presence of a digital signature is what made Norton, in this example, "change its mind."

The reality is that while digital signatures definitely have value, and I understand why they're desirable, unsigned and unsafe are not and have never been equivalent. Though even I'll admit that most malicious code is unsigned, but recent news shows there are exceptions to that, too.
In fact, there's no contradiction. That's just a fact. Apps get flagged if they're unsigned. AV editors just don't look further, so unsigned = evil in people's minds.
 
Unfortunately, in the real world, it does not work like that. I had to digitally sign Fabs just because Norton kept flagging it as a trojan. Not a big deal now, but it's been a pain as I wasn't used to doing that.
The difference is, you're selling a commercial product. Many, many pieces of software out there aren't sold as commercial products and therefore aren't worth going through the time and money to get signed. I use a lot of free software designed by one-man devs who don't sign their software. It's a good idea to run this kind of software in a VM the first time just to make sure it's not malicious, but it's not reasonable to expect every hobby developer to sign their software when it's just a volunteer project.
 
It’s an absolute necessity these days, because it’s not like developers haven’t been targeted by hackers who break into the server that distributes the software and replace it with a trojan. Signed software and published hash numbers help prevent that. Well until you let your keys get into the hands of hackers (looks at SolarWinds and Microsoft).
 
It’s an absolute necessity these days,

Sorry, but I'm with @sapphirescales on this one. There are millions of one-man/woman shows who put together a "throw together" utility for their own use, with a finite shelf life, that they're never going to bother to digitally sign.

WhyNotWindows11 is the perfect example of this.

It's up to individuals to decide whether the risk is worth it or not. But if I download something that's unsigned, and it passes muster with my security suite (and this does with Windows Security/Defender) then I'm confident that it will be OK. I know that I'm going to get a warning from SmartScreen when I try to run this sort of stuff, but if it wasn't flagged as malicious when downloaded, then I run.

It's not like I, or anyone, really, uses these kinds of things that are short term utilities on a constant basis. If something is long term, like the stuff put out by Nirsoft, that's a different story. But a "throw together" hosted on GitHub, I expect unsigned.
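The two posts above describe the vetting a downloaded utility gets before it is run: compare it against a published hash, look at whether it carries a signature, and note whether SmartScreen will have anything to say about it. The following PowerShell function is an added example of that check, written for this thread and not taken from WhyNotWin11, Microsoft or any poster. The file path and the expected SHA-256 are placeholders to be replaced with the values from the release page; the function name is made up.

```powershell
# Added example (not from the thread): collect the facts you need to make the
# "is this unsigned download OK to run" decision in one place.
# Assumptions: $Path points at the downloaded binary (placeholder path below),
# and $ExpectedSha256 is the hash the publisher posted with the release.
function Test-DownloadedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $result = [ordered]@{
        Path            = $Path
        Sha256          = $null
        HashMatches     = $null     # $null when no expected hash was supplied
        SignatureStatus = $null     # Valid, NotSigned, HashMismatch, ...
        Signer          = $null
        MarkOfTheWeb    = $false    # Zone.Identifier stream present?
        ZoneId          = $null     # 3 = Internet, 4 = Restricted
    }

    # 1. Hash the file and compare with the publisher's published value.
    #    A match ties this file to what the publisher released; it says
    #    nothing about whether the publisher's own copy is clean.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.Sha256 = $hash
    if ($ExpectedSha256) {
        $result.HashMatches = ($hash -ieq $ExpectedSha256.Trim())
    }

    # 2. Authenticode status. 'NotSigned' is not the same as malicious; it
    #    only means the signature check tells you nothing about origin.
    #    'HashMismatch' (signed, then modified) is the status that should
    #    stop you cold.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
    }

    # 3. Mark-of-the-Web: the Zone.Identifier alternate data stream is what
    #    SmartScreen keys on. If it is absent (Unblock-File, or a download
    #    tool that never set it) SmartScreen will not warn at all, so do not
    #    read silence as approval.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        $result.MarkOfTheWeb = $true
        $zoneLine = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($zoneLine -match '^ZoneId=(\d)') {
            $result.ZoneId = [int]$Matches[1]
        }
    }

    [pscustomobject]$result
}

# Usage (path and hash are placeholders, not real values):
# Test-DownloadedBinary -Path "$env:USERPROFILE\Downloads\WhyNotWin11.exe" `
#     -ExpectedSha256 '<sha256 from the release page>'
```

Read the output the way the thread does: `SignatureStatus = NotSigned` with `HashMatches = True` is the expected state for a hobby tool whose author publishes hashes, and the risk decision is yours; `HashMatches = False`, or a signed file reporting `HashMismatch`, means the file is not what was released and should not be run regardless of what any scanner says.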
 
I’m speaking of commercial products. If you are going to charge me money it better be signed.

On that we have zero disagreement. The discussion has been weaving between comments about Fabs, which I'd expect should be signed these days as a commercial product, and stuff in the class I described.
 
On that we have zero disagreement. The discussion has been weaving between comments about Fabs, which I'd expect should be signed these days as a commercial product, and stuff in the class I described.
Even free software should consider being signed. For example, most Linux distros, where everything is free, require you to sign your software in order to submit it to the repository.

Considering the buzz caused by Windows 11, and criminals being attracted to such things, signing the software is probably a good idea. I’ve already seen spam and phishing emails referring to Windows 11. The idea that someone might try and punk his github account isn’t far-fetched.
 
The idea that someone might try and punk his github account isn’t far-fetched.

I think we're talking past each other, somewhat.

It's not that I disagree with anything you've said, but what you've said applies to an ideal world that we don't, and won't, have. It's just not going to happen for a certain class of throwaway software.
 
I think we're talking past each other, somewhat.

It's not that I disagree with anything you've said, but what you've said applies to an ideal world that we don't, and won't, have. It's just not going to happen for a certain class of throwaway software.
To a point I agree. But I too have downloaded this software. And in hindsight that was probably a bad idea. This really is the kind of situation that will attract hackers. Lots of software like this is low key and of little use. Not here. This guy's web address has already had squatters hit the .com and .net versions. So with this software, signed versions are probably wise because he is being targeted for spoofing.
 
@nlinecomputers Oh how people forget the wild west days of the internet and old operating systems. We didn't worry about BS like this back in the Windows 9x/XP days. Unsigned software really isn't that big of a deal. Just accept that there are risks installing non-commercial software from strange sources, but also realize that most unsigned software isn't malicious either.
 
Just accept that there are risks installing non-commercial software from strange sources, but also realize that most unsigned software isn't malicious either.

Heaven forbid, we're in full agreement twice in one day.

While I applaud the fact that Windows, and most other operating systems, have put great focus into protecting the vast majority of their user base from "unfortunate accidents" (and with varying and limited success), those of us who haunt this venue are not your average, unsophisticated user. We should be able to make an accurate risk assessment regarding any "home grown" software we might consider using which could include submitting it for scanning at Virustotal before ever running it.

But expecting those "home growers" to ever begin acting like commercial vendors is unrealistic, and imposes burdens they just don't want to take on. By analogy, the same thing happens in the screen reader world with what get called scripts (for JAWS) and add-ons (for NVDA). Though there is not a digital signing, there is a vetting process. Some developers elect to undergo the vetting process and have their work listed in "official repositories" for lack of a better generic description. Others, who've developed all sorts of really handy tools, usually originally only intended for their own use, do not want to engage in the formal vetting process, but still offer their stuff to others who want to use it. It's up to those who want to use "unofficial" stuff to learn how to do the appropriate vetting on their own. Those who want to use "home grown" software, regardless of platform or specific type, must learn how to perform appropriate vetting on their own. It's not up to all the home growers to go beyond being just that.
 
@nlinecomputers Oh how people forget the wild west days of the internet and old operating systems. We didn't worry about BS like this back in the Windows 9x/XP days. Unsigned software really isn't that big of a deal. Just accept that there are risks installing non-commercial software from strange sources, but also realize that most unsigned software isn't malicious either.
Really? Viruses were everywhere back in those days. Most of us techs made the bulk of our money killing viruses.
 
Viruses were everywhere back in those days. Most of us techs made the bulk of our money killing viruses.

And they still are "everywhere." It's just that detection and blocking mechanisms have become so very much more efficient and sophisticated.

I need to remember when doing client visits to take occasional looks at the various security suite logs just to get a sense of how much is actually being blocked these days. It does no good to look at my own, because even if you count all of the "Wild West" days, I can count on less than one hand the number of times that I, personally, had any sort of infection.

And the killer, for me, is that it is just so darned simple to avoid infection by following just a few, very simple, rules. Most attacks, then and now, succeed only because the end user does something that, quite literally, opens the door and invites them in. And these days they often have warnings before doing so that they might want to think twice, but don't. You really can't cure stupid.
 