OT - Virus and External Drives

BrianAK wrote on 2/28/2008, 9:52 AM
As tapes go away and we use more and more external drives, I thought I'd share a recent bad experience I just had.

An editor I work with got a virus on his PC, he was aware of it and tried to remove it to no avail. Eventually he had to reformat and reinstall windows to clear it (Vundo type virus).

As we were discussing this he hooked one of his external drives to my editing PC to do some work and transfer some files, and then started to mention that my PC was running really slow.

That's when it hit me: his virus had transferred to his external drive, which in turn had transferred it to my PC. I have up-to-date virus software, and it did come up and say it had detected the virus, but it apparently was not able to contain and delete it.

I spent 4-5 hours trying to clean the virus, but eventually had to reformat the hard drive, start over with a clean Windows install, and reinstall all of the applications. Yes, quite a bummer and lots of lost time.

This raises the question of how to best manage the workflow as more and more external drives get shipped around.

One idea I had was to pick up an older, or bare bones, inexpensive computer that just has a virus checker on it. It would act as an external drive prescreener for virus detection, and then if one is detected, at least it would only infect that machine, and I would only have to reinstall windows instead of all the applications.

I'm curious what others are doing to protect themselves.

Comments

fausseplanete wrote on 2/28/2008, 10:17 AM
Very good point - I knew it but needed reminding. Not only for viruses but also as a defence against bloatware and poorly-coded software that writes over de-facto standard system DLLs (as one free NLE did to me once, trashing GIMP, taking hours to figure out). Incidentally I'm soon to try out Office 2007...

I wonder if simply having some kind of multi-boot preloader would do, then one could boot to a Windows-Play configuration to do the test (or indeed to try any new software) or to a Windows-Work configuration for the production environment. For this to be effective I guess the installation of Windows-Play would have to be made unable to access any partition other than its own one. Likewise, for safety, no other configurations (such as but not limited to Windows-Work) should be able to access the Windows-Play partition.

Is there a hole in this idea? What's the best way to set it up? Use a multi-boot add-on such as System Commander? I have also heard of virtual windows within windows applications, negating the need to reboot, but we're looking for cost effectiveness and efficiency suitable for running video apps here.

johnmeyer wrote on 2/28/2008, 10:31 AM
I don't use any anti-virus software. I have a pretty good idea of how viruses propagate, and they need to have some willing participant in order to take hold. The key is to defeat the stupid features built into Windows that permit a virus to take hold without your doing anything.

If you really got a virus from this external drive, my strong suspicion is that you have "Autoplay" enabled. When you attach a drive (one without a virus), does windows bring up an autoplay window? If so, that's a problem. A big problem. Turn off that feature!

A virus doesn't just "jump over" to your PC from an external drive.

Obviously if you execute any program on the external drive, all bets are off. Also, if you play WMV files, but haven't updated your windows media player, it is possible to get viruses.
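John's advice above is a policy you can audit rather than just remember. The following is an added example, not something posted in this thread: a PowerShell script that reads the AutoRun policy values Explorer honours and, when run elevated with -Fix, sets them to the "off everywhere" state (the registry paths and values are the documented Windows ones; the Get-AutoRunPosture function name is my own).

```powershell
# Added example (not from the thread): audit, and optionally harden, AutoRun/AutoPlay
# handling so that attaching an external drive cannot launch anything by itself.
# Run elevated with -Fix to apply; Explorer must be restarted (or the box rebooted)
# before the new policy takes effect.
param([switch]$Fix)

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutoRunPosture {
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $p.NoDriveTypeAutoRun   # 0xFF = AutoRun disabled for every drive type
        NoAutorun          = $p.NoAutorun            # 1 = autorun.inf ignored entirely (Vista and later)
        AutorunInfMapped   = (Test-Path $iniMap)     # autorun.inf redirected to a nonexistent key
    }
}

"Before:"
Get-AutoRunPosture | Format-List

if ($Fix) {
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    # Every bit set: removable, fixed, network, CD-ROM and RAM disks all lose AutoRun.
    Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    # Belt and braces on Vista/7+: ignore autorun.inf even where AutoRun would be allowed.
    Set-ItemProperty -Path $policy -Name NoAutorun -Type DWord -Value 1
    # Point the INI-file mapping for Autorun.inf at a registry key that does not exist,
    # so Explorer never parses the file at all.
    if (-not (Test-Path $iniMap)) { New-Item -Path $iniMap -Force | Out-Null }
    Set-ItemProperty -Path $iniMap -Name '(default)' -Value '@SYS:DoesNotExist'
    "After:"
    Get-AutoRunPosture | Format-List
}
```

Without -Fix the script only reports, so it is safe to run first on a machine you are unsure about.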

Chienworks wrote on 2/28/2008, 11:52 AM
John's precisely correct. Never ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever (did I say that enough? nahhh, a few more ...) ever ever ever ever ever ever ever allow autoplay. Heck, without autoplay all those SONY commercial CDs would never have infected so many computers with their DRM virus!

I do have Grisoft AVG installed. If there was an infected file on an external hard drive then AVG would discover that as soon as the computer accessed the file and would NOT allow the file to be used until you answered the "repair/quarantine/delete/ignore" question.

BrianAK wrote on 2/28/2008, 12:23 PM
Yes, I did have autoplay enabled. That alone is probably what got me.

Also, when researching the virus, I found a couple of notes that it often uses a vulnerability in Java, and that you should remove any current versions of Java and be sure to install the latest version.

One other suggestion by an IT friend was to use a program (he suggested True Image http://www.acronis.com/homecomputing/products/trueimage/ ) to create periodic hard drive images. At least it would make for a faster recovery.

On a positive note, after reinstalling everything, I think my PC is running a little smoother. It may be a good idea to start over every once in a while!

R0cky wrote on 2/28/2008, 1:09 PM
I use Acronis religiously to back up all of my system drives. It's saved me a couple of times after hard disk crashes.

It has an add on option called "Universal Restore" where you can restore to different hardware. It replaces the windows drivers with ones for the new mobo etc. during the restore. My wife's machine failed and in 24 hours I built her a new machine and restored her entire system and 50 GBytes of data (I use Retrospect for data b/u).

It is not entirely bug free. My problems were when booting from a CD for a bare metal restore and not recognizing my drives or network card properly on one machine. I also bought priority support and that gets you 24-48 hour response and they've solved my issues for me.

Among my many roles I'm the IT dept. for my wife's business and business continuity is an extremely high priority. I have 5 machines that are critical and 4 more that are an inconvenience if they fail. I can't afford the time to rebuild from scratch very often. I used to rebuild every machine every year to keep away windows rot. I'm up to 3 years on some and never on others.

4eyes wrote on 2/28/2008, 3:35 PM
"I'm curious what others are doing to protect themselves."

One pitfall of Windows has been that most persons run Windows (including myself) at the administrative privilege level. So this always leaves the system open for viruses & poorly coded programs to take advantage of.

When you run a Mac or Linux computer you normally run as a user. In user mode you do not have any rights to modify or get to the boot sector or system files. System critical files you don't even have the rights to read at all, and you can't run system executables or programs unless they are flagged to do so. That's why they say Macs don't get viruses as much.
Macs & Linux computers can get viruses though; on a Linux machine much of the software is free. That is where a virus can dig in, when it's installed with administrative privileges.

Vista also has this user level built in much better than XP. So if you're running Vista as a standard user I don't see how a virus could have affected system files.

If you're running a Windows computer with administrative privileges and connect an external device, the operating system has to read the boot sector, file allocation tables & other. You can have an infected boot/read sector of the floppy, hard disk etc. It will and can infect your system.
If the virus can see your hard disk & OS files it will love that, because your system is open by running Windows as administrator with administrative privileges, or running as a user with administrative privileges.

So to answer your original question/post I try not to run any operating system at the administrative privilege level. I do not run Vista as administrator, only user level access control.
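4eyes' point is about the token the editing session actually runs under, which is easy to check. The following is an added, read-only example, not from the thread, that reports whether the current account is in the local Administrators group, whether this process holds admin rights right now, and whether UAC is on (the SID and the EnableLUA value are the documented Windows ones).

```powershell
# Added example (not from the thread): a read-only check of the exposure 4eyes describes,
# i.e. whether the account doing day-to-day editing work carries admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# S-1-5-32-544 is BUILTIN\Administrators. Membership means the account can reach full
# admin rights; IsInRole reports whether THIS token has them at the moment. Under UAC a
# member's normal token is filtered, so IsInRole stays False until you elevate.
$adminSid     = 'S-1-5-32-544'
$inAdminGroup = $false
foreach ($g in $identity.Groups) { if ($g.Value -eq $adminSid) { $inAdminGroup = $true } }
$elevatedNow  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# UAC (Vista and later): EnableLUA = 1 is what makes the split admin/standard token possible.
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac   = Get-ItemProperty -Path $sysPolicy -ErrorAction SilentlyContinue
$uacOn = ($uac -ne $null -and $uac.EnableLUA -eq 1)

if ($elevatedNow) {
    $assessment = 'Admin token: anything run here, including from an attached drive, can touch system files'
} elseif ($inAdminGroup) {
    $assessment = 'Standard token now; an elevation prompt stands between this session and admin rights'
} else {
    $assessment = 'Standard user: boot areas and system files are out of reach without another credential'
}

[pscustomobject]@{
    User           = $identity.Name
    MemberOfAdmins = $inAdminGroup
    AdminRightsNow = $elevatedNow
    UacEnabled     = $uacOn
    Assessment     = $assessment
} | Format-List
```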

johnmeyer wrote on 2/28/2008, 3:58 PM
One other suggestion by an IT friend was to use a program (he suggested True Image

Absolutely correct. I have had to use this once or twice, in order to recover from my own stupidity.

The ideal setup is to partition your drive into the C: drive and some other letter. Put your O/S and programs on the C: drive, and nothing else. I have a huge number of programs on my main PC, and those, along with the hidden System Restore files (which is a good first-level defense against the kind of problems you had) take up 7.5GB. I partition the C: drive to have 12 GBytes. I then have a second drive letter for the same physical disk (this is the D: drive in my case) and I put all the remaining space (about 102 GBytes, since it is a 120 GB disk) on this partition. I then "right-drag" the My Documents folder and other special folders to the new partition. This ensures that all my data files are on the big partition.

When all this is done, I can quickly and efficiently get an "image" of the C: drive (still fits on one DVD, if I want to use that media). In the event of a disaster, this is extremely fast and easy to restore. I then do backups of the data files as needed.

If you don't do the partitioning, then you have to create an image of the ENTIRE disk drive, and if it is full and is a 300 GByte drive, then it takes a LONG time to do the backup and also a long time to do the restore, measured in many hours instead of just a few minutes.

It's the only way to fly ...

Cheno wrote on 2/28/2008, 5:08 PM
"It's the only way to fly ..."

And as Superman would say "Statistically speaking, it's still the safest way to travel."