Before you read anything else in this section, it's
important to understand that most versions of Windows don't provide a
virus checker in the purest sense of the term, but the Malicious
[Software] Removal Tool (MRT) comes very close. You won't find any
utility to block spyware or adware in earlier versions of Windows
either. Server Core does provide rudimentary virus, spyware, and adware
protection.
In addition, even though
Windows XP SP2 and above do provide a firewall, some industry pundits
consider it weak at the very least. For one thing, the firewall doesn't
do a good job checking both incoming and outgoing data. The firewall in
Server Core is significantly stronger and includes two-way protection.
In some people's minds,
these three items are the end of any virus and intrusion protection
requirement on a system and they'll stop reading this section
immediately. However, virus and intrusion protection only begins with
these three types of utilities; you really do need more protection and
you need to perform some tasks manually if you want to keep your system
safe, rather than constantly cleaning up the aftermath of a successful
attack.
The utilities in the
sections that follow represent a next step. They aren't the final word
in virus and external intrusion detection, but they help. You'll want to
combine these utilities with other utilities described throughout the
book. The point of these particular utilities is that they specialize in
helping you maintain better control over your system. These utilities
are relatively easy to use and complement the functionality of the three
major applications that most people rely on exclusively to safeguard
their systems.
Many people aren't
overly concerned about the unsigned drivers on their systems. After all,
the driver seems to do its job. However, drivers work at the lowest
level of the operating system and you can't judge their performance
solely on how they work from a user perspective. You must hold drivers
to a higher standard than applications if you want to keep your system
safe. A signed driver might not provide absolute safety from the
vagaries of viruses and external intrusion, but it's generally better
equipped to keep your system safe. At least a third party has verified
that the driver meets specific standards of construction.
The SigVerif utility
helps you locate drivers that lack a signature. It uses a graphical
interface, so you won't find detailed coverage of it in this book.
However, you can start this utility at the command prompt and store the
results in a file for later analysis. The point is that this utility
locates any unsigned driver on your system so you can request signed
versions from the hardware vendors that put your system together. You
can read more about this utility at http://www.windowsitpro.com/Article/ArticleID/7918/7918.html.
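SigVerif only produces a report you read by eye. For an inventory you can keep and diff between runs, the following PowerShell script (an added example, not from the book or from Microsoft) walks every driver registered with the service control manager through Win32_SystemDriver, checks its image file with Get-AuthenticodeSignature, and writes the ones without a valid signature to a CSV file. The output path and the path normalization rules are assumptions for this example; SigVerif itself is not used.

```powershell
# Added example (not from the book): list registered kernel drivers whose image
# file does not carry a valid Authenticode signature and save them to CSV.
param(
    [string]$OutFile = "$env:TEMP\unsigned-drivers.csv"   # assumed output location
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName uses kernel-style prefixes; map them to Win32 paths.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                               # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                             # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

$report = foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Resolve-DriverPath $d.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        # A service entry whose image is missing deserves a look of its own.
        [pscustomobject]@{
            Name = $d.Name; State = $d.State; Path = $d.PathName
            Status = 'FileNotFound'; Signer = $null
        }
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        State  = $d.State                     # Running / Stopped
        Path   = $path
        Status = $sig.Status                  # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Anything other than Valid is worth following up: HashMismatch means the file
# changed after signing, NotSigned means no (recognized) signature at all.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Status, Name
$suspect | Format-Table Name, State, Status, Path -AutoSize
$suspect | Export-Csv -LiteralPath $OutFile -NoTypeInformation
Write-Host ("{0} of {1} driver(s) lack a valid signature; details in {2}" -f $suspect.Count, $report.Count, $OutFile)
```

Two caveats when reading the result. On Windows 10 and later, Get-AuthenticodeSignature also consults the system catalogs, so catalog-signed Microsoft drivers report Valid; on older versions it checks only embedded signatures, and a NotSigned status there may simply mean the driver is catalog-signed, which is exactly the case SigVerif handles, so use this list to decide which files to feed SigVerif rather than as a final verdict. A HashMismatch on a driver that is currently Running is the finding to chase first.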
1. Removing Viruses with the BlastCln Utility
The Blast Clean
(BlastCln) utility helps you locate and remove two common viruses on
your system, Blaster and Nachi. Microsoft updates the BlastCln utility
monthly through the Windows Update service. In fact, you've probably run
this utility every time you visited Windows Update without really
knowing it because this utility appears on the list every month.
However, you might want to check your machine more often than once a
month to ensure it remains clean. In addition, running the utility as
part of Windows Update doesn't provide you with a detailed report of any
potential infestations on your system. Running the utility from the
command prompt using the /V command
line switch does provide additional information. You can learn a little
more about this utility from the Knowledge Base article at http://support.microsoft.com/?kbid=833330. This utility uses the following syntax:
BlastCln [/v] [/u] [/f] [/z] [/q]
The following list
describes each of the command line arguments.
/v
Displays
additional information about the virus checking process. Generally, the
output tells you that the utility is checking services, processes, the
registry, and the hard drive for specific filenames. When the utility
doesn't find any evidence of either Blaster or Nachi, it tells you that
it's stopping the tool.
/u
Performs the virus
check using unattended mode. The user doesn't see any evidence that the
utility is running.
/f
Forces other
applications to quit when the computer shuts down after the utility has
cleaned up either a Blaster or Nachi infection.
/z
Prevents a
restart of the system after the BlastCln utility installation is
complete.
/q
Performs the
virus check using quiet mode. The user doesn't see any evidence that the
utility is running and the utility doesn't request any user interaction
when it detects a virus.
2. Detecting and Removing Malicious Software with the MRT Utility
The MRT helps you remove
common malicious software from your system. You can find a description
of this utility in the Knowledge Base article at http://support.microsoft.com/?id=890830. It's important to review this Knowledge
Base article relatively often because Microsoft updates it each month
with the list of viruses that MRT can detect. If you're an
administrator, make sure you check the deployment instructions in the
Knowledge Base article at http://support.microsoft.com/kb/891716. When used alone, the MRT utility displays a
graphical interface the user can use to clean a system. This utility
uses the following syntax:
MRT [/Q] [/N] [/F] [/F:Y]
The following list
describes each of the command line arguments.
/Q
Forces the utility to
run in quiet mode, which means the user won't see the usual graphical
interface.
/N
Performs virus
detection only; the utility doesn't clean up any viruses that it finds.
/F
Forces the
utility to perform an extended scan of the system. The extended scan
requires considerably more time, but can help you locate virus files,
registry settings, and hidden directories in addition to the usual
memory check.
/F:Y
Forces the
utility to perform an extended scan of the system. In addition, the
utility automatically cleans up any viruses that it finds.
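Because /Q suppresses the interface, an unattended MRT run tells you nothing unless you collect its exit code and log. The following PowerShell script is an added example (not from the book or from Microsoft) that runs MRT quietly in detection-only mode, optionally with the extended scan, and reports the exit code together with the lines the run appended to the MRT log. It assumes MRT.exe sits in System32 where Windows Update places it, that the cumulative log is %windir%\debug\mrt.log as described in KB 890830, that exit code 0 means no infection was found as listed in KB 891716, and that the log lines of interest contain the words used in the filter below; check those against the current Knowledge Base articles before relying on them.

```powershell
# Added example (not from the book): run MRT silently in detect-only mode and
# summarize the result from its exit code and the log lines this run produced.
param(
    [switch]$ExtendedScan,                                                   # adds /F
    [string]$MrtPath = (Join-Path $env:SystemRoot 'System32\MRT.exe'),       # assumed location
    [string]$LogPath = (Join-Path $env:SystemRoot 'debug\mrt.log')           # per KB 890830
)

function Invoke-MrtDetectOnly {
    param([switch]$Extended, [string]$Exe, [string]$Log)

    if (-not (Test-Path -LiteralPath $Exe)) { throw "MRT not found at $Exe; run Windows Update first." }

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'MRT needs an elevated prompt; the scan was not started.'
    }

    # The log is cumulative, so remember how long it is before we add to it.
    $linesBefore = if (Test-Path -LiteralPath $Log) { @(Get-Content -LiteralPath $Log).Count } else { 0 }

    $switches = @('/Q', '/N')                 # quiet, detect only: nothing is cleaned
    if ($Extended) { $switches += '/F' }     # extended scan of disk, registry, hidden directories

    $proc = Start-Process -FilePath $Exe -ArgumentList $switches -Wait -PassThru

    $newLines = @()
    if (Test-Path -LiteralPath $Log) {
        # Get-Content honours the file's byte-order mark, so the encoding of mrt.log does not matter here.
        $newLines = @(Get-Content -LiteralPath $Log | Select-Object -Skip $linesBefore)
    }

    [pscustomobject]@{
        Started    = (Get-Date)
        Switches   = ($switches -join ' ')
        ExitCode   = $proc.ExitCode
        Clean      = ($proc.ExitCode -eq 0)   # 0 = no infection found (KB 891716); anything else: read the log
        LogExcerpt = @($newLines | Where-Object { $_ -match 'Return code|Results Summary|infection|Threat' })  # assumed keywords
    }
}

$result = Invoke-MrtDetectOnly -Extended:$ExtendedScan -Exe $MrtPath -Log $LogPath
$result | Format-List
if (-not $result.Clean) { exit $result.ExitCode }   # propagate a non-zero code to a scheduled task or monitoring agent
```

Run it from an elevated prompt, and schedule it with schtasks if, as the book suggests for BlastCln, you want to check more often than the monthly Windows Update pass. A non-zero exit code is the signal to open mrt.log yourself and, only after reading it, to rerun MRT without /N so that it cleans what it found.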