Six emergency CDs from antivirus manufacturers

Life Jacket

ESET SysRescue Live

For almost 30 years, Slovakia's ESET [5], based in Bratislava, has been developing various security solutions for Microsoft operating systems that can also be used with very old Windows installations. The free ESET SysRescue Live [6] distribution is available from the provider as an ISO image for optical media and as an IMG image for USB removable media. The USB IMG, at around 740MB, will also fit on smaller storage media.

Tools

The central tool for repairing a compromised Windows system is the ESET SysRescue tool, which launches automatically after booting the Ubuntu-based Linux derivative. After confirming the license, the main SysRescue tool window opens (Figure 6). Start by updating the signatures for the virus databases by clicking Update in the left vertical bar.

Figure 6: The ESET SysRescue program takes care of scanning and repairing Windows partitions.

Next, press On-demand scan to start scanning the Windows system (Figure 7). A settings dialog opens on the right of the window and you can decide whether you want to run a Smart Scan or a Custom Scan of the system. If you select the Custom Scan variant, you can then modify numerous settings in another window to influence the scope of the check.

Figure 7: ESET SysRescue visualizes the progress of the scan in a progress bar.

During the subsequent scan, the software continuously states the number of scanned objects and displays a progress bar. The scan window also tells you how many threats have been detected. The routine distinguishes between infected and cleaned objects after the scan is complete.

ThreatSense

ESET SysRescue Live uses what is referred to as ThreatSense parameterization to detect infected files and objects. You can set the parameters in several groups in the ThreatSense parameters section of the Advanced setup dialog.

The ThreatSense checking module bundles various threat detection methods. You define both the objects the tool includes in each scan and whether you want to detect potentially insecure or undesirable applications. You can then specify how the routine should deal with this content. Optionally, the software offers to repair infected objects (i.e., rid them of dangerous code or remove them from the system). You can use a slider to specify the sensitivity of the program.

In another dialog, you can specify the maximum size of individual objects. In the same dialog, you can also specify the nesting depth up to which the scan examines archives, with 10 levels as the default. Once you have completed the settings, you can initiate another run by pressing the New scan link.
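The two limits just described, maximum object size and archive nesting depth, exist because a malicious archive can nest archives indefinitely or declare a small size for a member that inflates to something enormous. The following is an added illustration, not ESET's code: a small zip walker that enforces both limits, using 10 levels and 1 MiB as assumed defaults (the 10 matches the default quoted above; the size and the zip-only handling are assumptions for this example). It counts bytes as they are decompressed rather than trusting the size field in the archive header.

```python
"""Nested-archive walker with nesting-depth and object-size limits.

Added example, not ESET code. The limit values, the zip-only handling and
the sample archives built below are assumptions made for this illustration.
"""
import io
import zipfile

MAX_DEPTH = 10              # assumed default; matches the 10 levels quoted in the text
MAX_OBJECT_SIZE = 1 << 20   # assumed per-object cap of 1 MiB


def read_bounded(zf, info, max_size):
    """Read one zip member, returning None as soon as it exceeds max_size.

    The declared size in the central directory is only a cheap first check;
    bytes are counted as they are decompressed, so a forged header cannot make
    us inflate much more than max_size (plus one chunk) into memory.
    """
    if info.file_size > max_size:
        return None
    out = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                return bytes(out)
            out.extend(chunk)
            if len(out) > max_size:
                return None


def walk_archive(data, depth=0, path="", max_depth=MAX_DEPTH, max_size=MAX_OBJECT_SIZE):
    """Return (scanned, skipped) for the object `data` found at nesting level `depth`.

    scanned: member paths whose bytes reached the (here imaginary) scan engine
    skipped: (member path, reason) pairs for objects that were not examined
    A zip at level `max_depth` is not opened, so objects up to `max_depth`
    levels deep are scanned and anything deeper is reported as skipped.
    """
    scanned, skipped = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        scanned.append(path or "<top>")   # plain object: hand its bytes to the scanner
        return scanned, skipped
    with zf:
        if depth >= max_depth:
            skipped.append((path or "<top>", "nesting depth exceeded"))
            return scanned, skipped
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            payload = read_bounded(zf, info, max_size)
            if payload is None:
                skipped.append((member, "object too large"))
                continue
            sub_scanned, sub_skipped = walk_archive(payload, depth + 1, member, max_depth, max_size)
            scanned += sub_scanned
            skipped += sub_skipped
    return scanned, skipped


def build_nested_zip(levels, inner_name="payload.txt", payload=b"constructed sample"):
    """Constructed sample: wrap `payload` in `levels` zip archives, one inside the next."""
    data, name = payload, inner_name
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data


def build_oversize_zip():
    """Constructed sample: one harmless member plus one that inflates past the 1 MiB cap."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("small.txt", b"fine")
        zf.writestr("big.bin", b"\0" * ((1 << 20) + 1))
    return buf.getvalue()


if __name__ == "__main__":
    print(walk_archive(build_nested_zip(10)))   # payload at level 10 is scanned
    print(walk_archive(build_nested_zip(11)))   # the zip at level 10 is not opened
    print(walk_archive(build_oversize_zip()))   # big.bin is skipped, small.txt is scanned
```

Raising the nesting limit in the ThreatSense dialog trades scan time and memory for coverage; the walker above makes the trade-off visible, since every extra level multiplies the number of objects that have to be inflated and examined.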

Additional Options

In the main window of the application, you are taken to additional options after selecting Tools on the left. The Log files option lets you view the logfiles created during the test run and filter them by various categories (e.g., information, errors, and warnings). The Quarantine option lets you restore objects from or move objects into quarantine. For this purpose, the software displays a corresponding file selection dialog. In Security report, you can trace the different threat scenarios on your computer system in a chart. The Submit sample for analysis option gives you the option of submitting a suspicious file to ESET for evaluation.

On Linux

The check routine in the ThreatSense module can also check Linux systems for various threats. Because the corresponding dialogs explicitly allow scanning email files for malware, the application is suitable for use on Linux-based mail servers. However, the malware hidden in mail files does not typically unleash its effect on the mail server itself, but on the mail clients running on Windows.

The GParted graphical partitioning tool is also available for use with Linux clients and can be used to fix mass storage problems. It supports a variety of filesystems and is thus also suitable for use in multiplatform environments. For efficient work with files and directories, the rescue distribution also has Midnight Commander and its graphical counterpart PCManFM on board.

Kaspersky Rescue Disk

The Rescue Disk [7] released by the Russian security specialist Kaspersky Lab [8] is available for download free of charge from the company's website. The hybrid ISO image with a size of around 610MB is based on Gentoo Linux. After downloading and transferring it to a bootable medium, the operating system first opens the GRUB graphical boot manager, where you can choose between the English and Russian localizations. After that, you will find various boot options in another dialog. Because of its lean design, the system boots very quickly to a visually unobtrusive Xfce 4.12.2 desktop.

The Kaspersky Rescue Disk feature set primarily focuses on repairing Windows systems, but it is much more broadly positioned than many other solutions: Linux systems can also be checked with the built-in Rescue Tool, and additional software such as Midnight Commander, htop, and a hardware detection tool support flexible use of the suite.

After booting, the Rescue Tool automatically comes up to perform a system scan. If you don't have a network connection, the system first pauses the initialization routine to give you the opportunity to configure WiFi access. Once the network connection is established, the software displays the dialog for scanning the system after initializing the scan engine. If necessary, you can include boot sectors and the EFI system partition in the scan. The Rescue Tool quarantines any malware it finds to render it harmless. For documentation purposes, you can also generate a report of the scan after it is complete (Figure 8).

Figure 8: The Kaspersky Rescue Tool comes with a plain interface.

On Windows

For Windows systems, the scan runs as for Linux systems, but the Rescue Tool only performs a quick scan by default. To scan the Windows system completely, you need to check the boxes for the drives in the dialog that comes up after choosing the Change parameters link. In the scan window, you will notice the Tools link that is not present when scanning Linux systems. Clicking on it opens a dialog window that offers a Registry Editor, a Windows Unlocker, and the USB Recover icons (Figure 9).

Figure 9: Kaspersky offers some additional tools on its Rescue Disk for Windows.

Whereas the Unlocker combats ransomware, the USB Recover tool restores the function of USB devices that were accidentally removed from Windows. For this purpose, it is also necessary to edit the corresponding keys in the Windows registry (Figure 10).

Figure 10: Kaspersky's rescue system also lets you edit the infamous Windows registry.

Norton Bootable Recovery Tool

The Norton Bootable Recovery Tool (NBRT [9]) offered by US vendor Symantec is also a Linux-based Live system, which the manufacturer offers for download as a hybrid ISO image. At 850MB or so, the recovery distribution looks reasonably up to date after the first boot (Figure 11), but a look under the hood reveals plenty of antiquated components: NBRT is based on Red Hat Enterprise Linux 6, which was released at the end of 2010, although still supported. The 32-bit system therefore still uses kernel 2.6.32.

Figure 11: Scan complete Windows systems with the NBRT tool.

When booting, NBRT enables a wizard as the central element of the rescue system; the Start menu has been banished from the panel. The only other utilities available are the Opera web browser and a terminal, which can be launched directly from the panel. Opera is also anything but new: The 12.16 version integrated into NBRT was released on July 4, 2013.

Toolbox

The wizard, which launches automatically after booting the system from a removable disk, can only be used to repair Windows systems. After selecting the language (if needed) and confirming the license, NBRT updates all the malware definition files. This process can take a long time and is accompanied by the message Updating definitions.

If the software finds an installed Windows system, it automatically starts a scan of the entire mass storage, otherwise it aborts with an error message. NBRT cannot be used for safeguarding Linux systems. The tool lists problematic files found during the scan in a table, indicating a threat level in addition to the file name. You can then define in the Action column what to do with the respective file.

NBRT automatically enables a delete function for dangerous files; you might have to disable this function explicitly by unchecking the box to the left of the respective entry. If you do not make any changes to the entries in the table, the listed files are either deleted or repaired after you click Fix at the top right of the window and confirm a further prompt. This process may make a blocked Windows system workable again.

Data Backup

After updating the signature data, NBRT can save important files from the corrupted Windows installation, even before starting the system scan. For this purpose, NBRT has a special save dialog that you enable with Retrieve Files. A file manager opens with the system partitions from the mass storage (Figure 12), in which you select the desired files for backup by checking the boxes, before backing them up to a removable USB drive.

Figure 12: NBRT also lets you back up individual folders and files.

If no USB storage device is attached to the machine, the application points this out with a corresponding error message and lets you connect a device to the Windows computer before backing up the files. If possible, you should not save any Windows system files to the removable medium, only personal files, because it is not possible to rule out that malware has infected the system files.
