So I was skimming Slashdot the other day and found this gem: Seems a program manager in Microsoft’s Security Solutions Center came out and said that recovering from the newest breed of malware may be impossible. You know, time and again, I’ve asked those Redmond folks to be upfront and honest, and now here’s one doing just that, and I’m still nauseated.
The gentleman was referring to the new spyware darlings, namely rootkits. You know, the things recently made so popular by the graces of visionary companies such as Sony. Thank you so much -- I’m boycotting the PS3 just for that (if it ever sees the light of day). These infestations don’t hide in a piece of the PST file or duck into the bowels of IE. They dig just a bit deeper and hide themselves right in the OS kernel -- hence the "root" moniker.
For some of the more popularly known, and thus unsuccessful, rootkits, Microsoft and other companies have come up with specific removal tools, although sometimes they, too, have nasty side effects because of how deep the infection has managed to burrow. Unfortunately, the unknown rootkit infections far outnumber the known ones, so waiting for a removal tool for your particular kernel malaise may be an exercise in futility.
So Microsoft offers the next logical solution: Wipe the OS and start over. Yeah, made me see red for a minute, too; but after thinking about it, I’m only seeing … let’s say pink. The tools to automate an OS rebuild are neither new nor difficult to come by. Altiris, CA, IBM, LANDesk, SMS, and a host of other companies provide desktop management platforms with tools that will save specific OS and application images on the network. They can push those images out to specific groups of clients or even a single machine. After that, you just reload that user’s personal data off the network and he or she is good to go.
Only thing is, even with the right tools, that’s much easier said than done. To make this effective, you must provide for client-side network backup at the very least daily, and more likely several times during the day. That creates overhead for the client and is a strain on the network. Additionally, even backup solutions with open file managers work best if you target them at only a portion of the client disk -- and that means training your users to make sure all data is saved in those target folders only, not, for example, on their desktops. Not always easy.
Another way might be to provide for personal backup at every client station, I suppose. Maxtor OneTouch boxes only go for $200 and would allow each station to have its own backup device right there. But that still requires user intervention -- which is never a good idea. Also, as Bob Garza has pointed out about the Seagate Mirra (a networkable OneTouch competitor), keeping these solutions running in constant backup mode tends to slow client performance to a point of severe frustration -- like with tufts of hair floating around the office.