I always thought that running a virus / malware scan during boot up, before Windows loads everything, is better because the virus / malware is not enabled yet. But I read somewhere that since the virus is not active yet, it is harder to detect by your antivirus. Comments ???? Thanks, Mike
Is a boot scan better?
#2
Posted 29 June 2012 - 02:12 PM
mike13, on 29 June 2012 - 12:21 PM, said:
But I read somewhere that since the virus is not active yet, it is harder to detect by your antivirus. Comments ????
Viruses have a certain "signature" by which the AntiVirus recognizes them, whether On The HDD or In Memory. If you scan your WHOLE HARD DRIVE off-line, they can usually be found, except those that are smart enough to "self-alter" in order to "hide" and then at StartUp (the Registry RUN/RUNONCE keys) "self-alter" again to Activate. That's why if you DO get one then it MIGHT be a booger to eradicate. In that case, special procedures need to be followed along with sometimes special "eradicator" programs. Nothing (AFAIK) is "failsafe".
Sorry, but your question is rather vague in its context.
#3
Posted 30 June 2012 - 08:47 PM
Submix8c, Thanks for the reply. I do not know how to give you a link, but if you look at my older post on this site called FRAUD.SECURITY ESSENTIALS, in post number two, Tripredacus talked about scanning a slaved hard drive, and that viruses may not be caught that way. Probably for the same reason as you mentioned, that they hide themselves. I guess I thought the BEST way to scan a hard drive, was to remove it from the computer and slave it to another. Thanks, Mike
#4
Posted 01 July 2012 - 12:41 PM
mike13, on 30 June 2012 - 08:47 PM, said:
..slaved hard drive, and that viruses may not be caught that way. Probably for the same reason as you mentioned, that they hide themselves. I guess I thought the BEST way to scan a hard drive, was to remove it from the computer and slave it to another.
I personally normally use 4 basic tools - AntiVirus, SpyBot, MalwareBytes, and CCleaner. I do NOT use the "registry cleaner" of CCleaner but include the TEMP folders in the Options and run it pretty much before each shut-down. I've only been almost hit twice by "drive-by's" (MySpace and Facebook one each). Had a booger of a time ensuring the darn things were gone (both cases were bogus ScareWare AntiVirus).
If you DO get hit (badly), do the "slave" trick, download the 3 free softwares I mentioned (in addition to a good AntiVirus), replace the HDD, boot and install/update/run each. Good chance of eliminating it except for boogers which take more research on "how to eradicate"...
HTH
Side note - apparently the latest SpyBot will allow for a Reboot/Rescan-On-Signon (before your user startup but after System Startup) to eliminate anything "in memory". Found that out last night on Daughter's unprotected Laptop...
#5
Posted 05 July 2012 - 11:06 AM
There is a tradeoff in detection capability.
Most active AV evasion techniques can be defeated with a boot time scan, but anything with a custom cryptor (or at least one without a signature) will not be detected. Heuristic detection is almost entirely useless at boot time, not that most AV offerings even have useful heuristic capabilities. Removal is easier, detection is not in most cases.
It's really academic at this point, with a boot time scan not being prevention or security of any sort, it's just another cleanup method.








