Offline virus scanner - what do you use?

Dashrender

LOL nice one @Nic

No virus scanner is fool proof. If a rootkit manages to get in (or even a non root kit) and get under the AV, the AV is no longer effective. Scanning offline though, assuming the scanner knows about whatever bug might be there, should be able to see it and then you decide how to proceed.

Edit - mentioning a rootkit is, as scott would say, a red herring - please ignore that.

dafyre

If Windows will boot, I'd recommend Webroot or Malwarebytes. If Windows won't boot, I'd jump to a Linux Live CD + ClamAV

coliver

@Dashrender said:

LOL nice one @Nic

No virus scanner is fool proof. If a rootkit manages to get in (or even a non root kit) and get under the AV, the AV is no longer effective. Scanning offline though, assuming the scanner knows about whatever bug might be there, should be able to see it and then you decide how to proceed.

Nuke it from orbit. If a rootkit gets below the AV that's the only way to be sure nothing else is hiding in there.

Nic

Makes sense - yeah I'd second the MBAM recommendation in that case. Although if you have a rootkit then you're going to have to boot from some other media to be sure.

Dashrender

Booting from a CD is the plan - that's why it's an offline scan.

Dashrender

@coliver said:

@Dashrender said:

LOL nice one @Nic

No virus scanner is fool proof. If a rootkit manages to get in (or even a non root kit) and get under the AV, the AV is no longer effective. Scanning offline though, assuming the scanner knows about whatever bug might be there, should be able to see it and then you decide how to proceed.

Nuke it from orbit. If a rootkit gets below the AV that's the only way to be sure nothing else is hiding in there.

Agreed, I would nuke a machine I thought even had a chance at a rootkit.

Dashrender

See updated OP.

coliver

Have you checked the IP's they are talking to? When I was running SW it did the same thing and generally they were legitimate IPs that had been flagged by a third party for malicious adware.

travisdh1

You mean nobody has a PXE boot to scanner option setup? What are we coming to? Actually, I'm guessing by the time we're considering an off-line scan it's past time to nuke-it-from-orbit.

Nic

There's a bunch of good recovery CD options out there. Plus it looks like MBAM has a rootkit scanner now:

http://www.techrepublic.com/blog/smb-technologist/two-portable-rootkit-tools-no-smb-should-be-without/
https://www.malwarebytes.org/antirootkit/
http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm

Dashrender

@coliver said:

Have you checked the IP's they are talking to? When I was running SW it did the same thing and generally they were legitimate IPs that had been flagged by a third party for malicious adware.

Yeah, I'm guessing this is probably the situation, but I figure it's better to be safe than sorry and run an outside of norm scan on them.

scottalanmiller

@Nic said:

What's the use case for scanning offline? Isn't that like asking what brand of condom you like wearing when you aren't having sex?

Quote of the Day right there.

Dashrender

So what's your thought on the issue Scott? Should I not even bother? If my running AV seems clean, just move on?

scottalanmiller

I agree with MBAM as a good secondary scanner. I use that as a "backup" to Webroot. By offline, do you mean booting into a Linux LiveCD and scanning when the Windows kernel is not loaded? If so, yes, that's a good way to go if you are concerned and ClamAV should be fine for that.