Offline virus scanner - what do you use?
-
If Windows will boot, I'd recommend Webroot or Malwarebytes. If Windows won't boot, I'd jump to a Linux Live CD + ClamAV
-
@Dashrender said:
LOL nice one @Nic
No virus scanner is fool proof. If a rootkit manages to get in (or even a non root kit) and get under the AV, the AV is no longer effective. Scanning offline though, assuming the scanner knows about whatever bug might be there, should be able to see it and then you decide how to proceed.
Nuke it from orbit. If a rootkit gets below the AV that's the only way to be sure nothing else is hiding in there.
-
Makes sense - yeah I'd second the MBAM recommendation in that case. Although if you have a rootkit then you're going to have to boot from some other media to be sure.
-
Booting from a CD is the plan - that's why it's an offline scan.
-
@coliver said:
@Dashrender said:
LOL nice one @Nic
No virus scanner is fool proof. If a rootkit manages to get in (or even a non root kit) and get under the AV, the AV is no longer effective. Scanning offline though, assuming the scanner knows about whatever bug might be there, should be able to see it and then you decide how to proceed.
Nuke it from orbit. If a rootkit gets below the AV that's the only way to be sure nothing else is hiding in there.
Agreed, I would nuke a machine I thought even had a chance at a rootkit.
-
See updated OP.
-
Have you checked the IP's they are talking to? When I was running SW it did the same thing and generally they were legitimate IPs that had been flagged by a third party for malicious adware.
-
You mean nobody has a PXE boot to scanner option setup? What are we coming to? Actually, I'm guessing by the time we're considering an off-line scan it's past time to nuke-it-from-orbit.
-
There's a bunch of good recovery CD options out there. Plus it looks like MBAM has a rootkit scanner now:
http://www.techrepublic.com/blog/smb-technologist/two-portable-rootkit-tools-no-smb-should-be-without/
https://www.malwarebytes.org/antirootkit/
http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm -
@coliver said:
Have you checked the IP's they are talking to? When I was running SW it did the same thing and generally they were legitimate IPs that had been flagged by a third party for malicious adware.
Yeah, I'm guessing this is probably the situation, but I figure it's better to be safe than sorry and run an outside of norm scan on them.
-
@Nic said:
What's the use case for scanning offline? Isn't that like asking what brand of condom you like wearing when you aren't having sex?
Quote of the Day right there.
-
So what's your thought on the issue Scott? Should I not even bother? If my running AV seems clean, just move on?
-
I agree with MBAM as a good secondary scanner. I use that as a "backup" to Webroot. By offline, do you mean booting into a Linux LiveCD and scanning when the Windows kernel is not loaded? If so, yes, that's a good way to go if you are concerned and ClamAV should be fine for that.
-
OK wow, no love for Defender offline here.
I guess I'll have to get a live CD with Clam AV on it.
-
@Dashrender said:
OK wow, no love for Defender offline here.
I guess I'll have to get a live CD with Clam AV on it.
You mean BitDefender?
-
@dafyre said:
@Dashrender said:
OK wow, no love for Defender offline here.
I guess I'll have to get a live CD with Clam AV on it.
You mean BitDefender?
No, MS Defender offline.
windows.microsoft.com/en-us/windows/what-is-windows-defender-offline
-
@Dashrender Never heard of it.... runs off to read
-
@dafyre said:
@Dashrender Never heard of it.... runs off to read
I've been using it for at least 2 years, if not more like 4.
-
@Dashrender said:
@dafyre said:
@Dashrender Never heard of it.... runs off to read
I've been using it for at least 2 years, if not more like 4.
Does it work well?
-
@dafyre said:
@Dashrender said:
@dafyre said:
@Dashrender Never heard of it.... runs off to read
I've been using it for at least 2 years, if not more like 4.
Does it work well?
It does find things from time to time. I will have to do double scans for the next few times, once with Clam and again with Defender Offline and see if they show different things - though now that i think about that.. that won't work.. as the first AV should get rid of any badies on there.