Spyware Choices


JoDad


Quick newbie question on best way (and products) to check and clean spyware. From previous postings I see ad aware and spybot worked for Barts but does it also work for MS WinPE? Does it make the best sense to run these from WINPE or from within the Desktop OS where they can access live registry? Or is best approach a combination?

I am thinking about running anti-spyware programs then running first step to check for root hacks on Desk OS then restarting with WINPE to check again and run second step of root hack check comparing results.

Input from anyone else that's done/doing/researching would be appreciated.

Thanks,

Jodad



Hi JoDad! BartPE is a more universal tool - WinPE is designed for deployment purposes and it was not developed for the purposes you would like to use it for.

About offline/online - I assume you are talking about rootkits. The best method for detecting rootkits is comparison (high-level vs. low-level scan, like RootkitRevealer from SysInternals works). A really easy, but still powerful detector is the Ghostbuster research from Microsoft. You scan your filesystem from Windows (and save it to a file), then boot to the PE medium, scan your filesystem (and save the results to a file) and finally compare these two files.


Hi Soulin, thanks for the input. I have gathered that Bart's has more people writing for it so it will do more at this time, but the licensing is totally different if I am reading it correctly. We are licensed for WinPE and I am trying to add tool functionality along with installations. Kind of a one-stop-shop thing. It seems that others are doing this also for various reasons, so I am assuming that it can all be done on both platforms. It seems Bart's took off because MS gave their version a very small target market and gave it a much smaller functional OS base in the earliest versions. I readily admit my ignorance though, so if I am mistaken please let me know. If I try to deploy a tools disk to my helpdesk using BartPE, do I need a separate XP license for each CD I create? I already have most of the tool licenses for the plug-ins I see that I would be using.

My question was more along the lines of theory vs. reality. For example, a scan for viruses is better done offline so all files can be accessed and any viruses cannot mask themselves through the OS. Do the spyware scans work the same way, or do they perform better within the OS? Knowing this would help me target my research and development towards the better path.


It depends on the plugin you are using to scan.

I know there is a plugin for Ad-Aware that uses another plugin called RunScanner, which allows the registry to be pulled off of the system so that you scan it instead of the PE disk's registry. Sometimes within PE you can get rid of spyware that won't delete within the OS because of permissions. So sometimes it is better done inside of the PE environment. But it is still good to do a scan inside of the OS afterwards... just in case something was missed.

I find that some things tend to be buggy in the PE environment sometimes. So it is always good to be careful. But I believe that the PE environment is definitely a good way to scan. Especially if the computer is inaccessible due to spyware/viruses that stop it from booting all the way. There are also many other tools which are useful in the BartPE arsenal.


...It seems Bart's took off because MS gave their version a very small target market and gave it a much smaller functional OS base in the earliest versions. I readily admit my ignorance though, so if I am mistaken please let me know. If I try to deploy a tools disk to my helpdesk using BartPE, do I need a separate XP license for each CD I create? I already have most of the tool licenses for the plug-ins I see that I would be using.

All BartPE was/is is a reverse engineered version of WinPE with a different build process (that others have hacked new bits into)... I wouldn't even bother with Bart's if you are using this within your company - you are walking a fine legal line with Microsoft... Anyone who advises you on how many/what kind of licenses you need to stay in compliance with is pulling advice out of their bum... Unless they work for Microsoft licensing.

BTW, you can accomplish what you want from WinPE...


Thanks for the feedback. I will be staying with MS WinPE to avoid even approaching the line of quasi-legal, since it is for company use.

On my original question, I think I will try the dual approach in which we will:

1. Run a local scan on the PC using the desktop OS

2. Run the dir-to-text from the desktop OS (rootkit check step 1)

3. Boot into WinPE and run the scans again

4. Run the dir-to-text from WinPE (rootkit check step 2)

5. Compare the two result files using windiff (rootkit check step 3)

I appreciate the tips on different scanners and will be checking them out to see what will work best for our environment. I am hoping that if I run into snags on implementation I can look at how people solved it using Bart's and see the processes used, as well as the excellent assistance on this forum.
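The cross-view comparison that Soulin describes (scan from Windows, scan again from the PE medium, diff the two files) and the five-step plan above both come down to the same check: anything the offline listing shows that the live OS did not report is a candidate for something hiding from the running system. The script below is an added example written for this thread, not code from any poster or from RootkitRevealer/Ghostbuster. It assumes both listings were produced with `dir <drive>\ /s /b /a > file.txt`, that the system volume may carry a different drive letter under WinPE (so drive letters are stripped before comparing), and that the sample listings embedded here are constructed for illustration.

```python
"""Cross-view comparison of two 'dir /s /b /a' listings.

Added example (not from the thread): the online listing was taken from the
running desktop OS, the offline listing from WinPE. A file that the offline
view shows but the online view does not is a candidate for something hiding
from the live OS (the signal RootkitRevealer / Ghostbuster style tools use).
"""
import re

# Constructed sample listings. In practice these come from
#   dir C:\ /s /b /a > online.txt   (run from the desktop OS)
#   dir D:\ /s /b /a > offline.txt  (run from WinPE, where the system
#                                    volume often has a different drive letter)
ONLINE_LISTING = """\
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\drivers\\etc\\hosts
C:\\Documents and Settings\\user\\My Documents\\notes.txt
C:\\pagefile.sys
C:\\online.txt
"""

OFFLINE_LISTING = """\
D:\\WINDOWS\\system32\\kernel32.dll
D:\\WINDOWS\\system32\\drivers\\etc\\hosts
D:\\WINDOWS\\system32\\drivers\\hidden.sys
D:\\Documents and Settings\\user\\My Documents\\notes.txt
D:\\pagefile.sys
D:\\offline.txt
"""

# Paths that legitimately differ between the two views: the listing files
# themselves, and volatile files Windows rewrites on every boot.
# Assumption: these are the only expected differences; tune per environment.
EXPECTED_DIFFERENCES = {
    r"\online.txt",
    r"\offline.txt",
    r"\pagefile.sys",
    r"\hiberfil.sys",
}

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def normalize(path):
    """Strip the drive letter and fold case so C:\\Foo and d:\\FOO compare equal."""
    path = _DRIVE_PREFIX.sub("", path.strip())
    return path.lower()


def parse_listing(text):
    """Return the set of normalized paths in a 'dir /s /b' style listing."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def cross_view_diff(online_text, offline_text, expected=EXPECTED_DIFFERENCES):
    """Compare online and offline listings.

    Returns (hidden_from_online, missing_offline): paths only the offline
    scan saw (the interesting ones) and paths only the online scan saw.
    """
    online = parse_listing(online_text)
    offline = parse_listing(offline_text)
    ignore = {normalize(p) for p in expected}
    hidden = sorted((offline - online) - ignore)
    missing = sorted((online - offline) - ignore)
    return hidden, missing


if __name__ == "__main__":
    hidden, missing = cross_view_diff(ONLINE_LISTING, OFFLINE_LISTING)
    print("Seen offline but not by the live OS (investigate):")
    for p in hidden:
        print("  ", p)
    print("Seen online only (usually transient):")
    for p in missing:
        print("  ", p)
```

Running it on the constructed listings reports only `\windows\system32\drivers\hidden.sys` as present offline but absent online; the listing files and the pagefile are filtered out as expected differences. Against real listings, treat the "seen offline only" set as the list to investigate and the "seen online only" set as mostly transient files created during the live session, and extend EXPECTED_DIFFERENCES rather than loosening the comparison when a known-good path keeps showing up.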


BartPE is legal to use though, as long as you use your own copy of Windows XP/2003

That is an assumption Bart made and has repeated. I don't believe he is a lawyer, and I don't believe his statement has been endorsed or validated by Microsoft in any way... Frankly while BartPE does have a better process for adding in additional components, it's still not as smooth as Windows XP Embedded if one is trying to actually build an embedded operating system - which WinPE was never designed to be - though it seems many on this board want to try and make it.


2getwired: Microsoft is taking BartPE as a serious "enemy". If it were illegal, they would fight against it.

The problem with XP Embedded is that it is too expensive for an antispyware tool :(

Find where in the EULA for XP it says it is acceptable, and then I'll stop saying that. It isn't within the bounds of the XP EULA.

The problem with XP Embedded isn't the price, it's that it was never designed to be a multi-platform (white box) solution. It was designed for embedded single source (black box) devices. WinPE is the solution that was designed for multi-system booting for deployment, and later licensed to ISV's for recovery, backup, deployment, and could be for spyware as well - but I have not seen that done so far.


Find where in the EULA for XP it says it is acceptable

I may be mistaken, but it doesn't have to be in the EULA. It’s a little bit of Federal law called "Fair Use". As far as the EULA is concerned, it hasn't been tested in court about whether or not it's even legally binding.

Fair Use and the right of first purchase have been around for a while and are proven in court. Can't say the same for the EULA.

If you followed BartsPE when it first came out, Microsoft did attack it, and quickly I might add. All they came up with was copyright violations. These have since been addressed, and Microsoft isn't doing anything towards BartsPE now.


Find where in the EULA for XP it says it is acceptable

I may be mistaken, but it doesn't have to be in the EULA. It’s a little bit of Federal law called "Fair Use". As far as the EULA is concerned, it hasn't been tested in court about whether or not it's even legally binding.

Fair Use and the right of first purchase have been around for a while and are proven in court. Can't say the same for the EULA.

If you followed BartsPE when it first came out, Microsoft did attack it, and quickly I might add. All they came up with was copyright violations. These have since been addressed, and Microsoft isn't doing anything towards BartsPE now.

When it comes to software, unless it is in the EULA, it is a hazy gray area. Fair use has been proven when it comes to video content. It has not been proven with software.

It's not rocket science to take a 64-bit copy of Windows XP and twist it into 64-bit Server 2003. You're still using the same binaries - and the EULA likely doesn't say anything to that point - but do you think that's legal? That is exactly what is done with BartPE - it's a reverse engineering of a Microsoft product, end-arounding a licensing avenue Microsoft has in place.

I did follow BartPE from the beginning - and I believe that it is still a gray area - but Microsoft is standing off for now. Personally I don't think they're keen to create the melee about it that the RIAA has done over recorded music. I believe any company that uses BartPE to any significant extent is potentially putting themselves in an uncomfortable place, legally.


:o Sorry, I did not intend for this to be a Bart version vs. MS version debate. I have to say though that I do not think MS will mind too much if the Bart build is used/created the way Bart's post says it is supposed to be used. I mean, if you buy a new copy of the XP or 2003 license for each CD you generate, then I think you are proving the intent is not to defraud MS but to expand the utility or usage of their products.
