From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Imaging Operating Systems

Michael Schaefer <mbs@...trealm.com> wrote:

> We are building a Windows test system, to try out tool bars, spy ware,
> malware and trojans on.
> 
> Once we learn what we need to know, we obviously want to get rid of the
> junk quickly and cleanly.
> 
> I keep hearing suggestions about having a "clean image" to transfer onto
> the computer.
> 
> Can anyone send some details?

The most common approaches to this are the use of virtual machines 
(VMWare, Virtual PC, etc) and drive image backups (Ghost, etc).  There 
are pros and cons to each and common pitfalls and issues to consider 
carefully when setting this all up...

Depending on the Windows OS version(s) you wish to use and the number 
of "identical" machines you may want to run at once, using imaging 
software and multiple PCs will likely run into issues with software 
activation because although you may use machines with "identical" 
hardware configurations, the activation system will still detect the 
differences (e.g. IDE drive serial numbers) and complain, may stop 
running after the grace period, etc.  With emulation, multiple virtual 
machines using the same image should actually seem to be the same to 
the activation system and thus avoid these kinds of problems (at least, 
that is, until an upgrade to the VM product also "upgrades" the 
emulated hardware...).

Of course, virtualization has a performance penalty, so unless you have 
reasonably hefty machines on which to run your test VMs, you may find 
it all a bit clunky.  Virtualization is also detectable (much like 
running the code under a debugger is) and some of the stuff you may 
want to look at is now detecting at least VMWare and acting differently 
if it detects it is running under VMWare.

> Is there an official Microsoft way to do this?

Offhand I don't recall any MS drive imaging backup software, but MS 
recently (in the last year?) bought Connectix (makers of Virtual PC) so 
if the pros and cons of both approaches do not prevent you considering 
virtual machine technology, I guess Virtual PC is the "official" MS way 
for doing this stuff.  (From a very recent demonstration I saw at a 
conference, I'd say it is a fair bet that PSS analysts use Virtual PC 
for a lot of their diagnosis of customer problems involving spyware, 
adware and other suspect-ware.)

> Is some sort of over the network OS installation script in order here?

This is another option I did not specifically consider above as it will 
almost always (especially with Windows!) result in slower "re-imaging" 
times than copying "clean" VM image files or restoring a compressed 
image backup (even over the network).  Further, it does not give you 
"the same disk image" as the starting point for your next analysis or 
for starting over if you scr*w something up.  PCs "re-imaged" this way 
should be functionally equivalent, but the actual location of stuff on 
disk and some of the starting config values and so on will be subtly 
different.  In fact, the latter may even be advisable as two machines 
re-imaged from the same image backup will have certain registry values the 
same which would normally not happen.  This approach also side-steps 
the "activation dance" (for OSes affected by such) that true imaging 
approaches can suffer.

Regardless of which way you decide to go, carefully consider bandwidth 
and image/install directory storage issues and network connectivity.

> Are there other vendors that do a better job?

Than MS?  Do you really have to ask??   8-)

(Actually, I've not done comparative tests of VMWare -- which I use -- 
against Virtual PC and the latter was originally not developed by 
MS...)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

