RootKit.0Access not found by DART 7.0 but is found by Malwarebytes?

Answered: RootKit.0Access not found by DART 7.0 but is found by Malwarebytes?

  • July 26, 2012 7:51 PM

    Hey there,

    We are trying to test the DART 7.0 and make it our standard for offline scanning and removal of malicious software, malware, trojans, etc. We had an infected Win 7 32 bit box that DART cleaned Medfosgen!A, Karagany.I, and Winwebsec from. We then scanned the PC with Malwarebytes and it found in %appdata%\local\XXXXXXXXXXXXX (rootkit.0Access). This PC is in a Win 2008 R2 domain and is set up so end users have standard user access, not admin access. There were no associated reg keys, just this file in the user profile and one other file Malwarebytes found in %appdata%\local\temp\XXXXXXXXX (Affiliate.Downloader). Are these threats that differ from what was found and cleaned by DART? Why didn't DART find them and clean them if they are a threat? Just as a note, I did update the signatures for System Sweeper before scanning, and the scan was performed on 7\25\2012. Thanks for your help with this.

All replies

  • July 26, 2012 8:11 PM
    You mention the PC is in a domain with end users having std user access.  Did you run it under the user account?  If so, try running under a local Admin account and see if that picks it up.
  • July 26, 2012 8:21 PM
    You do not run DART under any user accounts; it runs off a flash drive in WinPE. DART does not operate through the OS that is compromised but runs with its own OS. Maybe you are not familiar with DART, but thanks for trying.

    John McLaughlin

  • July 26, 2012 9:19 PM

    The only thing that I can remember - and please keep in mind it's been a few years since I've done DSS - it used to be possible that the user files were inaccessible except to either a local admin or the user, even in a WinPE environment.  While my memory is rusty it seems either this or a variant of it could easily explain the problems you're having.

    *Edit* Again, it's been a while but isn't it common to add network & domain support in the WinPE build to handle this case?

    • Edited by garwynn July 26, 2012 9:24 PM
  • July 27, 2012 1:10 PM

    I do appreciate you trying to help, but things have changed drastically on how to properly combat malware. The tool purposely is not integrated with AD, and the tool scans the drive offline, meaning everything relating to the file system and the files and the drive are under the control of the recovery console and Diagnostic and Recovery Toolset running off the thumb drive, not the OS or its ACLs or DACLs. The purpose and reason behind this approach is multi-layered:

    1. All files are totally accessible and not locked by the OS that is installed on the drive and compromised already
    2. The environment in charge of doing the work has no chance of being compromised, i.e. DART in a WinPE environment
    3. This is a licensed tool available only to Software Assurance customers and paid TechNet subscriptions, which makes it more difficult for the reverse-engineering community to get hold of it and try to compromise the tool
    4. The tool employs a Microsoft technology called System Sweeper Standalone, which can get new definitions and signatures daily
    5. The Microsoft SpyNet community is behind the research and future updating and success of this tool, which is a fairly large community that continues to grow

    Anyway, this may not be the correct forum for my questions and problems. Thanks for your help though!


    John McLaughlin

  • August 3, 2012 2:45 AM
    Moderator

    Hi,


    Please understand that Microsoft Diagnostics and Recovery Toolset is used to help you quickly troubleshoot and repair Windows®-based desktops by providing tools. In my opinion, it may not be usable for scanning for viruses in place of dedicated antivirus programs.


    Please refer to this document.

    http://technet.microsoft.com/en-us/library/ee532075.aspx


    Kim Zhou

    TechNet Community Support

  • August 3, 2012 8:53 AM
     Answered

    From my experience, Malwarebytes Anti-Malware in general does a better job at cleaning out things that other MS and non-MS antivirus/malware software cannot find or deal with. I cannot say that the files found by Malwarebytes Anti-Malware are related to what was cleaned out by System Sweeper in DaRT in the first scan, but as with all antivirus/antimalware products the signature files differ, and that could be an explanation of why System Sweeper did not find all malware or related files.


    Blogging about Windows for IT pros at www.theexperienceblog.com