Spybot 2.0: cleaning concepts

With the rise of rootkits and professional malware, cleaning them away has become more and more important and should earn a more prominent position next to scanning.

The cleaning concept in Spybot-S&D 1.x is already doing a lot, like for example trying more than a dozen methods to get rid of files. It's a bit one-dimensional though, and one of its worst disadvantages is the need to sometimes do a complete rescan on boot to clean up some files. Cleaning in Spybot 2.0 will therefore be separated into multiple stages, of which only the necessary ones will be performed, of course:

  1. Direct Cleaning (stage 1): right after an on-demand scan, you will be able to remove malware much as you're already used to. Items that cannot be removed because they're in use by sensitive parts of the Operating System and cannot even be unloaded are queued for removal after a reboot.
  2. Elevated Cleaning (stage 2): the first new part is that if you are not an administrator, or, on Vista, have scanned without elevating, Spybot will offer to elevate or log in as administrator and continue cleaning with full privileges and without the need to rescan. This separate cleaner module will clean up the results of your last scan at any given time, for example at boot time.
  3. After Login Cleaning (stage 5): an attempt at removing files through the "old" methods of running removal after login still exists, though no longer using the command interpreter, but our dedicated cleaner, making it more transparent what has been done. This is still necessary to deal with stuff that is not available in stage 3 or 4, e.g. user specific registry entries.
  4. Before Login Cleaning (stage 4): malware sometimes loads even before the user logs in, and since removing malware should take place before malware loads, this is a place where we've put another, silent stage of the cleaning process. Whenever there are unprocessed scan results still open, another attempt of removal takes place here.
  5. Early Reboot Cleaning (stage 3): what is the earliest place one could start removing malware? You might have noticed Microsoft's disk checking takes place while Windows still loads - simple text on a blue or black background. This is not the Windows you know at all, but the pure Operating System. For really heavy cases, we start removing malware here.
    In case you wonder whether this does not make stage 4 superfluous: for performance reasons, this stage contains only the most important cleaning routines.

Again, this all should happen with the goal that things get easier rather than more complicated for the user, which for example is one reason why stage 4 happens silently and the confusing short flashing of the command prompt in the predecessor of stage 5 had to go.
 
I like these concepts, sounds good to me. ;) Nothing I can add here.

P.S.: I hope that xpsunny is happy now that I answered in English and not in German. :D
 
How will it decide which cleaning stage to use? If it makes a bad decision (selects 3 instead of 4 or 5) and ends up unable to delete something, you end up rescanning the whole system again, as the malware very likely reinstalls itself under some other random name. And how about malware that creates new randomly named files at system restart and deletes its old entries?
 
The stages all happen (in the order of their numbers), except that those not necessary are silent :) In each stage, it'll check if an entry has been marked as cleared before, check if it is visible (if it is not, but has not been cleared either, visibility cannot be used as a clean-argument later), and then go for it.

Malware that creates new random names at startup should be countered through the early stages that should run before the malware is able to do anything on restart. But the cleaning instruction mechanism does indeed include options for using more than a file name to identify files. Not that this would be much more than a miniature scan ;)

And then there's this feature request that solves the issue you've addressed better I think.
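To make the staged pipeline from the opening post and the per-stage check described in the reply above concrete, here is an added simulation in Python. It is not Spybot's code; the rules for what each stage can reach (privilege needed in stage 1, items locked by the OS while Windows runs, user hives being unavailable before login, only critical items in the slim early-reboot stage) are assumptions chosen to mirror the descriptions in this thread, and the scan results are constructed samples.

```python
from dataclasses import dataclass, field

# Stage numbers and names as given in the thread. The post lists them in a
# different order, but the reply states they execute in numeric order.
STAGES = {1: "direct", 2: "elevated", 3: "early_reboot",
          4: "before_login", 5: "after_login"}


@dataclass
class ScanResult:
    name: str
    kind: str                          # "file" or "user_registry" (per-user hive)
    in_use: bool = False               # locked by a sensitive OS part while Windows runs
    critical: bool = False             # important enough for the slim early-reboot stage
    hidden_in: frozenset = frozenset() # stages in which a rootkit hides the item
    cleared: bool = False
    log: list = field(default_factory=list)


def _blocker(stage, item, elevated):
    """Return why `stage` cannot remove `item`, or None if it can (assumed rules)."""
    if stage in item.hidden_in:
        # Not visible but not cleared either: absence must never count as success.
        return "not visible, left uncleared"
    if stage in (1, 2) and item.in_use:
        return "in use by the OS, queued for reboot"
    if stage == 1 and not elevated and item.kind == "file":
        return "insufficient privileges"
    if stage == 3 and not item.critical:
        return "not critical enough for early reboot"
    if stage in (3, 4) and item.kind == "user_registry":
        return "user hive not loaded before login"
    return None


def run_stage(stage, items, elevated):
    """Try every entry not yet marked cleared; return the names removed here."""
    removed = []
    for item in items:
        if item.cleared:               # marked cleared by an earlier stage
            continue
        why = _blocker(stage, item, elevated)
        if why is None:
            item.cleared = True
            item.log.append((stage, "removed"))
            removed.append(item.name)
        else:
            item.log.append((stage, why))
    return removed


def clean(items, elevated_at_scan):
    """Run all stages in numeric order; a stage with nothing left to do is silent."""
    report = {}
    for stage in sorted(STAGES):
        if stage == 2 and elevated_at_scan:
            report[STAGES[stage]] = "skipped (scan already elevated)"
            continue
        if all(i.cleared for i in items):
            report[STAGES[stage]] = "silent"
            continue
        elevated = elevated_at_scan or stage >= 2  # stages 2+ run with full rights
        report[STAGES[stage]] = run_stage(stage, items, elevated)
    return report


def sample_results():
    # Constructed sample scan results, not real detections.
    return [
        ScanResult("adware.dll", "file"),
        ScanResult("rootkit.sys", "file", in_use=True, critical=True),
        ScanResult("dropper.exe", "file", in_use=True),
        ScanResult("HKCU Run entry (constructed)", "user_registry",
                   hidden_in=frozenset({1, 2})),  # hidden while the rootkit runs
    ]


if __name__ == "__main__":
    items = sample_results()
    for stage, result in clean(items, elevated_at_scan=False).items():
        print(f"{stage:13}: {result}")
    for item in items:
        print(item.name, item.log)
```

Running it with a non-elevated scan shows the hand-off the reply describes: the direct stage removes nothing, the elevated stage takes the plain file, the in-use driver waits for the early-reboot stage, the non-critical dropper falls to the before-login stage, and the registry entry that was hidden while the rootkit ran is only cleared after login, because its earlier invisibility was never treated as a clean result.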
 
How about temporarily locking the drive for removal of malware... something similar to what is done when you create a System Restore point...
 
Nice idea...

I'm not really sure if system restore points do lock the system. With system restore points, the important issue is to access files even if they're opened and flagged as "share none" - no other app should be allowed to access them. Accessing them is done through VSS, something we already support as well, but that helps only in accessing files in a specified state, not locking the system for changes.
 
Another Idea....

Using the VSS mode, get the properties of the malware file, then somehow create a dummy harmless file that resembles the malware. Somehow redirect the malware execution path to the dummy file... now the original malware would be unloaded... and then delete the malware...
 