Microsoft’s New Tool Goes After Viruses Buried Deep in the OS

Coal Miner

We often discover malware on our PCs only when it shows itself as fake anti-spyware: a pop-up announces that you are infected and points you to a website which, for $49, will cure it. But these FakeAVs account for only about 20 percent of the malware in circulation. Most of it is built to stay out of sight, and a growing share is protected by a rootkit, which conventional AV software running on the infected machine cannot detect.

A rootkit is not simply a hidden file in the directory tree. It is code that subverts the operating system itself, typically by hooking the system calls and kernel structures that enumerate files, processes, registry keys and network connections, so that its own components and the malware it protects are filtered out of every listing the OS returns. That is why AV software running on the compromised machine is helpless: it asks the infected OS what is on the disk and is handed a lie. To see what is really there you have to read the disk from a clean copy of Windows that the rootkit never loaded into.

In May, Microsoft released a beta of Standalone System Sweeper, a bootable recovery tool built on Windows PE (the Preinstallation Environment). You boot the PC from the Sweeper media instead of from the hard disk, so the installed, possibly infected, copy of Windows never runs; the scanner reads the disk as inert data, much as if you had pulled the drive and attached it to a clean machine, and the rootkit's hooks never get a chance to hide anything. Standalone System Sweeper comes in 32- and 64-bit flavors and boots from a CD, DVD or USB thumb drive.

In my test, the scan took about 40 minutes on a 32-bit Windows XP machine with Office 2003. The tool offered choices (such as file extensions to skip) and offered to download the latest signatures.

In the enterprise it's common to reimage or replace an infected machine, but this tool is also useful for scanning the image itself for hidden malware. All you need is a PC that can boot from USB or optical media and an Internet connection to fetch current definitions when you build the boot media. For home users or smaller companies, it's best used on a regular basis to check for and remove rootkits and viruses, saving a day's work of reinstalling the OS, the applications and settings. Two caveats: a clean result is only as good as the signatures on the media, so rebuild it before each use rather than reusing a months-old disc; and once a kernel-level rootkit has been confirmed, a reimage remains the safer choice over trusting a cleanup.

Photo: New York Public Library


4 Responses to “Microsoft’s New Tool Goes After Viruses Buried Deep in the OS”

June 16, 2011 at 2:00 pm, Dan said:

So? You run a test, what are the conclusions? Did your test produce any results, such as viruses?

You left us hanging in there for some idea on its practical usefulness.


June 16, 2011 at 10:13 pm, Hanan said:

And… what happens? Can this version be downloaded for free? how is it different than rootkits tools such as combofix?


June 17, 2011 at 6:34 am, Dino said:

I found nothing on my machine, so I tried it on two or three other PCs where I work where I had a strong suspicion and was surprised to find nothing.


June 17, 2011 at 8:20 am, Dino Londis said:

@Hanan, most rootkits run within the operating system. This one is an operating system of its own that the PC boots to. It's a complement to other tools MS has released: Security Essentials and the Malicious Software Removal Tool, which comes via Windows Update.

I wrote that you can boot to a USB, but you may want to burn a disk because nothing can write to a disk.

