Ghost 15: complete beginner questions

Hello,

I'm purchasing Ghost 15 primarily to make restore images in the event of severe infection or other system failure.

1. Will using Ghost 15 really enable me to restore my system in the case of any severe infection? I emailed Norton tech support with this question and the reply was, "No." But I don't see why not? By the way, I have also purchased NIS 10, so I'm not planning on relying on ONLY Ghost for malware.

2. I checked the one- and two-star reviews on Amazon.com for Ghost 15, and a number of reviewers (who seem to be proficient users if not professionals) reported that Ghost could not find the destination drive for back-up.

- Why couldn't Ghost find the destination drives?

- Is there ever a problem with Ghost not recognizing the internal HD at restoration?

- What should I look for when selecting a USB 2.0 external HD to work with Ghost?

(If it makes any difference, the internal HD in my XP pc is an Enhanced IDE (ATA-5) HD.)

Thanks-


Thanks Brian,

Yes, I'm sure the vast majority of users have no hardware issues. Just wanted to check...

Two more quick questions:

1. Do you find many posts on this Forum from users having issues with Restore? Would you recommend doing a test-restore (with a 3rd HD)?

2. Is it OK to ask if the Gurus on the various Norton Community Forums are Symantec employees? If not, who are you?

Thanks again-

Hi clearlight2012,

Welcome to the Norton Community.

I wanted to add just one small note of caution regarding restoring your system drive in the event of a malware infection.

It is very true that 99% of the time this will remove the malware, but there is a small percentage of the time, particularly with rootkit infections, where this may not work. Rootkits are particularly nasty infections which bury their roots deep inside the boot sector and go to great lengths to protect themselves. There are unusual cases where basically nothing but knowledgeable and targeted removal or a LOW level format will clear the infection.

I don't say this to cause undue concern, but it does happen, though it is pretty unusual. So I just wanted you to be aware of this.

I am happy that you are also using NIS 2010 since nothing (including Ghost) is a substitute for good anti-virus software.

Regarding Gurus: Gurus are not Symantec employees but are directly appointed by Symantec as product experts with the best interest of the end user as the most important thing.

Please see the following post made by a Symantec employee for a bit more detail on Gurus and other user levels on the forums.

http://community.norton.com/t5/Forum-Feedback/Gurus-Volunteers-and-other-ranks-to-know/m-p/69823

BTW, you can always recognize Symantec employees as their names are in RED.

Hope this helps.

Allen

Thanks Allen. I don't know whether you are still around, but I just looked up both "LLF" and "rootkit" on Wikipedia. The article on rootkits is brilliant.

I've heard that, as good as NIS10 is, rootkits are still a problem for it.

As the article says, prevention is much better than removal. But rootkits can come in on Trojans and worms.

Do you have any specific advice on prevention?

Thanks-

Hi clearlight2012,

Rootkits are particularly dangerous and notoriously hard to get rid of. They typically require explicit expertise to remove them properly and completely.

It is very common that once you get an active rootkit infection, very few anti-virus programs will be able to detect them, at least while Windows is running. They actually typically hide themselves even below driver level and can even completely fake out the OS.

There are tools which can be run offline by booting to a recovery CD or USB stick that can detect many rootkits, since you are then bypassing the hard drive's boot sector (which is where most rootkits hide themselves). In many, but certainly not near all, cases these offline tools can effectively clean a rootkit off your system.

The reality is that once you have one, you don't want to tackle the removal job on your own unless you have experience in this sort of thing. BleepingComputers is one very popular online service and they have people who are extremely good at rootkit removal along with many other types of malware.

Symantec, like all AV software companies, is constantly making improvements in rootkit removal, and most AV companies have offline bootable tools to help in this process.

As far as prevention goes, the best advice I can give is the following general guidelines:

  • Safe surfing practices - most everyone has heard this term many times, but surprisingly a lot of folks don't really have a true understanding of what this means. Many things come into play here, such as:
    1. Norton SafeWeb - these are the green checkmarks or red X's, etc. that you see on search results. While most people will avoid websites with a red X, ones with a yellow exclamation point or even a ? should also be avoided. More importantly, even ones with a green checkmark are NOT a guarantee of safety since a website can become compromised at any time. Always click with caution.
    2. IE Trusted Zones (or similar feature in other browsers) - these can be set up through IE in Tools > Internet Options > Security. Websites which are trusted can be allowed privileges like being able to enable scripting and such, while non-trusted sites should have some features disabled by default or set to Ask Me first.
    3. Unexpected pop-ups - if you get any unexpected pop-up, do NOT ever answer yes to it, as doing so may bypass the very AV software you rely on for protection because you have now given permission for that action. If it is unexpected, the best thing you can do is be highly suspicious. If you determine that the pop-up is not valid, do NOT even answer NO to it, as this can be treated as a YES if there really is malicious intent behind it. The safest thing in this case (though still not a guarantee) is to click the red X in the upper right corner.
    4. Certificates - if you ever get a warning from your browser or NIS software that a security certificate is expired or has some other sort of problem with the digital verification, be SUSPICIOUS. Many people do not treat this warning as a serious issue and get infected as a result. If there is a problem with the security certificate, you are best advised to NOT continue, and to contact the company involved and have them look into it.
    5. Do not EVER open an attachment in email unless it is expected and is from a trusted sender. If in doubt, contact the sender through other known means to confirm that what was sent is valid.
    6. Do not blindly click on URLs included with emails. Treat this the same as unexpected attachments. Only click on the URL if it comes from a known trusted source and is expected. Know that spammers and other criminals out there go to great lengths to make their email spam look like it is from a legitimate source. Once you click on a URL which is questionable, it could already be too late to prevent it.

I know this all might sound scary, but with proper diligence we can avoid the vast majority of issues. It is about striking the right balance between being cautious but yet not downright paranoid. Obviously if we carry it too far, we would never go online at all, for that is the only guarantee of not becoming infected.

In this life there are no guarantees, so I say enjoy the web, for it has a great wealth of information, but at the same time be cautious and cognizant of what is going on.

I truly enjoy surfing myself and do it extensively, yet in almost 20 years I have only gotten one minor infection. (That is not counting my TEST system which I sometimes purposely infect for testing purposes such as testing NIS 2011 BETA, but that is another story altogether. :smileywink:)

I apologize if I went into too much detail and made it sound too negative, because I don't intend it that way.

Hope this helps a bit.

Best wishes.

Allen

Allen,

A few questions because I don't know the answers.

Let's say your OS is clean and you create an image. The next day your OS becomes infected with a rootkit. You restore your clean image. Is the restored OS infected with a rootkit?

Let's say your OS is clean and you create an image. The next day your OS becomes infected with a rootkit. You wipe your HD several times with zeroes. You restore your clean image. Is the restored OS infected with a rootkit?

It is a fascinating topic.

I think I know those but I have one for you as well Allen.

As you said, rootkits are very hidden, they can hide from Windows and Norton AV since they are "below" the kernel at the "root".

What happens when you use Ghost to do a hot image from within Windows? If a rootkit can hide from Windows and NAV it must be hidden from .NET Framework and Ghost. If that image was restored would the system still be infected?

 

 


Brian_K wrote:

Allen,

A few questions because I don't know the answers.

Let's say your OS is clean and you create an image. The next day your OS becomes infected with a rootkit. You restore your clean image. Is the restored OS infected with a rootkit?

>> There is no cut and dried answer as it depends on the exact rootkit which you are infected with. But some rootkits can survive this process and therefore you could still be infected.

Let's say your OS is clean and you create an image. The next day your OS becomes infected with a rootkit. You wipe your HD several times with zeroes. You restore your clean image. Is the restored OS infected with a rootkit?

>> Your chances are much better provided that the utility overwrites the boot sector as well. A low level format is probably the best option.

It is a fascinating topic.

Hi Brian,

See above. There are also BIOS viruses, e.g., ones which can actually infect your BIOS. However, these are pretty rare and are simply not the target of most malware criminals. This is for the same reason that most malware targets Windows: because it is the most widely used OS on the planet. With the BIOS there are too many different vendors, and the malware would not spread to as many computers if it was designed to infect the BIOS because it would have to be customized to multiple types of BIOS.

Yes it is a fascinating topic. :smileywink:

Allen


DaveH wrote:

I think I know those but I have one for you as well Allen.

As you said, rootkits are very hidden, they can hide from Windows and Norton AV since they are "below" the kernel at the "root".

What happens when you use Ghost to do a hot image from within Windows? If a rootkit can hide from Windows and NAV it must be hidden from .NET Framework and Ghost. If that image was restored would the system still be infected?

Hi Dave,

Interesting question and I can't say for sure, but since Ghost backs up at the sector level (blindly) I would have to say there is a significant risk. A virus can be backed up without Ghost ever knowing that it was there in the first place.

Also remember that once you have a rootkit, your computer defenses are pretty much non-existent for all practical purposes. So if you have a rootkit it is a strong possibility that you have secondary malware infections as well. Of course this is true with most other types of malware as well, since all of them lower your computer defenses, but it is even more true with a rootkit.

As we discussed, most AV software cannot detect a rootkit once it is embedded into your system, but NIS and other AV software can effectively block a rootkit from getting into your system to start with. But if that rootkit finds a way to sneak in under the radar of your AV protection, all bets are off.

Actually here's a good question for Brian. Brian, how much of the boot sector actually gets backed up by Ghost vs. it rebuilding the boot sector on restore based on other information available to it?

Geez, I wish we didn't have so many psychopaths to worry about, and people who write malware are psychopaths! :smileysad:

Allen

Thanks, I always wondered about that.

But when Ghost is doing a hot image, it's not really "blindly" doing a sector-by-sector copy. It's going by the system's file allocation table to only image the sectors that the system says are being used. It's not like a forensic copy that is imaging each and every sector and you're able to later recover files that were previously deleted.

Thinking about something like the old Sony rootkit, it was completely hidden from the Windows APIs.

I would have thought that if something is hidden from Windows it would also have to be hidden from programs that are running "on top" of Windows at a higher level.

I would have thought a cold image would back them up but a hot image would leave some behind. Not the rootkits that may be hidden inside drivers but the ones hidden from Windows.

Hi Dave,

Hence my question to Brian about how much of the boot sector actually gets backed up vs. being recreated during restoral based on other information available to it.

When it comes to rootkits it may well not get backed up, but I certainly would not want to rely on that, considering the risk involved. A lot of it depends on the answer to the question I posed to Brian.

But then you have a catch-22: since you already have a rootkit, whether the rootkit gets backed up or not you have the same problem when it comes to restoral. And that is the distinct possibility that Ghost will not eradicate (no pun intended :smileywink:) the rootkit during restoral.

For the majority of malware (say non-rootkits), they are embedded in files which are listed in the tables and would definitely get backed up.

Allen

No, I wouldn't suggest Ghost as a rootkit removal tool. I was just curious.

Even if it removed super-hidden files, what remained could be enough to re-install it or do a rootkit-repair.

For Brian's questions I would have said that for the first restore it could still be infected ONLY if the virus could be started from the boot sector. Even when Ghost deletes the partition before the restore, it puts the partition back in the exact same place.

Partition recovery tools used to work on the same principle: if you restored the partition boundaries in the exact same place, all your data would still be there and recoverable.

The hard part would be that you would have to know exactly where it was and be able to start it from something that didn't get changed in the restore (BIOS, boot sector, etc.).

However, overwriting a drive removes everything if you're using a proper tool outside of Windows.

Nothing will survive and be usable without data recovery tools and a lot of luck.

I just did a quick Google on rootkits and was amazed at the incorrect terminology. Boot sectors being confused with the MBR.

The MBR is LBA-0, the first sector in the First Track. A track that is not part of any partition. The First Track is backed up and can be restored by Ghost. Ghost calls it the MBR but it is really the First Track, LBA-0 to LBA-62. The Boot Sector is the first sector inside a partition. All partitions have a boot sector.

So when you restore an image, the Boot Sector is always restored but the MBR is only restored at your request.

So which (or both) do rootkits infect? The MBR or the BS?
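
Brian's distinction above (the MBR at LBA-0, the rest of the First Track through LBA-62, and a Boot Sector at the start of each partition) can be checked mechanically after a restore. The following is an added example, not part of the thread and not Ghost's own code: it parses a classic MBR partition table from a constructed 128-sector image, hashes each of those regions, and reports which ones differ from a baseline taken while the system was known clean. The image layout, the placeholder boot code and the tampered bytes are all constructed for the demo.

```python
import hashlib
import struct

SECTOR = 512
FIRST_TRACK_SECTORS = 63          # LBA 0-62 is the first track, outside any partition
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used primary partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0 and count != 0:
            entries.append((ptype, start, count))
    return entries


def region_hashes(img: bytes):
    """SHA-256 of the MBR, the rest of the first track, and every partition's boot sector."""
    def sha(lo, hi):
        return hashlib.sha256(img[lo * SECTOR:hi * SECTOR]).hexdigest()
    out = {"mbr": sha(0, 1), "first_track_rest": sha(1, FIRST_TRACK_SECTORS)}
    for _ptype, start, _count in parse_mbr(img[:SECTOR]):
        out[f"boot_sector@{start}"] = sha(start, start + 1)
    return out


def changed_regions(img: bytes, baseline: dict):
    """Names of regions whose hash differs from the clean baseline (or that appeared/vanished)."""
    current = region_hashes(img)
    return sorted(k for k in set(baseline) | set(current) if baseline.get(k) != current.get(k))


def constructed_clean_image(num_sectors: int = 128) -> bytes:
    """Constructed sample disk: placeholder boot code in the MBR, one NTFS-typed partition at LBA 63."""
    img = bytearray(num_sectors * SECTOR)
    img[0:16] = b"BOOTCODE_SAMPLE_"                      # placeholder, not real boot code
    struct.pack_into(ENTRY_FMT, img, 446, 0x80, b"\x01\x01\x00", 0x07,
                     b"\xfe\xff\xff", FIRST_TRACK_SECTORS, num_sectors - FIRST_TRACK_SECTORS)
    img[510:512] = b"\x55\xaa"
    bs = FIRST_TRACK_SECTORS * SECTOR
    img[bs:bs + 11] = b"\xeb\x52\x90NTFS    "            # typical NTFS boot-sector prologue
    img[bs + 510:bs + 512] = b"\x55\xaa"
    return bytes(img)


def constructed_tampered_image() -> bytes:
    """Same disk with one byte changed in the MBR boot code and one in the partition boot sector."""
    img = bytearray(constructed_clean_image())
    img[3] ^= 0xFF
    img[FIRST_TRACK_SECTORS * SECTOR + 3] ^= 0xFF
    return bytes(img)


if __name__ == "__main__":
    baseline = region_hashes(constructed_clean_image())   # record this while the system is known clean
    print("clean image differs in:", changed_regions(constructed_clean_image(), baseline))
    print("tampered image differs in:", changed_regions(constructed_tampered_image(), baseline))
```

Against a real disk, read the raw device (or a Ghost-restored image) with the same 512-byte sector arithmetic and compare to a baseline stored off the machine.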

Hi Brian,

I am pretty familiar with what a rootkit can do and how difficult it can be to remove, and that it can survive a restoral such as Ghost, but I am not really versed on all the technical details of how they work or on their removal. That is a bit beyond my expertise. I have removed many types of more conventional viruses but I've never had the displeasure of having to actually remove a rootkit infection.

I do know that they are notoriously hard to get rid of and require targeted removal from someone who really knows the techniques and has the right tools. Some offline tools are able to detect and remove them since you are then booting from alternate media besides your infected hard drive. But no single offline tool out there can deal with all rootkits, hence the recommendation is always to consult with a rootkit removal specialist.

I know they can easily survive the typical high level format but most likely not a low level format.

You might want to put a couple of these questions to Delphinium or Quads. They are far more versed on rootkit removal than I am. :smileywink:

Allen

 


AllenM wrote:

You might want to put a couple of these questions to Delphinium or Quads.

Guys,

Any info would be most welcome. I'm particularly interested in how many HD wipes are needed to remove a rootkit. One or many.

One.

One pass will render data unrecoverable. The whole idea about needing multiple passes is overblown and doesn't apply to modern hard drives.

Even Peter Gutmann who invented the "Gutmann 32 pass" admits that multiple passes on modern drives are overkill.

Interesting article here that also links to extensive reports:

http://itknowledgeexchange.techtarget.com/security-corner/the-great-drive-wiping-controversy-settled-at-last/

Even though it says one pass renders it unrecoverable to an electron microscope, I would say that the capabilities of the US NSA are a lot better than that.

But for everyone else, one pass is enough. People never believe me so I tell them to go ahead and do more. Once to remove the data and the rest to satisfy yourself and waste lots of time.

That page also links to my favorite tool, Darik's Boot and Nuke ("DBAN") Disk.

http://www.dban.org/about


Dave,

One pass is my understanding too. But I know next to nothing about rootkits and I'd like to be reassured that a single HD wipe is enough to get rid of them. I've heard they can survive a format but I don't know if they can survive an image restore. These questions are important. Maybe those of us with lots of backup images have less to fear from rootkits. If a restore doesn't remove the rootkit then a HD wipe followed by an image restore should do the trick.

I don't know anything at all about how rootkits actually work.

But at one time years ago I spent a whole lot of time recovering data for some people and became interested in how hard drives work and data recovery.

We should invite one of the rootkit experts here to comment.

What little I do know about data stored on hard drives tells me that it's impossible for anything to "survive" a proper removal.

If you are able to actually overwrite the entire drive at least once, all the data will be gone and you would not be able to recover anything through software.

Nowadays, with modern drives having the tracks so close together and the tolerance of the drive head so tight and precise, it's becoming extremely difficult to use an electron microscope as well. On older drives it was possible because the drive head never tracked "exactly" over the old data, and the small magnetic regions that were "outside" the overwriting track could be scanned, and therefore you could "read a couple of layers down" and find data that was imperfectly overwritten.

However, let's say you overwrite an entire drive. Any virus or rootkit would be gone, simple as that.

I think the myth that a rootkit can survive a format is because people don't understand that a format does not overwrite a drive. A quick format only removes the FAT or MFAT table and the files are left untouched on the drive.

Before Vista, even a "full format" really didn't overwrite the entire drive. It did a quick format and file check and would only overwrite about 20 or 30MB of the drive.

If you ever do a proper overwrite of the drive you'll find that it takes a very long time. Make that a very, very long time.

It becomes obvious that all the formats you ever did before really were not doing much.

So I can only think of a couple of possible ways that a rootkit can survive a format.

1) The rootkit is in a place that does not get replaced or overwritten (BIOS, MBR, or boot sector).

2) A quick format was done (not overwriting the actual files, leaving the rootkit on the drive), and the rootkit gets started from something that was not replaced (little grub-like loader in the MBR or boot sector).

For example 2, there is something similar happening in a popular crack for Windows. A small hidden loader that starts a BIOS emulation before calling up bootmgr.

Although a rootkit may be able to hide from Windows APIs, I know of no Windows virus that can also hide from DOS and Linux.

Assuming that the data portion of the drive is completely overwritten and the MBR is replaced, I don't see how anything could survive unless it was small enough to fit in the BIOS, and I find that equally hard to believe.

But that's just what I think. I think when people say it can survive a format it's because they don't know how to properly overwrite everything.

Dave
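
Dave's point that a quick format leaves the MBR and the file contents untouched, while one full pass of zeros leaves nothing, can be verified by reading the drive back rather than trusting the wiping tool's progress bar. The following is an added example, not from the thread and not from DBAN or any other tool: it scans a constructed 128-sector image, coalesces non-zero LBAs into ranges, and reports whether LBA 0, the rest of the first track and the partition area are actually clear. The `quick_format` and `zero_fill` helpers only simulate those operations on the in-memory sample so the two outcomes can be compared.

```python
SECTOR = 512
FIRST_TRACK_END = 62     # LBA 0-62 is the first track, outside any partition (as Brian described)


def nonzero_sector_ranges(img: bytes):
    """Coalesce every LBA whose 512 bytes are not all zero into (first_lba, last_lba) runs."""
    runs = []
    for lba in range(len(img) // SECTOR):
        if any(img[lba * SECTOR:(lba + 1) * SECTOR]):
            if runs and runs[-1][1] == lba - 1:
                runs[-1][1] = lba                     # extend the current run
            else:
                runs.append([lba, lba])               # start a new run
    return [tuple(r) for r in runs]


def wipe_report(img: bytes) -> dict:
    """Report which regions a wipe left data in: MBR, rest of the first track, partition area."""
    runs = nonzero_sector_ranges(img)
    last_lba = len(img) // SECTOR - 1

    def has_data(lo, hi):
        return any(a <= hi and b >= lo for a, b in runs)

    return {
        "mbr_clear": not has_data(0, 0),
        "first_track_clear": not has_data(1, FIRST_TRACK_END),
        "partition_area_clear": not has_data(FIRST_TRACK_END + 1, last_lba),
        "nonzero_ranges": runs,
    }


def constructed_disk(num_sectors: int = 128) -> bytes:
    """Constructed sample: MBR at LBA 0, boot sector at 63, file table at 64, file data at 70-71."""
    img = bytearray(num_sectors * SECTOR)
    img[0:8] = b"MBRCODE!"                                # stand-in for boot code
    img[510:512] = b"\x55\xaa"
    img[63 * SECTOR:63 * SECTOR + 4] = b"NTFS"             # stand-in boot sector
    img[64 * SECTOR:64 * SECTOR + 9] = b"FILETABLE"        # stand-in file table
    img[70 * SECTOR:72 * SECTOR] = b"A" * (2 * SECTOR)     # stand-in file contents
    return bytes(img)


def quick_format(img: bytes) -> bytes:
    """Simulates the quick format Dave describes: only the file table is cleared."""
    out = bytearray(img)
    out[64 * SECTOR:65 * SECTOR] = bytes(SECTOR)
    return bytes(out)


def zero_fill(img: bytes) -> bytes:
    """Simulates one full pass of zeros over every sector, LBA 0 included."""
    return bytes(len(img))


if __name__ == "__main__":
    disk = constructed_disk()
    print("after quick format:", wipe_report(quick_format(disk)))
    print("after zero fill:   ", wipe_report(zero_fill(disk)))
```

On a real drive, feed `wipe_report` the raw device read back from an offline boot environment; any range it lists is a sector the wipe did not touch.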

 

 

I would think a zero fill of the drive with the drive manufacturer's utility would eradicate everything. If the rootkit, virus, malware, etc. comes back, it isn't from the hard drive. It's from a CD, Flash drive, internet, etc.

There is an area on the drive that you cannot access without special, expensive equipment. It holds the serial number, etc.