Open Source

Rescue CDs: Tips for fighting malware

Using rescue CDs to ferret out malware is a great idea, in theory at least. Getting them to actually work is another story. Don't make the same mistakes I did.

Using rescue CDs to ferret out malware is a great idea, in theory at least. Getting them to actually work is another story. Don't make the same mistakes I did.

————————————————————————————————————————————-

Malware is sophisticated enough to manipulate the host computer's operating system to help it hide. That's why rescue CDs are becoming the go-to malware detection and removal technology.

What is a rescue CD

Anti-malware rescue CDs are bootable operating systems that take control of a computer's hardware. Since the computer's operating system is inactive, so is any installed malware. That's where we get the upper hand; malware can't activate any defense to avoid being detected by the anti-malware program installed on the rescue CD.

A stumbling block

Before I present the rescue CDs I reviewed, I want to point out some mistakes I made when using rescue CDs. One embarrassing mistake happened during a visit to a client. It was the wrong time for me to realize that certain versions of rescue CDs require a new .iso file to get the latest signature definitions.

After that oops, I made sure I used rescue-CD applications that can download and incorporate the latest signature files without needing to rebuild the CD.

That brings me to my next mistake. I typically don't give much thought to whether the network connection is hard-wired or Wi-Fi. I assumed rescue CDs would be able to update using either. That's not always true. In some cases, rescue-CD apps will not recognize the wireless network adapter.

Here they are

The following rescue-CD applications always get good reviews and do well in independent testing. And, they are all capable of updating their signature database via an Internet connection:

AVG Rescue CD

Base: Linux (77 MB)

Configured to create either a bootable CD or USB drive

Signature Update: Online update or downloaded signature file

Avira AntiVir Rescue System

Base: Linux (47 MB)

Signature Update: Downloaded signature file

BitDefender Rescue CD

Base: Linux (228 MB)

Signature Update: Online update or downloaded signature file

Dr.Web LiveCD

Base: Linux (65 MB)

Signature Update: Online update

F-Secure Rescue CD

Base: Linux (155 MB)

Signature Update: Online update or downloaded signature file.

Kaspersky Rescue CD

Base: Linux (103 MB)

Signature Update: Online update

Norton Recovery Tool

Base: Windows Vista PE (241 MB)

Signature Update: Online update

Best at detecting malware

Avira's AntiVir Rescue System is consistently on top when it comes to malware detection. Virus Bulletin is a well-known test house for anti-malware, and they place AntiVir Rescue System first (registration is required).

A close second is BitDefender Rescue CD. To many system admins being second is not an issue. That's because BitDefender Rescue CD has many attributes that make their job easier.

Most features

BitDefender Rescue CD outclasses the entire group when it comes to features. That's in large part due to BitDefender using Knoppix, a well-thought-out Linux distro. It has many third-party apps such as ChkRootKit, Nessus Network Scanner, Partition Image, and GtkRecover. One additional convenient feature is the inclusion of the Firefox Web browser.

Create a rescue flash drive

Most rescue CD applications require converting an .iso file to make a bootable CD. If that seems confusing, this link to the Petri Web site will help explain. With netbooks becoming popular, using a rescue CD isn't an option. One way to resolve that is to use UNetbootin. It is an application that will create a bootable flash drive from any of the above rescue-CD .iso files. I have to admit though, it's a cumbersome process.

Thankfully, AVG Rescue CD has an alternative answer. Simply download the rescue file specifically developed for flash drives, extract the contents of the file to the flash drive, and click on makeboot.bat. That's it. You now have an AVG Rescue Flash Drive.

OS boot sequence

One other consideration that needs to be addressed is the boot sequence of the computer being worked on. If you are using a rescue CD, the CD drive has to be moved to the top of the list. If you are using a netbook, more than likely the USB drive will already be first on the list and not a problem.

My rescue-CD wish list

Many things have to go right for rescue CDs to work. It doesn't have to be that way. All it would take is the following:

  • Make it simple to create "rescue flash drives." Why? They can be easily updated without involving access to the computer's operating system or having to recreate the CD.
  • Make sure theĀ BIOS software recognizes USB drives in their boot sequences.
Final thoughts

Rescue CDs and rescue flash drives will become more important as malware writers figure out better ways to obfuscate their code. Rootkits come to mind as they are the forerunners of deception.

If you prefer a rescue-CD application not listed here, I would appreciate learning about your experience.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks