
Users unprepared for wipe/restore
Well, looking at what I said, I made it clear that you save the data FIRST. It's not hard. You connect an external drive and copy the data. There are only 2 or 3 directories you need to back up on a Windows system. Or better yet, you boot off known clean media and copy the data off, giving it a good scan in the process to ensure that you aren't helping carry the malware to the new system. Or, like I said, you have a properly designed and configured system on the network, where all of the important information is stored on a server anyway, so it's a moot point. This is always a good opportunity to broach the "regular backups" topic with the user too. If the virus didn't bite them, a dead hard drive could.

In terms of recovery media... again, coming from a background of a proper business network, this isn't an issue. Maybe for consumers it is, but given how manufacturers like to partition the disks so that there's recovery media, that's not an issue in many cases. There are a few makers who force you to pay for the restore media, but I believe that they allow you to download it (don't know, haven't used maker-provided restore media in a while).

Your average malware removal time may be one hour. You may simply think it is. If you haven't seen a system where one virus is the gateway for dozens or hundreds more, you've either been really lucky, or missed something. Remember, the A/V missed the infection before it got running (otherwise you wouldn't be dealing with the infection in the first place). What makes you think it isn't STILL missing some? Trust in the A/V that missed it when the file arrived and let it run in the first place? Give me a break. And the user behavior which allowed the first virus on has a good chance of allowing other viruses on. Not to mention garbageware which looks enough like a legitimate app to not be considered a virus (is Weatherbug still running around?).

On top of that, viruses are known to be self-mutating to sneak past scanners, and many of them attack the scanner itself. How many times have McAfee and Symantec A/Vs been exploited in the last decade?

Once a system has been compromised... that's it. You have zero guarantee that you can find any additional infections. Many rootkits are completely undetectable once they are on there, and they CAN be installed by the virus you managed to wipe out.

Yes, some viruses can be removed with 100% confidence. But past that... it's not worth it. Anything that is able to run a remote code execution attack, for example, leaves you 100% uncertain that it did nothing else, unless you are able to inspect the source code for the virus that was run and figure out precisely what damage it did.

J.Ja
Contributor
Posted by Justin James
26th Feb 2011
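The "save the data FIRST, from clean media" step the post describes, as an added PowerShell example that is not part of the original post or the author's own procedure. It assumes the infected disk has been mounted from clean boot media (e.g. WinPE) at D:\ and the external backup drive at E:\Backup; both drive letters, the list of profile folders worth keeping and the list of executable extensions held back for separate scanning are assumptions for illustration. Only user data is copied; Windows, Program Files and AppData stay behind, since those are where the infection lives and the rebuilt system gets fresh copies anyway.

```powershell
# Added example (not from the original post): copy user data off a Windows
# install before it is wiped. Run from clean boot media with the infected
# system drive mounted at $OfflineRoot and the backup drive at $BackupRoot.
# Both paths are assumptions; adjust to how the drives actually mount.
param(
    [string]$OfflineRoot = 'D:\',        # assumption: infected system drive, mounted from clean media
    [string]$BackupRoot  = 'E:\Backup'   # assumption: external backup drive
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# The handful of per-user folders that hold actual user data. AppData is
# deliberately absent: it is where droppers, browser caches and persistence live.
$profileRoot = Join-Path $OfflineRoot 'Users'
$dataFolders = 'Desktop','Documents','Pictures','Music','Videos','Favorites','Downloads'
$skipProfiles = 'Public','Default','Default User','All Users'

# Anything that can execute or carry a script/macro is not copied into the data
# set. If the user really needs one of these, it gets scanned and restored by hand.
$execExt = '*.exe','*.dll','*.scr','*.com','*.pif','*.bat','*.cmd','*.vbs',
           '*.js','*.jse','*.wsf','*.ps1','*.lnk','*.hta','*.jar','*.msi'

$log = Join-Path $dest 'robocopy.log'

Get-ChildItem -Path $profileRoot -Directory |
    Where-Object { $_.Name -notin $skipProfiles } |
    ForEach-Object {
        $user = $_.Name
        foreach ($folder in $dataFolders) {
            $src = Join-Path $_.FullName $folder
            if (-not (Test-Path -LiteralPath $src)) { continue }
            $dst = Join-Path $dest (Join-Path $user $folder)
            # /E   copy subfolders, including empty ones
            # /COPY:DAT  data, attributes, timestamps; no ACLs from the old box
            # /XF  exclude the executable extensions above
            # /R:1 /W:1  do not hang on locked or corrupt files
            & robocopy $src $dst /E /COPY:DAT /R:1 /W:1 /NP /XF $execExt /LOG+:$log | Out-Null
            # robocopy exit codes 0-7 are informational; 8 and above mean something failed to copy
            if ($LASTEXITCODE -ge 8) {
                Write-Warning "robocopy reported failures for $src (exit $LASTEXITCODE); see $log"
            }
        }
    }

# Manifest with SHA-256 of every copied file, so the user can verify after the
# rebuild that the restored data is exactly what was taken off the old disk.
Get-ChildItem -Path $dest -Recurse -File |
    Where-Object { $_.FullName -ne $log } |
    ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 } |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation

Write-Host "User data copied to $dest; scan it with an up-to-date engine before restoring."
```

The backup set is then scanned on the clean side before anything is copied onto the reimaged machine; the manifest makes a second pass (before restore, or after the user has had the new machine for a while) a simple compare of hashes rather than a guess.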