Do you recommend system rebuilds flat out?

The trick to Microsoft's article is, arguably, "completely compromised". How do we define “completely compromised”? In my experience, I have seen computers infected with hundreds of potential threats, identified by programs I have mentioned I used in previous blog entries and forum posts. In my case, these computer systems were federal, municipal, or city property, residing on such property. By rights, were the university to own these systems, the university would have every degree of flexibility in recalling their own property and doing with it what it pleases. This includes liquidating hard assets and reconfiguring soft ones. If the university has an acceptable use policy for their systems, and predetermines what rights they have to take the computer back into possession, even when files that do not belong to the university reside there, the issue becomes even clearer from a logical perspective.

The thinking about malware, in general, is that there is a very real risk that malware intrusion could signify imminent signs that a system has been “completely compromised”. Ports may be open, the software firewall may be compromised, and important information can be stolen or lost, simply through Internet connectivity. If I lend you my car, and somehow I discover that the car is being used by a different driver, or perhaps even infested by ants, I have every right to demand the car’s immediate and safe return. The difficulty comes with assessing whose property is “in the computer” after I retrieve it. This is why a potentially legally binding document explaining the property rights of the issuer of the system is so important. It would prevent the moral dilemma that comes with the notion of perceived risk and liability. Does the computer user know that if the computer becomes infected with malware, they will lose their files? Has the university made the computer user aware of this fact? Has the computer user acknowledged and agreed to be bound to these terms?

When it comes to actually fixing these computer systems, even then, that issue is variable. No answer is ever so simple, and as we know, it may take a skilled technician only a few minutes to reclaim a system from a few minor malware problems.

If your network is at real risk from your own computers, even if they are being loaned out, there are some real reasons to consider reformatting or reimaging these systems. One is the cost factor. It costs money for technicians to run around with bells and whistles on to fix computers that are enamored with malware from misuse. Basic principles of property rights tell us that if it is the university's property, and not the users, or even if the reverse is the case, the damage of that property could even further endanger other properties owned by the university. Therefore, the university may have the right to protect their network by restricting access to systems they do not own. This danger could be posed to the entire network itself, and perhaps the servers. Therefore, logic tells us that it would be wise for you to formulate a plan for reimaging these systems quickly.

However, there is a variable degree of seriousness when it comes to the virus/malware threat, and some minor threats can be easily done away with using appropriate software. I believe that in these cases, you can argue that the system has not been "completely compromised". However, you are still taking a risk. This is why I have tried to emphasize preventative or proactive computer maintenance, do-it-yourself techniques, and other ways to protect the system before it is too late.

How organizations deal with these problems should be consistent with the issues at hand:

• The understanding of the informed user.
  
• The consent of the owner.
  
• The desire to see organizational resources properly allocated (will it take days to fix this problem, and is retaining that data worth days?)
  
• What monetary value do we place on the contents of a system even when it is unavailable, and should users be given time to get their files off of the systems?

I have found, that more times than not, malware is the effect, and not the cause of a problem. Most of the time, malware infections can be traced back to inadequate security procedures on the entire network, the individual computer, or misuse and misunderstanding by the computer user. As the term goes "Problem Between Desk and Chair" is a common issue in IT world. I believe leaving options open may be the best route. It is up to computer professionals to determine if a computer is “completely compromised” on a case by case basis. But that is also subject to budget constraints, and many other factors, that need to be considered by the university’s administrative body.

My experience tells me that, as much as possible, all systems should be uniform, able to carry the same restore image, and ready to be reformatted on a moment’s notice. The value of the work on the computer, if it can be preserved, should be, and the system should be returned to a working state. Whether or not the system has been completely compromised is dependent on a number of factors, which can be assessed by both analyzing and formulating threat assessments on certain viruses.

In many cases I have been able to save computers, without any side effects, and without any re-installation. In other cases, I had to rebuild systems that were torn asunder by the plague of malware which could not be assuaged. Subjectively, I prefer the reinstall option. But I also see value in saving the work of others and teaching others to protect, not just their own property, but the property of others.

You likely have found I have edited this several times due to the dilemna that the university does not actually own the systems, but does have the right to protect their own property.

Thanks for the great response Mike!

I completely agree with you and can confirm some of this is in place for the strictly university-owned systems, but what we deal with is specifically not owned by the university, but rather students, faculty, and staff through their private purchase. We currently do have procedures in place to re-image and even have faculty and staff store files on networked drives so the wiping of a computer is very easy.

However, I do not specifically work with those machines and can deal with any manufacturer, any version of Windows, and any amount of user's misuse. Our network has several security systems in place and does a great job at protecting itself, but what occurs is that the end user has no access to the resources they need. This is great for our protection, but it puts us in a the place to be responsible for getting the system clean where it can get back on the network.

Ultimately it has been the same two causes for the end result of a compromised system. Either the user states there was a popup that stated malicious items were found and they should download/purchase the scanner to clean it or they receive something in an email along the lines of e-cards. Since they own the system and it is their personal property they can feel free to ruin it all they want because the network will then stop them when detected. It's just that I deal with these machines strictly and do not hold the same vision as the techs that have the ability to work with managed systems.

On top of it all we provide the service for free and do have an agreement that if necessary we can wipe the machine out, but I just always hate the look on the user's face. At a personal level also, our policy has us charge for backups of data and transfers so if they want to keep their data they have to pay for it. I feel I can resolve most cases and am a true believer of not having the end user pay anything since we offer it.

I just run into many more people just saying "why do you just format it" and when the issue comes down to not even being compromised I wonder if they would have done a format in the situation.

I found, that even in scenarios where the computer was owned by the agency, the perception by the end-user was that this was still their computer. While the problem is different in your case, and very much so, many of the same procedures you mention were put into place. The networked file storage, the concept of trying to save the system rather than reformat it, etc. What I found interesting is that in the environment where the organization owns the computers, the end-user still often feels it is their property most of the time. When it became time to move desks or transfer employees, the end-user would insist that “their computer” must go with them. Even though their files could be retrieved from the network or moved to another computer.

You seem to have a situation where the system really is owned by the individual. And in that case, there is still a dualistic nature to your problem. On the one hand, you must do everything you can to protect the resources of the university from rogue systems, even if they are owned by end-users, and on the other hand, you must help the end-user save their computer from a complete reformat. The problem you continually mention is the idea of phishing attacks. These attacks, as you mention, popups that refer to viruses, are common all over the Internet.

When the end-user accesses your network, there is insufficient protection on the wide area network. There is insufficient protection on their systems. This is where your vulnerability may be. Also, if the university is giving you time to fix these computers, without reformatting them, and by some way, this will help the end-user, it is probably the better option. If they have personal artifacts on their systems that are meaningful and important, wiping out the system could cause setbacks.

It is true that there is no way to ensure that the computer is 100% safe by using anti-malware software. This is because you cannot prove that something does not exist. I can only prove to you a positive. So you can prove that the system is secure, but not that it is malware free. In a strictly scientific sense. In reality? Run the right software and give it a few passes, port scan the systems, check for any reoccurrences of the problem, check file system and OS integrity, and the computer will probably be safe enough to use. Can you give this guarantee to anyone formally? Probably not.

If you truly have the tools and methodology at your utility to solve the problem without reformatting, you may be making the person feel better and protecting their computer at the same time. The re-imaging or reformatting of the computer will always be the safer, but less desirable option.

Excellent topic for a blog DanDan, thank you. I suppose that the answer is and will probably remain subjective in that if you are like me, you always want to provide the machine owner with the best possible outcome to his problem. The premise to the article that you linked to is sound and on its' face irrefutable, the only way to be absolutely 100% positive that a hard drive (or hard drives) no longer contain any remnants of an infection, regardless of the type, is to completely wipe it (I would actually take it one step further and use a utility like KillDisk or Dban to write 1s and 0s from end to end). You can't really argue with that position because it assumes worst case.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-comfficeffice" /><o></o>
However; I'm not sure that the current round of scare ware and browser hijackers actually rise to the level of completely "compromised", but if I kept any serious financial data and passwords on a system that had become infected, it would certainly give me pause. And I would actually consider a low level format, and contacting my online financial services to change my passwords. But if all you do on the system is read your email and surf the web, write an occasional document, listen to music and play games. I would definitely try to rescue the system rather than wipe it. Sometimes efforts to rescue the machine can be exhausting and frustrating and there is always a point of diminishing returns to consider. But I would think that if, when you return the machine to the owner, you make it clear that this represents your best efforts and the machine appears infection free but there can be no guarantees without the scorched earth option your conscience should be clear. And of course the bright smile and thank you is always much more rewarding than the sad tearful puppy dog eyes when you tell them you have to wipe their machine.<o></o>