Windows 7 Image files (.TIB) and failure of Security software

jimbo45

New Member
Joined
Jan 20, 2009
Hi all

This to me seems a HUGE HUGE vulnerability in some current AV packages.

I've got an ISOLATED machine which I use sometimes for specific AV testing.

Anyway I decided to "Infect it" deliberately with some spyware and a key stroke trojan and then take an image of the system with Acronis True Image.

For example this one amongst others.

JS:FakeAV-W [Trj]

These "Archives" are .TIB files.

I then "uninstalled" the Acronis True Image product (so the Archive can't be read via normal programs such as Windows Explorer).

Now I then booted up a Clean computer (installed directly from the MS RC 7100 official CD with NO extra applications installed). I then installed only drivers from the Mobo CD and the AV software and copied the .TIB file on to a second partition on the "Clean computer".

Kaspersky, AVAST, etc all failed to detect anything on the .TIB file.

I only tried 3 AV software packages so the problem *might* be fixed in other systems.

This seems to me to be a HUGE flaw in some of these AV programs -- if you are restoring an Image you DEFINITELY want it to be clean.

However unless some of these archiving programs open up their formats to the AV companies this is a real potential risk.

So when choosing AV software make sure that backups / image files in the format of your backup software are also handled by the AV software.

Note I only tried "Free" or Trial editions so the "PRO version" might work.

Cheers
jimbo
 
I suppose you already know this,

The .tib is associated with Acronis True Image Disk Image. It must be an image you created using Acronis.

Try using a spyware detection program to locate it.
 
Hi there

I KNOW that the .TIB file is the Acronis backup image -- I created it in the normal way.

My point was that I deliberately created an image of an "Infected computer" as described in my post.
Now imagine if I was going to restore this image on another computer.

What I NEED from the AV software is to be able to scan the backup image (the .tib file) to ensure it's not infected -- otherwise I'm just restoring the image of an Infected machine.

If AV software can't verify that the backup system images are Virus Free then to me this is a HUGE defect in the AV software.

You can't always be certain that your machine is Virus Free before creating the backup -- there's often a "lead time" between a new Virus appearing and AV software updating their databases. So you can imagine the scenario:

1) Machine gets infected with some new malware at point X in time.
2) Backup is taken on what user thinks is a "clean" machine at point Y (could be a day later for example).
3) A few days later your AV software has the database updates and reports your machine is infected.
4) You restore your computer from the image you created in step 2) thinking the machine is clean at that point.


Afraid this isn't good enough. The AV software MUST be able to read the backup image to determine if it contains any infections.

(Of course you could re-update the AV software and re-scan and you'll find your machine is infected -- so you have to restore again from an earlier period and go through the whole B/S again). You might find you have to restore 3 or 4 times before finally getting a "Clean machine".

This rather nullifies the whole point of taking quick convenient backups.

Another drawback is that you can't get a log of exactly WHEN the computer was infected. You get a log of when the AV software FOUND the virus -- that's a totally different piece of information and doesn't really help you in deciding how far back to go to find the last backup when your machine was totally clean.

If I can't rely on the backups being clean then to me the whole point of using ANY AV software will be a total waste of time -- it's better just to use your computer sensibly and NEVER load anything from "dubious sources".

Cheers
jimbo
 
Sorry I didn't read it correctly.

I'm not sure about the scanning of the contents. It must be a huge file, correct?

You might want to use a spyware detector. Mine has a right-click context menu that appears under any file or directory and states Scan with Spyware Doctor.

Others probably have a similar feature.

Am I getting it correct this time? :)
 
Hi there

The file is an image of your OS (that is restorable via a Stand alone bootable disk if necessary).
Depending on what you've got installed in your system and the compression used it could be 5 - 10 GB. It's an IMAGE of your entire OS.

(I always partition my OS -- I keep User data etc on different disks / partitions and usually use something like a 35 - 40 GB partition for the OS).

So as you can see, if I'm doing a stand alone restore via the Acronis software to restore my system from the backup image I want to be 100% sure that the OS after restore is 100% clean. It's a HUGE waste of time if you have to RESTORE first, THEN check if it's clean -- if it isn't, find ANOTHER EARLIER backup restore file and do the same process again, which could STILL show the OS as being infected.

Cheers
jimbo
 
I'm surprised Kaspersky didn't pick up your trojan, would've thought that it would.

However,

"My point was that I deliberately created an image of an "Infected computer" as described in my post.
Now imagine if I was going to restore this image on another computer."

why would you want to mount the image on another system? Would there not be all sorts of problems with drivers? Would be bad news if there came a time when you had to rely on the image to remount to your own system. Guess to make sure you would scan your computer before you made the image so you know you have a clean copy.

Interesting point though
 
Hi there

That's the WHOLE POINT of taking an image -- you CAN restore it to the Identical machine -- the whole purpose is for TESTING AV software on a machine with a KNOWN infection -- if you do this Disconnect the machine COMPLETELY from your LAN of course and test it "Stand alone".

Incidentally Acronis allows restore to "unlike" machines (called Universal restore) -- you can specify where it needs to pick up new drivers from or can even use the Windows system install disk and HAL hive files.

BTW VERY USEFUL when testing THIS build of W7 :razz:

Cheers
jimbo
 