Newbie question: Any need to boot from CD for a "clean" scan?

I'm a brand new user of Sophos AV Mac Home. I searched the forums on "boot" and "startup" but found no info on this issue... I've always been a Mac user at home, but I used Windows machines at work 'til 2002. To properly scan a Windows machine, we had to boot it from a CD or a locked floppy so we could scan for boot sector viruses. If we booted up the Windows machine from its hard drive and ran a virus scanner, it couldn't see that malware. Is there a need to do this on a Mac? That is, if I boot my Mac normally from my hard drive and run a Sophos scan, are there certain files and/or firmware that Sophos can't scan because they are "in use" or otherwise inaccessible, and would they be scannable with a boot from CD? Thanks, Peter
  • Peter, thank you; this is a set of extremely good questions.

    Because Macs use EFI instead of a BIOS and Master Boot Record, all those boot sector viruses will not work on a Mac. So far, there have been no EFI-style infectors written, likely due to the security architecture designed into the EFI framework itself.

    There are also no currently known rootkits in the wild, so the standard initial scan procedure is just to perform a full system scan. Once the professional malware authors get to understand the intricacies of the HFS+ partitioning system, we may see more Linux-style rootkits show up, but not right now.

    Because of the way the operating system and filesystem work, Sophos is unlikely to be unable to access a file due to its being "in use" -- the malware would have to be loaded by the kernel before Sophos in order to block it from looking at files, as Sophos uses the same filesystem events that are used by the filesystem manager itself. In essence, Sophos gets to look at the files before other processes start. If your machine is compromised enough that malicious software has loaded something prior to this point, your best bet is to scrub the entire system, preserving only your own user folder, and start again from scratch.

    If you do want to step outside of your normal operating environment, keep an emergency hard disk around -- it could be another Mac that you can connect via FireWire, a USB disk, or even a large USB key. Install the OS on it, and install SAV on that. You'll need a volume that's at least 8GB (so no CD boots).

    Alternatively, if you have another Mac, use a FireWire cable to connect the two, mount the suspicious Mac as an external volume, and scan the volume.

    So in summary, you don't need a "BootCD" at this time, and due to the architecture of the OS and hardware, many of the reasons for needing this on Windows don't exist on OS X... but most of the Unix/Linux dangers also exist on OS X, so it is wise to keep a backup known-clean boot drive around somewhere that you can install SAV onto if needed. An 8GB USB key would do the job perfectly, although it couldn't be locked.
  • Andrew, thanks for the thorough reply. Glad to know system-level malware like that isn't out there for Macs ... yet. But it will almost certainly emerge eventually. And it's a good bet lots of users won't have an emergency hard disk prepared in advance like you suggested, or access to another known-clean Mac. It would be great if SAV were enhanced in the near future with an emergency recovery capability. I know absolutely nothing about software engineering, but I imagine it working something like this: boot from OS X Install Disc 1, launch Terminal, FTP "get" an updated SAV package to the hard drive, install it, launch SAV, remove the malware, and reboot from the hard drive. (Instead of an entire new SAV package that needs installing, it could be a special launch-ready application file just for removing system-level malware.) This may not be possible. I don't know if the machine's pre-existing internet connection is active and usable after booting from the install disc and launching Terminal. Also, I don't know how much of this could be done in Terminal. It's just an uneducated suggestion. But thanks for the answer to my original question. Peter
  • After I posted my reply, I looked up EFI. My Mac is the last model of PowerPC-based PowerBook G4 Apple made, so it's using Open Firmware instead of EFI. It still serves me quite well, and I don't plan on upgrading to an Intel-based Mac for the foreseeable future. I don't know if Open Firmware versus EFI makes any difference with regard to my original question. Thanks, Peter
  • You can think of EFI as being "Enhanced Open Firmware" -- OF doesn't have as strict a security model, but it is also unlikely that someone's going to write Forth malware for it at this point, so the issue is moot. If you want to improve security for it, you can password protect your Open Firmware; that will protect you from any theoretical malware.
  • I'm paranoid about security, so I password protected my Open Firmware long ago. I also figured nobody would be writing malware specifically for PPCs these days - just wanted to be sure. I'm also curious as to your reaction to my emergency recovery scheme. Thanks, Peter