Newbie question: Any need to boot from CD for a "clean" scan?

I'm a brand new user of Sophos AV Mac Home. I searched the forums on "boot" and "startup" but found no info on this issue... I've always been a Mac user at home, but I used Windows machines at work 'til 2002. To properly scan a Windows machine, we had to boot it from a CD or a locked floppy so we could scan for boot sector viruses. If we booted up the Windows machine from its hard drive and ran a virus scanner, it couldn't see that malware. Is there a need to do this on a Mac? That is, if I boot my Mac normally from my hard drive and run a Sophos scan, are there certain files and/or firmware that Sophos can't scan because they are "in use" or otherwise inaccessible, and would they be scannable with a boot from CD? Thanks, Peter


  • Peter, thank you; this is a set of extremely good questions.

    Because Macs use EFI instead of a BIOS and Master Boot Record, all those boot sector viruses will not work on a Mac.  So far, there have been no EFI-style infectors written, likely due to the security architecture designed into the EFI framework itself.

    There are also no currently known rootkits in the wild, so the standard initial scan procedure is just to perform a full system scan.  Once the professional malware authors get to understand the intricacies of the HFS+ partitioning system, we may see more Linux-style rootkits show up, but not right now.

    Because of the way the operating system and filesystem work, Sophos is unlikely to be unable to access a file due to its being "in use" -- the malware would have to be loaded by the kernel before Sophos in order to block it from looking at files, as Sophos uses the same filesystem events that are used by the filesystem manager itself.  In essence, Sophos gets to look at the files before other processes start.  If your machine is compromised enough that malicious software has loaded something prior to this point, your best bet is to scrub the entire system, preserving only your own user folder, and start again from scratch.

    If you do want to step outside of your normal operating environment, keep an emergency hard disk around -- it could be another Mac that you can connect via Firewire, a USB disk, or even a large USB key.  Install the OS on it, and install SAV on that.  You'll need a volume that's at least 8GB (so no CD boots).

    Alternatively, if you have another Mac, use a Firewire cable to connect the two, mount the suspicious Mac as an external volume, and scan the volume.

    So in summary, you don't need a "BootCD" at this time, and due to the architecture of the OS and hardware, many of the reasons for needing this on Windows don't exist on OS X... but most of the Unix/Linux dangers also exist on OS X, so it is wise to keep a backup known-clean boot drive around somewhere that you can install SAV onto if needed.  An 8GB USB key would do the job perfectly, although it couldn't be locked.
