So I consider myself fairly experienced in fighting spyware/malware/rootkits, and the vast majority of infections I run into these days are fairly complex/deeply infected: rootkits hiding in the hard drive's MBR, trojans hooking into System32 drivers, etc. Quite often I have to pull the hard drive out to scan it from another system, or boot the infected box from a bootable scanning CD like the AVIRA Rescue CD or other tools.
So my question is: how do these types of scenarios play out in a virtual environment? Are infections still able to access the MBR? If so, how do you clean it if the VM client won't even boot? I'm assuming you can't run bootable tools like a Windows Repair CD?
I'm guessing the typical answer is: "Just provision a new VM client for the end user and move on."
But then the issue becomes this: in most cases today, I can clean/repair a malware infection a whole lot more easily than I can re-provision a box, because often the end user has quite a bit of customized software/configuration and it's not as simple as throwing a base image on it and calling it a day.
What do, sysadmins?
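One thing the question above touches on is that a VM's "MBR" is just sector 0 of a disk-image file on the host, so it can be inspected and repaired offline without pulling a physical drive or booting rescue media inside the guest. The script below is an added example, not code from the original post or any vendor tool. It reads the first 512 bytes of a raw image, parses the partition table, hashes the 440-byte boot-code area, and compares it against a known-good baseline while sanity-checking the table (bad status bytes, overlapping entries, entries running past the end of the disk). The sample sectors, the disk size and the "known-good" hash are all constructed inline; for qcow2 or VMDK images you would first run `qemu-img convert -O raw` or expose the image with `qemu-nbd` and point `read_mbr()` at the result.

```python
"""Offline MBR audit for a VM disk image (added example; assumptions noted inline)."""
import hashlib
import struct
from typing import List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic MBR: 440 bytes boot code, 4-byte disk signature, 2 reserved
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446         # four 16-byte primary partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511

PartEntry = Tuple[int, int, int, int]  # (status, type, lba_start, sector_count)


def read_mbr(image_path: str) -> bytes:
    """Read sector 0 of a raw disk image from the host; no guest boot required."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_partitions(mbr: bytes) -> List[PartEntry]:
    """Decode the four primary entries; CHS fields are skipped ('3x' pads)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append((status, ptype, lba_start, count))
    return entries


def boot_code_sha256(mbr: bytes) -> str:
    """Hash only the boot-code region, so a disk-signature change does not trip the check."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def audit_mbr(mbr: bytes, known_good_sha256: str, disk_sectors: int) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA signature (not a classic MBR, or sector 0 is damaged)")
        return findings
    if boot_code_sha256(mbr) != known_good_sha256:
        findings.append("boot code differs from known-good baseline (bootkit, or loader was rewritten)")
    active = 0
    used: List[Tuple[int, int, int]] = []  # (index, start, end) of non-empty entries
    for idx, (status, ptype, lba_start, count) in enumerate(parse_partitions(mbr)):
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            findings.append(f"entry {idx}: invalid status byte 0x{status:02x}")
        if status == 0x80:
            active += 1
        if lba_start + count > disk_sectors:
            findings.append(f"entry {idx}: extends past end of disk")
        for jdx, s2, e2 in used:
            if lba_start < e2 and s2 < lba_start + count:
                findings.append(f"entries {jdx} and {idx} overlap")
        used.append((idx, lba_start, lba_start + count))
    if active > 1:
        findings.append(f"{active} partitions flagged active (expected at most 1)")
    return findings


def build_sample_mbr(boot_code: bytes, parts: List[PartEntry]) -> bytes:
    """Constructed test sector for this example; not captured from any real disk."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x12345678)  # arbitrary NT disk signature
    for i, (status, ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample: a 1 GiB disk with a boot partition and an OS partition.
DISK_SECTORS = 2097152
CLEAN_BOOT = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 5)  # stand-in loader
CLEAN_PARTS: List[PartEntry] = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1843200)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT, CLEAN_PARTS)
KNOWN_GOOD = boot_code_sha256(CLEAN_MBR)  # baseline taken from the image when it was known clean

# Same disk after a simulated bootkit: patched boot code plus a bogus entry past end of disk.
INFECTED_BOOT = CLEAN_BOOT[:5] + b"\xE9\x00\x01" + CLEAN_BOOT[8:]
INFECTED_PARTS = CLEAN_PARTS + [(0x00, 0x17, 2060000, 100000)]
INFECTED_MBR = build_sample_mbr(INFECTED_BOOT, INFECTED_PARTS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, audit_mbr(sector, KNOWN_GOOD, DISK_SECTORS) or ["ok"])
```

If the boot code is the only thing that was tampered with, restoring the saved 440 bytes over sector 0 with `dd ... bs=440 count=1 conv=notrunc` (leaving the disk signature and partition table untouched) is often enough to get the guest booting again, after which the in-guest cleanup proceeds as it would on hardware. Snapshot the image before writing to it.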