• Flashdrive-hosted Windows for safer malware removal


    #499029

    Booting Windows from a write-protected flash drive, rather than booting normally, should bypass all infected files on a suspect machine. From that Flash-based instance of Windows, anti-malware applications can be run against a possibly infected computer.

    Since the smarter malware may attempt to neuter all installed AV applications on the host volume, only a flash-drive with a manual write-protect switch assures complete safety from infection.

    1. Does anyone have a “best practices” recommendation for creating a flash-drive hosted READ-ONLY Windows installation?

    2. Does this approach allow full use of anti-malware applications? Are there any limitations?

    Your links and references are appreciated, as well as your viewpoint on this question: is the write-only flash drive practical for anti-malware operations?

    • #1495528
    • #1495559

      …and a few more: http://pcsupport.about.com/od/system-security/tp/free-bootable-antivirus-software.htm

      Remember that effective prevention and recent back-ups are always far superior to remediation.

      • #1495579

        You can rest assured I believe in prevention and proactivity over damage control, any day. The problem is my customers seldom do.

        Thanks for the links!

    • #1495711

      Heck, install a panoply of OS images and rescue / malware tools onboard a bootable drive:

      http://www.fosshub.com/UNetbootin.html

      http://www.pendrivelinux.com/

    • #1495758

      Fosshub is an interesting site, and I very much like its opposition to spam and bundling. Although a few sites claim to oppose bundleware, most quietly profit from it; only Fosshub appears scrupulously honest on that point.

      Your reference to UNetbootin seems to be exactly what I need, and the application works on many USB devices running Windows, as I had hoped.

      The idea of running a security scan from a read-only flash drive appealed early, and plenty of references provide a means to put applications and operating systems on a flash drive. However, my doubts began when I found there are limitations, and even risks to the use of flash drive hardware to run an instance of Windows on a regular basis.

      So, I have chosen what appears to be the more direct solution for Windows work, using a bootable external USB hard drive, made read-only. That will not work when the suspect machine has no USB boot device option, but such computers are increasingly a minority. For those and especially for “hard cases”, a simple CD should be enough.

      Despite my concern about running Windows regularly from a flash drive, your PenDriveLinux reference may persuade me to run many of my field applications from a Linux-based flash drive, since I am already moving as quickly as possible into Linux.

    • #1495761

      Been using Hiren’s CD for years. In the past, I’ve saved more than a few PCs using Hiren’s CD. 🙂

    • #1495866

      Perhaps Windows FE might be of interest to you. I have not read much on the site but I have intentions…

      https://winfe.wordpress.com/2014/11/10/barely-any-updates-to-winfe/

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.

    • #1499296

      Microsoft has a system specifically created to support Windows on flash devices. It’s called Windows To Go.

      From what I’ve been able to find out, WinToGo is only supported for Windows Enterprise licenses. The documentation for this system is a bit hard to find too. I believe that the issue is that WinToGo could be a vector for pirating copies of Windows, so Microsoft limits its availability.

      http://social.technet.microsoft.com/wiki/contents/articles/6991.windows-to-go-step-by-step.aspx

      The result is that most people switch to Linux for this job. There are some pretty good Linux repair/recovery systems out there and the fact that the OS and toolset is already built for you is very attractive.

      By the way, you don’t need a write protected flash drive to protect you against infected software on a computer (unless you are foolish enough to run any software on the infected system). The write protection is only necessary to protect the flash drive from infection by hardware based malware. Once you boot from a clean flash device then all the software on the infected system is dormant.

      Infected hardware is a tough problem. Rare in my opinion, and I’m skeptical of standard efforts to defeat it. For instance, the best known hardware malware is the keylogger. However, a write protected flash drive does not stop a keylogger from doing its thing, which is usually to gather your passwords. It’s also tough to design a complete repair system (OS and applications) that runs properly in a pure, write-protected environment. It can be done, of course; it just isn’t the normal design target for most software.

      There is, fortunately, just such a system. Knoppix is a long-standing and highly thought of system. Just know that Knoppix wasn’t primarily designed as a repair and recovery distro. It can be used as such, but that’s not its main focus.

      http://www.knoppix.org/

      Protip: The originator and maintainer of the Knoppix distro is German, so sometimes the language defaults to German. Just select English (or your preferred language) when given the chance.

      • #1499500

        http://www.knoppix.org/

        Knoppix has saved me many hours of recovery time.

        If you use a CD/DVD to boot Knoppix, the hard drives are not modified unless you use a tool to do so: everything comes from the CD/DVD and a ram disk used for temporary system storage.

        Before I start tinkering with recovery, I do a dd backup of the infected system to an ISO file so that at worst case I can go back to the initial condition. Other image backup tools can serve the same purpose.

        In addition to running malware scans, I also use the “dd” command to make backups of entire partitions to an ISO file (usually placed on my external multi-TB hard drive). If I need to “start from scratch”, my “scratch” is restoring a previous backup of a configured working system, adding Windows and application updates and any new favorite software or updated files, and making an image copy as the starting point for next time. One of the reasons for backing up the infected system before wiping it out is that you may find something that is not included in your backup routine.
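        The "image first, then tinker" routine described in this reply, written out as a worked shell example. This is added here and is not the poster's own script: it images a partition with dd, verifies the raw image byte-for-byte against the source (the post calls the file an ISO; dd actually produces a raw image), records a checksum, and restores from the image. A constructed 1 MiB file stands in for the real partition device, so it runs from a live CD or any Linux/BSD shell without root or real disks; on a real machine the source would be a node such as /dev/sda2 (an assumed example name) and the image would live on the external drive the post mentions. It also shows one edge case the post does not: conv=sync pads the last block to a multiple of bs, so the image can be larger than the partition and the comparison must be limited to the real byte count.

```shell
#!/bin/sh
# Added example, not the poster's code: dd-based partition backup with
# verification, checksum and restore. A constructed file stands in for a
# block device so it runs without root; real use needs e.g. /dev/sda2 (assumed name).
set -eu

# Build a stand-in "partition": 1 MiB of zeros plus a 33-byte constructed marker
# appended at the end, so the size is deliberately NOT a multiple of the dd block size.
make_sample_partition() {
    dd if=/dev/zero of="$1" bs=1k count=1024 2>/dev/null
    printf '%s' 'constructed sample partition data' >> "$1"
}

# Image a partition (or file) to a raw image. conv=noerror keeps reading past
# unreadable sectors and conv=sync zero-pads each short read so offsets stay
# aligned; the price is that the image is padded out to a multiple of bs.
backup_partition() {
    dd if="$1" of="$2" bs=64k conv=noerror,sync 2>/dev/null
}

# Size in bytes of a source file. For a real Linux block device use
# `blockdev --getsize64 /dev/sdXN` instead, since wc would read the whole device.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Compare the image against its source over the source's real length only,
# ignoring any dd padding. Returns 0 on match, non-zero on mismatch.
verify_image() {
    src=$1; img=$2
    head -c "$(size_of "$src")" "$img" | cmp -s - "$src"
}

# Store a checksum beside the image so a later restore can detect a damaged or
# altered image file. cksum is POSIX; sha256sum is preferable where available.
checksum_image() {
    cksum "$1" | awk '{print $1}' > "$1.cksum"
    cat "$1.cksum"
}

# Restore exactly nbytes of the image onto the target and verify the target.
# Copying only the real byte count matters on a device: writing the padding past
# the end of the partition would be rejected by the kernel.
restore_partition() {
    img=$1; dst=$2; nbytes=$3
    head -c "$nbytes" "$img" | dd of="$dst" bs=64k 2>/dev/null
    head -c "$nbytes" "$img" | cmp -s - "$dst"
}

# Full round trip on constructed data: backup, verify, checksum, restore, compare.
# Returns 0 only when every step succeeds (explicit && chain, so it also works
# when called in an `||` list where set -e is suppressed).
demo_round_trip() {
    work=$(mktemp -d) || return 1
    status=1
    make_sample_partition "$work/part.bin" &&
    backup_partition "$work/part.bin" "$work/part.img" &&
    verify_image "$work/part.bin" "$work/part.img" &&
    checksum_image "$work/part.img" >/dev/null &&
    restore_partition "$work/part.img" "$work/restored.bin" "$(size_of "$work/part.bin")" &&
    cmp -s "$work/part.bin" "$work/restored.bin" &&
    status=0
    rm -rf "$work"
    return $status
}

# Real-world usage from a clean rescue boot (as root, assumed device/mount names):
#   backup_partition /dev/sda2 /mnt/external/sda2.img && checksum_image /mnt/external/sda2.img
```

On a live machine, run the backup before any scanner touches the disk, keep the `.cksum` file with the image, and re-run `verify_image` against the device before deciding the image is good enough to wipe the original; the padded-size behaviour is why the checks above are bounded by the source length rather than comparing whole files.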
