XP more vulnerable



Quantax
11-08-2004, 11:42 AM
Just curious if there might be some "feature" in Win XP that makes it more vulnerable to virus attacks.

On my dual boot setup, I often leave the PC running but with XP instead of Win 98. When I return hours later there's a message from the AVG anti-virus program indicating a virus has been located in the System Volume Information. I've managed to delete it, yet it recurs intermittently, and yet it never happens in Win 98 when I leave that running instead of the XP.

ErnieK
11-08-2004, 12:58 PM
Do you have system restore enabled?

If so you will need to stop it (turn it off) and reboot the computer and re-start Sys restore again.

Also (turn on VIEW ALL FILES first) try deleting your cache/temp files/temp inet files/prefetch files (the contents, not the folder)/cookies etc. (before stopping Sys-restore). Finally check your Recycle Bin as well as your Virus Vault (or whatever it is named by your AV software).

John0904
11-08-2004, 01:06 PM
Wanting to add that the reason Windows 98 is not affected is because Win98 doesn't have a System Volume like XP. :)

Quantax
11-08-2004, 05:11 PM
Ah, maybe that explains it then (the System Volume bit), meaning something inherent in XP's System Volume over that of 98?

Do you know what then accounts for this difference?

Thanks,
Quantax

david eaton
11-08-2004, 05:18 PM
The "System Volume Information" files are the restore points that WinXP sets. If these contain a virus/trojan, it can be detected by an anti-virus program, but not removed. The only way of removing it is to disable System Restore, and reboot. That will remove all existing restore points, and the associated files. Then you can restart System Restore, and set a clean restore point.

There are no similar files in Win98, as this OS does not have any system restore facility.
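The purge-and-rebaseline procedure the two posts above describe (show hidden files, clear temp/prefetch contents, turn System Restore off to discard every restore point, turn it back on, set a clean one), as an added PowerShell example that is not code from this thread. It assumes Windows PowerShell 2.0 or later on a client Windows (XP SP3 or newer), run from an elevated prompt; the `*-ComputerRestore`, `Checkpoint-Computer` and `Get-ComputerRestorePoint` cmdlets are real, and the `$Drive` parameter is the script's own.

```powershell
# Added example, not from the thread: flush restore points so a detection
# inside "System Volume Information" cannot be restored back onto the PC.
# Assumes Windows PowerShell 2.0+ on a client Windows, run as Administrator.

param(
    [string]$Drive = 'C:\'   # system drive whose restore points are purged
)

# 1. Make hidden and protected OS files visible in Explorer first, as the
#    thread advises, so the temp folders can actually be inspected.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1   # show hidden files
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1   # show protected OS files

# 2. Clear the *contents* of the temp and prefetch folders, not the folders
#    themselves. Locked files are skipped rather than aborting the run.
foreach ($dir in @($env:TEMP, "$env:windir\Temp", "$env:windir\Prefetch")) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# 3. Record what exists before the purge so the result can be verified.
$before = @(Get-ComputerRestorePoint)
Write-Host ("Restore points before purge: {0}" -f $before.Count)

# 4. Turning System Restore off discards every restore point on the drive,
#    including any that carry the infected copy the scanner could not delete.
Disable-ComputerRestore -Drive $Drive

# 5. Turn it back on and immediately set a clean baseline, so the only
#    restore point left is one taken after the clean-up.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                    -RestorePointType 'MODIFY_SETTINGS'

# 6. Verify: only the new checkpoint should remain.
$after = @(Get-ComputerRestorePoint)
Write-Host ("Restore points after purge: {0}" -f $after.Count)
$after | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Run it only after the anti-virus scan has cleaned the live copy of the infection; the restore-point purge removes the archived copies, it does not disinfect a running system. The thread also recommends a reboot between disabling and re-enabling System Restore, which the script leaves to the operator.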

Paul Komski
11-08-2004, 05:48 PM
If you are running an unpatched winxp (or win2k) you will be at the mercy of exploits utilising RPC "holes". In this sense these more advanced OSes ARE intrinsically more vulnerable to attack when connected to a network (including the internet). It is vital to run a firewall and keep these systems up-to-date from windows update if you want to be protected from blaster, nachi, sasser and the like.

System Restore only comes into play AFTER something has got onto your computer in the first place.
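A quick exposure check for the points Paul makes (unpatched RPC-era XP/2K, firewall on, Windows Update current), as an added PowerShell example that is not code from this thread. It assumes Windows PowerShell 2.0 or later on XP SP2 or Server 2003; `netsh firewall show opmode` is the XP SP2-era syntax (later Windows uses `netsh advfirewall`), and `Get-HotFix` and `Win32_OperatingSystem` are real. The port list and the SP2 check are the script's own choices.

```powershell
# Added example, not from the thread: is this host patched and firewalled
# against the RPC/LSASS worms (Blaster, Nachi, Sasser) the thread names?
# Assumes Windows PowerShell 2.0+ on XP SP2 / Server 2003, elevated prompt.

$os = Get-WmiObject Win32_OperatingSystem
$sp = $os.ServicePackMajorVersion
Write-Host ("{0}  Service Pack {1}" -f $os.Caption, $sp)

# XP SP2 rolls up the earlier RPC/DCOM and LSASS security fixes and turns the
# firewall on by default; anything older needs Windows Update before it is
# put on any network, including the internet.
if ($os.Caption -match 'XP' -and $sp -lt 2) {
    Write-Warning 'Pre-SP2 XP: apply Service Pack 2 (or the RPC/LSASS patches) before connecting to a network.'
}

# Firewall operational mode for the active profile (XP SP2 netsh syntax).
$fw = netsh firewall show opmode
$fwEnabled = [bool]($fw | Select-String -Pattern 'Operational mode\s*=\s*Enable' -Quiet)
if (-not $fwEnabled) {
    Write-Warning 'Windows Firewall is not enabled; RPC/SMB ports would be reachable from the network.'
}

# Which of the ports those worms used are listening on this host? A firewall
# should block them from untrusted networks even though the services run.
$rpcPorts = @('135', '139', '445')
netstat -an | Select-String 'LISTENING' | ForEach-Object {
    $fields = ($_.Line -split '\s+') | Where-Object { $_ }
    $local  = $fields[1]                  # e.g. 0.0.0.0:135
    $port   = $local.Split(':')[-1]
    if ($rpcPorts -contains $port) { "Listening: $local" }
}

# Most recent hotfixes, newest first, to confirm Windows Update is actually
# delivering patches to this machine.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, InstalledOn
```

A host that fails the service-pack or firewall check is exactly the "unpatched winxp at the mercy of RPC holes" case described above, regardless of what the anti-virus reports afterwards.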

Quantax
11-08-2004, 11:37 PM
The "system volume information" files are the restore points that WinXP sets. If these contain a virus/trojan, it can be detected by an anti virus program, but not removed.

Yet after I run the AVG scan, it says that the viruses (like the Nachi worm) have been deleted (or whatever equivalent term it used). You're saying that THAT is still inadequate and that the System Restore still needs to be disabled?

By the way, Paul, this has happened even with TWO firewalls installed. :confused:

PrntRhd
11-09-2004, 12:07 AM
Yet after I run the AVG scan, it says that the viruses (like the Nachi worm) have been deleted (or whatever equivalent term it used). You're saying that THAT is still inadequate and that the System Restore still needs to be disabled?

Not inadequate, just another nook/cranny that needs to be purged after removing the virus; if you did a system restore using that contaminated restore point it could re-infect the PC.
:rolleyes:

Paul Komski
11-09-2004, 04:09 AM
When I return hours later there's a message from the AVG anti-virus program indicating a virus has been located in the System Volume Information.

Just curious/puzzled, but was AVG running during your absence, or do you get this result when you run the scan on your return? For AVG to have detected a virus in the System Volume Information folders one would have thought it would have first detected it and (only after prompting you) cleaned it in its original location. If that's not happening then maybe it's lurking somewhere else, not being detected. So are you sure you are scanning all files when scanning your system? Also - do you know which specific virus(es) it has been detecting?

And - what are the two firewalls you are using?

Quantax
11-09-2004, 12:27 PM
Actually, the notice about the virus appeared on the Desktop while AVG was running in the background. It also detected it (the Nachi worm) when I ran the scan afterwards.

The two firewalls are Sygate (free edition) and the one that comes with Win XP's SP2.

Paul Komski
11-09-2004, 02:53 PM
I would have expected SP2 to have prevented Nachi (which exploits the RPC vulnerability); perhaps you do need to get a specific patch from Windows Update though.