Fraudulent Tech Support Call

scottalanmiller

@dafyre said:

The problem is these guys may be installing some random off the wall app that's custom written and not picked out as an actual virus.

The guys claiming to clean the computer?

dafyre

@scottalanmiller said:

@dafyre said:

The problem is these guys may be installing some random off the wall app that's custom written and not picked out as an actual virus.

The guys claiming to clean the computer?

Yea.

scottalanmiller

@MattSpeller said:

@DustinB3403 said:

@scottalanmiller said:

@BRRABill said:

Do you do the same thing with a virus? If WebRoot (hi @nic) finds a virus on your machine and deletes it. Do you also do a total reinstall?

If it finds one that infected me, absolutely. Every time, no question. I feel like we've asked this before

That seems like a lot of overkill if your AV has caught the virus and stopped it before doing any harm...

Risk vs Reward

99/100 it'll be fine, but I don't like looking foolish* even 1% of the time.

*Sod's law is the 1% will be a C level or other important wanker.

That's really the thing. 1% failure rate when we are talking about things that steal your bank account info is a horrible failure rate.

And reward... is there one? Does all this extra effort amount to making things better? I think that we end up with higher risk AND negative reward most of the time. That's a pretty horrible trade off.

MattSpeller

@scottalanmiller said:

@MattSpeller said:

@DustinB3403 said:

@scottalanmiller said:

@BRRABill said:

Do you do the same thing with a virus? If WebRoot (hi @nic) finds a virus on your machine and deletes it. Do you also do a total reinstall?

If it finds one that infected me, absolutely. Every time, no question. I feel like we've asked this before

That seems like a lot of overkill if your AV has caught the virus and stopped it before doing any harm...

Risk vs Reward

99/100 it'll be fine, but I don't like looking foolish* even 1% of the time.

*Sod's law is the 1% will be a C level or other important wanker.

That's really the thing. 1% failure rate when we are talking about things that steal your bank account info is a horrible failure rate.

And reward... is there one? Does all this extra effort amount to making things better? I think that we end up with higher risk AND negative reward most of the time. That's a pretty horrible trade off.

Presumably the reward would be faster return to work for the user & less time outlay for IT.

I think there's reward in doing the nukes every time, albeit less if I had to quantify it. Same process every time means you're good at it, and do it damn fast. Also with a single process (nuking) you're far less likely to botch it as there's less to remember (vs cleaning, testing, whatever). Also shows your users that viruses are serious and a PITA for them, they may actually learn to be more careful (HAHahahahahahahahaha)

scottalanmiller

@MattSpeller said:

Presumably the reward would be faster return to work for the user & less time outlay for IT.

But is that true? The point of rapid imaging is that time is not wasted investigating, time is not wasted manually attempting to repair, time is not wasted attempting to verify and then there isn't the risk of time being wasted doing it all again (on top of the security risks of not having gotten it flawless.)

If we image immediately, we get people back up and running very, very quickly while having the best chance of eliminating the danger.

scottalanmiller

An important difference with the "reinstall and go" approach is that it is highly reliable. We can pretty much predict how much time it will take to get back up and running. The margin of error is very small. Cleaning a system is "well... you know... thirty minutes to a week, give or take." The "known" is small so the ability to estimate time is very poor.

Dashrender

@DustinB3403 said:

@scottalanmiller said:

@BRRABill said:

Do you do the same thing with a virus? If WebRoot (hi @nic) finds a virus on your machine and deletes it. Do you also do a total reinstall?

If it finds one that infected me, absolutely. Every time, no question. I feel like we've asked this before

That seems like a lot of overkill if your AV has caught the virus and stopped it before doing any harm...

I'll agree if the AV sees the virus in a file that hasn't been allowed to execute, I won't bother reinstalling, but if the AV scan finds it in some random file that wasn't in the process of being executed for the first time (and I know because only I can install things), then it's nuking time.

scottalanmiller

Yeah, finding malware "somewhere" is not the same as being infected. Just having something downloaded to a cache or stored on a mapped drive doesn't indicate an infection. Downloading a file and executing a file are very different things.

dafyre

I am beginning to see some of the benefits of the "unLAN" setup like what @NTG is doing. If one of them gets a virus, they just wipe the device, change passwords from a trusted device, and work from another device while their bugged one is being reimaged.

No need for user-backups because everything should be stored in OneDrive, etc. Right?

Dashrender

@scottalanmiller said:

Yeah, finding malware "somewhere" is not the same as being infected. Just having something downloaded to a cache or stored on a mapped drive doesn't indicate an infection. Downloading a file and executing a file are very different things.

So here's a question - do you wipe a computer that catches a virus during install?

Dashrender

@dafyre said:

I am beginning to see some of the benefits of the "unLAN" setup like what @NTG is doing. If one of them gets a virus, they just wipe the device, change passwords from a trusted device, and work from another device while their bugged one is being reimaged.

No need for user-backups because everything should be stored in OneDrive, etc. Right?

Yep.

scottalanmiller

@dafyre said:

No need for user-backups because everything should be stored in OneDrive, etc. Right?

Exactly. And effectively no chance of cross contamination.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

Yeah, finding malware "somewhere" is not the same as being infected. Just having something downloaded to a cache or stored on a mapped drive doesn't indicate an infection. Downloading a file and executing a file are very different things.

So here's a question - do you wipe a computer that catches a virus during install?

Seems like you would do it especially then.

Dashrender

@scottalanmiller said:

@Dashrender said:

@scottalanmiller said:

Yeah, finding malware "somewhere" is not the same as being infected. Just having something downloaded to a cache or stored on a mapped drive doesn't indicate an infection. Downloading a file and executing a file are very different things.

So here's a question - do you wipe a computer that catches a virus during install?

Seems like you would do it especially then.

This was a time that I've always questioned. The assumption is that the compression of the installer obfuscated the virus until installation was attempted, then the AV catches it during install, during decompression (I'm assuming).

I can see the desire to wipe or not going either way. I know it's happened to me in the past, but probably been more than a decade since I've seen that happen.

dafyre

If my AV catches something while I'm trying to install an app, then my AV did its job. I"ll let it kill off the files, and then I'll run another scan, just to be safe. I've only been bitten by that once or twice, methinks.

Reid Cooper

As long as the AV is catching something that hasn't run yet, you've been protected.

BRRABill

But from reading into this, the concept is that once you've seen something, or caught something, there's a chance there is more that isn't being seen or caught.

Not a concept I 100% agree with, but the general feeling, I am getting.

scottalanmiller

@BRRABill said:

But from reading into this, the concept is that once you've seen something, or caught something, there's a chance there is more that isn't being seen or caught.

Sort of. It's that once you are breached you no longer control the system and you can never know....

• If anything you see is real. (Think "Total Recall"... once someone controls what you see, they can make you see anything that they want. You cannot tell reality from perception.)
• How deep the infection went. What you "catch" might be a decoy to make you feel like you fixed things.
• If that infection opened things up for other things. Often the malware is only an installer and not the thread itself.

Reid Cooper

It is important to differentiate between infection and just having a file downloaded.

IRJ

In the business world, you image for sure. No questions asked. Especially since every good IT department has images and packages they should be able to push out right away.

In this case we are talking about a co-worker's parent. I just don't believe the hassle is worth making $50-100.