
Thread: ZeroFill, a good idea?

  1. #21
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,182
    Blog Entries
    1

    Default Re: ZeroFill, a good idea?

    Well, technically, it can - some older viruses ran from specific blocks
    on the drive rather than as files (boot sector viruses were very popular,
    for example - but I also had seen some that were stored in blocks around
    the partition table and were called even after a warm boot by virus code
    that was still in memory - that's old DOS stuff, though, and not common
    these days).

    Yes, but in general we're talking about user-space files, and not a virus that may be resident in memory. The question was being asked as to whether deleting a virus was sufficient, as opposed to overwriting with zeroes...

  2. #22
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,043

    Default Re: ZeroFill, a good idea?

    On Tue, 22 Jan 2013 17:56:02 +0000, deano ferrari wrote:

    > Yes, but in general we're talking about user-space files, and not a
    > virus that may be resident in memory. The question was being asked as to
    > whether deleting a virus was sufficient, as opposed to overwriting with
    > zeroes...


    Well, certainly, through WINE there's less chance of direct access to
    specific disk blocks.

    But I'm thinking that things like Windows-based file recovery tools
    (which access the disk directly to read the Directory Entry Tables and
    other critical areas of the disk) wouldn't work because the filesystem
    isn't FAT/FAT32/NTFS, so the tables aren't actually there.

    Zeroing the file would be unnecessary - but I'd go a step further and
    question why one would connect to a server knowing it has a virus on it,
    rather than notifying the operator that they're spreading a virus.

    But one must also remember that in *nix, you can delete files that are
    open, so if the code is executing in memory (as an executed file),
    deleting the file isn't sufficient, either. You have to make sure the
    process is dead first.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
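
A check for the situation described in the post above, where a file has been deleted while a process started from it is still running. This is an added example, not part of the original thread: on Linux, `/proc/<pid>/exe` is a symlink to the executable, and the kernel appends ` (deleted)` to its target once the file is unlinked. The function name `find_deleted_exe` and its optional directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list running processes whose executable no longer exists on disk.

# find_deleted_exe [PROC_ROOT]
#   Prints "<pid><TAB><original path>" for every process whose exe link
#   target ends in " (deleted)". PROC_ROOT defaults to /proc; the argument
#   is there so the function can be pointed at a constructed directory tree.
find_deleted_exe() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        # Skip the literal pattern when nothing matched, and non-directories.
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for processes owned by
        # other users when not running as root; skip those quietly.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)")
                # Strip the kernel's suffix to recover the original path.
                printf '%s\t%s\n' "${dir##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# Scan the live system only when asked to, e.g.:  sh thisfile.sh --scan
if [ "${1:-}" = "--scan" ]; then
    find_deleted_exe /proc
fi
```

Hits are also normal after a package update replaces a binary that is still running, so each result needs to be looked at rather than treated as malicious. Run it as root to see processes owned by other users.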

  3. #23
    Join Date
    May 2010
    Location
    Space Colony Lagrange Point 22° à, 77° Ƅ, 56° ɤ, 99° ɜ
    Posts
    3,166

    Default Re: ZeroFill, a good idea?

    you could always try openSUSE +apparmor(VM(WINDOWS+games))
    GNOME Version 3.20.2
    openSUSE Leap 42.3 64-bit

    www.vazhavandan.blogspot.com

  4. #24
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: ZeroFill, a good idea?

    On 2013-01-22 18:56, deano ferrari wrote:
    > Yes, but in general we're talking about user-space files, and not a
    > virus that may be resident in memory. The question was being asked as to
    > whether deleting a virus was sufficient, as opposed to overwriting with
    > zeroes...


    But can a Windows process be resident in memory, in Linux via wine? Once
    wine exits, those processes, if there, can no longer run, there is no
    Windows api to talk to. Unless those libraries remain loaded, too. I'm
    speculating, I don't know much about those Wine details: I don't know if
    once Wine exits all its libraries are unloaded or some can remain.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))

  5. #25
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: ZeroFill, a good idea?

    On 2013-01-22 19:26, vazhavandan wrote:
    >
    > you could always try openSUSE +apparmor(VM(WINDOWS+games))


    Yes, with AA you can impede code from writing outside of the wine directory.


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))

  6. #26
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,043

    Default Re: ZeroFill, a good idea?

    On Tue, 22 Jan 2013 18:44:06 +0000, Carlos E. R. wrote:

    > On 2013-01-22 18:56, deano ferrari wrote:
    >> Yes, but in general we're talking about user-space files, and not a
    >> virus that may be resident in memory. The question was being asked as
    >> to whether deleting a virus was sufficient, as opposed to overwriting
    >> with zeroes...

    >
    > But can a Windows process be resident in memory, in Linux via wine? Once
    > wine exits, those processes, if there, can no longer run, there is no
    > Windows api to talk to. Unless those libraries remain loaded, too. I'm
    > speculating, I don't know much about those Wine details: I don't know if
    > once Wine exits all its libraries are unloaded or some can remain.


    I've observed that exiting programs started by WINE doesn't always shut
    WINE down - so presumably if a background process continues running,
    it'll keep running even if the application that started it has terminated
    without killing that process.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  7. #27
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: ZeroFill, a good idea?

    On 2013-01-22 22:00, Jim Henderson wrote:
    >> > But can a Windows process be resident in memory, in Linux via wine? Once
    >> > wine exits, those processes, if there, can no longer run, there is no
    >> > Windows api to talk to. Unless those libraries remain loaded, too. I'm
    >> > speculating, I don't know much about those Wine details: I don't know if
    >> > once Wine exits all its libraries are unloaded or some can remain.


    > I've observed that exiting programs started by WINE doesn't always shut
    > WINE down - so presumably if a background process continues running,
    > it'll keep running even if the application that started it has terminated
    > without killing that process.


    Although I have used wine now and then, I don't remember the details. If
    wine continues running in those cases, it is then easy to see that it is
    running, so closing the window should kill any resident code.

    I don't know if I explained myself :-?

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))

  8. #28
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,043

    Default Re: ZeroFill, a good idea?

    On Tue, 22 Jan 2013 21:14:06 +0000, Carlos E. R. wrote:

    > On 2013-01-22 22:00, Jim Henderson wrote:
    >>> > But can a Windows process be resident in memory, in Linux via wine?
    >>> > Once wine exits, those processes, if there, can no longer run, there
    >>> > is no Windows api to talk to. Unless those libraries remain loaded,
    >>> > too. I'm speculating, I don't know much about those Wine details: I
    >>> > don't know if once Wine exits all its libraries are unloaded or some
    >>> > can remain.

    >
    >> I've observed that exiting programs started by WINE doesn't always shut
    >> WINE down - so presumably if a background process continues running,
    >> it'll keep running even if the application that started it has
    >> terminated without killing that process.

    >
    > Although I have used wine now and then, I don't remember the details. If
    > wine continues running in those cases, it is then easy to see that it is
    > running, so closing the window should kill any resident code.
    >
    > I don't know if I explained myself :-?


    Closing the window doesn't kill background processes that the program
    that creates the UI starts. Windows can fork background processes, too,
    and those processes don't have to have a UI associated with them.

    That would particularly be the case with a virus that implicitly runs in
    the background as a "hidden" process.

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  9. #29
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: ZeroFill, a good idea?

    On 2013-01-22 22:26, Jim Henderson wrote:
    > On Tue, 22 Jan 2013 21:14:06 +0000, Carlos E. R. wrote:


    >> Although I have used wine now and then, I don't remember the details. If
    >> wine continues running in those cases, it is then easy to see that it is
    >> running, so closing the window should kill any resident code.
    >>
    >> I don't know if I explained myself :-?

    >
    > Closing the window doesn't kill background processes that the program
    > that creates the UI starts. Windows can fork background processes, too,
    > and those processes don't have to have a UI associated with them.


    But can those forked processes run out of the control of the Wine window
    that hosts them initially?

    Remember that those processes can not interact with Linux directly.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))

  10. #30
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,043

    Default Re: ZeroFill, a good idea?

    On Tue, 22 Jan 2013 23:54:07 +0000, Carlos E. R. wrote:

    > But can those forked processes run out of the control of the Wine window
    > that hosts them initially?


    There is no "WINE window". Yes, those forked processes can continue if
    the application is shut down. I've seen it happen on WINE and Crossover
    (which uses WINE) and have had to use the Crossover tools to actually
    kill the WINE session.

    > Remember that those processes can not interact with Linux directly.


    Of course they can't. But if a Windows process is still running, then
    WINE keeps running.

    WINE isn't a perfect sandbox, mind, but it's pretty good. But if a
    Windows process forks something, WINE knows about it and keeps running.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
