#11
kaspersky rescue disk
On Fri, 01 Jun 2018 12:38:26 -0400, Shadow wrote:

Yes, they changed it after I last accessed it. It now points to: https://support.kaspersky.com/14221 And although it says you can boot it from a USB (in system requirements), they don't tell you how to. The old link to the Rescue2usb utility has been removed. Sh*tty support .... []'s

Found the correct link at https://support.kaspersky.com/viruses/krd2018 which leads to downloading https://rescuedisk.s.kaspersky-labs....e/2018/krd.iso

Checking out the iso image, it's a customized isohybrid build of gentoo linux, suitable for burning to an optical disc, or copying to a usb device. To copy such an image to a usb device, this page has links to a few programs that can be used. The page is for Mageia linux, but the instructions will work for a Gentoo linux iso image too. https://wiki.mageia.org/en/Dump_Mage...ernative_tools

One important thing to understand is that the iso image contains its own partition table, so when copying it to a usb flash drive, it has to be copied to the drive, not to an existing partition on the drive. If the drive currently has any partitions on it, make sure they are not mounted. Any data currently on the drive, including its partition table, will be overwritten.

Be patient when copying the half gig iso image to the usb drive. It will take a while, as they are much slower than a hard drive. Depending on the usb drive, and other factors, it may appear to complete quickly, even though it's still being written. Give it at least 5 minutes.

When you reboot the computer, if it ignores the usb stick and tries to boot directly to the hard drive, reboot it again, and watch for any sort of a message such as "Press f7 for setup". Which key needs to be pressed will vary depending on the computer's bios. Once in the setup, look for any options similarly worded to "boot order", and in that section ensure the usb device entry is moved to be before the hard drive option, then save the setup changes, and reboot, which should then load the recovery system.

FYI, I'm responding to the article as seen in alt.comp.anti-virus, as I'm not subscribed to the pc-homebuilt newsgroup.

Regards, Dave Hodgins
-- 
Change to for email replies.
#12
kaspersky rescue disk
David W. Hodgins wrote:

On Fri, 01 Jun 2018 12:38:26 -0400, Shadow wrote:

Yes, they changed it after I last accessed it. It now points to: https://support.kaspersky.com/14221 And although it says you can boot it from a USB (in system requirements), they don't tell you how to. The old link to the Rescue2usb utility has been removed. Sh*tty support .... []'s

Found the correct link at https://support.kaspersky.com/viruses/krd2018 which leads to downloading https://rescuedisk.s.kaspersky-labs....e/2018/krd.iso

Checking out the iso image, it's a customized isohybrid build of gentoo linux, suitable for burning to an optical disc, or copying to a usb device. To copy such an image to a usb device, this page has links to a few programs that can be used. The page is for Mageia linux, but the instructions will work for a Gentoo linux iso image too. https://wiki.mageia.org/en/Dump_Mage...ernative_tools

One important thing to understand is that the iso image contains its own partition table, so when copying it to a usb flash drive, it has to be copied to the drive, not to an existing partition on the drive. If the drive currently has any partitions on it, make sure they are not mounted. Any data currently on the drive, including its partition table, will be overwritten.

Be patient when copying the half gig iso image to the usb drive. It will take a while, as they are much slower than a hard drive. Depending on the usb drive, and other factors, it may appear to complete quickly, even though it's still being written. Give it at least 5 minutes.

When you reboot the computer, if it ignores the usb stick and tries to boot directly to the hard drive, reboot it again, and watch for any sort of a message such as "Press f7 for setup". Which key needs to be pressed will vary depending on the computer's bios. Once in the setup, look for any options similarly worded to "boot order", and in that section ensure the usb device entry is moved to be before the hard drive option, then save the setup changes, and reboot, which should then load the recovery system.

FYI, I'm responding to the article as seen in alt.comp.anti-virus, as I'm not subscribed to the pc-homebuilt newsgroup.

Regards, Dave Hodgins

If it's a Hybrid ISO, you can do it with the Windows dd.exe port.

http://www.chrysocome.net/dd
http://www.chrysocome.net/downloads/dd-0.6beta3.zip

Ubuntu was doing something like this too. At one time, they had USB_Creator_GTK, which prepared some structures on a USB stick so that a non-Hybrid ISO could be loaded. That worked well, and I could use the Ubuntu USB_Creator to load a MINT iso onto a USB stick. When the Hybrid ISOs started coming out, they changed the code in USB_Creator, so it's more or less sector-by-sector dd. Which negated the ability to take older ISO files and load them onto a USB stick.

If you have a copy of disktype handy (Cygwin, Win10 bash, etc), you can also check an ISO to see what it contains in terms of a partition structure.

http://disktype.sourceforge.net/

disktype some.iso

And that will hint as to whether a dd.exe transfer will be sufficient for the job. And this does look suitable for dd transfer to a USB stick. There's everything but the kitchen sink in here ("HFSPLUS" ???) :-)

L:\disktype krd.iso
--- krd.iso
Regular file, size 550.9 MiB (577619968 bytes)
DOS/MBR partition map
  Partition 1: 2.813 MiB (2949120 bytes, 5760 sectors from 1122352)
    Type 0xEF (EFI System (FAT))
    FAT12 file system (hints score 5 of 5)
      Volume size 2.796 MiB (2931712 bytes, 2863 clusters of 1 KiB)
GPT partition map, 192 entries
  Disk size 550.9 MiB (577619968 bytes, 1128164 sectors)
  Disk GUID 86543861-366F-174E-B237-9BFFE65ED0FB
  Partition 1: 547.7 MiB (574343168 bytes, 1121764 sectors from 588)
    Type Mac HFS+ (GUID 00534648-0000-AA11-AA11-00306543ECAC)
    Partition Name "HFSPLUS"
    Partition GUID 86543861-366F-174E-B236-9BFFE65ED0FB
    HFS Plus file system
      Volume size 547.7 MiB (574343168 bytes, 280441 blocks of 2 KiB)
      Volume name "KRD"
  Partition 2: 2.813 MiB (2949120 bytes, 5760 sectors from 1122352)
    Type Basic Data (GUID A2A0D0EB-E5B9-3344-87C0-68B6B72699C7)
    Partition Name "ISOHybrid1"
    Partition GUID 86543861-366F-174E-B235-9BFFE65ED0FB
    FAT12 file system (hints score 5 of 5)
      Volume size 2.796 MiB (2931712 bytes, 2863 clusters of 1 KiB)
  Partition 3: unused
ISO9660 file system
  Volume name "KRD"
  Preparer "XORRISO-1.4.8 2017.09.12.143001, LIBISOBURN-1.4.8, LIBISOFS-1.4.8, LIBBURN-1.4.8"
  Data size 550.9 MiB (577619968 bytes, 282041 blocks of 2 KiB)
  El Torito boot record, catalog at 312
    Bootable non-emulated image, starts at 2531, preloads 2 KiB
      Platform 0x00 (x86), System Type 0x00 (Empty)
    Bootable non-emulated image, starts at 280588, preloads 2.813 MiB (2949120 bytes)
      Platform 0xEF (EFI), System Type 0x00 (Empty)
      FAT12 file system (hints score 5 of 5)
        Volume size 2.796 MiB (2931712 bytes, 2863 clusters of 1 KiB)
  Joliet extension, volume name "KRD"
L:\

Paul
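A check along the lines of Paul's disktype run, as an added example that is not part of the thread or of disktype: it reads the MBR entries, the GPT entries and the ISO9660 volume descriptors (including the El Torito boot record) from an image and reports whether the image is an isohybrid, i.e. one that carries its own partition table and must be written to the whole device rather than a partition. The 20-block sample image is constructed here to mirror the listing above; a real krd.iso would be passed as open(path, "rb").read().

```python
import struct

SECTOR = 512        # MBR/GPT addressing unit
ISO_BLOCK = 2048    # ISO9660 logical block size

def parse_mbr(img):
    """Non-empty entries of the MBR partition table; [] when the 0x55AA signature is missing."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        e = img[446 + 16 * i:446 + 16 * i + 16]
        start, count = struct.unpack_from("<II", e, 8)
        if e[4] and count:
            parts.append({"type": e[4], "start": start, "sectors": count})
    return parts

def parse_gpt(img):
    """GPT entries (name, first/last LBA) described by the header at LBA 1; [] if there is none."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        return []
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        e = img[off:off + entry_size]
        if len(e) < entry_size or e[:16] == bytes(16):   # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append({"name": e[56:128].decode("utf-16-le").rstrip("\x00"), "first": first, "last": last})
    return parts

def parse_iso(img):
    """Walk the ISO9660 volume descriptors from block 16: note the PVD and any El Torito boot record."""
    info = {"iso9660": False, "volume": None, "el_torito": None}
    blk = 16
    while True:
        d = img[blk * ISO_BLOCK:(blk + 1) * ISO_BLOCK]
        if len(d) < ISO_BLOCK or d[1:6] != b"CD001" or d[0] == 255:   # short read or set terminator
            break
        if d[0] == 1:                                   # primary volume descriptor
            info["iso9660"] = True
            info["volume"] = d[40:72].decode("ascii").strip()
        elif d[0] == 0 and d[7:30] == b"EL TORITO SPECIFICATION":
            info["el_torito"] = struct.unpack_from("<I", d, 71)[0]   # block of the boot catalog
        blk += 1
    return info

def analyze(img):
    info = parse_iso(img)
    info["mbr"], info["gpt"] = parse_mbr(img), parse_gpt(img)
    # isohybrid = real ISO9660 data AND a partition table in sector 0: copy to the device, not a partition
    info["hybrid"] = info["iso9660"] and bool(info["mbr"])
    return info

def build_sample():
    """Constructed stand-in for krd.iso (hypothetical, 20 blocks) with the layout disktype reported."""
    img = bytearray(20 * ISO_BLOCK)
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", 0xEF, b"\0\0\0", 1122352, 5760)  # MBR entry
    img[510:512] = b"\x55\xaa"
    img[512:520] = b"EFI PART"                                  # GPT header at LBA 1
    struct.pack_into("<QII", img, 512 + 72, 2, 1, 128)          # one 128-byte entry at LBA 2
    e = 2 * SECTOR
    img[e:e + 16] = b"\x48\x46\x53\x00" + bytes(12)             # any non-zero type GUID
    struct.pack_into("<QQ", img, e + 32, 588, 588 + 1121764 - 1)
    img[e + 56:e + 70] = "HFSPLUS".encode("utf-16-le")
    pvd, br, term = 16 * ISO_BLOCK, 17 * ISO_BLOCK, 18 * ISO_BLOCK
    img[pvd:pvd + 7] = b"\x01CD001\x01"
    img[pvd + 40:pvd + 72] = b"KRD".ljust(32)
    img[br:br + 7] = b"\x00CD001\x01"
    img[br + 7:br + 30] = b"EL TORITO SPECIFICATION"
    struct.pack_into("<I", img, br + 71, 312)                   # boot catalog at block 312
    img[term:term + 7] = b"\xffCD001\x01"
    return bytes(img)
```

A plain (non-hybrid) ISO has the CD001 descriptors but no 0x55AA signature in sector 0, so analyze() reports hybrid False and a tool such as unetbootin, which rebuilds a boot structure instead of copying sectors, is the right approach for it.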
#13
kaspersky rescue disk
On Fri, 01 Jun 2018 14:14:31 -0400, "David W. Hodgins" wrote:

On Fri, 01 Jun 2018 12:38:26 -0400, Shadow wrote:

Yes, they changed it after I last accessed it. It now points to: https://support.kaspersky.com/14221 And although it says you can boot it from a USB (in system requirements), they don't tell you how to. The old link to the Rescue2usb utility has been removed. Sh*tty support .... []'s

Found the correct link at https://support.kaspersky.com/viruses/krd2018 which leads to downloading https://rescuedisk.s.kaspersky-labs....e/2018/krd.iso

Checking out the iso image, it's a customized isohybrid build of gentoo linux, suitable for burning to an optical disc, or copying to a usb device. To copy such an image to a usb device, this page has links to a few programs that can be used. The page is for Mageia linux, but the instructions will work for a Gentoo linux iso image too. https://wiki.mageia.org/en/Dump_Mage...ernative_tools

One important thing to understand is that the iso image contains its own partition table, so when copying it to a usb flash drive, it has to be copied to the drive, not to an existing partition on the drive. If the drive currently has any partitions on it, make sure they are not mounted. Any data currently on the drive, including its partition table, will be overwritten.

Be patient when copying the half gig iso image to the usb drive. It will take a while, as they are much slower than a hard drive. Depending on the usb drive, and other factors, it may appear to complete quickly, even though it's still being written. Give it at least 5 minutes.

When you reboot the computer, if it ignores the usb stick and tries to boot directly to the hard drive, reboot it again, and watch for any sort of a message such as "Press f7 for setup". Which key needs to be pressed will vary depending on the computer's bios. Once in the setup, look for any options similarly worded to "boot order", and in that section ensure the usb device entry is moved to be before the hard drive option, then save the setup changes, and reboot, which should then load the recovery system.

FYI, I'm responding to the article as seen in alt.comp.anti-virus, as I'm not subscribed to the pc-homebuilt newsgroup.

Regards, Dave Hodgins

I tried unetbootin on the latest ISO, downloaded today and updated yesterday, according to the krd_bases_timestamp.txt, and the resulting USB was not bootable. If I get bored, I might boot into Linux and "dd" it.

It's a pity they don't offer the old stable 100% working version while this "pre-alpha" project is underway.

[]'s
-- 
Don't be evil - Google 2004 We have a new policy - Google 2012
#14
kaspersky rescue disk
On Fri, 01 Jun 2018 13:38:26 -0300, Shadow wrote:

On Wed, 30 May 2018 18:54:51 -0400, John B. Smith wrote:

On Tue, 29 May 2018 16:25:54 -0300, Shadow wrote:

On Mon, 28 May 2018 19:57:39 -0400, John B. Smith wrote:

maybe there was something wrong with the Rescue 10 iso I downloaded twice. I'll try downloading it again in a week or so, see if anything has improved.

Check the MD5 after downloading. Though MD5 is relatively easy to forge: https://support.kaspersky.com/4162 They ought to supply SHA 256 or SHA512 as well as the MD5. Strange for a firm that is supposed to be proficient in security. []'s

thanks for that link it says "Kaspersky Rescue Disk 10 is no longer supported. use Kaspersky2018." The 2018 version scans the OS so fast I wonder if the definitions are even included with it. I can't see any place to download them once you boot the disk.

Yes, they changed it after I last accessed it. It now points to: https://support.kaspersky.com/14221 And although it says you can boot it from a USB (in system requirements), they don't tell you how to. The old link to the Rescue2usb utility has been removed. Sh*tty support ....

So I dd'd it to the USB, it booted, ran a scan (a million files, took just over an hour), found 49 "malware", most of which were Nirsoft utilities. 3 (non Nirsoft) were classified as trojans and one was described as a browser hijacker, but I couldn't read the path to the files (screen not wide enough), so I tried to save a logfile, but that's not an option.

So I did some research and discovered it keeps the logs in C:\KRD2018_Data\Reports\*.enc1 But the file is encrypted !!!!! What am I missing ? Is there a util to unencrypt the file so I can discover where the "malware" is and submit it to Virustotal ?

TIA

PS There is a warning: https://support.kaspersky.com/14231 //Kaspersky Rescue Disk 2018 makes changes to the operating system files. This may affect the work of your operating system. Before you start using Kaspersky Rescue Disk 2018, we recommend that you create a backup copy of your operating system.// WTF does that mean ? What "changes" ?

[]'s
-- 
Don't be evil - Google 2004 We have a new policy - Google 2012
#15
kaspersky rescue disk
Shadow wrote:

PS There is a warning: https://support.kaspersky.com/14231 //Kaspersky Rescue Disk 2018 makes changes to the operating system files. This may affect the work of your operating system. Before you start using Kaspersky Rescue Disk 2018, we recommend that you create a backup copy of your operating system.// WTF does that mean ? What "changes" ? []'s

Maybe they're referring to you having used some "quarantine" function after malware is found ? If you quarantine a file (say winload.exe), that could brick the OS.

Paul
#16
kaspersky rescue disk
On Fri, 01 Jun 2018 23:19:24 -0400, Paul wrote:

Shadow wrote:

PS There is a warning: https://support.kaspersky.com/14231 //Kaspersky Rescue Disk 2018 makes changes to the operating system files. This may affect the work of your operating system. Before you start using Kaspersky Rescue Disk 2018, we recommend that you create a backup copy of your operating system.// WTF does that mean ? What "changes" ? []'s

Maybe they're referring to you having used some "quarantine" function after malware is found ? If you quarantine a file (say winload.exe), that could brick the OS.

Yes it would, but the old Rescue Disk did that too (as does any decent bootable AV disk), and it's under the header "Special aspects of Kaspersky Rescue Disk 2018". As in, "what is different from the last version". They certainly need to upgrade their PR skills.

[]'s
-- 
Don't be evil - Google 2004 We have a new policy - Google 2012
#17
kaspersky rescue disk
On Wed, 30 May 2018 11:44:05 -0300, Shadow wrote:

On Tue, 29 May 2018 16:25:54 -0300, Shadow wrote:

On Mon, 28 May 2018 19:57:39 -0400, John B. Smith wrote:

maybe there was something wrong with the Rescue 10 iso I downloaded twice. I'll try downloading it again in a week or so, see if anything has improved.

Check the MD5 after downloading. Though MD5 is relatively easy to forge: https://support.kaspersky.com/4162 They ought to supply SHA 256 or SHA512 as well as the MD5. Strange for a firm that is supposed to be proficient in security.

Hum, the MD5 link came up 404. Never done that before. Weird. The last ISO I downloaded (a couple of days ago) has the following checksums:

MD5: 9F617FD4573CAAC2DEFC69017DB4234C
SHA-1: D7B6B15E1DBA821E89A439B962357214DADF0995
SHA-256: DBDA178E1CD89DBC47E8B7304A1AF5B9F52B7D8BC8DA7DD25FAC080E8C60E4CE

Anyone confirm those numbers ?

Could you tell me how you obtain these check sums? I'm kinda confused as I suspect you guys are talking Linux at times but I'm not sure. I only have XP. I successfully made a bootable USB drive with the krb.iso using Rufus and the dd option. I sure didn't take an hour to run the kaspersky scan after I booted it. More like a minute.. Is there a way to look inside the iso to see if the virus definitions are there? Looking at my USB drive in Windows Explorer all I see 3 boot files (efi's) and an fde_id.efi at 629kb.

Opening the ISO with 7-Zip: krd_bases_timestamp.txt is 201805170648

Having discovered 7zip it says my krb.iso timestamp is 201805271958

Which is strange, because the previous version always had the latest signatures. This one apparently needs updating before use. []'s

PS alt.comp.anti-virus added, where it's more appropriate.
#18
kaspersky rescue disk
John B. Smith wrote:

On Wed, 30 May 2018 11:44:05 -0300, Shadow wrote:

On Tue, 29 May 2018 16:25:54 -0300, Shadow wrote:

On Mon, 28 May 2018 19:57:39 -0400, John B. Smith wrote:

maybe there was something wrong with the Rescue 10 iso I downloaded twice. I'll try downloading it again in a week or so, see if anything has improved.

Check the MD5 after downloading. Though MD5 is relatively easy to forge: https://support.kaspersky.com/4162 They ought to supply SHA 256 or SHA512 as well as the MD5. Strange for a firm that is supposed to be proficient in security.

Hum, the MD5 link came up 404. Never done that before. Weird. The last ISO I downloaded (a couple of days ago) has the following checksums:

MD5: 9F617FD4573CAAC2DEFC69017DB4234C
SHA-1: D7B6B15E1DBA821E89A439B962357214DADF0995
SHA-256: DBDA178E1CD89DBC47E8B7304A1AF5B9F52B7D8BC8DA7DD25FAC080E8C60E4CE

Anyone confirm those numbers ?

Could you tell me how you obtain these check sums? I'm kinda confused as I suspect you guys are talking Linux at times but I'm not sure. I only have XP. I successfully made a bootable USB drive with the krb.iso using Rufus and the dd option. I sure didn't take an hour to run the kaspersky scan after I booted it. More like a minute.. Is there a way to look inside the iso to see if the virus definitions are there? Looking at my USB drive in Windows Explorer all I see 3 boot files (efi's) and an fde_id.efi at 629kb.

Opening the ISO with 7-Zip: krd_bases_timestamp.txt is 201805170648

Having discovered 7zip it says my krb.iso timestamp is 201805271958

Which is strange, because the previous version always had the latest signatures. This one apparently needs updating before use. []'s

PS alt.comp.anti-virus added, where it's more appropriate.

The ISO contains multiple partitions. You copied it via "dd" to the USB stick. Windows will not mount all partitions on a USB stick. It mounts the first one. Then, it stops. The second, third, Nth partition are ignored.

This means the partition you happen to be looking at right now, is not the "main body" of the USB boot stick. It's one of the tiny partitions instead. And that tiny one happened to be "first" in order. (Linux on the other hand, would mount all the partitions. But this is not important right now.)

Since you have 7ZIP, you can examine the contents of the ISO. You can burrow into any partition inside the ISO. Or at least, a restricted subset of partitions. NTFS and FAT32 should be included.

The 005-bases.srm file on my download, is dated May 31, and close to the point where I downloaded it. The definitions don't seem out of date to me. The packages all have checksums, implying the boot loader checks them somehow.

Traditionally, this ISO is constructed with a custom Gentoo build. Gentoo is a Linux you build from source. You can put just the components you want into it, to keep the size down. And that's the OS that boots when you start the USB key. The scanner program scans for Windows malware definitions. It's an offline scanner.

The disc recently had a Windows Registry Editor added to it, and that tool can be separated from the ISO and used on other Linux distros. Perhaps this is intended for secondary cleanup, where the malware gets removed, but the registry entry that launched it, does not. The nuisance error messages that causes, can be cleaned up using the Kaspersky registry editor. One benefit of doing it this way, is malware likes to have the registry entries owned by things like TrustedInstaller, to make it hard for ordinary users or Administrator, to remove it. The rescue disc registry editor just burrows into that thing, no problem at all.

Paul
#19
kaspersky rescue disk
On Sat, 02 Jun 2018 19:20:00 -0400, John B. Smith wrote:

On Wed, 30 May 2018 11:44:05 -0300, Shadow wrote:

On Tue, 29 May 2018 16:25:54 -0300, Shadow wrote:

On Mon, 28 May 2018 19:57:39 -0400, John B. Smith wrote:

maybe there was something wrong with the Rescue 10 iso I downloaded twice. I'll try downloading it again in a week or so, see if anything has improved.

Check the MD5 after downloading. Though MD5 is relatively easy to forge: https://support.kaspersky.com/4162 They ought to supply SHA 256 or SHA512 as well as the MD5. Strange for a firm that is supposed to be proficient in security.

Hum, the MD5 link came up 404. Never done that before. Weird. The last ISO I downloaded (a couple of days ago) has the following checksums:

MD5: 9F617FD4573CAAC2DEFC69017DB4234C
SHA-1: D7B6B15E1DBA821E89A439B962357214DADF0995
SHA-256: DBDA178E1CD89DBC47E8B7304A1AF5B9F52B7D8BC8DA7DD25FAC080E8C60E4CE

Anyone confirm those numbers ?

Could you tell me how you obtain these check sums?

Sure http://implbits.com/products/hashtab/ At the bottom of the page, you'll see the installer for XP. Install, then right click on any file, look at "properties", then "file hashes". If you right click inside that window, you can choose the ones you want displayed (I use MD5, SHA1 and SHA256) in "settings". The more recent ISO will have different hashes, but the ones above will probably match the one you downloaded.

I'm kinda confused as I suspect you guys are talking Linux at times but I'm not sure. I only have XP.

When you boot from the Rescue Disk, you are booting into Linux. Which is good, because you can scan for rootkits which might be hidden if you scanned from a running Windows system.

I successfully made a bootable USB drive with the krb.iso using Rufus and the dd option. I sure didn't take an hour to run the kaspersky scan after I booted it. More like a minute.. Is there a way to look inside the iso to see if the virus definitions are there?

Probably because you didn't scan your whole hard drive (look at the scan settings). By default, Kaspersky Rescue Disk only looks at boot sectors, system files and your startup programs. It might look at browser extensions, and programs listed in prefetch too, but I'm not sure. That only takes a few minutes. Ah, and it checks your hosts file, and it said mine was "infected". False positive.

To scan a million files, it took just over an hour, but I have an 8 core CPU. On my old PC, I'd leave it scanning overnight.

HTH

PS The bad thing is you cannot save a readable log file. The old version did.

[]'s
-- 
Don't be evil - Google 2004 We have a new policy - Google 2012
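For the "how do you obtain these checksums" question, here is an added example (not from the thread, and not HashTab) that does the same job as a script: it hashes a download once for several algorithms, normalises a posted digest before comparing (the SHA-256 above arrived split across a line break, and posted hashes are often upper case), compares in constant time, and refuses to call the file verified when only MD5 or SHA-1 was supplied, since those are the collision-prone hashes Shadow complains about. The sample file it hashes is constructed on the spot; the function names are this example's own.

```python
import hashlib
import hmac
import re
import tempfile

STRONG = {"sha256", "sha512"}   # an MD5/SHA-1 match alone is not evidence of integrity


def normalize(posted):
    """Strip whitespace and line-wrap debris and fold case; None if the result is not hex."""
    h = re.sub(r"\s+", "", posted).lower()
    return h if re.fullmatch(r"[0-9a-f]+", h) else None


def digest_file(path, algos, chunk=1 << 20):
    """Hash a (possibly half-gigabyte) file in a single pass for every algorithm requested."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def verify(path, expected):
    """expected maps names as posted ("MD5", "SHA-256", ...) to digests as posted. Returns (ok, why)."""
    wanted = {a.replace("-", "").lower(): normalize(v) for a, v in expected.items()}
    bad = [a for a, v in wanted.items() if v is None]
    if bad:
        return False, "unparseable digest(s): %s" % bad
    actual = digest_file(path, wanted)
    mismatched = [a for a in wanted if not hmac.compare_digest(wanted[a], actual[a])]
    if mismatched:
        return False, "mismatch: %s" % mismatched
    if not STRONG & set(wanted):
        return False, "only weak hashes (MD5/SHA-1) supplied; match is not proof of integrity"
    return True, "ok"


def sample_file(data=b"constructed sample payload, not the real krd.iso\n"):
    """Write a small constructed file so the checker can be exercised offline."""
    f = tempfile.NamedTemporaryFile(delete=False, suffix=".iso")
    f.write(data)
    f.close()
    return f.name
```

Run verify("krd.iso", {"SHA-256": "<digest as posted>"}) on the real download; a vendor-published SHA-256 is the value worth insisting on, an MD5 from a third-party post only tells you the file is the same one that poster had.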
#20
kaspersky rescue disk
On Sat, 02 Jun 2018 19:20:00 -0400, John B. Smith wrote:

Could you tell me how you obtain these check sums? I'm kinda confused as I suspect you guys are talking Linux at times but I'm not sure. I only have XP.

Checksums are a code key, where someone has compiled a program for distribution. Many sources may have the same program, but some will not provide such a key - or "hash table." The reason they do not is because the program has been variously modified for inclusion of a general class of malware. The provided key is an attempt to establish physical verity, that the compilation is as original by good intent, not an outside modification from parties intending to interject false or misleading purposes, which have nothing to do with the original program.

These codes were also used earlier along in computer backups, archival storage, so that the key could be used for a later comparator when indicating evidence of modification and possible corruption. A wholly different process of entropy or "natural" degradation and breakdown of communications;- scabs interjecting exploitational codeworks into everything they can get their grubby paws on, comes to be widely seen at a more modern stage for programming, not the isolated urban hero of yesteryear's joyboy hacker, whose ego has grown criminal, but one in a matter of maturity gainfully employed among industrial, and other classes, engaging in widespread subterfuge.

I'm sure checksums would deserve better, sustained reading from more reputable sources if the process is one of interest as an integral discipline of the computer sciences.