Antimalware software can detect infections, but fixing those problems still means wiping and rebuilding your hardware.

In the computing world, detecting problems is far easier than fixing them. Take antimalware software: It has always been better at accurately finding viruses and the like than at cleaning up and repairing infected systems. That left security professionals with an ongoing conundrum for the past three decades: How can we be certain we’ve cleaned up a system once it’s been compromised? Just because it tells you it’s infection-free doesn’t mean it is. Malware can modify a single bit, and because you don’t know which bit has changed, you have to do a complete recovery.

The answer is that you can’t trust a system once it’s been compromised unless you completely rebuild it. In today’s world of insufficient backups, that usually means a series of arduous, time-consuming tasks. For example, you may have to copy off all your data that isn’t backed up, format the drive, re-install the operating system and software, then put the data back.

Some of my favorite security features, which protect against malicious hackers and malware, focus more on detecting than on preventing or fixing problems. For example, most disk encryption software (such as Microsoft BitLocker Drive Encryption, Symantec PGP Whole Disk Encryption, or open source TrueCrypt) will alert you when the data it protects has been modified, but it cannot repair that data. No surprise here — encryption and integrity are two different functions. Knowing you’re exploited and knowing how to easily fix that exploit have always been two different challenges. For the past decade, a growing number of solutions have tried to supply the missing piece of the puzzle.
Tripwire, one of the early and best-known host-intrusion applications, can not only detect unauthorized changes, it can restore systems to their known, compliant states. The problem with Tripwire and other “snapshot” software programs: They can tell you if a measured system has undergone a change, but they have no way of knowing if the measured system itself was trustworthy in the first place. How is a software program supposed to know whether the system it snapshots is unexploited to begin with? Normally the answer has been to make sure the system you measure is clean and trustworthy at the start, but that’s hard to ensure in a large enterprise environment.

Wyatt Starnes, a Tripwire co-founder, created a new company called SignaCert that tried to address the problem. SignaCert collects the file properties of tens of millions of legitimate files, including operating system files, software programs, driver files, and so on. The product uses that information to determine whether a system contains only known legitimate files. There’s no need to start with a brand-new, clean system. Many other application control programs, such as Bit9 Parity and Lumension Application Control, have started providing the same service.

Many OEMs, using hidden disk partitions or install disks, have long allowed system administrators to reset PCs to their original delivered states. Infected too badly to clean it up? Just start all over. A “renew” function formats the disk, which means the user can lose any data that wasn’t backed up ahead of time. Either way, the user has to re-install the now-missing patches and any other software and customizations added since the beginning. But at least the malicious modification is gone — that’s remediation, not just detection.

Even operating systems are getting into repair and remediation. Windows 8 has new refresh-and-reset functionality. Refresh will reinstall Windows but keep your files and other important custom data.
Reset will take the system back to its original state. iOS and Android users have similar options.

The feature doesn’t help a user figure out what the infection was or where it came from. Still, it’s a big improvement over reformatting and reinstalling everything, which can take more than an hour. Now, it’s 5 minutes and you’re up and running again.

It’s an exciting time in the computer security world, because more and more remediation options are coming in the near future. Detection-only protection schemes will eventually be phased out in favor of push-button remediation. It’s been a long wait.

This story, “After infection: New schemes to restore your systems,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
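As an added illustration of the distinction drawn above between a Tripwire-style snapshot (which trusts whatever the system looked like when it was measured) and a SignaCert-style catalog of known-legitimate file hashes, here is example code written for this page; it is not Tripwire’s or SignaCert’s software, and the file paths and contents are constructed:

```python
"""Snapshot model vs. known-good catalog model for file integrity checking.
Added example; the 'system' below is a constructed dict of path -> bytes."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Tripwire-style: record the hash of every file as it is right now."""
    return {path: sha256(content) for path, content in files.items()}


def changed_since_snapshot(files: dict, baseline: dict) -> list:
    """Paths whose current hash differs from (or is absent in) the snapshot."""
    return sorted(p for p, c in files.items() if baseline.get(p) != sha256(c))


def unknown_files(files: dict, catalog: set) -> list:
    """SignaCert-style: paths whose hash is not in the known-legitimate catalog."""
    return sorted(p for p, c in files.items() if sha256(c) not in catalog)


# Constructed sample: the vendor's legitimate files, and a system on which
# one of them was replaced before any measurement was ever taken.
VENDOR_FILES = {
    "/usr/bin/ls": b"legit ls binary v1",
    "/usr/bin/ssh": b"legit ssh binary v1",
}
KNOWN_GOOD = {sha256(c) for c in VENDOR_FILES.values()}
ALREADY_COMPROMISED = {**VENDOR_FILES, "/usr/bin/ssh": b"replaced ssh binary"}


def compare_models() -> dict:
    """Measure the already-compromised system with both models.
    The snapshot reports nothing (it baselined the bad file as 'normal');
    the catalog flags the file whose hash no vendor ever published."""
    baseline = snapshot(ALREADY_COMPROMISED)
    return {
        "snapshot_flags": changed_since_snapshot(ALREADY_COMPROMISED, baseline),
        "catalog_flags": unknown_files(ALREADY_COMPROMISED, KNOWN_GOOD),
    }


def later_change() -> list:
    """A change made *after* a clean snapshot is caught by the snapshot model."""
    baseline = snapshot(VENDOR_FILES)
    modified = {**VENDOR_FILES, "/usr/bin/ls": b"patched ls binary v2"}
    return changed_since_snapshot(modified, baseline)


if __name__ == "__main__":
    print(compare_models(), later_change())
```

Note that the catalog model would also flag a legitimately patched file until the catalog learns its new hash, which is why such products need a continuously updated reference database rather than a one-time list.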