Would you use a PXE malware removal tool?

OaksLabs

For an independent study to finish my degree, I'll be designing a PXE network that will run some sort of malware removal program. I'm wondering if anyone would have an interest in actually using a tool like this (and if so, what features would you want)? My initial thoughts are to do a zero-touch scan/clean and then shut the PC down, but I'm interested in what other features would draw interest.

If enough people are interested, I might roll this project into a low-cost professional product (aimed at MSPs, who could hook it onto the network and clean the whole office in one fell swoop).
 
My workshop is totally CD-less and I boot all of my tools from WDS. I do have a few bootable virus removal tools such as AVG Rescue, etc. However, I haven't used them in months and months, as nothing really gets so bad that I can't get into the machine somehow.

Are you going to code something from scratch or cobble together some existing removal tool?
 
Are you going to code something from scratch or cobble together some existing removal tool?

I'll be programming the "binding agent" that will hold everything together and make the software run automatically. With a typical rescue CD, you must download the definitions, set your scan parameters, give instructions about deleting or quarantining threats, etc. What I'm going to be working on is PXE boot and walk away -- a truly zero-touch malware removal if used with WOL.
 
I'll be programming the "binding agent" that will hold everything together and make the software run automatically. With a typical rescue CD, you must download the definitions, set your scan parameters, give instructions about deleting or quarantining threats, etc. What I'm going to be working on is PXE boot and walk away -- a truly zero-touch malware removal if used with WOL.

Sounds interesting. Would you want to save the boot sector and partition table before doing any automated repair?
 
I'll be programming the "binding agent" that will hold everything together and make the software run automatically. With a typical rescue CD, you must download the definitions, set your scan parameters, give instructions about deleting or quarantining threats, etc. What I'm going to be working on is PXE boot and walk away -- a truly zero-touch malware removal if used with WOL.

I would be interested :)
 
Add some sort of remote access and you will make a killing. Many remote access tools offer the ability to add their functionality to your own products. You could even make this a more generic repair toolkit that includes not only malware removal but system diagnostic software as well.
 
Add some sort of remote access and you will make a killing. Many remote access tools offer the ability to add their functionality to your own products. You could even make this a more generic repair toolkit that includes not only malware removal but system diagnostic software as well.

As time allows I might branch off into a more Swiss army knife tool for general repair, but I don't want to compete with other AIO tools.

Out of curiosity, are you thinking remote access for scan monitoring? Personally, I wouldn't guess remoting into a computer running an automated outside-of-Windows scan would be too interesting -- but if you're thinking of a logging or auditing function (or perhaps an e-mail/text message about the scan being finished), then I can definitely incorporate that.
 
What virus scanner are you thinking of using?

I'm open to suggestions. For my class, I'll need to use an open source AV, as the university is subject to license audits. For my actual professional system, I have a few ideas, and I'm still deciding. The requirements are the following:
  • It must have a compatible EULA -- I'm not going to sell pirated software.
  • It must be "portable" -- I have some tricks up my sleeve, but the software must be WinPE friendly to a point.
  • It must have good detection results -- I have ~90GB of compressed malicious *.exe files on hand, so I can do some thorough testing.
Otherwise, I'm open to ideas.
 
As time allows I might branch off into a more Swiss army knife tool for general repair, but I don't want to compete with other AIO tools.

Out of curiosity, are you thinking remote access for scan monitoring? Personally, I wouldn't guess remoting into a computer running an automated outside-of-Windows scan would be too interesting -- but if you're thinking of a logging or auditing function (or perhaps an e-mail/text message about the scan being finished), then I can definitely incorporate that.

You make a valid point; an e-mail log would be great. I would suggest pulling the computer name out of the registry in case multiple scans are running at once.

That is stored here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName, in a key called ComputerName.
 
You make a valid point; an e-mail log would be great. I would suggest pulling the computer name out of the registry in case multiple scans are running at once.

This is definitely something I'll look into (as soon as the actual core functionality is done).

Would anybody need IPv6 functionality? I'm trying to design this so a server loaded with this software would integrate as seamlessly into the network as possible...
 
Hats off to you, man. This sounds like a meaty project that will exercise your programming chops, you get credit towards your degree, and you end up with a useful product for the industry, which equals a potential revenue stream for you. Win-win-double-win.
 
As time allows I might branch off into a more Swiss army knife tool for general repair, but I don't want to compete with other AIO tools.
Good idea, don't make it bloated, just make it work. There are a lot of tools out there with extra crap that is not even needed, this is what turns me off to most of them.
 
Good idea, don't make it bloated, just make it work. There are a lot of tools out there with extra crap that is not even needed, this is what turns me off to most of them.

My thoughts exactly. I don't want to shoot down feature requests (because an AIO PXE boot tool sounds like a fun project in and of itself...), but I do envision this project as a pure malware removal solution.

Personally, I envision polymorphic malware making a comeback (think worms like Conficker). I want this to be a deus ex machina solution, where IT staff could clean the whole network segment at once and not play cat and mouse with the infection.

With that said, I might see if I could add software to make the server/software itself send out the WOL packet, and perhaps add some network options, but I intend to keep this project short and to the point.
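The WOL packet the poster mentions sending from the server, as an added example that is not part of the thread or the poster's project: a Wake-on-LAN magic packet is a UDP payload (ports 9 or 7 by convention) holding six 0xFF bytes followed by the target NIC's MAC address repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password. The block builds that payload, validates one (useful for spotting WOL traffic in a capture, since the sync stream may sit anywhere in the payload), and broadcasts it to a list of machines. The MAC address, broadcast address and port are assumed values, not from the thread.

```python
"""Wake-on-LAN magic packet builder/validator (added example, not the thread's code)."""
import re
import socket
from typing import Iterable, Optional

SYNC = b"\xff" * 6  # sync stream that opens every magic packet


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """6 x 0xFF, then the MAC 16 times, then an optional SecureOn password."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + mac_to_bytes(mac) * 16 + password


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload holds a well-formed magic packet, else None.

    The sync stream may appear anywhere in the payload, so search for it
    instead of assuming it starts at offset 0.
    """
    start = payload.find(SYNC)
    if start < 0 or len(payload) < start + 6 + 16 * 6:
        return None
    body = payload[start + 6:start + 6 + 96]
    mac = body[:6]
    if body != mac * 16:          # all 16 copies must match exactly
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast one magic packet; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(build_magic_packet(mac), (broadcast, port))


def wake_segment(macs: Iterable[str], broadcast: str = "255.255.255.255") -> int:
    """Wake every NIC on the list (e.g. the machines the PXE server is meant
    to clean); returns how many packets were sent."""
    return sum(1 for mac in macs if send_wol(mac, broadcast) > 0)


if __name__ == "__main__":
    # Constructed MAC address for illustration, not a real machine.
    wake_segment(["00:11:22:33:44:55"])
```

The broadcast address is the directed broadcast of the segment the server sits on; when the server has two NICs as described later in the thread, bind or route the send toward the client-side NIC, since routers do not forward limited broadcasts.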
 
Personally, I envision polymorphic malware making a comeback (think worms like Conficker). I want this to be a deus ex machina solution, where IT staff could clean the whole network segment at once and not play cat and mouse with the infection.

Sounds awesome. Would there be any way you could see to stop accidental booting of computers onto the PXE server? I'm thinking of kids messing about at a school and running it, or just someone with the incorrect boot order set. I was going to say a password option, but that kind of removes the whole hands-free thing. Is there any way you could specify a whitelist of computers that are allowed, and if they are not on it then it will just boot up as normal? I have no idea how big/complicated a task this is and it's not essential; it just would be handy.
 
Sounds awesome. Would there be any way you could see to stop accidental booting of computers onto the PXE server? I'm thinking of kids messing about at a school and running it, or just someone with the incorrect boot order set. I was going to say a password option, but that kind of removes the whole hands-free thing. Is there any way you could specify a whitelist of computers that are allowed, and if they are not on it then it will just boot up as normal? I have no idea how big/complicated a task this is and it's not essential; it just would be handy.

Since PXE ties into your DHCP options (or via proxy DHCP) the ability to boot from the server can be configured in two ways:
  • Physically turning on/off the server (physical or virtual) if using proxy DHCP.
  • Manually editing DHCP options 66/67 if the network has a standalone DHCP server.
An environment like a school is definitely a different ball of wax. I pictured the server as having 2 NICs and being dropped in between the gateway and the network segment, so the server itself would be the DHCP server. I have never considered a good way to tie into an existing network infrastructure (but a proxy DHCP utility that doctors your router's DHCP reply to include PXE boot information would be my first thought).
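The whitelist asked about above and the proxy DHCP option in the reply, as an added example that is not part of the thread or the poster's project. A proxy DHCP server does not edit the real DHCP server's reply; it runs alongside it and sends its own DHCPOFFER that leases no address (yiaddr 0.0.0.0) and carries only boot information. This block answers a PXE ROM's DHCPDISCOVER (vendor class, option 60, starting with "PXEClient") only when the client MAC is on a list; an unlisted client gets no answer from the proxy, so its ROM times out with no boot file and the firmware falls through to the local disk. The addresses, boot file name, port and whitelist are assumed values. Real PXE ROMs may additionally want the PXE vendor options (option 43, boot server discovery control) before accepting a boot file from a proxy; dnsmasq, iPXE or WDS handle that, and this code shows only the gatekeeping decision and the packet format.

```python
"""Proxy-DHCP gatekeeper for a PXE cleaning server (added example, not the thread's code)."""
import socket
import struct
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPDISCOVER, DHCPOFFER = 1, 2
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed part, 236 bytes

# Constructed values, not from the thread: proxy address, boot server,
# NBP name and the NICs allowed to net-boot the cleaner.
PROXY_IP = "192.168.1.5"
BOOT_SERVER_IP = "192.168.1.5"
BOOT_FILE = "pxelinux.0"
ALLOWED_MACS = {"00:11:22:33:44:55"}


def parse_options(raw: bytes) -> dict:
    """{code: value} for the TLV option area that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:                              # pad
            i += 1
            continue
        if code == 255 or i + 1 >= len(raw):       # end, or truncated option
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(pkt: bytes) -> Optional[dict]:
    """Decode the fields the proxy needs; None if this is not a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    chaddr = pkt[28:28 + min(hlen, 16)]
    return {"op": op, "xid": xid, "flags": flags, "chaddr": chaddr,
            "mac": ":".join(f"{b:02x}" for b in chaddr),
            "options": parse_options(pkt[240:])}


def is_pxe_discover(msg: dict) -> bool:
    o = msg["options"]
    return (msg["op"] == 1 and o.get(53) == bytes([DHCPDISCOVER])
            and o.get(60, b"").startswith(b"PXEClient"))


def build_pxe_offer(msg: dict) -> bytes:
    """DHCPOFFER carrying boot information only: yiaddr stays 0.0.0.0."""
    zero = b"\0" * 4
    header = struct.pack(HEADER_FMT, 2, 1, 6, 0, msg["xid"], 0, msg["flags"],
                         zero, zero, socket.inet_aton(BOOT_SERVER_IP), zero,
                         msg["chaddr"], b"", BOOT_FILE.encode())

    def opt(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value

    return (header + DHCP_MAGIC
            + opt(53, bytes([DHCPOFFER]))
            + opt(54, socket.inet_aton(PROXY_IP))     # server identifier: the proxy
            + opt(60, b"PXEClient")                    # marks this as a PXE offer
            + opt(66, BOOT_SERVER_IP.encode())         # TFTP server name
            + opt(67, BOOT_FILE.encode())              # bootfile name
            + b"\xff")


def proxy_response(pkt: bytes) -> Optional[bytes]:
    """Gatekeeping decision: an OFFER for whitelisted PXE clients, otherwise silence."""
    msg = parse_dhcp(pkt)
    if msg is None or not is_pxe_discover(msg):
        return None           # ordinary DHCP traffic is the real server's job
    if msg["mac"] not in ALLOWED_MACS:
        return None           # not ours to boot: the client falls through to its own disk
    return build_pxe_offer(msg)


def make_discover(mac: str, xid: int = 0x1234ABCD, pxe: bool = True) -> bytes:
    """Constructed DHCPDISCOVER as a PXE ROM would send it (for offline testing)."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack(HEADER_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr, b"", b"")
    options = bytes([53, 1, DHCPDISCOVER])
    if pxe:  # vendor class plus client architecture (0 = x86 BIOS)
        vendor = b"PXEClient:Arch:00000:UNDI:002001"
        options += bytes([60, len(vendor)]) + vendor + bytes([93, 2, 0, 0])
    return header + DHCP_MAGIC + options + b"\xff"


def serve(bind_ip: str = "0.0.0.0", port: int = 67) -> None:
    """Listen on the DHCP server port; run this on a host other than the real DHCP server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind((bind_ip, port))
        while True:
            pkt, _ = sock.recvfrom(1500)
            reply = proxy_response(pkt)
            if reply:
                sock.sendto(reply, ("255.255.255.255", 68))


if __name__ == "__main__":
    serve()
```

The whitelist check is the part worth keeping even if the rest is replaced by dnsmasq or WDS: a MAC is trivially spoofable, so treat the list as protection against the accidental boots the post worries about, not as authentication of who may run the cleaner.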
 
I have never considered a good way to tie into an existing network infrastructure (but a proxy DHCP utility that doctors your router's DHCP reply to include PXE boot information would be my first thought).

That's what I was thinking of using as well when we looked at some other PXE related stuff. Thanks for the detailed reply though, you obviously know what you are doing! What degree are you doing exactly?
 
That's what I was thinking of using as well when we looked at some other PXE related stuff. Thanks for the detailed reply though, you obviously know what you are doing! What degree are you doing exactly?

I'm a Computer Science major... the boring programming stuff [Java, C#, Assembly] and all the theoretical mathematics behind it. I'm much more interested in IT, and that's why I'm doing this to finish the last 4 credits of my degree.
 