Would you use a PXE malware removal tool?

I have set up my own PXE environment where I can now network boot Clonezilla, AVG & Boot n' Nuke. It's really not that difficult to do if you do some web searching. The first requirement for this to even work is being able to turn on PXE on your network via your router's DHCP server options or make the PXE server itself your DHCP server.
 
Or let your DHCP server know about the PXE server. They don't have to be on the same box.
 
Wait, the college you attend has a class that teaches assembly!?

Yes. Stuff like this:
Code:
%INCLUDE "csci224.inc"

;EX1_1: prime number calculator
;Tested to work with numbers up to 100000000.
;The course library (csci224.inc) supplies WriteString, ReadInt, WriteInt and Crlf.

SEGMENT .data
prompt: DB "Please enter an integer to see all prime numbers up to that integer.",10,0
prompt2: DB "Primes: ",10,0

SEGMENT .text
main:
    mov edx, prompt                    ;Queue prompt for printing
    call WriteString                   ;Print prompt
    call ReadInt                       ;Get user input, n in eax
    mov edx, prompt2                   ;Queue prompt for printing
    call WriteString                   ;Print prompt

    mov ecx, eax                       ;Move user number to loop counter (counts down from n)
    test ecx, ecx
    jle .L3                            ;n <= 0: nothing to test (LOOP with ecx = 0 would run 2^32 times)

.L1:
    push ecx                           ;Push number in question onto the stack (argument to prime)
    call prime                         ;See if number is prime; result comes back in the carry flag
    jnc .L2                            ;Carry flag not set, number wasn't prime
    mov eax, ecx                       ;Move number to eax register for printing
    call WriteInt                      ;Number was prime, print it out
    call Crlf                          ;Clean line

.L2:                                   ;Prime method determined number wasn't prime
    loop .L1                           ;Loop
.L3:
    ret
;----------------------------------------------------------------------
prime:                                 ;Argument: n at [ebp+8]. Returns CF = 1 if n is prime, CF = 0 otherwise.
    push ebp                           ;Stack frame
    mov ebp, esp

    push eax                           ;Save all registers the routine touches
    push ecx
    push edx
    push esi

    mov esi, [ebp+8]                   ;Move parameter to a register unaltered by the division process
    cmp esi, 1
    jbe .L2                            ;0 and 1 are not prime

    mov eax, esi
    call root                          ;ecx = floor(sqrt(n)); any divisor above the root has a partner below it

.L1:                                   ;Main loop: trial division by ecx = floor(sqrt(n)) down to 2
    cmp ecx, 1
    jbe .L4                            ;Denominator reached 1 without an even division: prime
    mov eax, esi                       ;Numerator = n
    xor edx, edx                       ;Zero out edx for an unsigned 32-bit division
    div ecx                            ;EDX = remainder, EAX = quotient
    test edx, edx                      ;Is the remainder 0?
    jz .L2                             ;If remainder is zero, n has a proper divisor: not prime
    dec ecx                            ;Next smaller denominator
    jmp .L1

.L4:                                   ;Prime number discovered
    stc                                ;Set carry: remainder was never zero, number is prime
    jmp .L3                            ;Exit prime method

.L2:                                   ;Number is not prime
    clc                                ;Clear carry (the CMP above leaves it set when n = 0)
.L3:                                   ;Exit; POP and RET do not alter the carry flag
    pop esi                            ;Restore all registers
    pop edx
    pop ecx
    pop eax
    pop ebp
    ret 4                              ;Discard the pushed argument

;-----------------------------------------------------------------------------------------------------------------------
root:                                  ;Integer square root. Argument: n in eax. Returns ecx = floor(sqrt(n)).
                                       ;Searches r = 1, 2, ... for the largest r with r*r <= n.
    push eax                           ;Save used registers (ecx carries the result and is deliberately not saved)
    push ebx
    push edx
    push esi

    mov ebx, eax                       ;ebx = n
    mov esi, 1                         ;esi = r, the current candidate root (1*1 <= n for every n >= 1)
.loopp:
    mov eax, esi
    inc eax                            ;eax = r + 1
    mul eax                            ;EDX:EAX = (r + 1)^2; MUL clobbers edx, which is why it was saved
    jc .found                          ;(r + 1)^2 overflowed 32 bits, so it certainly exceeds n
    cmp eax, ebx                       ;Is (r + 1)^2 > n?
    ja .found                          ;Yes: r is the integer part of the square root
    inc esi                            ;No: r + 1 also fits, keep searching
    jmp .loopp

.found:
    mov ecx, esi                       ;Return the root in ecx for method prime

    pop esi                            ;Restore used registers
    pop edx
    pop ebx
    pop eax
    ret
 
That's what I meant when I said "Or let your DHCP server know about the PXE server". Whatever DHCP server you are using, it has to announce the PXE server on the network.

I haven't decided how I want to do this, but time permitting I hope to put both "proxy DHCP" and integrated/stand-alone DHCP into this project.
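The two deployments discussed above, as an added example that is not part of the original posts or of the poster's project: a single dnsmasq.conf covering proxy DHCP (the existing router keeps leasing addresses, this box only answers PXE clients) and stand-alone DHCP (this box is the only DHCP server). The LAN 192.168.1.0/24, the PXE/TFTP host 192.168.1.10, the router 192.168.1.1 and the /srv/tftp root are assumptions.

```ini
# Added example, not from the thread. Assumed addresses: LAN 192.168.1.0/24,
# PXE/TFTP box 192.168.1.10, router 192.168.1.1, boot files under /srv/tftp.

# --- Mode A: proxy DHCP. The router keeps handing out leases; dnsmasq never offers
# --- an address and only answers clients that identify themselves as PXE clients.
port=0                                   # no DNS service, this box is PXE-only
dhcp-range=192.168.1.0,proxy             # "proxy" = ProxyDHCP on this subnet, no leases
pxe-service=x86PC,"Boot rescue tools",pxelinux   # PXE menu entry; dnsmasq appends ".0"
log-dhcp                                 # log every DHCP/PXE exchange while debugging

# --- Mode B: stand-alone DHCP. Replace the proxy dhcp-range above with this block;
# --- this box is then the only DHCP server on the segment and sends options 66/67.
#dhcp-range=192.168.1.100,192.168.1.200,12h
#dhcp-option=option:router,192.168.1.1
#dhcp-boot=pxelinux.0,,192.168.1.10      # boot file, (no server name), TFTP server address

# TFTP is served by dnsmasq itself in both modes.
enable-tftp
tftp-root=/srv/tftp
```

In Mode A nothing on the LAN changes for ordinary clients; in Mode B the router's DHCP server must be switched off first or clients will race two servers. Either way, ProxyDHCP and DHCP answers are unauthenticated, so any host on the segment that can answer faster can redirect what a machine boots; keep the rescue box on a segment you control (or behind switch DHCP snooping) and treat the images it serves as trusted code.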
 

Serva is an interesting utility, but not robust enough for what I want to do. It also requires the paid version for commercial use -- and it's closed source. I'm looking at interfacing with current infrastructure and/or temporarily using my "device" to replace the network infrastructure (I'm planning on having two versions) and you can do more with open source utilities (and use a *nix OS while you're at it). That way, if I'm successful, I can offer the tool to the world without a bunch of licensing hoops to jump through.
 
+1 for interest in this tool. We typically plug the drive into a workstation and run antivirus software on the drive as an external before booting the OS... or sometimes we'll boot Kaspersky Rescue Disk. It would be especially cool if one could plug in different modules for tools to run -- a quick SMART test, for instance, to make sure that you're not stressing a failing drive (especially if the virus scan is meant to be run with little to no intervention).

Edit: herdProtect somehow uses a bunch of different engines to scan for malware, maybe that would be a good place to start.
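The "module" idea in the post above, as an added example that is not the poster's tool or part of the original thread: a small POSIX shell runner that gates an unattended ClamAV scan on the drive's SMART health so a failing disk is not hammered by a recursive scan. The function names, the exit-code scheme and the SMARTCTL/CLAMSCAN overrides (there so the logic can be exercised without real hardware) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread author's tool. Hypothetical module runner:
# refuse to scan a mounted drive unless smartctl reports its health as PASSED.
# SMARTCTL / CLAMSCAN may be overridden (e.g. with shell functions) for dry runs.

SMARTCTL="${SMARTCTL:-smartctl}"
CLAMSCAN="${CLAMSCAN:-clamscan}"

# smart_ok DEVICE
# Returns 0 when smartctl's overall-health self-assessment line says PASSED.
smart_ok() {
    "$SMARTCTL" -H "$1" 2>/dev/null | grep -q 'self-assessment test result: PASSED'
}

# scan_mount MOUNTPOINT
# Recursive scan, printing only infected files. clamscan's own status is passed
# through: 0 = clean, 1 = something found, 2 = error.
scan_mount() {
    "$CLAMSCAN" -r --infected "$1"
}

# run_module DEVICE MOUNTPOINT
# Exit codes: 0 clean, 1 infected, 2 scan error, 3 refused (SMART not PASSED).
run_module() {
    dev="$1"
    mnt="$2"
    if ! smart_ok "$dev"; then
        echo "refusing to scan $dev mounted at $mnt: SMART health is not PASSED" >&2
        return 3
    fi
    scan_mount "$mnt"
}

# Typical unattended use on the booted rescue image (assumed device and mount):
#   run_module /dev/sda /mnt/target
```

The refusal returns its own exit code rather than clamscan's so the orchestrating script can tell "drive unhealthy, image it with Clonezilla first" apart from "scan errored out".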
 
Well, I passed the class (and got me degree!). I got a basic proof of concept prototype built (a linux server booting a windows live environment) and I got Clam AV working.

I've been quite busy as of late, but things are beginning to settle down. I'll do testing with 3rd party Clam AV signatures to see if they have acceptable detection rates; and if so I'll get a beta rolled out for you guys. Otherwise, I'm looking for an engine to power this.

Edit: herdProtect somehow uses a bunch of different engines to scan for malware, maybe that would be a good place to start.

This is a very cool-looking engine; but it's cloud based. I'd be concerned about creating network bottlenecks with all the outgoing traffic that it would create. However, I'll investigate more (free is not always equal to open source or valid for commercial use without a license).
 
creating network bottlenecks with all the outgoing traffic that it would create.
That's true, though based on completely unscientific anecdotal evidence, it hasn't caused any trouble with bottlenecks in our shop ;) (it only cloud-analyses files that it's unsure about)

free is not always equal to open source or valid for commercial use without a license
Right, I'm not sure how it's licensed.
 

Congrats on the degree!
 