Security Incidents mailing list archives

Re: Strange servicepack.exe file (not service.exe) found.


From: Doug Foster <fosterd () airshow net>
Date: Thu, 18 Dec 2003 18:43:42 -0500

David Gillett wrote:

Yep.  However, I believe that the argument amongst
Windows admins will continue to favor rebuilding will
continue for the time being...however unfortunate that
may be.

Paradoxically, I find many Linux admins perversely prone
to trying to do minimal cleanup to a box that is found to
be compromised, without much effort to discover what *else*
has been done to the box in its "compromised, but not yet
detected" state, a period for which records such as local
logs cannot be trusted.  (Did the discovered compromise
throw open the doors to additional intrusions not yet noticed?
Was it, in fact, enabled by some prior unnoticed compromise?)

I don't think the issue relates to the OS as much as the lack of forensics. How can new vulnerabilities, zero-day vulnerabilities, be discovered if boxes thought to be compromised are not investigated, but are merely wiped and rebuilt? And if a zero-day vulnerability is used but not found out, the corrective cycle of patch/work-around cannot commence. And if that cycle does not complete, all users of the same software remain vulnerable. The trend towards wiping and rebuilding will save money in the short term for whoever's machine was compromised, but overall it will cost us all more. We all will suffer more intrusions, with costs piling up for machine rebuilds, customer notifications, lost sales, and damaged careers.

- Doug
