ES13Raven

Offline Scanning...


We are trying out SAS for the first time. Currently, we have SAS installed on a clean, fast system and then attach the possibly infected hard drive via USB 2.0. This way, we can scan the drive without booting into it or having to go in safe mode etc.

Is there any reason why we should be loading SAS onto the infected drive, booting to it and scanning from there, or is the way we are doing it safer and more effective?

> We are trying out SAS for the first time. Currently, we have SAS installed on a clean, fast system and then attach the possibly infected hard drive via USB 2.0. This way, we can scan the drive without booting into it or having to go in safe mode etc.
>
> Is there any reason why we should be loading SAS onto the infected drive, booting to it and scanning from there, or is the way we are doing it safer and more effective?

SUPERAntiSpyware can scan the drive if it's mounted as a drive letter - it should show up in the list of drives to scan.

> SUPERAntiSpyware can scan the drive if it's mounted as a drive letter - it should show up in the list of drives to scan.

Yes, that is how we are doing it - and it is a nice feature.

My question - is this the best way to scan and remove malware, or is there any reason we should boot from the infected PC and scan from there?

> > SUPERAntiSpyware can scan the drive if it's mounted as a drive letter - it should show up in the list of drives to scan.
>
> Yes, that is how we are doing it - and it is a nice feature.
>
> My question - is this the best way to scan and remove malware, or is there any reason we should boot from the infected PC and scan from there?

I would do the offline scan first, then reboot and do a scan so the registry can be cleaned as well.

> > I would do the offline scan first, then reboot and do a scan so the registry can be cleaned as well.
>
> Thank you.
>
> Do you recommend scanning from Safe Mode?

With version 4.0 and the DDA (Direct Disk Access) you should not need to :)

> > I would do the offline scan first, then reboot and do a scan so the registry can be cleaned as well.
>
> So the offline scan can't make changes to the offline registry?

Correct, because the registry hives are not mounted. We may have a special offline mode in the future to mount the hives and scan them, but this is typically not needed.

> Correct, because the registry hives are not mounted.

Say we do the offline scan first and it finds several files and removes them, but it can't make changes to the offline registry. If we then boot from that drive and do an online scan, will it still find the bad stuff in the registry and remove it? Or does it need to find the files in Windows at the time to know what to do with the registry?

> > Correct, because the registry hives are not mounted.
>
> Say we do the offline scan first and it finds several files and removes them, but it can't make changes to the offline registry. If we then boot from that drive and do an online scan, will it still find the bad stuff in the registry and remove it? Or does it need to find the files in Windows at the time to know what to do with the registry?

It should find most of them when you do the scan in online mode after removing the files - the files are the heart of the infection of course, so the system will likely be usable when you boot to the actual drive.

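One way to look at the offline hives the thread says an offline scan leaves untouched, as an added example that is neither SAS code nor anything the posters wrote: it loads the attached disk's SOFTWARE hive with reg.exe on the clean host and lists Run/RunOnce entries whose target executable is missing from that disk, which is exactly what removing files offline leaves behind for the later online scan. The drive letter E: and the temporary key name are assumptions.

```powershell
# Added example, not SUPERAntiSpyware code: mount the offline SOFTWARE hive of a
# disk attached over USB and list Run/RunOnce entries whose target file is
# missing from that disk (what an offline file removal leaves behind).
# Assumptions: run from an elevated PowerShell; $OfflineRoot is the drive letter
# the attached disk received; the hive is not in use by any other process.
param(
    [string]$OfflineRoot = 'E:',             # assumed drive letter of the attached disk
    [string]$MountName   = 'OfflineSOFTWARE' # temporary key name under HKLM; any unused name works
)

$hivePath = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
if (-not (Test-Path -LiteralPath $hivePath)) { throw "Hive not found: $hivePath" }

# reg.exe load attaches the hive file as HKLM\<MountName> on the clean host.
& reg.exe load "HKLM\$MountName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $runKeys = 'Run', 'RunOnce' | ForEach-Object {
        "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\$_"
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # Skip the PS* metadata properties the registry provider adds to the object.
        $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        foreach ($name in $names) {
            $cmd = [string]$props.$name
            # The executable is either a quoted path or the first whitespace-delimited token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            # Expand %SystemRoot%-style variables with the host's values, then point the
            # drive letter at the attached disk; this assumes the same folder layout.
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $onOffline = $exe -replace '^[A-Za-z]:', $OfflineRoot
            $status = if (Test-Path -LiteralPath $onOffline) { 'present' } else { 'MISSING' }
            '{0,-8} {1}\{2} = {3}' -f $status, $key, $name, $cmd
        }
    }
}
finally {
    # Release provider handles before unloading, otherwise reg.exe reports the hive as in use.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Entries marked MISSING are the ones an online scan on the rebooted system would still have to clean; the script only reports them and changes nothing in the hive.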