Protecting a system against the cunning "twin pairs" of worms and viruses requires careful examination of the disk. Businesses are still searching for more effective ways to fight malware such as viruses, Trojans and bots. Unfortunately, black-hat programmers keep brewing up more dangerous new code, so companies also need to keep adding new security weapons and new defense plans. Viruses are typically created by modifying legitimate host code and spread via e-mail or instant messaging. They are harder to write than worms and Trojans, because virus code must do its damage while ensuring that the files it modifies still work. Microsoft Windows' Windows File Protection (first introduced as System File Protection in Windows Me) protects about 99% of the default system files against unauthorized modification. If a virus modifies a protected file, Windows replaces the altered copy with a clean one within a few seconds. The upcoming Windows Resource Protection in Windows Vista improves on this further, protecting more files and blocking modifications in the first place. In response, most malware today creates its own new files as part of its malicious activity. Removing a virus requires cleaning each one out of the infected files, which is usually harder than merely detecting them, as conventional anti-virus programs do. Worms, bots, spyware and Trojans are different: you simply identify and remove the new, stand-alone infected files. I regularly use Sysinternals' Autoruns or SilentRunner.vbs to locate and classify programs of unknown origin. For the past half-century, with most known viruses, removing malware has been easy, unless the computer was attacked by a rootkit. But now a new crop of worm twins has appeared that complicates identification, such as Downloader.Agent.awf.
Known as spawners or twins, these worm (and virus) pairs modify the infected computer's environment so that when the system tries to execute a legitimate file, the malicious file gets to run first. Once executed, the Downloader.Agent.awf malware reads the infected computer's HKLM (or HKCU) \Run registry key to identify programs that are already set to start automatically. It then copies the original executable to a new location and replaces the original file with a renamed copy of the worm. When the computer processes the \Run key, it runs the substituted twin, which only then passes control on to the original program. This complicates detection and removal: the worm appears as a previously known, commonly recognized, already-installed executable. So when hunting for malicious code you cannot simply trust file names and storage locations. You must verify each file's integrity hash against a known-clean copy or a known value. With the resurgence of malware twins and the growing threat from rootkit Trojans, forensic investigators need to examine a suspected infected computer out-of-band (for example, by booting from external media) and verify the integrity of every installed program. To be honest, any PC security program should really come with an external fallback option. But since most malware does not do this, it is easy to get lazy and take shortcuts. I often use Linux boot discs (Live distros) to carry out out-of-band checks. My current favorite boot discs are the Live distros for forensic analysts: Ubuntu, Knoppix and BackTrack. But Linux Live distros cannot run the 32-bit Windows software used to inspect a Windows machine forensically.
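As an added example (not code from the article), here is a small Python routine that applies the check described above: it extracts the executable from each Run-key value, hashes it with SHA-256 and compares the result with a known-good baseline, flagging entries whose name and path are unchanged but whose contents were swapped. The `demo()` function builds a constructed scenario with hypothetical files in a temporary directory; reading the real registry is left out so the block runs offline.

```python
import hashlib
import shlex
import tempfile
from pathlib import Path

def sha256_file(path):
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def exe_from_run_value(value):
    """Executable path from a Run-key value like '"C:\\App\\app.exe" /silent'.
    posix=False keeps Windows backslashes intact; surrounding quotes are dropped."""
    tokens = shlex.split(value, posix=False)
    return tokens[0].strip('"') if tokens else ""

def audit_run_entries(entries, baseline):
    """entries: {value_name: command_line} as read from the Run key.
    baseline: {value_name: SHA-256 hex of the legitimate executable}.
    Returns {value_name: 'ok' | 'hash-mismatch' | 'unknown' | 'missing'}."""
    verdicts = {}
    for name, cmd in entries.items():
        exe = exe_from_run_value(cmd)
        if not Path(exe).is_file():
            verdicts[name] = "missing"
            continue
        expected = baseline.get(name)
        if expected is None:
            verdicts[name] = "unknown"        # no baseline: inspect by hand
        elif sha256_file(exe) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "hash-mismatch"  # same name and path, new bytes
    return verdicts

def demo():
    """Constructed scenario in a temp dir (hypothetical file names): 'Agent'
    keeps its name and location but its bytes were swapped, as a spawner does."""
    d = Path(tempfile.mkdtemp())
    updater, agent = d / "updater.exe", d / "agent.exe"
    updater.write_bytes(b"legitimate updater")
    agent.write_bytes(b"legitimate agent")
    baseline = {"Updater": sha256_file(updater), "Agent": sha256_file(agent)}
    agent.write_bytes(b"spawner stub that later launches the moved original")
    entries = {"Updater": f'"{updater}" /background', "Agent": f'"{agent}"',
               "Gone": str(d / "removed.exe")}
    return audit_run_entries(entries, baseline)
```

The baseline itself must come from an out-of-band source (a clean image or vendor-published hashes), since hashes recorded on an already-infected machine prove nothing.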
Likewise, although they can usually read NTFS partitions, most cannot write to them (to remove a malware program, disable a service or an autostart mechanism, and so on). They do not even understand many Windows extensions (EFS, compression, etc.). In many cases, quickly booting an out-of-band 32-bit Windows shell to do that kind of work is very hard. Microsoft enterprise customers with Software Assurance have had the Windows Preinstallation Environment (WinPE) since Windows XP. Its original purpose was to speed up operating system installation, but WinPE and its command-line interface have become an interesting option for out-of-band inspection of infected systems. Windows Vista brings WinPE 2.0, an extended member of the WinPE family with a fairly nice 32-bit Windows GUI, Windows API support, NTFS read and write, network logon, drive management and the ability to run most Windows programs. Unfortunately, those extended features are available only with Windows Vista. A better product has now appeared, called BartPE. BartPE Builder lets you create a complete out-of-band Windows boot image. When installed, it first searches your hard disk for the Windows installation files; each time it finds them, it uses them to build a new boot image. BartPE Builder can produce an ISO image or burn the image directly to CD or DVD. The result is a complete, "lightweight" version of Windows. Although it comes preinstalled with only a small set of inspection tools (called plug-ins), you can add any of the latest forensic utilities or whatever inspection tools you like. The BartPE image built by Chris, who assisted the author of this article, has 13 antivirus products installed, 6 anti-spyware programs, 20 integrity checkers, the rootkit detectors RootkitRevealer and Blacklight, and nearly 100 other programs.
When you need to inspect a system, you can boot your customized BartPE CD and everything you need is in one GUI menu. You can build your own custom BartPE image with the functions you find most useful. Once you do, you will find that simple file checks of the auto-run kind are far less trustworthy. Consider using BartPE to build your ultimate Windows inspection toolkit.
T.Thu (from Infoworld)
Article source: http://w4rum.com/222.t