Endpoint Protection

  • 1.  Symantec Tool to reset shell\open\command registry keys

    Posted Oct 21, 2009 08:05 PM
    Hi,

    I've found this outdated tool from Symantec downloads (in the security world, anything over a year old is really outdated, IMHO). It is a tool used to reset the registry that was damaged by malware. The link is:
    http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-050614-0532-99

    Some other tools are found in: http://www.symantec.com/business/security_response/removaltools.jsp if you haven't seen it, I suggest you take a look into it.

    Anyway, has Symantec made another similar registry cleaner or basic removal tools available for free? Some might say that SEP will do the job...well, a lot of people might say that. But my point is, if there is already malware present that wouldn't allow me to run any AV installer and formatting the PC is not an option, there's no way of cleaning the threat if it cannot be identified and the one doing the install has no idea what to change in the OS. Just to make our task a little easier.


  • 2.  RE: Symantec Tool to reset shell\open\command registry keys

    Posted Oct 21, 2009 09:02 PM
    I know this doesn't directly answer your question -- but my solution is to scan the computer with another computer.
    My preferred method is to take the hard drive of the suspect computer and plug it into a computer with AV using a USB adaptor. This way I can run a full scan of the disk without any files being locked or any installation issues.
    After the disk has been cleaned, I put it back.
    Another option you have is to share the whole hard drive and then scan it over the network.


  • 3.  RE: Symantec Tool to reset shell\open\command registry keys

    Posted Oct 21, 2009 09:48 PM
    Hi Ghent, yes, we do that too. But the flaw in that solution is that it does not scan the registry or scans it as it would on any other file.


  • 4.  RE: Symantec Tool to reset shell\open\command registry keys

    Posted Oct 22, 2009 12:30 AM
    I agree with mon, there are some valid Windows processes already infected by some virus or malware and AVs can't detect them. 1 example is wscript.exe, which almost all USB flash drive viruses use to infect the system. That's why I scripted a batch file to stop this process when resetting autorun.inf. You can see it in my downloads.


  • 5.  RE: Symantec Tool to reset shell\open\command registry keys

    Posted Oct 22, 2009 05:28 AM
    UnHookExec.inf can be a very useful tool in winning control of a computer back from an infection.  There are similar scripts available from a quick Internet search, but Symantec's is one that I have used successfully in the past.

    Another (currently unsupported) solution is to use a bootable LiveCD.  Booting off such a LiveCD and scanning the computer from a small Linux-based OS can be a lot easier than trying to wrestle with Windows when an infection has tied one hand behind the admin's back. (Again, there are several such tools which an Internet search will find, and experienced admins can create their own LiveCD that cleans using the Norton Security Scanner tool.) 

    Symantec currently has a project underway to create a supported LiveCD for Enterprise use.  It is currently in development, but should be available for all customers within a relatively short time.   I have made a note to update the forum when it is released.

    Thanks and best regards.


  • 6.  RE: Symantec Tool to reset shell\open\command registry keys

    Posted Oct 22, 2009 09:44 PM
    Agreed. I would love to have a system that could unpack and scan the registry.
    However, most malware uses the registry to hook in a file. If the DLL or EXE is gone, the registry keys have little or no effect. At that point you can run protection on that computer directly without any malware blocking you from getting all the registry keys.
    Even if something does hide in the registry during the external scan, it usually takes at least 1 reboot before it can actually load with escalated privileges -- which again, gives you time to scan the system without malware stopping you.
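The following PowerShell script is an added example and is not code from this thread, from Symantec, or from the UnHookExec tool mentioned in post 1. It audits the shell\open\command handlers for the executable file classes that shell hijackers overwrite (the keys the reset tool in post 1 restores), flags a per-user .exe association that would override the machine-wide one, and lists any Image File Execution Options "Debugger" values, which redirect a named program to another binary. With -Restore it writes the stock handler value back. It assumes it is run as Administrator on the affected machine; the -SoftwareRoot parameter (a name chosen for this example) can instead point at an offline SOFTWARE hive loaded from the suspect disk, which addresses the gap raised in post 3 that scanning a disk from another computer does not cover the registry.

```powershell
<#
Added example: audit (and optionally restore) the registry handlers that
file-association hijackers change. Assumptions: run elevated; -SoftwareRoot
defaults to the live machine hive but may point at a loaded offline hive.
#>
[CmdletBinding()]
param(
    [switch]$Restore,
    [string]$SoftwareRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'
)

# Stock (Default) values for the executable file classes on a clean install.
$Expected = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
    'piffile' = '"%1" %*'
}

$findings = New-Object System.Collections.Generic.List[string]

# Returns the (Default) value of a registry key, or $null if the key is absent.
function Get-DefaultValue([string]$Path) {
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

foreach ($class in $Expected.Keys) {
    $path = "$SoftwareRoot\Classes\$class\shell\open\command"
    $current = Get-DefaultValue $path
    if ($null -eq $current) {
        $findings.Add("MISSING  $path")
        continue
    }
    if ($current -ne $Expected[$class]) {
        $findings.Add("HIJACKED $path = $current")
        if ($Restore) {
            Set-ItemProperty -Path $path -Name '(default)' -Value $Expected[$class]
            $findings.Add("RESTORED $path = $($Expected[$class])")
        }
    }
}

# A per-user association under HKCU\Software\Classes takes precedence over the
# machine-wide one and does not exist on a stock system, so its presence is notable.
# Only meaningful on the live machine, so skip it when auditing an offline hive.
if ($SoftwareRoot -eq 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE') {
    foreach ($ext in '.exe', '.com', '.bat', '.cmd', '.pif') {
        $userPath = "Registry::HKEY_CURRENT_USER\Software\Classes\$ext"
        if (Test-Path -Path $userPath) {
            $findings.Add("USER-OVERRIDE $userPath = $(Get-DefaultValue $userPath)")
        }
    }
}

# Image File Execution Options: a Debugger value makes Windows launch that
# "debugger" instead of the named program, so any value here deserves a look.
$ifeo = "$SoftwareRoot\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = $_.GetValue('Debugger')
    if ($dbg) { $findings.Add("IFEO-DEBUGGER $($_.PSChildName) -> $dbg") }
}

if ($findings.Count -eq 0) { 'No shell\open\command or IFEO deviations found.' }
else { $findings }
```

To audit a disk pulled from the suspect machine (the approach in post 2), load its SOFTWARE hive under a temporary name with `reg load HKLM\SuspectSoft D:\Windows\System32\config\SOFTWARE` (drive letter and key name are placeholders), run the script with `-SoftwareRoot 'Registry::HKEY_LOCAL_MACHINE\SuspectSoft'`, then close the PowerShell session and `reg unload HKLM\SuspectSoft`; the unload fails while any handle to the hive is still open. Run it report-only first and keep the output, since the hijacked value itself tells you which file on disk the malware was using as its loader.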