
Spyware, Viruses, Malware (Part 2)

May 21, 2008

Spyware, Viruses, and Malware - What you may not know.
(Part 2 - How they work and how to locate them.)

 
Welcome back to my series of articles that pertain to Spyware, Malware, and Viruses and what you may not know about them. In my first article, I gave you an overview and some information on the history of these 3 nasty applications or bots that infect most computers at some time or another. There is a TON of information available on these subjects on the Internet, so if there is anything more specific that you are curious about or that you didn’t understand from this article you can usually go to http://www.google.com and reference it there. In this article, I am going to be discussing what Viruses and Spyware are, and how you locate them on your PC.

The first thing that you have to understand is how these malicious applications get onto your systems. Studies show that the number one way to catch a virus or to obtain Spyware on your system is through P2P (Peer to Peer) file sharing applications like Napster, Limewire, Bit Torrent, and any other program of that variety. You may think you are downloading a harmless MP3 file, or you may think you are getting the latest MPEG for free, but the fact is that over 40% of all files that are transferred through P2P programs are actually viruses or Spyware and key loggers that are camouflaged as the file you are looking for. Remember this ONE rule about the Internet, if you only remember ONE thing from this article, and that is there is NO SUCH THING as FREE on the P2P applications. No matter how perfect or scamless the situation may seem, if it is FREE and on the P2P programs then you can guarantee that there are strings attached. So try to stay as far away from P2P programs and applications as you can, because no matter how hard you try and no matter how much protection your system has, you are bound to override your protection to view a file that you shouldn’t because it is infected, and you will sooner or later end up destroying your system.

I’m sure as you are reading this article you are thinking that you are probably secure, and that you have Antivirus and Antispyware software on your system, so none of this applies to you. But remember this: those programs are only good if you update their data files at least once a day, and they can only stop what you tell them to stop. So if you try to access a website that you THINK is safe, and your Antivirus software tries to tell you it is not, and you bypass your antivirus software and access the site anyway, then you may have just let a Trojan or key logger onto your system and your Antivirus software can now do nothing about it. Understand that protection software is only as good as its owner. It also only takes ONE piece of Spyware or Malware to get onto your system to corrupt your Antivirus or Antispyware programs so that they cannot detect future attacks against your system. The first thing a virus or piece of spyware does is look for the services and applications that run your Antivirus software and disable them, or even worse, cloak themselves so that your antivirus software thinks everything is running smoothly when in reality your system is being destroyed one piece at a time. A lot of viruses and Trojans will disguise themselves as system services, and then they become nearly impossible, even for a trained professional, to remove from your PC without formatting the computer. There are so many different variations of spyware, Trojans, key loggers, malware, and backdoors that can attack your system that you have to be on the lookout for strange occurrences at ALL times when surfing the Internet.

Your best bet for protection is to follow the steps in my next article and try to stick to the rule of Internet thumb, and that is if you don’t know the website or file you are downloading and cannot verify its integrity, then DON’T go to that site or download that file. It is a very simple rule, but end users seem to forget it a lot, and I myself am included in that statement.

So check back later this week for my last installment, “Spyware and Malware protection and removal and what you MAY not know!”, which will explain how to understand, locate, and eliminate spyware, malware, and viruses.

Until then, take care, and if you have any questions or comments about the articles please leave a comment or send an email to my address below.

Richard Correa, MCSA, MCPS, MCSE, MCNPS, MCDBA
Senior Network Engineer
Lead Web Programmer and Developer

DTI Data – DTI Networks
Office :: 727.345.9665 ext.206
rcorrea@dtidata.com

http://www.dtidata.com
http://www.dtinetworking.com

Check Your RAID Consistency Before A Rebuild

May 8, 2008

Over the years one of the most consistent problems with RAID recovery is the rebuild. I would estimate that nearly 40 percent of the RAIDs that we cannot recover are due exclusively to the fact that a technician executed a rebuild before verifying the following three items.

1. Hardware:

The RAID went down for some reason. Many times it is because the hardware housing the array may have some issues. There may be cabling problems, heat problems, back plane problems, or a hundred and one other hardware issues that can cause the RAID to degrade.

2. Hard drives

A simple surface scan of all drives in the array can give you an indication of the state of the drives. A report outlining any anomalies found for each drive is always critical when diagnosing the array.

3. RAID Consistency

A RAID five bases its integrity on a simple XOR algorithm whose parity is stored on a block by block basis within the array stripe. The firmware of a RAID five uses this algorithm to ensure that the data stored on the RAID is consistent. It also ensures that if a single drive goes down and the array becomes degraded, the technician has ample time to do a quick backup of critical data, get all users off in a timely manner, and cleanly shut down any database handlers that may be residing and open on the array. In other words, don’t have a dirty shutdown of your Exchange store.

A degraded RAID 5 should NEVER BE RUN IN PRODUCTION!!! However, this is not normally the case, and it is why RAID recovery is a multi-million dollar business. A degraded RAID five that is run in production for longer than twenty-four hours now contains data on the offending drive that is considered stale. If a second drive goes down then the entire array goes down, as RAID five cannot run with two drives out.

When I get a call from a technician that their RAID is down because the array lost two drives, I immediately assume that one of the drives is stale and quickly advise the technician not to do a rebuild. I can count on one hand in the entire time I have been recovering RAIDs that a client has lost two drives simultaneously.

Although items 1 and 2 are not my bread and butter, I am familiar with the techniques used to do their respective checks. Item 3, however, I am very familiar with and can help you ascertain if in fact there is a stale drive within your array. The following is a set of steps, as well as a free piece of software, that you can use before any rebuild is initiated.

Step 1: Pull all drives that are in the array out. Get the drives that are configured as part of the array away from the hardware. This does not include any hot spare drives, only those drives configured in the array and working at the time of the degrade.

Step 2: Make images of all the drives in the array. This serves several purposes. First, during an imaging session you may find bad sectors on the drives. Secondly, you never want to work on the live data as the drives may be on their last legs and any recovery, rebuild, or diagnostic run on live data may kill the drive. Lastly, if something happens to the drives then you will have the images as a way to recreate the original data set.

Step 3: Download the RAID Diagnostic Toolkit from our website and install it on a Windows NT type machine. The software is very easy to use and very self explanatory. There are options in the software that are not currently active; this is because I will be introducing them in later posts. So I just pop up a little window to let you know that this is a future software enhancement, or the function is grayed out.

Currently the software defaults to a 64K, or 128 sector, stripe size. Although the stripe size has no bearing on this particular test, it is nevertheless used on 95 percent of the RAID fives that I work on and gives us a more real world type map.

The software will run the consistency check on your set of images and give you a report on whether the stripe is corrupt. It will not tell you which drive is the stale drive if the stripe is corrupt, only that a rebuild using this set of drives would not be advisable.

RAID Configuration and Parity Check

May 8, 2008

The function set for the inaugural offering of RAID Diagnostic Toolkit is very basic. This post will explain how to choose a set of ‘streams’ to build a ‘RAID set’. Initially the software does not have any options for stripe size, RAID type, meta data offsets, and so on. For the ‘parity check’ function which the current version of the software offers, the assumptions will be a RAID 5, with a 64K stripe size, with no meta data. In future releases of the software these, and many other options, will be added in order to make a more robust diagnostic tool.

First we must populate the RAID with streams. There are basically two types of streams that we will use: the first is a physical data stream or ‘hard drive’; the second is an image data stream or ‘file’. Figure A depicts populating the ‘stream list’ with physical streams. As you can see, the ‘Populate Stream List’ menu item is highlighted. Clicking on this will poll all hard drives on the local machine and display them as shown in Figure B.

Figure A

Figure B

The best way to test an array is to make images of the hard drives and then use the images for testing. From the ‘Configuration’ menu option click on “Add File Stream To List”. A standard Windows file selection dialog box will appear. Go to the proper folder and choose the image that you would like to add to your stream list. Click on the file, then on Open, and the file will be added to your stream list. You are now free to add this item into your RAID Configuration list.

In order to add an item from the stream list into the RAID Configuration simply double-click on the stream list item and it will be added into the RAID Configuration list of items as depicted in Figure C.

Figure C

Next, in order to start the parity test, click on the menu item “Diagnostics”. Doing so will reveal the menu item “Raid Five Parity Check”. Click on that menu item and the diagnostic will begin. This function will check the RAID five on a stripe by stripe basis and validate the parity using XOR mathematics.

In the lower left hand corner of the software is a small status/information window that offers real time data on the parity scan. This window contains five items which describe the state of the diagnostic.

Type: The configured RAID/River type

Ident: Identifier given to the RAID/River type

Block: The block currently being scanned by the software

Time: Time remaining until the scan has completed.

Errors: The total number of blocks in which a parity error has been found.

Two of the five items are most pertinent for this particular function. They are the “Errors” item and the “Block” item. If the “Errors” item is ten to fifteen percent of the array, then the array stripe is probably corrupt and you may have a stale drive in the array. For all practical purposes, however, there should be no more than three or four errors in total for the entire array. A healthy array will have no errors, and if even only one appears, that could mean either the hardware is starting to fail or, worse, the firmware and/or its accompanying memory may be buggy. Either scenario could spell disaster for your array and should be looked at immediately. View Figure D as an example.
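As an added example (not the RAID Diagnostic Toolkit's own code), here is the stripe by stripe XOR check described in the “Check Your RAID Consistency” post and behind the “Errors” count above, written in Python. The member images are constructed in memory; the 64K stripe, the left-symmetric parity rotation and the stale-member simulation are assumptions, and the check returns the number of stripes examined plus the list of stripes whose members no longer XOR to zero.

```python
import os
from typing import List, Tuple

STRIPE = 128 * 512  # assumed default: 64K stripe = 128 sectors of 512 bytes


def raid5_parity_check(streams: List[bytes], stripe: int = STRIPE) -> Tuple[int, List[int]]:
    """XOR every member's block for each stripe. The RAID 5 parity block is the XOR
    of the stripe's data blocks, so a consistent stripe XORs to zero no matter which
    member holds the parity. Returns (stripes checked, indices of bad stripes)."""
    if len(streams) < 3:
        raise ValueError("RAID 5 needs at least three members")
    nstripes = min(len(s) for s in streams) // stripe  # stop at the shortest image
    bad = []
    for i in range(nstripes):
        lo, hi = i * stripe, (i + 1) * stripe
        acc = 0
        for s in streams:
            acc ^= int.from_bytes(s[lo:hi], "big")
        if acc:  # any non-zero bit means the parity does not match the data
            bad.append(i)
    return nstripes, bad


def build_raid5_images(nmembers: int, nstripes: int, stripe: int = STRIPE) -> List[bytes]:
    """Constructed sample: a consistent RAID 5 set with rotating parity (assumed layout)."""
    members = [bytearray() for _ in range(nmembers)]
    for i in range(nstripes):
        parity_idx = (nmembers - 1 - i) % nmembers  # left-symmetric rotation
        parity = 0
        for m in range(nmembers):
            if m != parity_idx:
                block = os.urandom(stripe)
                members[m] += block
                parity ^= int.from_bytes(block, "big")
        members[parity_idx] += parity.to_bytes(stripe, "big")
    return [bytes(m) for m in members]


def stale_drive_demo() -> Tuple[int, int]:
    """Healthy set passes; then member 2 is simulated as stale: the array kept taking
    writes for stripes 12-19 after it dropped out, so those stripes no longer agree."""
    members = build_raid5_images(nmembers=3, nstripes=20)
    assert raid5_parity_check(members)[1] == []
    stale = bytearray(members[2])
    for i in range(12, 20):
        stale[i * STRIPE:(i + 1) * STRIPE] = os.urandom(STRIPE)
    members[2] = bytes(stale)
    nstripes, bad = raid5_parity_check(members)
    return nstripes, len(bad)  # 8 of 20 stripes fail: do not rebuild from this set
```

An error count this high (40 percent of the stripes) is well past the ten to fifteen percent the post gives as the stale-drive warning level, which is exactly the case where a rebuild would overwrite good data with parity computed from the stale member.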

Figure D

Finally, if you wish to interrupt the diagnostic just click on the “Configuration” menu item, and then the “Interrupt Processing” item and all processing will stop.

That’s it! Of course, you must always bear in mind that even if the RAID does not pass the parity test there may still be data to recover. Alternatively, if it does pass, this does not necessarily mean that the RAID is good for a rebuild. There will be other functions added to the software that will help you better determine if a rebuild is advisable.

Dick Correa
