
Re: kaspersky rescue disk


Shadow

May 30, 2018, 10:45:21 AM5/30/18
On Tue, 29 May 2018 16:25:54 -0300, Shadow <S...@dow.br> wrote:

>On Mon, 28 May 2018 19:57:39 -0400, John B. Smith <cra...@verizon.net>
>wrote:
>
>>maybe there was something wrong with the Rescue 10 iso I downloaded
>>twice. I'll try downloading it again in a week or so, see if anything
>>has improved.
>
> Check the MD5 after downloading. Though MD5 is relatively easy
>to forge:
>
>https://support.kaspersky.com/4162
>
> They ought to supply SHA 256 or SHA512 as well as the MD5.
>Strange for a firm that is supposed to be proficient in security.


Hum, the MD5 link came up 404. Never done that before.

Weird.
The last ISO I downloaded (a couple of days ago) has the
following checksums:

MD5: 9F617FD4573CAAC2DEFC69017DB4234C
SHA-1: D7B6B15E1DBA821E89A439B962357214DADF0995
SHA-256:
DBDA178E1CD89DBC47E8B7304A1AF5B9F52B7D8BC8DA7DD25FAC080E8C60E4CE

Anyone confirm those numbers ?

Opening the ISO with 7-Zip:

krd_bases_timestamp.txt is 201805170648

Which is strange, because the previous version always had the
latest signatures. This one apparently needs updating before use.
[]'s

PS alt.comp.anti-virus added, where it's more appropriate.



--
Don't be evil - Google 2004
We have a new policy - Google 2012

Shadow

Jun 1, 2018, 12:39:35 PM6/1/18
On Wed, 30 May 2018 18:54:51 -0400, John B. Smith <cra...@verizon.net>
wrote:

>On Tue, 29 May 2018 16:25:54 -0300, Shadow <S...@dow.br> wrote:
>
>>On Mon, 28 May 2018 19:57:39 -0400, John B. Smith <cra...@verizon.net>
>>wrote:
>>
>>>maybe there was something wrong with the Rescue 10 iso I downloaded
>>>twice. I'll try downloading it again in a week or so, see if anything
>>>has improved.
>>
>> Check the MD5 after downloading. Though MD5 is relatively easy
>>to forge:
>>
>>https://support.kaspersky.com/4162
>>
>> They ought to supply SHA 256 or SHA512 as well as the MD5.
>>Strange for a firm that is supposed to be proficient in security.
>> []'s
>thanks for that link it says
>"Kaspersky Rescue Disk 10 is no longer supported. use Kaspersky2018."
>The 2018 version scans the OS so fast I wonder if the definitions are
>even included with it. I can't see any place to download them once you
>boot the disk.

Yes, they changed it after I last accessed it.
It now points to:

https://support.kaspersky.com/14221

And although it says you can boot it from a USB (in system
requirements), they don't tell you how to.
The old link to the Rescue2usb utility has been removed.
Sh*tty support ....
[]'s

David W. Hodgins

Jun 1, 2018, 2:16:59 PM6/1/18
On Fri, 01 Jun 2018 12:38:26 -0400, Shadow <S...@dow.br> wrote:
> Yes, they changed it after I last accessed it.
> It now points to:
> https://support.kaspersky.com/14221
> And although it says you can boot it from a USB (in system
> requirements), they don't tell you how to.
> The old link to the Rescue2usb utility has been removed.
> Sh*tty support ....
> []'s

Found the correct link at https://support.kaspersky.com/viruses/krd2018
which leads to downloading
https://rescuedisk.s.kaspersky-labs.com/updatable/2018/krd.iso

Checking out the iso image, it's a customized isohybrid build of gentoo
linux, suitable for burning to an optical disc, or copying to a usb
device.

To copy such an image to a usb device, this page has links to a few
programs that can be used. The page is for Mageia linux, but the
instructions will work for a Gentoo linux iso image too.
https://wiki.mageia.org/en/Dump_Mageia_ISO_on_a_USB_flash_drive_-_Alternative_tools

One important thing to understand, is that the iso image contains its
own partition table, so when copying it to a usb flash drive, it has
to be copied to the drive, not to an existing partition on the drive.

If the drive currently has any partitions on it, make sure they are not
mounted.

Any data currently on the drive, including its partition table will be
overwritten.

Be patient when copying the half gig iso image to the usb drive. It will
take a while, as they are much slower than a hard drive. Depending on
the usb drive, and other factors, it may appear to complete quickly,
even though it's still being written. Give it at least 5 minutes.

When you reboot the computer, if it ignores the usb stick and tries to
boot directly to the hard drive, reboot it again, and watch for any
sort of a message such as "Press f7 for setup"; which key needs to be
pressed will vary depending on the computer's bios. Once in the setup,
look for any options similarly worded to "boot order", and in that
section ensure the usb device entry is moved to be before the hard
drive option, then save the setup changes, and reboot, which should
then load the recovery system.

FYI, I'm responding to the article as seen in alt.comp.anti-virus, as
I'm not subscribed to the pc-homebuilt newsgroup.

Regards, Dave Hodgins

--
Change dwho...@nomail.afraid.org to davidw...@teksavvy.com for
email replies.
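The copy procedure Dave describes (whole device, nothing mounted, wait for the write to actually finish) as a small POSIX shell script. This is an added example, not something posted in the thread or shipped by Kaspersky; the device names it accepts (/dev/sdX, /dev/nvmeXnY, /dev/mmcblkX) and the image path in the usage comment are assumptions, and the dd options used are the GNU coreutils ones.

```shell
#!/bin/sh
# Added example (not from the thread): copy an isohybrid image such as krd.iso
# to a whole USB device with a few guard rails. Device naming below is a
# Linux assumption; the image path in the usage comment is hypothetical.

# Return 0 if the path names a whole disk (/dev/sdb, /dev/nvme0n1, /dev/mmcblk0)
# rather than a partition on it (/dev/sdb1, /dev/nvme0n1p1, /dev/mmcblk0p1).
# The ISO carries its own partition table, so it must land on the raw device.
is_whole_disk() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]|/dev/vd[a-z]) return 0 ;;
        /dev/nvme[0-9]n[0-9]|/dev/nvme[0-9]n[0-9][0-9]) return 0 ;;
        /dev/mmcblk[0-9]|/dev/mmcblk[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if neither the device nor any partition on it appears in the
# mount table. $2 overrides the table path (defaults to /proc/mounts);
# fails closed if the table cannot be read.
nothing_mounted_on() {
    mtab=${2:-/proc/mounts}
    [ -r "$mtab" ] || return 1
    ! grep -q "^$1[p0-9]* " "$mtab"
}

# Write the image to the raw device. Refuses partitions and mounted targets.
# conv=fsync makes dd flush to the device before it exits, and the trailing
# sync covers anything still in the page cache, so a copy that "finished in
# two seconds" is not silently still being written (GNU dd options;
# status=progress shows how far along the copy is).
write_image() {
    iso=$1; dev=$2
    [ -f "$iso" ] || { echo "no such image: $iso" >&2; return 1; }
    is_whole_disk "$dev" || { echo "refusing: $dev is not a whole disk" >&2; return 1; }
    nothing_mounted_on "$dev" || { echo "refusing: something on $dev is mounted" >&2; return 1; }
    dd if="$iso" of="$dev" bs=4M conv=fsync status=progress && sync
}

# Usage (as root, after confirming the device name with lsblk):
#   write_image ~/Downloads/krd.iso /dev/sdX
```

The mount check reads /proc/mounts directly rather than trusting a desktop unmount dialog; if a partition of the target is still mounted the write is refused, since dd would otherwise overwrite it underneath the running filesystem.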

Paul

Jun 1, 2018, 4:07:34 PM6/1/18
If it's a Hybrid ISO, you can do it with Windows dd.exe port.

http://www.chrysocome.net/dd

http://www.chrysocome.net/downloads/dd-0.6beta3.zip

Ubuntu was doing something like this too. At one time, they
had USB_Creator_GTK, which prepared some structures on a USB
stick so that a non-Hybrid ISO could be loaded. That worked
well, and I could use the Ubuntu USB_Creator to load a MINT
iso onto a USB stick.

When the Hybrid ISOs started coming out, they changed the
code in USB_Creator, so it's more or less sector-by-sector dd.
Which negated the ability to take older ISO files and
load them onto a USB stick.

If you have a copy of disktype handy (Cygwin, Win10 bash, etc),
you can also check an ISO to see what it contains in terms
of a partition structure.

http://disktype.sourceforge.net/

disktype some.iso

And that will hint as to whether a dd.exe transfer will be
sufficient for the job.

And this does look suitable for dd transfer to a USB stick.
There's everything but the kitchen sink in here ("HFSPLUS" ???) :-)

L:\>disktype krd.iso

--- krd.iso
Regular file, size 550.9 MiB (577619968 bytes)
DOS/MBR partition map
Partition 1: 2.813 MiB (2949120 bytes, 5760 sectors from 1122352)
Type 0xEF (EFI System (FAT))
FAT12 file system (hints score 5 of 5)
Volume size 2.796 MiB (2931712 bytes, 2863 clusters of 1 KiB)
GPT partition map, 192 entries
Disk size 550.9 MiB (577619968 bytes, 1128164 sectors)
Disk GUID 86543861-366F-174E-B237-9BFFE65ED0FB
Partition 1: 547.7 MiB (574343168 bytes, 1121764 sectors from 588)
Type Mac HFS+ (GUID 00534648-0000-AA11-AA11-00306543ECAC)
Partition Name "HFSPLUS"
Partition GUID 86543861-366F-174E-B236-9BFFE65ED0FB
HFS Plus file system
Volume size 547.7 MiB (574343168 bytes, 280441 blocks of 2 KiB)
Volume name "KRD"
Partition 2: 2.813 MiB (2949120 bytes, 5760 sectors from 1122352)
Type Basic Data (GUID A2A0D0EB-E5B9-3344-87C0-68B6B72699C7)
Partition Name "ISOHybrid1"
Partition GUID 86543861-366F-174E-B235-9BFFE65ED0FB
FAT12 file system (hints score 5 of 5)
Volume size 2.796 MiB (2931712 bytes, 2863 clusters of 1 KiB)
Partition 3: unused
ISO9660 file system
Volume name "KRD"
Preparer "XORRISO-1.4.8 2017.09.12.143001, LIBISOBURN-1.4.8,
LIBISOFS-1.4.8, LIBBURN-1.4.8"
Data size 550.9 MiB (577619968 bytes, 282041 blocks of 2 KiB)
El Torito boot record, catalog at 312
Bootable non-emulated image, starts at 2531, preloads 2 KiB
Platform 0x00 (x86), System Type 0x00 (Empty)
Bootable non-emulated image, starts at 280588, preloads 2.813 MiB (2949120 bytes)
Platform 0xEF (EFI), System Type 0x00 (Empty)
FAT12 file system (hints score 5 of 5)
Volume size 2.796 MiB (2931712 bytes, 2863 clusters of 1 KiB)
Joliet extension, volume name "KRD"

L:\>

Paul

Shadow

Jun 1, 2018, 4:45:51 PM6/1/18
I tried unetbootin on the latest ISO, downloaded today and
updated yesterday, according to the krd_bases_timestamp.txt, and the
resulting USB was not bootable. If I get bored, I might boot into
Linux and "dd" it.
It's a pity they don't offer the old stable 100% working
version while this "pre-alpha" project is underway.

Shadow

Jun 1, 2018, 10:43:05 PM6/1/18
So I dd'd it to the USB, it booted, ran a scan (a million
files, took just over an hour), found 49 "malware", most of which were
Nirsoft utilities. 3 (non Nirsoft) were classified as trojans and one
was described as a browser hijacker, but I couldn't read the path to
the files (screen not wide enough), so I tried to save a logfile, but
that's not an option.
So I did some research and discovered it keeps the logs in
C:\KRD2018_Data\Reports\*.enc1
But the file is encrypted !!!!!
What am I missing ? Is there a utility to unencrypt the file so
I can discover where the "malware" is and submit it to Virustotal ?
TIA

PS There is a warning:

https://support.kaspersky.com/14231

//Kaspersky Rescue Disk 2018 makes changes to the operating system
files. This may affect the work of your operating system. Before you
start using Kaspersky Rescue Disk 2018, we recommend that you create a
backup copy of your operating system.//

WTF does that mean ? What "changes" ?

Paul

Jun 1, 2018, 11:19:24 PM6/1/18
Shadow wrote:

> PS There is a warning:
>
> https://support.kaspersky.com/14231
>
> //Kaspersky Rescue Disk 2018 makes changes to the operating system
> files. This may affect the work of your operating system. Before you
> start using Kaspersky Rescue Disk 2018, we recommend that you create a
> backup copy of your operating system.//
>
> WTF does that mean ? What "changes" ?
> []'s
>

Maybe they're referring to you having used some
"quarantine" function after malware is found ?

If you quarantine a file (say winload.exe), that
could brick the OS.

Paul

Shadow

Jun 2, 2018, 9:28:40 AM6/2/18
On Fri, 01 Jun 2018 23:19:24 -0400, Paul <nos...@needed.invalid>
wrote:
Yes it would, but the old Rescue Disk did that too (as does any
decent bootable AV disk), and it's under the header "Special aspects
of Kaspersky Rescue Disk 2018". As in, "what is different from the
last version".
They certainly need to upgrade their PR skills.

Shadow

Jun 2, 2018, 8:59:23 PM6/2/18
On Sat, 02 Jun 2018 19:20:00 -0400, John B. Smith <cra...@verizon.net>
wrote:

>On Wed, 30 May 2018 11:44:05 -0300, Shadow <S...@dow.br> wrote:
>
>>On Tue, 29 May 2018 16:25:54 -0300, Shadow <S...@dow.br> wrote:
>>
>>>On Mon, 28 May 2018 19:57:39 -0400, John B. Smith <cra...@verizon.net>
>>>wrote:
>>>
>>>>maybe there was something wrong with the Rescue 10 iso I downloaded
>>>>twice. I'll try downloading it again in a week or so, see if anything
>>>>has improved.
>>>
>>> Check the MD5 after downloading. Though MD5 is relatively easy
>>>to forge:
>>>
>>>https://support.kaspersky.com/4162
>>>
>>> They ought to supply SHA 256 or SHA512 as well as the MD5.
>>>Strange for a firm that is supposed to be proficient in security.
>>
>>
>> Hum, the MD5 link came up 404. Never done that before.
>>
>> Weird.
>> The last ISO I downloaded (a couple of days ago) has the
>>following checksums:
>>
>>MD5: 9F617FD4573CAAC2DEFC69017DB4234C
>>SHA-1: D7B6B15E1DBA821E89A439B962357214DADF0995
>>SHA-256:
>>DBDA178E1CD89DBC47E8B7304A1AF5B9F52B7D8BC8DA7DD25FAC080E8C60E4CE
>>
>> Anyone confirm those numbers ?
>Could you tell me how you obtain these checksums?

Sure

http://implbits.com/products/hashtab/

At the bottom of the page, you'll see the installer for XP.
Install, then right click on any file, look at "properties",
then "file hashes".
If you right click inside that window, you can choose the ones
you want displayed (I use MD5, SHA1 and SHA256) in "settings".

The more recent ISO will have different hashes, but the ones
above will probably match the one you downloaded.
>
>I'm kinda confused as I suspect you guys are talking Linux at times
>but I'm not sure. I only have XP.

When you boot from the Rescue Disk, you are booting into
Linux. Which is good, because you can scan for rootkits which might be
hidden if you scanned from a running Windows system.
>
> I successfully made a bootable USB drive with the krb.iso using Rufus
>and the dd option. I sure didn't take an hour to run the kaspersky
>scan after I booted it. More like a minute.. Is there a way to look
>inside the iso to see if the virus definitions are there?

Probably because you didn't scan your whole hard drive (look
at the scan settings). By default, Kaspersky Rescue Disk only looks at
boot sectors, system files and your startup programs. It might look at
browser extensions, and programs listed in prefetch too, but I'm not
sure. That only takes a few minutes. Ah, and it checks your hosts
file, and it said mine was "infected". False positive.
To scan a million files, it took just over an hour, but I have
an 8 core CPU. On my old PC, I'd leave it scanning overnight.
HTH
PS The bad thing is you cannot save a readable log file.
The old version did.
[]'s
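For readers on a Linux box rather than XP, here is the same check HashTab gives (MD5, SHA-1 and SHA-256) done with coreutils, covering both Shadow's earlier request to confirm the posted checksums and the "how do you obtain these" question above. This is an added example, not code from the thread or from Kaspersky; it assumes md5sum/sha1sum/sha256sum are installed, and the digest in the usage comment is simply the SHA-256 Shadow posted, so a match only tells you that you have the same file Shadow had, not that the vendor has vouched for it.

```shell
#!/bin/sh
# Added example (not from the thread): compute and verify file digests with
# coreutils. Assumes md5sum, sha1sum and sha256sum are on the PATH.

# Print the lowercase hex digest of $2 for algorithm $1 (md5|sha1|sha256).
digest() {
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 1; }
    case "$1" in
        md5)    md5sum    "$2" | cut -d' ' -f1 ;;
        sha1)   sha1sum   "$2" | cut -d' ' -f1 ;;
        sha256) sha256sum "$2" | cut -d' ' -f1 ;;
        *) echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
}

# Print all three digests the way HashTab lists them.
all_digests() {
    printf 'MD5:     %s\n' "$(digest md5    "$1")"
    printf 'SHA-1:   %s\n' "$(digest sha1   "$1")"
    printf 'SHA-256: %s\n' "$(digest sha256 "$1")"
}

# Return 0 if file $2's $1 digest equals $3, 1 otherwise. The expected value
# is lowercased first, because vendors and tools print hex in either case
# (the thread's values are uppercase, coreutils prints lowercase).
verify() {
    algo=$1; file=$2
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    got=$(digest "$algo" "$file") || return 1
    if [ "$got" = "$want" ]; then
        echo "$algo OK: $file"
        return 0
    fi
    echo "$algo MISMATCH for $file: got $got, expected $want" >&2
    return 1
}

# Usage, with the SHA-256 Shadow posted for the ISO from late May 2018:
#   verify sha256 krd.iso DBDA178E1CD89DBC47E8B7304A1AF5B9F52B7D8BC8DA7DD25FAC080E8C60E4CE
```

Prefer the SHA-256 line when the vendor publishes one: as Shadow notes, an MD5 match rules out a truncated or corrupted download but not a deliberately substituted file, since MD5 collisions are practical to construct.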