In their article Anti-Stealth Fighters: RootKit Testing for Detection and Removal (Virus Bulletin, April 2008), the authors Andreas Marx and Maik Morgenstern wrote:
A step in the right direction could be to focus on providing bootable rescue media, too: this might be the product installation CD or a CD or disk that a user can create and update himself. When the system is started from this media, the rootkit cannot be activated on the system, so a scanner would be able to see all files and registry entries which would usually be hidden. This way, the scanner could detect and delete all rootkit and malware components as long as the signature database is up to date.
The Symantec Endpoint Recovery Tool CD-ROM is a step in the direction indicated by Andreas Marx and Maik Morgenstern in their article.
You can see the Symantec Endpoint Recovery Tool CD-ROM in action in this video:
Unlike other bootable CD-ROMs for removing virus and malware infections, the Symantec Endpoint Recovery Tool CD-ROM gives you the chance to install the latest virus definitions even without an active Internet connection: the definitions can be loaded either directly, or from the hard disk of the infected computer, or from a USB stick connected to the infected computer.
Recently I was able to appreciate the importance of the IPS (Intrusion Prevention System) module of Symantec Endpoint Protection (SEP). In the past I had to take care of removing the Conficker worm from several corporate LANs. The main problem I faced was identifying the infected workstations. Many of my efforts could have been avoided if I had used the IPS module of SEP.
I installed the IPS module on a workstation that was under attack by Conficker; the IPS module immediately reported the attack, pointing out the IP address of the attacker and the threat it was trying to exploit: MSRPC Server Service BO detected.
Reading the MSRPC Server Service BO page on the Symantec web site, I noticed at the bottom of the page a reference to Microsoft Security Bulletin MS08-067, the security bulletin on the vulnerability exploited by Conficker. I then took note of the attackers' IP addresses and, using the nmap command, I could verify that the workstations attacking my computer did indeed have the Conficker worm. I confess that I felt euphoric: for the first time I saw a viral attack stopped and identified. The best!
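The workflow described above (collect the attacker IPs reported by the host IPS, rank them, then confirm each suspect with nmap) can be scripted so that a LAN with many alerts is triaged in one pass. The following is an added example and not code from the post or from Symantec: the alert lines are constructed and do not reproduce the real SEP log format, and the NSE script name smb-vuln-conficker is assumed from current nmap releases (the post only says "nmap").

```python
"""Triage host-IPS alerts to find the workstations spreading Conficker
(MS08-067 exploitation attempts) and build the nmap check for each suspect.
Added example: the alert lines are constructed and do NOT reproduce the real
Symantec Endpoint Protection log format."""
import re
from collections import Counter

# Constructed sample alerts: "<date> <time> <signature> from <attacker_ip> to <local_ip>"
SAMPLE_ALERTS = """\
2009-04-01 10:02:11 MSRPC Server Service BO detected from 10.0.5.23 to 10.0.5.40
2009-04-01 10:02:14 MSRPC Server Service BO detected from 10.0.5.23 to 10.0.5.40
2009-04-01 10:03:02 MSRPC Server Service BO detected from 10.0.7.118 to 10.0.5.40
2009-04-01 10:05:47 Portscan detected from 10.0.9.2 to 10.0.5.40
2009-04-01 10:06:30 MSRPC Server Service BO detected from 10.0.5.23 to 10.0.5.40
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<sig>.+?) from (?P<src>[\d.]+) to (?P<dst>[\d.]+)$"
)
# IPS signature named in the post; it maps to the MS08-067 vulnerability
CONFICKER_SIG = "MSRPC Server Service BO detected"


def parse_alerts(text):
    """Yield (timestamp, signature, source_ip, destination_ip) for each well-formed line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("sig"), m.group("src"), m.group("dst")


def suspect_hosts(text, signature=CONFICKER_SIG):
    """Return [(attacker_ip, alert_count), ...] for the given signature, most active first.
    Other signatures (e.g. the portscan line) are ignored so only MS08-067 attackers remain."""
    counts = Counter(src for _, sig, src, _ in parse_alerts(text) if sig == signature)
    return counts.most_common()


def nmap_check_command(ip):
    """nmap invocation to confirm a suspect over SMB (TCP/445).
    Assumption: smb-vuln-conficker is the NSE script shipped with current nmap."""
    return f"nmap -p445 --script smb-vuln-conficker {ip}"


def triage(text):
    """Combine ranking and verification command for every suspect host."""
    return [(ip, n, nmap_check_command(ip)) for ip, n in suspect_hosts(text)]


if __name__ == "__main__":
    for ip, n, cmd in triage(SAMPLE_ALERTS):
        print(f"{ip}: {n} alert(s) -> {cmd}")
```

Feed it the exported IPS log instead of SAMPLE_ALERTS (after adapting ALERT_RE to the real format) and run the printed nmap commands from an administrative host: the scan result, not the alert count, is what decides whether a workstation goes to the cleanup list.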
I believe that every system administrator should seriously consider installing an IPS module on every workstation. Of course, before deploying an IPS module massively on all the workstations of a company, you should always perform an analysis first. Nevertheless, I believe that although there is a risk of causing some minor discomfort to the company's personnel, the gain in security is far more profitable.