Wednesday, May 12, 2010

Analyst's View: Antivirus Rescue CDs

I examine nine AV rescue CDs designed to remove particularly nasty malware to determine which is the best disc, and if the free ones are good enough.

The other day a reader e-mailed me to ask about a situation that hadn't previously crossed my mind. He wanted to know which antivirus software would clean up a hard drive that he had removed from its original computer and mounted as a slave drive in his work computer. Now, every antivirus can scan files on all local drives, but he also wanted it to scan and clean the "foreign" drive's registry—a significantly more difficult task.

My first thought was that the "rescue CD" products offered by many antivirus vendors should do the job. You'd typically use such tools when a nasty threat resists removal by a regular antivirus program, or when malware fights back and blocks the installation of security software. Rescue CDs work by booting into a different operating system (commonly some form of Linux) and scanning the infected Windows installation as inert data on disk. Rootkits and other threats that actively resist detection or removal are powerless in that situation, because their code never gets launched.

Intrigued by the thought of which rescue CD could tackle the task, I quizzed nine antivirus vendors about their rescue CD products. They were:

Antivir Rescue CD (free)
avast! BART CD ($149.95)
AVG Rescue CD (free)
BitDefender Rescue CD (free)
F-Secure Rescue CD (free)
Kaspersky Rescue Disk (free)
Norton Bootable Recovery Tool (free with license)
Panda SafeCD (free)
PC Tools Alternate Operating System Scanner (free)

Rescue CDs: Operating Systems and Disk Burning
Almost all the products boot into some variety of Linux. BitDefender and F-Secure specifically use Knoppix, Kaspersky boots into Gentoo, Panda runs Debian, and PC Tools created their own purpose-built Linux distro. Norton and avast! run under Windows PE (a preinstallation environment), and are the only two that aren't free. Windows PE licensing requirements mean Symantec can't give away the Norton product, so only those with a valid license key can use it. The avast BART CD is designed for a technician's toolbox; its $149 sticker price means that it's not for the average user. (Note that BART stands for Bootable Antivirus and Recovery Tool—there's no connection with the BartPE environment).

In most cases, you'll need to download an .ISO file and burn it to CD using a malware-free computer. Norton's disk is an exception—you download a wizard that handles the process of creating a CD or bootable USB drive. AVG and F-Secure also include the option to create a bootable USB drive rather than a CD. Kaspersky will add this ability in its 2011 edition. If you bought a boxed copy of your antivirus or security software you may already have a rescue CD. Those using AVG, BitDefender, F-Secure, Norton or Panda can simply boot from the product CD—the same will be true of Kaspersky's 2011 edition.

Rescue CDs: How They Work
All the rescue CDs listed here can scan and clean both FAT and NTFS drives. It may seem strange to even mention that fact, but, in the past, some rescue CD products limited their cleanup to one file system or the other. All of them except PC Tools have the built-in ability to download updates; PC Tools handles updates by building a new version of the CD every week. Antivir and avast! go further, updating the rescue CD image with every virus definition update.

The PC Tools and F-Secure CDs simply rename found threats so they're no longer executable, counting on the full antivirus product to complete the cleanup. The other applications attempt to disinfect, quarantine, rename or delete threats, but you'll still want to follow up with a full in-Windows antivirus scan. Avast!'s BART CD is an exception; it's designed to perform a complete cleanup without any help from another product. Avast! and Norton are the only ones of this group that can also clean up traces in the registry, which makes sense as they're the only ones built on Windows: the registry hives are ordinary files on the NTFS volume (SYSTEM and SOFTWARE under Windows\System32\config, NTUSER.DAT in each user profile), and a Windows PE environment can load them as offline hives through the native registry APIs, whereas a Linux-based disc would need its own hive parser just to read them, let alone edit them safely.

The reader whose query got me started on this investigation wanted to mount another system's hard drive as a slave in his system and use a tool that would clean up all file and Registry malware traces. All the products except PC Tools will clean up files on the foreign drive, but only avast!'s BART CD can remove malware traces in the "foreign" registry.
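As an added example (not the article's, and not any vendor's tool), here is how a Windows-hosted setup like the reader's can get at the foreign drive's registry: load its hive files as offline hives with reg.exe, walk the autostart (Run/RunOnce) keys, and flag entries whose target file no longer exists on the mounted volume, which is exactly the kind of trace a file-only cleanup leaves behind. It assumes the foreign volume is mounted at E: (hypothetical), a standard Windows layout, and an elevated PowerShell session on the host; the mount-point names, the key list, the script name and the simplified %SystemRoot%/%ProgramFiles% expansion are mine, not the page's.

```powershell
<#
  Added example, not code from the article or from any rescue-CD vendor.
  Audits the autostart (Run/RunOnce) entries in the registry hives of a Windows
  installation mounted as a secondary ("slave") drive and reports, or with -Remove
  deletes, entries whose target file is no longer on that volume: the registry
  traces that a file-only cleanup leaves behind.
  Assumptions (hypothetical): the foreign volume is mounted at E:, it held a
  standard Windows layout, and this runs in an elevated PowerShell on a Windows host.
  Never point it at the hives of the system you are running on.
#>
param(
    [string]$Root = 'E:',   # where the foreign volume is mounted (assumption)
    [switch]$Remove         # delete dangling entries; default is report only
)
$Root = $Root.TrimEnd('\')

# Turn the command string stored in a Run value into a path on the mounted volume.
function Resolve-OfflinePath {
    param([string]$Command, [string]$Root)
    # Executable part: a quoted path, or everything up to the first known extension.
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?:\s|$)') { $exe = $Matches[1] }
    else { return $null }
    # Expand the usual variables against the foreign install, not against this host.
    $exe = $exe -replace '%(?:SystemRoot|windir)%', 'C:\Windows'
    $exe = $exe -replace '%ProgramFiles%', 'C:\Program Files'
    $exe = $exe -replace '%SystemDrive%', 'C:'
    # Re-point the original system drive letter at the mount point.
    if ($exe -match '^[A-Za-z]:') { return $Root + $exe.Substring(2) }
    return $null   # bare names (rundll32.exe ...) resolve via PATH; not checked here
}

# Hive files to inspect: mount name under HKLM -> hive file on the foreign volume.
$hives = @{ 'OfflineSoftware' = "$Root\Windows\System32\config\SOFTWARE" }
foreach ($profiles in @("$Root\Users", "$Root\Documents and Settings")) {   # Vista+ and XP layouts
    if (-not (Test-Path -LiteralPath $profiles)) { continue }
    foreach ($dir in (Get-ChildItem -LiteralPath $profiles | Where-Object { $_.PSIsContainer })) {
        $nt = Join-Path $dir.FullName 'NTUSER.DAT'
        if (Test-Path -LiteralPath $nt) {
            $hives['Offline_' + ($dir.Name -replace '[^A-Za-z0-9]', '_')] = $nt
        }
    }
}

$findings = @()
foreach ($mount in @($hives.Keys)) {
    $file = $hives[$mount]
    # reg.exe maps the hive file into the live registry under HKLM\<mount>; needs elevation.
    & reg.exe load "HKLM\$mount" $file | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $file (locked, or not a hive?)"; continue }
    # A user hive carries the Software\ prefix that the SOFTWARE hive itself lacks.
    $prefix = if ($mount -eq 'OfflineSoftware') { '' } else { 'Software\' }
    try {
        foreach ($sub in @('Run', 'RunOnce')) {
            $key = "HKLM:\$mount\$($prefix)Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $k = Get-Item -LiteralPath $key
            try {
                foreach ($name in $k.GetValueNames()) {
                    if ($name -eq '') { continue }   # skip the (Default) value
                    # Keep REG_EXPAND_SZ unexpanded so %SystemRoot% maps to E:\Windows, not this host's.
                    $cmd = [string]$k.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                    $target = Resolve-OfflinePath -Command $cmd -Root $Root
                    if ($target -and -not (Test-Path -LiteralPath $target)) {
                        $findings += New-Object PSObject -Property @{
                            Hive = $file; Key = $sub; Name = $name; Command = $cmd; Target = $target }
                        if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $name }
                    }
                }
            } finally { $k.Close() }
        }
    } finally {
        [GC]::Collect()   # release lingering handles so the unload succeeds
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}
if ($findings) { $findings | Format-Table Hive, Key, Name, Command, Target -AutoSize }
else { "No dangling autostart entries found under $Root" }
```

Run it read-only first (for instance `.\Audit-OfflineAutoruns.ps1 -Root E:`, a script name chosen here), review the table, then rerun with `-Remove`. Entries whose target file still exists are left alone: deciding whether that file is malicious remains the scanner's job, and this only removes references left dangling after the file was deleted or renamed. Services, Winlogon and the other autostart locations are not covered, and a hive that reg.exe refuses to load (typically because it is in use or dirty) is reported and skipped rather than forced.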

Rescue CDs: The One to Choose
If you run into a malware problem that gets past your existing antivirus protection or if entrenched malware prevents installation of security software I'd suggest you try as many of these as necessary to set things right (after all, seven of the nine rescue CDs discussed here are free). Those with a valid Norton product key should start with the Norton CD, as it can clean up more thoroughly than the free products. The true virus warrior who's working hard to clean up other people's drives, however, should go with avast!'s BART CD. It carries a premium, but technicians will surely recoup the cost of the software after just a few jobs.

Source: Neil J. Rubenking