Safe Mode: A Misnomer
Thursday March 12, 2009 at 10:10 am CST
Posted by Nandi Kishore
Windows offers the useful option of “Safe Mode” to recover from any damage caused by various malfunctions in the system. Booting in Safe Mode loads limited drivers and services that are required for the basic operation of the system, but avoids adding many extras that complicate the environment. In general, Safe Mode is very helpful in recovering the system from malware infections. However, malware can exploit this feature by loading in Safe Mode, thus creating great difficulties for users and administrators in recovering from these infections.
The services and drivers that load in Safe Mode are listed under the following registry key(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
If malware gains control of the system, it can add an entry for itself under either of the above keys so that it also loads during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean it.
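One way to audit the two SafeBoot keys above, given as an added example that is not part of the original post: the Python code below diffs the output of `reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" /s` from a suspect host against a capture from a known-clean machine of the same Windows build. It assumes English-language `reg` output; the sample captures and the `examplesvc` entry are constructed placeholders.

```python
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

def parse_safeboot(text):
    """Map (mode, entry) -> default value from `reg query <SafeBoot> /s` output."""
    entries, current = {}, None
    prefix = SAFEBOOT.lower() + "\\"
    for line in text.splitlines():
        if line.lower().startswith(prefix):
            # Key line: ...\SafeBoot\<Minimal|Network>\<entry>
            parts = line.strip()[len(prefix):].split("\\", 1)
            current = None
            if len(parts) == 2 and parts[0].lower() in ("minimal", "network"):
                # Registry key names are case-insensitive, so normalise them.
                current = (parts[0].lower(), parts[1].lower())
                entries[current] = ""
        elif current and line[:1].isspace():
            # Value line, e.g. "    (Default)    REG_SZ    Service"
            m = re.match(r"\s+\(Default\)\s+REG_SZ\s*(.*)$", line, re.I)
            if m:
                entries[current] = m.group(1).strip()
    return entries

def diff_safeboot(baseline_text, suspect_text):
    """Return entries added to, or retyped in, the suspect capture."""
    base, cur = parse_safeboot(baseline_text), parse_safeboot(suspect_text)
    added = sorted(k for k in cur if k not in base)
    changed = sorted(k for k in cur if k in base and cur[k] != base[k])
    return added, changed

# Constructed sample captures (not from a real host); "examplesvc" is a placeholder.
BASELINE = SAFEBOOT + r"""\Minimal\AppMgmt
    (Default)    REG_SZ    Service

""" + SAFEBOOT + r"""\Network\AppMgmt
    (Default)    REG_SZ    Service
"""
SUSPECT = BASELINE.replace("AppMgmt", "APPMGMT") + "\n" + SAFEBOOT + r"""\Minimal\examplesvc
    (Default)    REG_SZ    Service

""" + SAFEBOOT + r"""\Network\examplesvc
    (Default)    REG_SZ    Service
"""

if __name__ == "__main__":
    added, changed = diff_safeboot(BASELINE, SUSPECT)
    for mode, name in added:
        print(f"new SafeBoot\\{mode} entry: {name}")
```

Any entry reported as added or changed should be traced to its service or driver binary before the machine is trusted in Safe Mode.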
Always practice “safe surfing,” which is the first step in keeping your computers clean, and keep your anti-virus signatures updated.

March 13th, 2009 at 06:44
[...] Windows Safe Mode – How Malware can add start-up entries http://www.avertlabs.com/research/blog/index.php/2009/03/12/safe-mode-a-misnomer/ [...]
March 17th, 2009 at 17:45
[...] Some things just beg for a blog post. Like the stupidity of telling malware and virus writers exactly how to load their programs in safe mode. Thanks, McAfee. That was brilliant. Safe mode is typically the last resort for removing stubborn viruses, and I’ve only ever seen one that did this. Expect to see a whole bunch of new malware with this ability in the future. This makes me glad I only run ESET’s NOD32 on my computers. [...]
March 18th, 2009 at 02:50
[...] McAfee warns in a corporate blog of the possibility that Windows' popular “safe mode” may be violated by certain malware capable of running in a mode that is in theory safe, and the security company highlights “its inappropriate name”. [...]
March 18th, 2009 at 06:34
[...] says that it is not as safe as its name says, and this is also discussed in [theinquierer] McAfee warns in a corporate blog of the possibility that the popular “safe mode” [...]
March 18th, 2009 at 09:26
[...] “safe mode” is not as safe as its name indicates McAfee warns in a corporate blog of the possibility that the popular “safe mode” [...]
March 19th, 2009 at 07:14
[...] Why Windows ‘Safe Mode’ Isn’t So Safe March 19, 2009 — sabinborka Windows has, for many years, come with a special mode you can load at boot called Safe Mode. The idea is that non-essential services and software don’t load in safe mode and so it can be useful in diagnosing system problems. You might assume that it can be useful in fixing malware infections and you’d be right, but not in all cases. As McAfee’s Avert Labs points out in a blog entry, it’s possible for malware to set itself up to load even in Safe Mode. [...]
March 21st, 2009 at 05:36
[...] malware infections and you’d be right, but not in all cases. As McAfee’s Avert Labs points out, it’s possible for malware to set itself up to load even in Safe Mode. The software and [...]
March 21st, 2009 at 19:02
[...] You might assume that it can be useful in fixing malware infections and you’d be right, but not in all cases. As McAfee’s Avert Labs points out in a blog entry, it’s possible for malware to set itself up to load even in Safe Mode. [...]
March 31st, 2009 at 18:42
[...] McAfee warns in a corporate blog of the possibility that Windows' popular “safe mode” may be violated by certain malware capable of running in a mode that is in theory safe, and the security company highlights “its inappropriate name”. [...]
April 1st, 2009 at 13:42
[...] well, as published on McAfee's blog, this way of booting the computer is not as safe as the name itself says. As can be read [...]
April 8th, 2009 at 01:18
[...] of Windows and the execution of other processes that are not part of the system is limited. However, McAfee warns on its blog that this mode is not as safe as [...]
April 23rd, 2009 at 22:07
[...] You might assume that it can be useful in fixing malware infections and you’d be right, but not in all cases. As McAfee’s Avert Labs points out in a blog entry, it’s possible for malware to set itself up to load even in Safe Mode. [...]
December 7th, 2009 at 16:04
[...] If all the malware locations listed above are not enough to piss you off, malware can also load in the registry and even load while in safe mode! [...]
January 2nd, 2010 at 23:38
[...] According to McAfee, [...]