G³ Solutions
Technology Defined
kgiii.info

Safe Mode - Explained

It's not uncommon for people to scan in normal mode, find that they manage to remove the instance of malware, and then have it return when they reboot. What is happening is that the malware keeps re-creating itself because its files are still in use by running processes while you're doing the scan in "normal mode." So the question is, then, why should I scan in safe mode?

In safe mode you do not have your normal list of startup applications. A lot of malware is tied into certain processes, meaning, for example, that when you open up Internet Explorer the malware loads too and then directs your searches, passwords, etc. to another server for use by evil people. If those processes aren't started, there's less of a chance that the malware will be running at the time of scanning and deleting. Attempting to delete a file that is in use by a running process is akin to trying to name a folder "con" or "LPT1" (Windows reserved device names) and just about as big a waste of time.

Why safe mode without networking? Because in safe mode none of your security applications start; if your system were also online, it would be exposed to attack with nothing protecting it. Remember, when you boot into safe mode you're actually booting with the bare minimum of files needed for the OS to run. Your firewall won't start and your anti-virus will not start either.

Is there a reason to use safe mode WITH networking? Once in a while there's a time and a place for it, but it is risky and not really worth it. One of the biggest reasons to do so would be when you have two computers:

Let's call them COMP-A and COMP-B

COMP-A is infected with a virus
COMP-A should be disconnected from the INTERnet and the INTRAnet
COMP-B is clean
COMP-B is protected with the latest updates and definitions
COMP-B is reasonably secure
COMP-B should be used to download the latest versions of some malware cleaning software, some can be found here: Malware Cleaners and Repair
COMP-B should then disconnect from the internet
COMP-A can then boot to safe mode WITH networking
COMP-A can then have the INTRAnet (your local LAN) reconnected
COMP-A can then get the latest versions from a network shared file on COMP-B
COMP-A should then disconnect from the INTRAnet
COMP-A can then install and scan
COMP-B can go on computing as normal
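Before COMP-A is reconnected to the LAN at the "boot to safe mode WITH networking" step above, it is worth confirming what the earlier paragraph claims: which boot mode you are actually in, and that the firewall and anti-virus are indeed not running. The following PowerShell check is an added example, not code from the original page; it assumes a current Windows with PowerShell 5 or later, and the service names it knows are the built-in Microsoft ones (add your own product's service names to $securityServices).

```powershell
# Added example (not from the original page): report how Windows was booted and
# whether the built-in firewall/antivirus services are actually running, so you
# know what protection you do NOT have before plugging a safe-mode machine into
# the LAN. Assumes a modern Windows with PowerShell 5+; third-party security
# products use their own service names, which you must add to $securityServices.

function Get-BootMode {
    # Windows sets SAFEBOOT_OPTION to MINIMAL or NETWORK when booted into safe mode;
    # the SafeBoot\Option registry key exists only during a safe-mode boot.
    $opt = $env:SAFEBOOT_OPTION
    if (-not $opt) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
        if (Test-Path $key) {
            $v = (Get-ItemProperty -Path $key -Name OptionValue -ErrorAction SilentlyContinue).OptionValue
            switch ($v) { 1 { $opt = 'MINIMAL' } 2 { $opt = 'NETWORK' } }
        }
    }
    if ($opt) { return "Safe Mode ($opt)" } else { return 'Normal' }
}

# Built-in Windows services; add your own product's service names here (assumed names).
$securityServices = @{
    'MpsSvc'    = 'Windows Defender Firewall'
    'WinDefend' = 'Microsoft Defender Antivirus'
    'wscsvc'    = 'Security Center'
}

$mode = Get-BootMode
Write-Host "Boot mode: $mode"

$notRunning = @()
foreach ($name in $securityServices.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not installed' }
    Write-Host ("  {0,-32} {1}" -f $securityServices[$name], $state)
    if (-not $svc -or $svc.Status -ne 'Running') { $notRunning += $securityServices[$name] }
}

# Connected network adapters: in safe mode without networking there should be none.
$up = Get-NetAdapter -ErrorAction SilentlyContinue | Where-Object Status -eq 'Up'
Write-Host ("Connected adapters: " + $(if ($up) { $up.Name -join ', ' } else { 'none' }))

if ($mode -like 'Safe Mode*' -and $up -and $notRunning.Count -gt 0) {
    Write-Warning ("Booted in $mode with an active network link but without: " +
                   ($notRunning -join ', ') +
                   ". Stay off the Internet; use the LAN only to copy the cleaning tools, then disconnect.")
}
```

Run it on COMP-A right after the safe-mode boot and again after the LAN cable goes back in; the warning is your reminder that the machine is on the wire with nothing watching it.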

That is one example of when you might want to use safe mode with networking. There aren't that many of them. One of the biggest reasons to recommend against safe mode with networking is that you have no right to go online if you have an infected machine. As a good net-citizen it is your job to ensure that you do your utmost to prevent the propagation of malware. Freedom, like it or not, ends at the tip of your nose (or at the connector on your RJ-45 or RJ-11 in this case), and you have a responsibility to do this.

Ideally, and this is starting to climb on a soap box now, you will never have to scan. By practicing safe hex, keeping your security software updated AND properly configured, and by keeping your operating system up to date you should be able to continue online indefinitely without needing to ever do a scan in safe mode. The tools that are listed or that you may purchase should have a real time scanning engine and should have automatic update features. Use them.

So, there will likely come a time when you've made the mistake of visiting the dark side of the internet for one reason or another. You may contract something for which no definitions have been released, and you may need to scan. Scanning in normal mode is a waste of your time because chances are very high that the malware will have so many hooks into the running processes, and be running itself, that it can't be deleted and cleaned effectively. Scanning in safe mode is the best way to go if you are going to scan at all.

What? Scan at all? Okay yes... Scan at all...

First you shouldn't have to. Second, just because your security software is able to recognize the malware doesn't actually mean it's able to delete it effectively. It may or may not kill most of the files. It may only kill the ones that it knows about. It may only kill the one process that's running, skip the .DLL file, and leave the registry looking for stuff that is not there any longer and cause you a bunch of system errors.

"Umm... Okay?" You might say?

Well, how did you know you had been infected with malware? You know, not all system errors and bugs are viruses? Amazing but true: sometimes they're just plain old bugs. Sometimes they are *gasp* your fault for using non-updated software, installing applications that are not meant to go together, and not maintaining your system properly.

Now, where was I?

Ah yes... How did you know you were infected? Well, something must have popped up and told you or some sign was exhibited that matched a specific malware infection and you then confirmed that it was so and that you were infected. How about cleaning it manually? That's right... Take a few moments of your time and clean it manually. It's faster, more effective, and downright easy. Take the name of the virus that you have, type it into a search engine, keep poking about, and find out how it's cleaned manually. Then, if you want to be sure, go ahead and scan.

"Doesn't this conflict with the information on your malware cleaning page?"

Yes, yes it does. The information there is meant to be very generic, and the average end-user is not going to have the knowledge, desire, or time to clean an infestation manually. The two are not diametrically opposed; it's just that cleaning it manually is offered as a better solution for those who wish to take the time to do so.

So, clean in safe mode without networking. Scan in safe mode without networking.


OS: All Platforms > Security
Date: 02/15/06
