Old 08-24-2020, 12:46 AM   #1
duupunisher2x
Member
 
Registered: Aug 2020
Posts: 88

Rep: Reputation: Disabled
Can malware on comp get onto mounted read-only media when using livedvd?


PURPOSE: check if my understanding is correct.

Malware on an infected computer can & usually will get onto a livedvd in use, though removed upon a restart since only temporarily in RAM.

Thus, malware should easily be able to get onto any media (hdd/pendrive) mounted through the livedvd (unless media is write-protected).

Malware has to "write" to the disk to get onto it.


QUESTION: when mounting an external hdd (to an infected computer) as READ-ONLY, does this mean that malware from the computer will not be able to get onto the external hdd anywhere?

My question stems from thinking that maybe the malware can get onto the ext hdd in somewhat of a ‘dormant’ form, but not write to files until a later time when the hdd is NOT in read-only mode.

At the same time, I’m wondering if the files are the only part of the media that is in ‘read-only’ mode, or, conversely, if the “entire hdd” is in read-only mode.

Lastly, my guess is that the "livedvd" is completely irrelevant, and that malware can not get onto the disk (anywhere) b/c it would have to write to the disk to do so and it can not in 'read-only' mode.

Knowing this for certain is very important to me. Thanks.

Last edited by duupunisher2x; 08-24-2020 at 12:54 AM.
 
Old 08-24-2020, 02:02 AM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Quote:
At the same time, I’m wondering if the files are the only part of the media that is in ‘read-only’ mode, or, conversely, if the “entire hdd” is in read-only mode.
Yes, this is precisely the problem.

When you mount a disk read-only, this means that you can't write to the files and directories on the filesystem that resides on the disk.

However, you can still write to the disk device, for example by writing to /dev/sdb1. So, yes it is possible for a program to alter the content of a disk that is mounted read-only. It won't be dormant; the effect would be immediate.

A DVD is different. DVD-R's can't be written at all, I would think (but I may be wrong). DVD-RW's can be written in principle, but I don't think it works the same as an HDD. SD-cards have a read-only switch, and some USB drives might enable you to make them readonly as well. When set to readonly, software should be unable to write to them at all.
 
1 members found this post helpful.
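An added example, not part of any post in this thread, for the distinction drawn in post #2: a read-only mount and a read-only block device are separate settings, and the kernel exposes the second one as a per-device `ro` flag in sysfs. The function name `audit_ro_mounts`, the `demo` helper and the sample devices and mount points are assumptions made for illustration.

```shell
#!/bin/sh
# audit_ro_mounts MOUNTS_FILE SYSFS_ROOT
#   MOUNTS_FILE: text in /proc/mounts format
#   SYSFS_ROOT:  directory laid out like /sys (a parameter so that the
#                constructed sample below can stand in for the real tree)
# Prints one line per /dev/* mount, comparing the filesystem-level "ro"
# option with the kernel's per-device flag in class/block/<name>/ro.
audit_ro_mounts() {
    while read -r dev mnt _fstype opts _rest; do
        case "$dev" in /dev/*) ;; *) continue ;; esac
        # Is "ro" one of the comma-separated mount options?
        case ",$opts," in *,ro,*) fs=ro ;; *) fs=rw ;; esac
        flag="$2/class/block/${dev#/dev/}/ro"
        if [ ! -r "$flag" ]; then
            blk=unknown
        elif [ "$(cat "$flag")" = "1" ]; then
            blk=ro
        else
            blk=rw
        fi
        if [ "$fs" = ro ] && [ "$blk" = rw ]; then
            verdict="WARN: raw device is still writable"
        elif [ "$blk" = ro ]; then
            verdict="device-level read-only"
        else
            verdict="no device-level protection confirmed"
        fi
        printf '%s %s mount=%s device=%s %s\n' "$dev" "$mnt" "$fs" "$blk" "$verdict"
    done < "$1"
}

# Constructed sample data (not taken from a real system).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/class/block/sdb1" "$tmp/class/block/sdc1"
    echo 0 > "$tmp/class/block/sdb1/ro"   # mounted ro, device flag not set
    echo 1 > "$tmp/class/block/sdc1/ro"   # flag set, e.g. blockdev --setro /dev/sdc1
    cat > "$tmp/mounts" <<'EOF'
/dev/sdb1 /mnt/ext ext4 ro,relatime 0 0
/dev/sdc1 /mnt/usb vfat ro,nosuid 0 0
tmpfs /run tmpfs rw,nosuid 0 0
EOF
    audit_ro_mounts "$tmp/mounts" "$tmp"
    rm -rf "$tmp"
}
demo
```

On a live system the call would be `audit_ro_mounts /proc/mounts /sys`. The sysfs flag is enforced by the kernel and root can clear it again, so it is weaker than the hardware write-protect switch mentioned in the post.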
Old 08-24-2020, 06:54 AM   #3
duupunisher2x
Member
 
Registered: Aug 2020
Posts: 88

Original Poster
Rep: Reputation: Disabled
Thanks BDB - I really needed to find this out!!


So, if the malware writes to a partition while read-only - what happens once disk is 'no longer' in read-only mode? My guess is that the malware can move onto the files and directory at that point, infecting them or sort of 'sit on the files' waiting for the files to be opened, at which point only THEN will the file(s) become infected (unless reading in read-only)......?

thanks again

Last edited by duupunisher2x; 08-24-2020 at 06:57 AM.
 
Old 08-24-2020, 06:59 AM   #4
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Code, including malware, can only do something when it is executed. Copying malware to some file is not enough - it must be a file that is executed.

I guess I repeat what you said
 
1 members found this post helpful.
Old 08-24-2020, 07:08 AM   #5
duupunisher2x
Member
 
Registered: Aug 2020
Posts: 88

Original Poster
Rep: Reputation: Disabled
Thanks.

As a sidenote, is it fair to say that when files are in a directory, and malware is present, that the directory acts as a "preventive wall" thereby preventing the malware from getting on the files themselves - until the directory is executed?

thx
 
Old 08-24-2020, 07:10 AM   #6
duupunisher2x
Member
 
Registered: Aug 2020
Posts: 88

Original Poster
Rep: Reputation: Disabled
duplicate here....

Last edited by duupunisher2x; 08-24-2020 at 07:13 AM. Reason: duplicate.
 
Old 08-24-2020, 09:20 AM   #7
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Quote:
Originally Posted by duupunisher2x
Thanks.

As a sidenote, is it fair to say that when files are in a directory, and malware is present, that the directory acts as a "preventive wall" thereby preventing the malware from getting on the files themselves - until the directory is executed?
A directory doesn't protect files, it just contains them. And you can't execute a directory.
 
1 members found this post helpful.
Old 08-24-2020, 09:24 AM   #8
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 7,573
Blog Entries: 19

Rep: Reputation: 4452
Directories don't get executed. They have an "execute" bit which, when set, allows their contents to be accessed, but no code is actually run when this happens because all a directory file can contain is filenames and their corresponding inodes.
 
1 members found this post helpful.
Old 08-24-2020, 09:25 AM   #9
duupunisher2x
Member
 
Registered: Aug 2020
Posts: 88

Original Poster
Rep: Reputation: Disabled
Thanks BDB.

I was equating "executing" with "opening".

Last edited by duupunisher2x; 08-24-2020 at 09:26 AM.
 
  

