EH-Net
May 25, 2013, 06:44:07 AM
Show Posts
1
Ethical Hacking Discussions and Related Certifications / Malware / Malware Lab Question
on: December 30, 2010, 01:15:16 PM
I'm getting into analyzing malware and am wondering what the standard is on setting up a malware lab for both behavioral and static analysis.
Assuming I am analyzing malware targeted at Windows machines, I realize that behavioral analysis will be on a Windows machine as well - running in a VM or secure environment.
What I wonder more about is static analysis. In the past, I've been using Linux distributions, as there is no worry about infections. However, I'm starting to want to use tools more often that can only be found on Windows.
Is it standard practice to set up a fully patched Windows box for static analysis of malware? Would I simply tell an antivirus scanner to ignore my samples directory (otherwise it will definitely go crazy) and be sure not to execute any pieces in case they still work on the patched machine? I suppose for extra caution it could be re-imaged after each analysis just in case, but that makes it more difficult to keep an updated repository of malware on the system, OS patches, etc.
I'm just curious to see what other people do or what is standard in the professional world. As I said earlier, I've been using Linux but am thinking about setting up a Windows box instead - it seems nearly every tool or script will run on Windows but only some on Linux...
2
Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Time required for OSCP
on: December 17, 2010, 10:57:50 PM
Thanks for the feedback and link. I hadn't checked out that site yet but it doesn't look like they have much listed in the Atlanta area right now. I'll add it to my list of sites to check though.
As for the course, I suppose I should do the 60 days as you are probably right...I just think I may need to wait until I have some income to cover the costs...while not ideal, it's a bit out of my range for now, so I'll just knock out more affordable options that I can study more on my own for and just pay for the test, like the CEH perhaps followed by CCNA (already have lab equipment). I do think the OSCP course will be really fun though so I hope to do it soon. The main thing that intrigues me is the lab machines are already set up and ready for practicing on...and I didn't set them up which makes it a bit unfair...While looking over the syllabus, I feel like I've done at least 80% of the objectives already and used the tools already...however it's almost always been against my own machines except in a network security course I took where it was against two other teams (we dominated of course!). I just want more practice in an unknown environment.
3
Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Time required for OSCP
on: December 17, 2010, 04:46:34 PM
I'm currently working on the CEH and will be taking the exam whenever I get permission from EC-Council. However, I find it a bit too general and it glosses over too many details... I want something more involved...
Enter OSCP...I hear good things and it seems to be extremely useful in helping one really learn the concepts. But how long does it take to go through the modules? The site recommends the 60 day program and it seems many people here opt for that. Can it be done in 30? How many hours a day does it take to work on it?
My situation is I just graduated with my masters in computer science and am currently unemployed looking for a job. So I have plenty of time and can spend several hours each day easily. If it can be done in 30 days, that would be nice, after all I'm unemployed and on a pretty tight budget!
I'd like to do it now if possible while I have all this time though...I don't know if it will help me tremendously in my job search or not since from what I hear it's not as well known or popular as others even though it's every bit as difficult if not harder than most. But I do feel it would greatly help my skills overall, which is the main goal anyways. It's a tough choice...not the cheapest for someone unemployed but if I'm gonna do it I should do it now...
So is 30 days reasonable if I can put in several hours a day? I also have a pretty strong background I feel in security even though I'm just now starting to take certs for it. I've used a lot of the tools already rather than just read about them and have good programming experience from school as well.
4
Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Null sessions in XP
on: December 16, 2010, 02:42:02 PM
@h1t M0nk3y : You're right. I probably do know enough to pass the C|EH considering the format it's in and things of that nature. But I don't intend to stop at the C|EH and want to learn along the way as it will help me in the real world as well as preparation for more challenging exams in the future. Might as well learn it right the first time!
@ziggy : I downloaded enum4linux and it seems it could be pretty handy and straightforward to use. Unfortunately I'm having the same issue with it that I had using DumpSec. I can't enumerate information even though it seems like it connects fine using IPC$.
With enum4linux running enum4linux.pl -a targetIP I see it successfully gets:
- domain/workgroup name (workgroup in this case)
- nbtstat information
- server allows sessions using username '' password ''
- domain SID (NULL SID); can't determine if host is part of domain or workgroup
- some OS information
But now we start having issues:
- users on targetIP: couldn't find users using querydispinfo or enumdomusers, NT_STATUS_ACCESS_DENIED
- share enumeration: works (gets shares, including IPC$ and a test one I created), but "session request to targetIP failed (called name not present)"; attempting to map shares fails, resulting in Denied for all shares EXCEPT targetIP/IPC$ (Mapping: OK, Listing: Denied)
And then later on: couldn't get RID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
And that's basically it. So again, seems to be the same issue. Can connect to IPC$ but can't really get much information.
Double-checked settings on targetIP...both RestrictAnonymous and RestrictAnonymousSAM are currently set to 0. Windows Firewall is off altogether...
5
Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Null sessions in XP
on: December 15, 2010, 05:11:41 PM
I'm studying for the CEH and working through some exercises on null sessions. I'm not sure how useful they are in real life now since it seems XP SP3 and any newer systems seem to have fixed the issue, but I suppose there could be older machines...
Anyways, I have an unpatched XP with no service pack running as a virtual machine and another running XP SP3 where I test from.
I didn't have any trouble setting up a null session as it told me it was set up successfully. However, it did take some work to get user2sid to work remotely...it always told me the user did not exist, even though the previous step set up the null session and ports 137 and 445 were both open. It did seem to work once I put both machines in the same workgroup.
However, I then tried DumpSec to get an enumerated list, but I haven't been able to get that to work. I set up the null session as before and can use the net use command and user2sid remotely, but after connecting to the same machine in DumpSec it fails to retrieve a list of users...am I doing something wrong? Is DumpSec broken for XP? I tried to find some other enum tools that were mentioned in my book, but I can't even find any to download. The one enum.exe download I found was corrupted; I tried searching for 4getacct as mentioned in my book, but the only thing pulled up by Google was references to the chapter from the book I'm reading.
I also checked the registry settings, which were still the defaults. RestrictAnonymous was set to 0 and RestrictAnonymousSAM was set to 1. Tried changing this to 0 as well to see if that would fix the issue with DumpSec but still no luck...
So...anyone have any ideas? Is it worth the trouble to even try to get this to work? Can I still use this in real life or just need to know the idea for the CEH?
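The two null-session posts above turn on the same handful of registry values (RestrictAnonymous, RestrictAnonymousSAM and friends). The script below is an added example, not code from this thread or from any tool it mentions: it audits those values on a Windows host from the defender's side and flags a machine left in the permissive state the posts describe. The "hardened" target values are an assumption taken from common baseline guidance; run it from an elevated PowerShell prompt on the host being checked.

```powershell
# Added example: report the LSA and LanmanServer settings that decide what an
# anonymous (null-session) caller can enumerate. Key paths and value names are
# the documented Windows settings; the Hardened column is assumed from common
# baseline guidance, not taken from the thread.
function Get-NullSessionPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Return a registry value, or $null when it is not present (defaults differ by OS).
    function Read-RegValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $results = @()

    # DWORD switches: name, hardened value, and what the setting controls.
    $dwords = @(
        @{ Name = 'RestrictAnonymous';         Hardened = 1; Why = 'anonymous share and user enumeration' },
        @{ Name = 'RestrictAnonymousSAM';      Hardened = 1; Why = 'anonymous SAM account enumeration' },
        @{ Name = 'EveryoneIncludesAnonymous'; Hardened = 0; Why = 'Anonymous inheriting Everyone permissions' }
    )
    foreach ($d in $dwords) {
        $actual = Read-RegValue $lsa $d.Name
        $status = 'REVIEW'                       # also covers a missing value
        if ($actual -eq $d.Hardened) { $status = 'OK' }
        $results += [pscustomobject]@{
            Setting = $d.Name; Actual = $actual; Hardened = $d.Hardened
            Status  = $status; Controls = $d.Why
        }
    }

    # Multi-string lists: anything listed here stays reachable over a null session.
    foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
        $list = @(Read-RegValue $srv $name | Where-Object { $_ -ne '' })
        $status = 'OK'
        if ($list.Count -gt 0) { $status = 'REVIEW' }
        $results += [pscustomobject]@{
            Setting = $name; Actual = ($list -join ', '); Hardened = '(empty)'
            Status  = $status; Controls = 'objects exposed to anonymous callers'
        }
    }
    return $results
}

Get-NullSessionPosture | Format-Table -AutoSize
```

A host showing RestrictAnonymous and RestrictAnonymousSAM both at 0, as in the reply above, will come back with two REVIEW rows; the same check can be pointed at a fleet by wrapping it in Invoke-Command.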