Malware How to Remove 2018
Malware will not go away, and it is actually likely to increase, just like it has year after year for the last ten years. Whether it is the slow running of a computer or a call to the helpdesk reporting a strange message being displayed, users will continue to suffer malware attacks on their PCs, smartphones, and tablets.
In this blog, I will explore how malware infects PCs and networks, their specific entry points, and payloads. I will discuss how you can protect against infection and minimize the impact of a malware attack. You will have to understand the symptoms and likely effects of malware, so that you can troubleshoot and identify when a device has been targeted.
How Malware Infects PCs
It is well known that, compared to other computing devices, PCs are attacked the most. This is because PCs, and Windows PCs in particular, are generally open systems that have many vulnerabilities. There are several reasons why Windows PCs have become appealing targets for viruses, including:
Maintenance of backward software compatibility
Home users with administrative privileges
Open networking stack
Volume of user base
Apart from the positive effect following the introduction of User Account Control (UAC), mentioned in an earlier blog, it is unlikely that malware infection rates will decrease for Windows PCs going forward.
The symptoms that result from a virus infection can include any or a combination of the following:
Computer performs tasks very slowly
Unexplained disk and network activity
Files don’t open with the default application
Custom pop-up messages, or background images, appear
Unexpected command prompt window opens then closes
PC crashes or hangs or will not boot
Strange computer behavior
Too many pop-up windows
Internet access is very slow compared to normal
Let’s consider how malware can infect Windows PCs, then we will consider how you can identify attacks once they have taken place. There are generally three types of viruses that can infect your PC. These are file-infector viruses, boot sector viruses, and macro viruses. Two notes on how hard they are to remove:
Boot sector viruses: Difficult if loaded before Windows. On USB/HDD they can be detected using a signature-based virus scanner.
Rootkits: Not easy. Rootkits can prevent the remover software from loading.
Some users may have experienced file-infector type viruses, either directly through an attack or by attending computer security training. This type of attack is the most common and has been around for many years. Because infector-type viruses attach themselves to, or bury inside, another file, they are often detected by a routine antivirus scanner, which can locate the virus, owing to its known virus signature.
A virus signature is a known, characteristic pattern that a virus scanner detects when a virus has been hidden or embedded within a program file. Although new viruses are created on a regular basis, antivirus software knows what to look for and has to be updated regularly to keep abreast of the most recent virus signatures.
If a virus is not detected, it can infect system memory and executable files and reside on the device for months and even years. One classic (and particularly nasty) virus from a few years ago infected systems and behaved as a rogue security program that attempted to scare, threaten, cajole, hector, harangue, pester, aggravate, intimidate, badger, harass, and generally nag the user into paying the hacker to clean his or her system by using the fake security software.
The virus, called “Win32/FakeScanti” presented the user with various warnings and a credible-looking security tool named Windows Antivirus Pro.
The virus would try to convince users that their systems were unreliable and infected, by periodically rebooting the system and preventing other executables from running, by associating the .exe extension with desot.exe, one of the files installed by Win32/FakeScanti.
Whenever the user tried to run an application, such as an antivirus tool, or even Microsoft Paint, the file name was passed to desot.exe, which then decided whether to run the application or display a message box with a virus warning. Thankfully, the Malicious Software Removal Tool (MSRT), which I will discuss in a later blog, successfully removes the Win32/FakeScanti virus and its variants.
Rootkits and Boot Sector Viruses
A boot sector virus normally resides in the special area of a hard drive, USB, CD, or DVD and aims to infect a system before Windows or any antivirus software can detect its presence.
Any boot virus that can load and hide inside areas of system memory can potentially remain undetected by Windows indefinitely. You saw in the first two blogs how rootkits and boot sector viruses have become very effective at bypassing traditional anti-malware software detection. They are very sophisticated in their design and execution and are designed to evade detection. Typical payloads of rootkits include
Backdoor programs: Log in backdoors, keyloggers
Packet sniffers: Inspect network traffic from within the network
Log-wiping utilities: Remove logs to cover tracks
DDoS (distributed denial of service) programs: Use the PC as a DDoS client
IRC/bots: Bots used to take over Internet Relay Chat (IRC) channels
Even today, it is still very difficult to detect boot viruses, and if you are concerned about being attacked by a rootkit, and you have Windows 8 or Windows 10, you should implement UEFI Secure Boot, which will protect the boot environment.
When Windows 8 was about to launch, Microsoft announced that it would enable UEFI Secure Boot on all new devices using Windows 8 and later versions. Following a massive outcry from concerned users (who believed that Secure Boot would prevent them from dual booting or install a different operating system), Microsoft backed down and modified its plans a little.
All new devices that carry the “Windows 8 Compatible” or “Windows 10 Compatible” logo, must allow the user to turn the Secure Boot feature off.
Modern Linux distributions such as Ubuntu, Fedora, Red Hat Enterprise Linux, and openSUSE currently support Secure Boot and will work without any tweaks on modern hardware, because their bootloader now contains a signed certificate that is recognized by Secure Boot.
It can be difficult to completely remove a rootkit infection, but my preferred remedy is to format the drive, flash the UEFI or BIOS, and completely reinstall the operating system. As Lt. Ellen Ripley said in the 1986 movie Aliens, “I say we take off and nuke the entire site from orbit. It’s the only way to be sure.”
Originally, macros were used in Microsoft Excel and Word to speed up repetitive tasks. As the technology advanced, macros could be written that not only worked within Microsoft Office applications but could interact fully with the operating system also.
As macro viruses became more popular, Microsoft began to warn users that macros could be dangerous, and the dialog box displaying “This document contains macros” would alert them to the presence of a macro.
You may wonder why we need a warning about a macro contained within a spreadsheet. Most macros initialize themselves when the spreadsheet or document is opened; therefore, opening a spreadsheet containing a destructive macro virus would potentially create havoc on your machine.
If you received an e-mail from a colleague containing a macro-enabled spreadsheet, it would have the file extension .XLSM. This indicates that the e-mail contains an Excel Macro-Enabled Workbook file created in Excel 2007 or a newer version. If you are not aware that a file contains a macro, you should be cautious and not trust the macro. The file will still open without the macro being run, and the contents, therefore, will be safe.
After the year 2000, macro viruses began to decline, but in recent years, macro viruses have made a comeback. One cunning tactic employed is for a macro virus to wait for you to open an infected document, and then it will quietly spread into your Office template files. Once your template files are infected, the virus can easily hijack Office every time you use it and infect all the documents that you edit or create thereafter.
Microsoft continues to protect users from macro malware, by restricting macro-enabled documents. By using social engineering methods, malware authors are often able to trick susceptible users into enabling macros, thereby bypassing the built-in protection within Office.
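The .XLSM extension is only a declaration; what makes a document macro-enabled is the VBA project stored inside it. The following is an added example (not code from the original post) that opens an Office Open XML file as the ZIP container it is and reports whether it carries a vbaProject.bin part, so a file whose extension hides its macro can be flagged before anyone is tempted to click “Enable Content”. It assumes Windows PowerShell 5.1 or later; the folder path in the usage line is a placeholder.

```powershell
# Added example: detect a VBA macro project inside an Office Open XML file.
# .xlsx/.xlsm/.docx/.docm/.pptx/.pptm files are ZIP archives; a macro project is
# stored as xl/vbaProject.bin, word/vbaProject.bin or ppt/vbaProject.bin.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeMacro {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path
    # Extensions that legitimately declare a macro project.
    $macroExtensions = '.xlsm', '.xlam', '.docm', '.dotm', '.pptm'
    $hasVbaProject = $false
    $vbaPart = $null

    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
        try {
            $entry = $zip.Entries |
                Where-Object { $_.FullName -match '(^|/)vbaProject\.bin$' } |
                Select-Object -First 1
            if ($entry) {
                $hasVbaProject = $true
                $vbaPart = $entry.FullName
            }
        } finally {
            $zip.Dispose()
        }
    } catch {
        # Not a ZIP container: legacy binary formats (.xls/.doc) or a renamed file.
        # Those can carry macros too, so hand them to a manual or AV review.
        return [pscustomobject]@{
            File          = $file.FullName
            Extension     = $file.Extension
            HasVbaProject = $null
            VbaPart       = $null
            Verdict       = 'Not an Office Open XML container; review manually'
        }
    }

    $verdict = if ($hasVbaProject -and ($macroExtensions -notcontains $file.Extension.ToLower())) {
        'VBA project present but the extension does not declare it: treat as suspicious'
    } elseif ($hasVbaProject) {
        'Macro-enabled document: do not enable content unless sender and purpose are verified'
    } else {
        'No VBA project found'
    }

    [pscustomobject]@{
        File          = $file.FullName
        Extension     = $file.Extension
        HasVbaProject = $hasVbaProject
        VbaPart       = $vbaPart
        Verdict       = $verdict
    }
}

# Usage (placeholder path): scan every attachment saved to a quarantine folder.
Get-ChildItem -LiteralPath 'C:\Quarantine' -File |
    ForEach-Object { Test-OfficeMacro -Path $_.FullName } |
    Format-Table -AutoSize
```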
E-mail and the Internet
Often e-mail and the Web are blamed for being the source of the majority of malware. This is only partly correct. E-mail and the Internet are now the modern delivery mechanism of malware, but in themselves, they are just the carrier. The malware is still an infected file or a macro that needs to be activated in some way by the user.
Most users have learned not to open suspicious-looking e-mail attachments, and rarely will a proficient user fall prey to a suspicious e-mail payload.
Recently, though, malware writers have become more professional, and e-mails are now better worded, and unless the user is kept up to date with current malware approaches, he or she is more susceptible to a rogue attachment. E-mail scams, together with their attachments, now present themselves as being from a reputable source, bundled with a very credible narrative and goal.
For example, a PDF file can be made to execute an embedded executable file without exploiting any vulnerability, although a warning message is displayed (although it is possible to customize the warning message and, therefore, socially engineer it to persuade the user to accept the warning).
Note If you want to review how malicious PDF files can contain viruses, look at Troj/PDFEx-DF. Sophos discussed it on Naked Security on April 12, 2010 (trojpdfexdf-sophoslabs-sees-malware-exploiting-launch/).
A company will employ many layers of defense against malware, both internally on PCs and externally on mail servers. In all examples of e-mail borne viruses, it must be remembered that only when someone opens it can the virus activate itself. Vigilance and training of the user must always be the last line of defense.
The human factor can only at best be mitigated. Even with the best security awareness-training program, at least one in a thousand people will still click that well-crafted phishing e-mail.
How Malware Infects Networks
The majority of PCs using the Web now have some form of protection, yet more than 50% will have been infected with malware during the last 12 months.
We have to ascertain how more than half of all PCs can be infected, despite having some protection in place. We can identify potential areas that require urgent attention, including the following:
Antivirus software is not operational: Users often turn off antivirus software because it might negatively affect the performance of their device.
Antivirus software is not up to date: Users believe that their antivirus software is effective once installed. Often, a user is unaware that it requires daily updates, provided by the security vendor.
Constant game of cat and mouse: Anti-malware software needs to keep track of hundreds, or even thousands, of signatures related to possible viruses. This is updated daily and requires 100% proficiency by the security vendor.
Old applications are vulnerable: Older versions of applications, plug-ins, and operating systems beyond their end of life (EOL) can be exploited by malware.
Anti-malware software incorrectly configured: Security software designed to protect against malware is increasingly difficult for the average user to configure; setting up on-demand scans, scheduled scans, e-mail scans, download scans, and on-use scans is often beyond them.
Ineffective anti-malware software: Not all anti-malware is as effective as others. The rise of freeware anti-malware software makes the choice extremely difficult for the user.
Multiple installations of anti-malware software: Not all anti-malware software will detect specialist attacks, such as spyware or adware infections, so users are forced to install two or more security solutions. Unfortunately, rival security products often fail to work nicely with each other, which can leave gaps for malware to slip through.
When first deployed, most PCs will typically detect and deter malware well. Often, users adopt a “set and forget” approach to security and will seldom check to see if their anti-malware solution continues to work, or if their PC is being routinely updated. We have seen how, through poorly configured or maintained devices, malware can slip through the barrier created by traditional antivirus systems.
Malware can attack the network itself and the PC. An attack can aim for several possible outcomes, some of these are
Exfiltration theft of data
Identity, intellectual property theft
Disruption of operations, reputation
Payment of ransom, profit motive
If we analyze some of the most common types of attacks, we can detect their motives. It is clear to see that the motivation for creating malware has shifted from fame and notoriety to profit.
Malware authors now direct their efforts at bypassing client-based security and operating in stealth mode: the malware conceals itself within the operating system using rootkit technology, whereby it can disable any existing anti-malware software and take control of network access. Once the malware is in place, it can then steal data and user identities, until detected.
If malware can gain access to a PC via the Web, it has the potential to connect to other devices, using Windows networking.
Access to the network will often be a key objective for most malware because access to the network is likely to deliver some beneficial goal. Malware uses the network to (1) provide a backdoor on the system, (2) spread viruses to other machines, or (3) contact the virus authors and allow remote control of a PC or server.
Ever since the early versions of Windows, Microsoft has employed a very open approach to file sharing and networking. Left unchecked, it can offer areas for malware to attempt exploits such as
Access shared files across the network using the Server Message Block (SMB) protocol: Upgrade to latest SMB version.
Access via network-connected multifunction printers and copier: Monitor and use complex passwords.
Available administrative shares, such as C$, IPC$, and ADMIN$: Remove them if they are not required.
Internal web-server vulnerability (they should be as secure as your DMZ web-servers)
Network administrators should employ NTFS and password-protected file sharing and ensure that no resources are left accessible, unless by an authenticated user.
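The four exposure areas above can be audited on a single Windows machine in one pass. The following is an added example, not code from the original post: a read-only script that reports SMBv1 and unsigned-SMB settings, lists the administrative shares that are present, and flags shares that grant Everyone or anonymous access. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt; it only reports, leaving the actual change to the administrator.

```powershell
# Added example: audit local SMB configuration and share exposure (read-only).
function Get-SmbExposureReport {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Protocol version and signing: SMBv1 off, signing required.
    $cfg = Get-SmbServerConfiguration
    if ($cfg.EnableSMB1Protocol) {
        $findings.Add([pscustomobject]@{
            Area   = 'SMB version'
            Item   = 'EnableSMB1Protocol'
            Status = 'Enabled'
            Advice = 'Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
        })
    }
    if (-not $cfg.RequireSecuritySignature) {
        $findings.Add([pscustomobject]@{
            Area   = 'SMB signing'
            Item   = 'RequireSecuritySignature'
            Status = 'Not required'
            Advice = 'Require: Set-SmbServerConfiguration -RequireSecuritySignature $true'
        })
    }

    # 2. Administrative shares (C$, ADMIN$, IPC$ ...). Note that Remove-SmbShare
    #    only lasts until reboot unless AutoShareWks/AutoShareServer is set to 0
    #    under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
    Get-SmbShare | Where-Object { $_.Special } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Area   = 'Administrative share'
            Item   = $_.Name
            Status = "Present (path: $($_.Path))"
            Advice = 'Remove if not required, or block SMB from untrusted subnets'
        })
    }

    # 3. Ordinary shares reachable without authentication. Share and NTFS
    #    permissions should name specific authenticated groups instead.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Guest'
        } | ForEach-Object {
            $findings.Add([pscustomobject]@{
                Area   = 'Share permission'
                Item   = $share.Name
                Status = "$($_.AccountName) has $($_.AccessRight)"
                Advice = 'Revoke-SmbShareAccess, then Grant-SmbShareAccess to named groups'
            })
        }
    }

    return $findings
}

$report = Get-SmbExposureReport
if ($report.Count -eq 0) {
    Write-Output 'No SMB exposure findings on this host.'
} else {
    $report | Format-Table -AutoSize
}
```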
Thankfully, Windows networking is a great deal more secure since the release of Windows Vista. With Vista, Microsoft fully redesigned the implementation of the TCP/IP stack to allow for an IPv4/IPv6 dual stack.
It also engineered several performance enhancements (Jumbo frames) and security features, such as the introduction of Link Layer Topology Discovery (LLTD) and turning off the default behavior to allow viewing of other devices on the network.
Note If you are interested in learning more about the new Next Generation TCP/IP Stack introduced in Windows Vista and Windows Server 2008, visit TechNet: https://technet.microsoft.com/en-us/network/bb545475.aspx?f=255&MSPPError=-2147217396.
A new approach to detecting malware is to attempt to detect it before it arrives at the client. Instead of relying solely on the client device to protect itself, the network is also charged with the duty of overall network security.
Network attacks are typically restricted to fewer than ten distinct communication protocols, such as UDP, TCP, HTTP, etc. Dedicated network equipment can look for viruses traversing the network.
Both solutions will analyze for the thousands of potential virus signatures, but the network device can achieve this while the virus is in transit, whereas a client-based anti-malware solution must monitor and then quarantine once the virus has landed onto the PC.
Increasingly, service providers will offer network-based solutions that allow enterprises to subscribe to a fully managed anti-malware solution. The hardware is supplied, maintained, and managed, and malware is detected, quarantined, analyzed, and reviewed by the service provider. Because this is deployed on a subscription model, this is Security as a Service.
By utilizing this type of solution, your network benefits from an “always-on,” “always up-to-date” solution that cannot be disabled by the user (or by malware). With the constant threat from malware, it is recommended that both network-based and client-based security solutions are employed, as these represent separate layers in your defense-in-depth strategy.
Identifying External Attacks
The majority of security breaches are from external attacks. If malware is attacking computers within your environment, how will you know? Most PC users will have some awareness of malware threats, through training or personal experience, but as we have seen earlier, the attacks keep being re-engineered and become more sophisticated and less easy to spot.
In extreme cases, home users can become exceedingly concerned by the threat of malware and identity theft, and I have seen users stop using their computers.
In order to discuss external attacks, I will first identify the most common types of external malware that are encountered today.
The common external malware types are currently
Firewall attacks and DDoS
E-mail borne viruses and ransomware
Targeted application hacking
Firewall Attacks and DDoS
The primary reason for hackers to implement a firewall attack is to create a breach opening and allow ingress of specialist network traffic, which can be laden with a Trojan horse or virus. Once they have gained control of the network firewall, or a device on the inside of the network, they will be able to hide their tracks and create additional pathways into the network.
Having multiple access routes is useful if a tunnel is compromised or if each vector has a different purpose. Often, when a threat is uncovered, the typical response is to close the vulnerability, whereas the correct response should be to perform a full security audit and look for other threats residing on the network.
A distributed denial-of-service attack is when a hacker uses multiple bots (distributed robotic services) to attempt a flooding of the router with more requests than it can handle. A successful DDoS can result in several possible outcomes.
Authorized users being unable to access resources
Creation of a smokescreen for the “real” or “secondary” attack
Failure of one or more networking components
Compromise of the networking component
Opening of a backdoor into the computer, allowing remote control of it
Loss of reputational goodwill
Note Bots are defined as being individual infected machines, and botnets are multiple bots working together. Bots, when used for hacking purposes, are manipulated by the hacker. Bots can be used to issue spam on a near-continuous basis. The Rustock spamming botnet operated for five years between 2006 and 2011 and infected an estimated 2.4 million computers worldwide.
E-mail-Borne Viruses and Ransomware
We have all encountered e-mail-borne viruses with attachments that entice us to open them, thereby unleashing the payload to infect our computers. This will continue and become more effective.
In all business environments, unknown attachments within e-mails should be sandboxed (typically, automatically placed in a virtualized environment), until they have been checked and, if safe, released. Methods to evade detection, such as encrypting or compressing, should also result in the files being prevented from traversing within the internal e-mail system.
Because e-mail-borne viruses are one of the oldest and most well-known methods of attack, ensuring that your users remain well-trained and vigilant, coupled with up-to-date virus scanning software, should reduce the incidence rate of any e-mail virus.
Should you fall foul of an e-mail virus in which you open an infected file, it is likely that the payload will be some form of ransomware. This method of attack has gained huge success in recent years, because it encrypts your personal files and then holds you ransom until you pay the perpetrator.
The concept has been very effective and financially successful, with the original ransomware viruses and their derivatives. Cryptolocker, discovered in late 2013, reportedly extorted a staggering $30 million in the first three months after release. Even if this is a wild exaggeration, it still shows that a lot of money is being made.
It is worth mentioning how you can identify whether you have been infected by ransomware. Ransomware requires an executable to deliver its payload, and, therefore, the most common method is to hide within a downloaded Torrent file.
Once infected, the virus will associate itself with system and application file extensions, so that when you try to open an application, for example, Word or Excel, the virus will display a custom pop-up dialog that informs you of its malicious action. Most ransomware viruses will encrypt your personal files and request that you pay a ransom in Bitcoin to have your files decrypted.
The virus is normally time-bombed, to create urgency, so that the victim panics and makes prompt payment. Often, once payment has been received, the files are either not decrypted, or, if they are, the virus may lay dormant and resurface for another payment six months later.
The existence of the PClock2 virus can be established by checking the registry for the presence of the following key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\] “wincl” = “%APPDATA%\WinDsk\windsk.exe”
The virus will also store malware files locally in the following locations:
%APPDATA%\WinDsk\windsk.exe: The malware executable
%APPDATA%\WinDsk\windskwp.jpg: The custom wallpaper generated by the malware
%DESKTOP%\CryptoLocker.lnk: A shortcut to the malware executable
%USERPROFILE%\enc_files.txt: List of encrypted files
After infection, the machine is unusable, until the virus is removed. This may be achieved using a decrypter tool available from your antivirus vendor.
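The indicators above (the Run value and the four dropped files) can be checked for a logged-on user in one script. This is an added example, not code from the original post: it reads the registry and expands the paths for the current profile, and only reports what it finds, leaving removal to the antivirus vendor’s tool as the text advises. The key path and value name default to those quoted above; the parameter names are my own.

```powershell
# Added example: look for the PClock2 persistence key and dropped files.
function Test-PClock2Indicators {
    [CmdletBinding()]
    param(
        # Defaults taken from the indicators quoted in the post.
        [string]$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        [string]$RunValue = 'wincl'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Persistence: HKCU\...\Run\wincl = %APPDATA%\WinDsk\windsk.exe
    $runProps = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($runProps -and ($runProps.PSObject.Properties.Name -contains $RunValue)) {
        $data = $runProps.$RunValue
        $findings.Add([pscustomobject]@{
            Indicator = "Run value '$RunValue'"
            Location  = $RunKey
            Detail    = $data
            # True when the value points at the known dropper path.
            Match     = ($data -match 'WinDsk\\windsk\.exe')
        })
    }

    # 2. Files dropped by the malware, with the post's %VAR% placeholders
    #    expanded for the current user.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $paths = @{
        'Malware executable'      = Join-Path $env:APPDATA 'WinDsk\windsk.exe'
        'Custom wallpaper'        = Join-Path $env:APPDATA 'WinDsk\windskwp.jpg'
        'Shortcut to executable'  = Join-Path $desktop 'CryptoLocker.lnk'
        'List of encrypted files' = Join-Path $env:USERPROFILE 'enc_files.txt'
    }
    foreach ($entry in $paths.GetEnumerator()) {
        if (Test-Path -LiteralPath $entry.Value) {
            $findings.Add([pscustomobject]@{
                Indicator = $entry.Key
                Location  = $entry.Value
                Detail    = (Get-Item -LiteralPath $entry.Value).LastWriteTime
                Match     = $true
            })
        }
    }

    [pscustomobject]@{
        Infected = ($findings.Count -gt 0)
        Findings = $findings
    }
}

$result = Test-PClock2Indicators
if ($result.Infected) {
    Write-Warning 'PClock2 indicators found: isolate the machine and run your AV vendor''s removal/decrypter tool.'
    $result.Findings | Format-Table -AutoSize
} else {
    Write-Output 'No PClock2 indicators found for the current user.'
}
```

The enc_files.txt list, if present, is also the quickest inventory of what the malware touched, so keep a copy before any cleanup.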
Ransomware that has already been released should be detected by your anti-malware software, but due to the lucrative nature of this attack, it is likely that significant effort will be invested to create new variants of ransomware and make them harder to detect before they release their payload.
The suggested defense against this type of malware is to back up regularly (onto media stored disconnected from the PC) and remain vigilant to all executable files. Enterprise machines should not be able to accidentally activate any ransomware executables, especially if they are using a modern operating system with UAC enabled. Users of older systems are particularly at risk.
One method of increasing the effectiveness of e-mail attacks is known as spear phishing. This is typically an e-mail-borne phishing attack that has been customized with your information, so that it appears legitimate.
For readers of this blog, this may not be a huge threat, but for inexperienced users this type of targeted, specific scam, in which the sender e-mail address is also impersonated, can make the e-mail content even more compelling to a recipient who knows the purported sender.
With the explosion of personal and corporate information available on social media and public sites such as LinkedIn, it is now even easier to connect pieces of the jigsaw and make a previously laughable spam e-mail become entirely credible.
Targeted Application Hacking
On October 21, 2015, UK telecommunications provider TalkTalk was successfully hacked, with the loss of customer data. Once the breach was investigated, a database containing 4 million records, of approximately 157,000 customers, including names, addresses, and bank account details, had been accessed. The perpetrators e-mailed several TalkTalk employees with ransom demands and included some proof of the stolen cache of data.
The attackers were apprehended in November and December 2015, whereupon more details of the breach became known. One of the hackers was a 15-year-old boy from Northern Ireland who had used an SQL injection attack on a database maintained in a third-party call center. Preceding the theft, the hacker used a DDoS attack that distracted TalkTalk’s security team.
During the trial of the hackers in November 2016, TalkTalk admitted that it was not aware that the hacked web server contained vulnerable web pages that could be used to access the membership database. The company also confirmed that it was not aware that the database software was outdated and not supported by Microsoft.
The incident cost TalkTalk an estimated $75 million and the loss of 95,000 customers, as well as a sharp drop in its share price. The criminal told magistrates, “I was just showing off to my mates.”
The SQL injection attack method in the TalkTalk breach had been discovered more than ten years ago, and a patch was available. It is important to review all applications for vulnerabilities and take steps to ensure that services provided by third-party contractors are also compliant with your security measures.
Another external attack on the database of an adult dating service, “Friend Finder Network,” reportedly exposed between 340 million and 412 million accounts, e-mail addresses, and passwords from its websites, dumping them on the black market. No details of how the hackers actually gained access to the data were available at the time of writing.
It is not just the enterprise-grade database applications that are at risk of attack. In the last ten years, there have been severe vulnerabilities discovered in popular add-ons, including Oracle Java, Adobe Reader, and Adobe Flash. Unless PCs and their applications are regularly updated, they are vulnerable to exploit kits.
Identifying Internal Attacks
An internal attack refers to a malicious activity that seeks to disrupt the computer systems from within the workplace. This could be directly from a member of staff, a contractor, or a visitor. The action may be deliberate or accidental.
During a recent security briefing, the consensus was that human error opens more doors to hackers than technical shortcomings, resulting in a permeable perimeter that is a constant challenge to police. Insider threats remain a significant cyber risk to organizations, with a quarter of all malware attacks originating from the inside.
Trusted employees often require access to critical systems and data to perform their role within the work environment. The employer has a legal duty to protect the business from any form of fraud or malicious activity. In light of this and other legislation (such as the US Sarbanes-Oxley Act of 2002), it is essential that careful consideration be given to how much access each role within the workplace grants to individual employees.
A disgruntled employee can cause significant financial and reputational damage through the theft of sensitive data and intellectual property when they leave, and often the damage is not discovered for several months.
Members of staff with specific IT knowledge and access may cause destructive cyber damage by facilitating, or launching, an attack to disrupt or degrade critical services or wipe data from the organization’s network. Accidental damage can also occur by staff, for example, if an employee inadvertently infects the network with a virus.
Other examples of accidental damage include:
Clicking on a phishing e-mail
Plugging an infected USB into a computer
Ignoring security procedures
Allowing unauthorized use of company devices
Downloading unsafe content from the Internet
Social engineering is a growing threat. It is akin to the tactics employed by World War II spies, when there was a need to curtail all idle talk in case a spy was listening.
Social engineering is one of the easiest methods by which to obtain sensitive information about an enterprise. Individuals, such as reception staff or junior employees, are regularly targeted and can unwittingly provide access to the network or carry out instructions in good faith that benefit the fraudster. Common (and successful) examples of social engineering include the following:
Phishing scams to obtain personal information, such as names, addresses, and Social Security numbers
URL link shorteners to obfuscate malicious links that redirect users to suspicious websites
Pretexting, whereby an attacker focuses on creating a good pretext, such as a fabricated scenario, to try and steal information or scam their victim into allowing entry into the building
Baiting can be used to spread hidden malware by distributing free or gifted USB sticks to staff that contain a virus. A similar method is to leave USB sticks plugged into a meeting room PC and wait for it to be turned on, then capture and broadcast the credentials using keylogging malware.
Tailgating is very common and relatively easy to pull off, especially in a large organization. Someone without the proper authentication follows an employee into a restricted area, leaves a USB in an unattended computer, and then walks out.
There are many ways to reduce the overall cyber risk to an organization, which will form part of your security policy documentation and should be included in employee employment contracts and contractor agreements.
The technological bar required to create sophisticated malware is becoming higher, but some malware is now obtainable to buy directly from the Dark Web. If malware eventually becomes less effective, it is possible that hackers and fraudsters will target physical access into an organization, as this may become the easiest entry vector.
Another very high-profile cyberattack occurred in July–August 2015 on the databases of the online dating service offered by Ashley Madison. This hack is believed to have been the result of an internal breach and emphasizes the importance of the internal threat. Ashley Madison claimed to have an international membership of 37.6 million, and details of this membership were stolen and subsequently made public. It was one of the largest file ransomware attacks.
Because of the highly sensitive nature of the data stolen and publicly released, the fallout following the breach included suicides, lost employment, and families and reputations destroyed. The hackers have never been identified, but many industry experts believe the breach bore the signs of an inside job.
Historically, companies have approached cyber security from a cost-benefit perspective. It is often thought cheaper to deal with the fallout from a breach. However, when the risk of a security leak is the size of Ashley Madison or AdultFriendFinder, security must take priority at any cost.
The need for a positive and proactive security culture that is alert and responsive to the threat posed by the various forms of espionage is extremely important in this modern age.
External Malware and Virus Resources
There are few experiences worse than your PC being infected by malware. Normal reactions to being struck with a virus include shock, panic, and fear.
Depending on where personal data, such as family photos, correspondence, and downloaded files is located, your level of anxiety can become extreme. Help is at hand, and there are many options available to you to protect and recover your machine from the grip of malware.
In this blog section, you will learn not to panic and to approach the cleanup task in a methodical and measured way that should help give you the best chance to make a full recovery.
Malware Protection Center
All current versions of Windows can access the security software offered by the Malware Protection Center, Microsoft’s antimalware and cybersecurity portal.
Microsoft has curated a dedicated security portal for business and consumer Windows users. You should bookmark the website and take some time to review the various tools and resources that are available and which could help restore your PC to good health following a malware attack.
Because the resources are maintained online, you can be assured that they are accessible and up to date, regardless of a malware infection on your device.
On the Malware Protection Center, there are three key resources areas: Get updates, for security software; Get protected, to download security software; and Get Microsoft support, to explore support options.
Get Updates for Security Software
Within the update section, Microsoft provides step-by-step guidance on how you can update your Microsoft anti-malware and anti-spyware software.
There are useful links for obtaining the security software and on how to troubleshoot Windows Update if it stops working. Within the advanced troubleshooting area, there is also a guide showing you how to mitigate malware that prevents you from using Windows Update and a list of potential error codes that your security software can issue.
The resource pages also cover the steps to take when Windows Update cannot obtain the latest anti-malware signatures, including
Freeing up space on your PC, to allow for updates to be saved
Updating your security software and running a full scan
Updating vulnerable software with the latest patches and service packs
Using the Microsoft Safety Scanner or Windows Defender Offline to clean malware from your device
Viewing the extensive encyclopedia of known malware and any special instructions on removal and cleanup
Restoring your PC from a backup
From the portal, you can download antivirus and anti-spyware updates for the following supported security applications:
Microsoft Security Essentials
Windows Defender in Windows 8.1 and Windows 10
Windows Defender in Windows 7 and Windows Vista
Microsoft Diagnostics and Recovery Toolset (DaRT)
Forefront Client Security
Forefront Server Security
Forefront Endpoint Protection
System Center 2012 Configuration Manager
System Center 2012 Endpoint Protection
To check that your anti-malware software is up to date, open its Help or Settings menu and select About; for Windows Defender, this shows the client, engine, and definition version details.
Download Security Software
When you click the Get protected link on the Malware Protection Center portal, you are provided with a matrix of options that relate to the security software that is available, including the following:
Microsoft Security Essentials
Malicious Software Removal Tool
Windows Defender Offline
Microsoft Diagnostics and Recovery Toolset (DaRT)
System Center 2012 Endpoint Protection
Microsoft provides free client protection against malware and other threats, by offering Windows Defender, which is built into Windows 8.1 and Windows 10. Support is still available for Windows 7 and Windows Vista through the Microsoft Security Essentials package. Both tools work the same to protect you from malware.
Windows XP is no longer supported by Microsoft.
You can download Microsoft Security Essentials from the Microsoft Security Essentials website at https://support.microsoft.com/en-us/help/14210/security-essentials-download. Both Microsoft Security Essentials and Windows Defender are free. Despite the price, they are very credible security solutions and fully supported by Microsoft.
You will notice that Windows XP does not have a Microsoft-supported anti-malware solution. As of April 8, 2014, technical support for Windows XP stopped including updates that help protect Windows XP PCs against attack.
Get Microsoft Support
The final option on the Malware Protection Center portal allows you to seek specialist help from the various Microsoft support channels in relation to Windows security.
On the support page, you can search for help, drill down to a specific product, and locate product support. You can also submit questions to the community of Microsoft experts, by clicking the Ask the Community option.
Once on the community page, you can fine-tune the resources available, by selecting the version of Windows and the category, such as virus and malware, and the type of solution, from the available Microsoft security solutions. Finally, select the type of help you require, such as the scanning, detecting, and removing threats, and click Apply.
One of the biggest hindrances to cleaning up after a malware attack is that most users are unaware of the help and support that Microsoft and other security vendors provide. This information has to be shared, so that the fear of malware, and any guilt, panic, and shame felt following an attack, can be alleviated.
If you want to keep up to date with the very latest security trends and methods to detect and thwart malware attacks, you should regularly download your preferred security vendor’s newsletter. For Microsoft, you can read the Microsoft Security Intelligence Report.
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) has been available for a number of years across many versions of Windows. The MBSA tool tries to identify security vulnerabilities on your system.
I have found that despite the MBSA being around for a very long time, only a few users are aware of this free tool. MBSA 2.3 is the current version, and it works with Windows 8.1 and previous versions of Windows. It can be downloaded from www.microsoft.com/en-gb/download/details.aspx?id=7558.
After downloading the MBSA file (1.7MB), you should install it and then launch the analyzer. MBSA allows you to choose to scan a single machine, a range of IP addresses, or to review an existing security scan report.
If you check for security updates, which is recommended, MBSA must first download the latest security update information from Microsoft, which may take up to ten minutes. The tool will then automatically continue with the security scan, and the finished summary will be presented and can be saved or printed.
The tool produces a user-friendly report that can be used to benchmark devices and confirm that your system is not missing patches and does not exhibit common security weaknesses. The majority of issues MBSA identifies relate to missing security patches, with others relating to user accounts (weak or blank passwords, unnecessary administrators, Guest account enabled). You should review the findings and implement the recommendations.
Note You can find more information about MBSA at https://technet.microsoft.com/en-us/security/cc184924.aspx.
Windows Defender
Windows Defender was originally known as Microsoft AntiSpyware and was eventually included with Windows Vista and Windows 7.
Windows Defender offers every Windows user a perfectly good anti-malware package at an affordable price: free. If you have no loyalty to another third-party tool, save your money and stay with the official bundled anti-malware solution that is recommended and integrated into the operating system that it is trying to protect.
Windows Defender runs as a background process (MsMpEng.exe) and monitors your system continuously by default. You should, however, take the opportunity to check that it is running, that automatic updating is enabled, and that the virus and spyware definitions are up to date. Start Windows Defender by typing "defender" into the Search Windows box and selecting Windows Defender.
Windows Defender should display a green bar with the title “PC status: Protected.” If it displays a red bar and “PC status: At risk,” it is likely that someone has turned off real-time protection, cloud-based protection, or that malware may have infected your PC. To restore the protected status, click the Turn On button on the Windows Defender Home tab or use the following steps:
1. Open Settings
2. Select Update & security
3. Select Windows Defender
4. Turn on Real-time protection
5. Turn on Cloud-based protection
6. Open Windows Defender and perform a Quick Scan
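The same checks and repairs can be scripted, which is useful when you are looking after several PCs. The following is an added example written for this post, not code from Microsoft; it assumes Windows 10 with the built-in Defender PowerShell module and an elevated session, and treats signatures older than three days as stale (a threshold chosen here, not a Microsoft figure).

```powershell
#Requires -RunAsAdministrator
# Added example: check Windows Defender health and re-apply the protections that
# the six steps above turn on. Assumes Windows 10 with the Defender module.

function Get-DefenderHealth {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceRunning       = ((Get-Service -Name WinDefend).Status -eq 'Running')
        EngineProcessPresent = [bool]$engine
        AntivirusEnabled     = $status.AntivirusEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        # MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-based protection)
        CloudProtection      = ($pref.MAPSReporting -ne 0)
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureAgeDays     = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
        LastQuickScan        = $status.QuickScanEndTime
    }
}

function Repair-DefenderProtection {
    # Steps 4 and 5 above. On builds where tamper protection is enabled these
    # Set-MpPreference calls are refused; change the setting in the Security app instead.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    Update-MpSignature                 # pull the latest definitions before scanning
    Start-MpScan -ScanType QuickScan   # step 6; this call blocks until the scan ends
}

$health = Get-DefenderHealth
$health | Format-List

$maxSignatureAgeDays = 3   # assumption for this example
$needsRepair = -not ($health.ServiceRunning -and $health.RealTimeProtection -and $health.CloudProtection) `
               -or ($health.SignatureAgeDays -gt $maxSignatureAgeDays)

if ($needsRepair) {
    Write-Warning 'Defender is not fully protecting this PC; attempting repair.'
    Repair-DefenderProtection
    Get-DefenderHealth | Format-List
} else {
    Write-Host "PC status: Protected (signatures $($health.SignatureVersion), $($health.SignatureAgeDays) day(s) old)."
}
```

If the repair functions succeed but real-time protection switches itself off again within minutes, treat that as a sign of active malware rather than a settings problem and move on to the offline tools described later in this post.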
If Windows Defender finds malware or a potentially harmful or suspicious file, it will immediately move it to quarantine, where it is safe from you or from other malware accessing it.
To view any malware that has been detected, you can click the History tab within Windows Defender, select All detected items, and click View details.
If you have harmful files that have been detected, you should maximize the Windows Defender screen, then you can see the file name and location path belonging to the malware.
At the bottom of the detected file information is a Get more information about this item online link that will direct you to a page within the Microsoft Malware Protection Center that provides information, technical data, and removal advice relating to the item.
If the files that Windows Defender detects as malware are, in fact, safe, this is known as a false positive. You can use the Add an exclusion setting within the Windows Defender settings to stop monitoring of specific files, folders, file extensions, and processes, including .exe program files. Keep every exclusion as narrow as possible (one file rather than its folder, never a whole drive or the .exe extension) and review the list periodically: malware and attackers commonly add exclusions for their own working folders so that they are never scanned.
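The exclusion list is worth auditing as part of any cleanup. The script below is an added example for this post (not Microsoft code); it assumes Windows 10 with the Defender PowerShell module, and the risk rules it applies (whole drives, system and user-writable folders, executable extensions, scripting hosts) are this example's own choices.

```powershell
# Added example: audit Windows Defender exclusions for entries that are too broad,
# and add a false-positive exclusion the narrow way. Reading preferences does not
# need elevation; Add-/Remove-MpPreference do.

function Get-RiskyDefenderExclusions {
    $pref     = Get-MpPreference
    $findings = @()

    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $reason = $null
        if     ($p -match '^[A-Za-z]:\\?$')                                  { $reason = 'entire drive excluded' }
        elseif ($p -match '^[A-Za-z]:\\(Windows|Users|ProgramData|Temp)\\?$') { $reason = 'system-wide folder excluded' }
        elseif ($p -match '\\(Temp|Downloads|AppData)\\')                    { $reason = 'user-writable location excluded' }
        elseif ($p -match '\*')                                              { $reason = 'wildcard exclusion' }
        if ($reason) { $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = $reason } }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        if ($e -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd|scr|com|msi|jar|hta)$') {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'executable or script type excluded' }
        }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not $proc) { continue }
        if ($proc -match '(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'scripting host or system binary excluded' }
        }
    }
    return $findings
}

# A confirmed false positive: exclude the single file, not its folder, extension or process.
function Add-NarrowExclusion {
    param([Parameter(Mandatory)][string]$FilePath)
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "Refusing to exclude a path that is not an existing file: $FilePath"
    }
    Add-MpPreference -ExclusionPath $FilePath
}

$risky = Get-RiskyDefenderExclusions
if ($risky) { $risky | Format-Table -AutoSize } else { Write-Host 'No risky exclusions found.' }

# Hypothetical path, for illustration only:
# Add-NarrowExclusion -FilePath 'C:\Tools\internal-admin-tool.exe'
# To remove a bad entry found above:
# Remove-MpPreference -ExclusionPath 'C:\'
```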
Windows Defender is normally updated through Windows Update, which is enabled by default, and if this is disabled, Windows will provide you with a warning that your system is not protected.
It is worth mentioning that some users may never encounter malware, while for others, it may be a constant battle. Allowing Windows to maintain a continual watch over your system will certainly help to mitigate the ever-present threat of malware.
Third-Party Malware and Malware Removal Tools
Antivirus protection is absolutely necessary if your device is connected to the outside world, such as the Internet, an e-mail system, or even external media such as CDs and USB drives.
You have already seen that there are many antivirus packages available. Some are free and others follow a monthly or annual subscription payment model.
Which should you choose? I recommend the built-in Microsoft anti-malware solutions that are discussed throughout this blog, but there are others that you should consider.
In addition to the third-party tools available, there are some additional tools that Microsoft maintains to help you recover from a malware attack, such as a virus, rootkit, or ransomware. These tools can be found in the Malware Protection Center, covered earlier in this blog, and they are summarized below.
Malicious Software Removal Tool
This tool is an essential first action when you believe your device is infected, and your current anti-malware solution has been ineffective. You can download the standalone Malicious Software Removal Tool (MSRT) from the Malware Protection Center or directly, using the following URL: www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx.
After downloading the MSRT file (approx. 45MB), you run it (no installation is required) and allow the tool to scan your device. The tool is able to detect and remove the most prevalent malware and offers three scan types: quick, full, and customized.
Once started, the tool will scan your PC and search and attempt to remove any infected files it can find. The tool is fast, taking only a couple of minutes to complete, and provides you with a detailed report detailing the scan results.
The MSRT is updated monthly, on the second Tuesday of each month, and is also pushed silently through Windows Update, so a copy usually already exists on the PC as MRT.exe; you should, however, use the latest version available. It writes its results to mrt.log in the Windows debug folder. The current version includes detection and removal support for well-known and prevalent malware, including Blaster, Sasser, and Mydoom.
Windows Defender Offline
This tool is a powerful offline scanner that you launch from within Windows 10, or boot from CD, DVD, or USB flash drive on other versions of Windows. It runs before your operating system boots and, therefore, provides a clean, trusted environment in which to scan your system for malware, including rootkits.
Because Windows Defender Offline is built into Windows 10, it requires no additional media to run and is extremely useful if your device has a rootkit, or if your PC is already infected and the malware prevents you from scanning or removing it with your installed anti-malware software or the MSRT.
If you suspect your PC has malware, you can start a Windows Defender Offline scan from Windows Defender Settings, by following these steps:
1. Log on to Windows 10 using administrative credentials
2. Open Settings
3. Select Update & security
4. Select Windows Defender
5. Click Scan Offline
Once you click Scan Offline, the Windows Defender Offline tool will log you out from Windows and then restart the PC and boot to the Windows Defender Offline console and automatically perform a quick scan of your PC.
Once complete, the tool will exit and reboot Windows. To view the Windows Defender Offline scan results, you should follow these steps:
1. Log on to Windows 10 using administrative credentials
2. Open Windows Defender
3. Click the History tab
4. Select All detected items
5. Click View Details
Any items detected by Windows Defender Offline will be listed as Offline in the Detection method column.
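Both procedures above can be driven from PowerShell, which also gives you a detection report you can save before wiping a machine. This is an added example for this post, not Microsoft's code; it assumes Windows 10 with the Defender PowerShell module and an elevated session. Note that Start-MpWDOScan reboots the PC immediately, so save your work first.

```powershell
#Requires -RunAsAdministrator
# Added example: start a Windows Defender Offline scan, or (after the reboot) list
# everything Defender has detected with the matching threat name and severity.
# Usage:  .\defender-offline.ps1 -StartOfflineScan   # reboots into the offline scanner
#         .\defender-offline.ps1                     # print the detection report

param([switch]$StartOfflineScan)

function Get-DefenderDetectionReport {
    # Get-MpThreatDetection records what/when/where; Get-MpThreat holds the threat
    # metadata (name, severity). Join them on ThreatID.
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }

    Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | ForEach-Object {
        $meta = $threats[$_.ThreatID]
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = if ($meta) { $meta.ThreatName } else { "ThreatID $($_.ThreatID)" }
            Severity   = if ($meta) { $meta.SeverityID } else { $null }
            Resources  = (@($_.Resources) -join '; ')   # files, registry keys, processes
            Process    = $_.ProcessName
            User       = $_.DomainUser
            Remediated = $_.ActionSuccess
            # The History tab's "Detection method" column is derived from this ID;
            # compare it between an online and an offline detection to tell them apart.
            SourceID   = $_.DetectionSourceTypeID
        }
    }
}

if ($StartOfflineScan) {
    Write-Warning 'The PC will reboot now into Windows Defender Offline.'
    Start-MpWDOScan
} else {
    $report = @(Get-DefenderDetectionReport)
    if ($report.Count -eq 0) {
        Write-Host 'No detections recorded.'
    } else {
        $report | Format-Table -AutoSize -Wrap
        # Keep a copy of the evidence before any reset or reimage.
        $report | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'defender-detections.csv')
    }
}
```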
If you are using Windows 7, you will have to download Windows Defender Offline and create a bootable CD, DVD, or USB flash drive and then manually restart your PC, using the Windows Defender Offline media.
You can download the Windows Defender Offline tool (mssstool32.exe or mssstool64.exe) directly from the Malware Protection Center or via the following URL: https://support.microsoft.com/en-us/help/17466/windows-defender-offline-help-protect-my-pc.
It is recommended that you only download the tool at the point you need it, because the tool is regularly maintained by Microsoft to contain the most up-to-date signature definitions.
Microsoft Safety Scanner
Microsoft Safety Scanner is another standalone virus and malware scanner that runs inside Windows. It was built for Windows 7 and later versions and overlaps in purpose with the Malicious Software Removal Tool; both tools are still available to download from the Malware Protection Center. A direct download is available via www.microsoft.com/security/scanner.
The downloaded file (Msert.exe) is quite large, at about 140MB, and is an on-demand scanner that may be useful if your current antivirus solution has been disabled. Because of the volatile nature of malware, the Microsoft Safety Scanner is designed to run inside Windows and expires ten days after download. Each time you download the tool, the most up-to-date anti-malware definitions are included.
When you run the downloaded package, Microsoft Safety Scanner behaves in a near-identical manner to the Malicious Software Removal Tool that we saw earlier, in that the scan is performed while Windows is running, and it will scan for and remove viruses, spyware, and other potentially unwanted programs (PUPs).
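Because MSRT and Safety Scanner are command-line friendly, they can be run unattended and their logs checked afterwards, which covers both the MSRT section above and this one. The script below is an added example for this post, not Microsoft's code. It assumes an elevated session, that MRT.exe is present under System32 (it is on any PC that has received the monthly Windows Update copy; otherwise point it at the downloaded file), that MSERT.exe has been downloaded to the hypothetical path shown, and that both logs are written to the Windows debug folder. The "No infection found" and "Threat Detected:" strings it searches the logs for are this example's assumption about the log format and should be checked against a real log on your PC.

```powershell
#Requires -RunAsAdministrator
# Added example: run MRT.exe and MSERT.exe quietly and summarise their logs.
# Switches used: /Q quiet (no UI), /F force a full scan, /N detect only (report, do not clean).

$mrt   = Join-Path $env:windir 'System32\MRT.exe'
$msert = 'C:\Tools\MSERT.exe'              # hypothetical download location
$logs  = Join-Path $env:windir 'debug'     # mrt.log and msert.log live here

function Invoke-MicrosoftScanner {
    param(
        [Parameter(Mandatory)][string]$Exe,
        [switch]$DetectOnly
    )
    if (-not (Test-Path -LiteralPath $Exe)) { Write-Warning "Not found: $Exe"; return $null }
    $flags = @('/Q', '/F')
    if ($DetectOnly) { $flags += '/N' }
    $p = Start-Process -FilePath $Exe -ArgumentList $flags -Wait -PassThru
    return $p.ExitCode
}

function Get-ScannerLogSummary {
    param([Parameter(Mandatory)][string]$LogPath)
    if (-not (Test-Path -LiteralPath $LogPath)) { return $null }
    $text = Get-Content -LiteralPath $LogPath -Raw
    # Assumed log conventions: a clean run says "No infection found"; detections
    # appear on "Threat Detected:" lines naming the malware family.
    $hits = [regex]::Matches($text, 'Threat [Dd]etected:\s*(.+)') | ForEach-Object { $_.Groups[1].Value.Trim() }
    [pscustomobject]@{
        Log        = $LogPath
        LastRun    = (Get-Item -LiteralPath $LogPath).LastWriteTime
        Clean      = ($text -match 'No infection found')
        Detections = @($hits)
    }
}

# First pass in detect-only mode so you know what is there before anything is removed;
# re-run without -DetectOnly (or with /F:Y) to let the tools clean.
$mrtExit = Invoke-MicrosoftScanner -Exe $mrt -DetectOnly
Get-ScannerLogSummary -LogPath (Join-Path $logs 'mrt.log') | Format-List

$msertExit = Invoke-MicrosoftScanner -Exe $msert -DetectOnly
Get-ScannerLogSummary -LogPath (Join-Path $logs 'msert.log') | Format-List

Write-Host "Exit codes: MRT=$mrtExit MSERT=$msertExit"
```

Run the detect-only pass first and read the summary; if the log lists a detection, take a copy of the log before re-running in cleaning mode, since the cleaned files are what you will want to trace back to the point of entry later.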
Diagnostics and Recovery Toolset (DaRT)
The Microsoft Diagnostics and Recovery Toolset provides a rich set of tools to help you troubleshoot and repair system failures, including malware hunting, and is available in 11 different languages.
You can download the DaRT from the Malware Protection Center or directly via the following URL: https://technet.microsoft.com/en-us/windows/hh826071.aspx.
The DaRT tools have been available to enterprises for diagnosing an offline copy of Microsoft Windows since Microsoft acquired the ERD Commander tools from Winternals in 2006. The bootable recovery tools contained on the CD, DVD, or USB flash drive you create with DaRT have been extended over the years and now include many tools.
One of the main uses for DaRT has been its Defender tool, which, alongside the other tools, lets you hunt for malware while Windows is offline. That capability is now built directly into Windows 10 as Windows Defender Offline, and the Defender tool is not included in DaRT 10.
The DaRT 10 toolset is the current version and should be used for Windows 10, whereas earlier versions of DaRT (DaRT 7, DaRT 8, and DaRT 8.1, together with their service packs) should be used for prior versions of Windows.
For older devices, the Microsoft Diagnostics and Recovery Toolset (DaRT) Defender tool should no longer be used, because the DaRT tools are infrequently updated. Users are advised to use the Windows Defender Offline (WDO) protection image for malware detection and removal.
DaRT 10 is part of the Microsoft Desktop Optimization Pack (MDOP), and the MDOP is only available to enterprises that own a current Microsoft Software Assurance license. If you believe you have Microsoft Software Assurance or want more information about acquiring MDOP, visit the MDOP page on the Microsoft site (fwlink/?LinkId=322049).
Windows Defender Advanced Threat Protection
A new entrant to the established lineup of anti-malware solutions is the Windows Defender Advanced Threat Protection (ATP) detection service, which was released in March 2016. While this product ships natively with Windows 10, it requires an enterprise license in order for its benefits to be derived.
Aimed specifically at enterprise customers that need to be protected against targeted and advanced malware attacks, ATP uses the latest security machine-learning analytics, which are powered by the scale-out cloud abilities offered by Microsoft Azure.
Windows Defender ATP can capture, analyze, and detect suspicious attack-related activities on your networks. These activities are analyzed from captured behavioral signals emitted at the endpoint.
Microsoft has shared the scale at which Windows Defender ATP can leverage the intelligent security graph that is aggregated from multiple sources. This graph is informed by anonymized information from 1 billion Windows devices, 2.5 trillion indexed Internet pages, 600 million web page reputation lookups, and more than 1 million suspicious files detonated in sandboxes every day.
A sample NEODYMIUM attack, from May 2016, delivered via spear-phishing e-mails carrying malicious documents, contained zero-day exploit code that could cause a Microsoft Office file to generate and open an executable file. This attack is detected by Windows Defender ATP.
Windows Defender ATP is still a very new development, but it is clear to see that Microsoft has decided to move the detection and analysis of malware to the cloud, in order to reduce the time that any new potentially harmful malware is left undetected and, therefore, able to infect Windows 10 devices. Windows Defender ATP works in conjunction with the built-in Windows Defender agent to perform capabilities such as device local file scanning.
You can currently download a trial of Windows Defender ATP to be used on any of the following editions of Windows 10: Windows 10 Enterprise, Windows 10 Education, Windows 10 Pro, and Windows 10 Pro Education.
Enterprises should contact their Windows solution provider to discuss the pricing for the Microsoft Secure Productive Enterprise E3/E5 license required to deploy the product. You can sign up for a trial and gain more information via www.microsoft.com/en-us/WindowsForBusiness/windows-atp.
If you are using a modern version of Microsoft Windows, such as 7, 8.1, or 10, you are better protected from malware than with previous versions of Windows. This protection comes with some caveats, which include using the default Windows Defender and user account control settings and being vigilant when using e-mail and the Web, especially if any Torrent or Dark Web downloads are on your machine.
To ultimately protect your personal files from malware, you should consider storing a backup of your files separate from your computer. I recommend a physically separate backup that is disconnected when not in use. The cloud is a great convenience to us, but a synchronized cloud folder offers little protection against a ransomware attack, which can spread within minutes to every file you have access to and is then faithfully replicated to the cloud copy; only file versioning or a separate offline copy gets you back to the pre-infection state.
Sometimes malware-killer applications and virus cleaners won't work. Maybe your system is too badly infected or has multiple instances of malware. Thankfully, with Windows 10, the process of resetting your PC is simple and efficient and can be a very quick way to rid a device of malware. Prefer the option that removes everything over the one that keeps your files, then restore your data from a backup taken before the infection and scan it before use, because the file that started the attack may otherwise come straight back.
The final piece of the jigsaw following eradication of malware is to learn from the experience. Review how the attack occurred, where the vulnerability existed, and how you can reduce the likelihood of a repeat attack.