If you’re fighting malware, then you’ll need the right tools. In this video, you’ll learn about the Windows Recovery Environment, software-based firewalls, secure DNS, and more.
If you want to stop malicious code from running on your computer, you’ll need anti-virus and anti-malware software. You’ll sometimes see these as two separate applications, although increasingly they ship as a single integrated product. The software is designed to identify any malicious code that may be executing in your computer’s memory and, if it recognises that code, to block it from running in real time.
There are also options to run on-demand scans, so at any time you can have the anti-virus or anti-malware signatures checked against every file stored on your computer. The latest generation of anti-virus and anti-malware software also looks for malicious activity executing on your system, regardless of what the underlying code might be. This behaviour-based detection means the software doesn’t need an exact signature for a specific virus; it watches what a program does, which is also what catches a sample the signature database has never seen.
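The following is an added example, not code from the video, showing how the three capabilities above (real-time blocking, behaviour-based detection and on-demand scans) are checked and exercised with the Microsoft Defender cmdlets that ship with Windows 10. It assumes an elevated PowerShell session on a machine where Defender is the active anti-malware engine; the EICAR string is the industry-standard harmless test pattern that every engine is built to detect.

```powershell
# Added example (not from the original video). Assumes Windows 10 with the
# built-in Defender PowerShell module and an elevated session.

# 1. Is real-time protection on, is behaviour monitoring on, and how old are
#    the signatures?
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
                  BehaviorMonitorEnabled, AntivirusSignatureLastUpdated,
                  AntivirusSignatureAge

# 2. Make sure the behaviour-based engine is enabled and pull fresh signatures.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableBehaviorMonitoring $false
Update-MpSignature

# 3. Real-time protection test. EICAR is a harmless text string that every AV
#    engine recognises as a test "virus". Writing it to disk should be blocked
#    on the spot, and the event then shows up in the threat history.
#    The string is assembled at run time so that this script file itself does
#    not contain the contiguous pattern and get quarantined.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar-test.txt'
try {
    [System.IO.File]::WriteAllText($path, $eicar)
    Start-Sleep -Seconds 5
    if (Test-Path $path) {
        Write-Warning 'EICAR is still on disk: real-time protection did not block it'
    } else {
        Write-Host 'EICAR was removed: real-time protection is working'
    }
} catch {
    Write-Host "Write refused by real-time protection: $($_.Exception.Message)"
}

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 InitialDetectionTime, ProcessName, Resources

# 4. On-demand scans (the "check every single file" option).
Start-MpScan -ScanType QuickScan
# Start-MpScan -ScanType FullScan                        # every file; run it out of hours
# Start-MpScan -ScanType CustomScan -ScanPath 'D:\Downloads'
```

If step 3 reports that the file is still on disk, real-time protection is off or excluded for that path (check `Get-MpPreference | Select-Object ExclusionPath`); a detection in step 3 with `Resources` pointing at the temp file is the expected result.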
If a system is infected with malware, you may find that it’s not able to boot. And in those particular cases, you’ll need some way to get into the operating system and begin repairing the damage. One of the ways to do this is by using the Windows Recovery Environment, which is an extremely powerful front end that gives you access to the operating system. But this is also a very dangerous way to start manipulating your system, and you can make changes in the Windows Recovery Environment that may cause additional damage to the operating system.
However, this does give you complete control of the operating system. You can add and remove files, you can change the startup process, and in some cases, you can remove the malware directly from this Windows Recovery Environment. This also means that you’ll need to know exactly what you want to change with the operating system. You’ll need an understanding of what services you might want to disable during the startup process. And you may want to repair boot sectors from the Windows Recovery Environment, and you’ll need to know exactly the commands to use to perform those functions.
To use the console in this recovery environment in Windows 7, you would either boot from the installation media or, as the system is starting, press the F8 key to bring up the Advanced Boot Options menu. From there, choose Repair Your Computer to reach System Recovery Options, and then choose Command Prompt. In Windows 8, 8.1, or Windows 10, you would boot from installation media and choose Troubleshoot > Advanced Options > Command Prompt. From that Command Prompt, you can then perform any of the maintenance functions that might help remove the malware or assist the system in booting up properly.
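The commands below are an added example, not part of the video, of the repairs described above once the recovery Command Prompt is open: locating the installation, repairing the boot sector and boot configuration, disabling a malicious service in the offline registry, and replacing tampered system files. Every line is a standard Windows executable (bootrec, reg, sfc, dism), so each can be typed as-is into the WinRE Command Prompt. The example assumes the offline Windows installation is on C:, and the service name EvilSvc is a hypothetical placeholder for whatever the malware installed.

```powershell
# Added example (not from the original video). Assumes the offline Windows
# installation is C:\ (check with diskpart / list volume first: WinRE often
# assigns drive letters differently from the running OS) and that the
# hypothetical malicious service is named EvilSvc.

# 1. Find the Windows installation(s) that WinRE can see.
bootrec /scanos

# 2. Repair the master boot record, the partition boot sector, and rebuild
#    the boot configuration data (the video's "repair boot sectors").
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd

# 3. Disable a service so it no longer starts at boot. The registry hive of
#    the OFFLINE installation is loaded under a temporary key; the control set
#    actually in use is named in Select\Current (usually ControlSet001), and
#    Start=4 means SERVICE_DISABLED. Read ImagePath first so you know which
#    file on disk to inspect or remove.
reg load HKLM\OfflineSys C:\Windows\System32\config\SYSTEM
reg query HKLM\OfflineSys\Select /v Current
reg query HKLM\OfflineSys\ControlSet001\Services\EvilSvc /v ImagePath
reg add   HKLM\OfflineSys\ControlSet001\Services\EvilSvc /v Start /t REG_DWORD /d 4 /f
reg unload HKLM\OfflineSys

# 4. Replace modified system files from the component store, in offline mode.
#    dism needs a /Source: pointing at install media if it cannot reach
#    Windows Update from the recovery environment.
sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows
dism /image:C:\ /cleanup-image /restorehealth
```

The reg commands are the part that deserves care: an unload that is skipped leaves the hive locked, and disabling the wrong service (one the video warns you must understand first) can itself stop the system from booting, so confirm the ImagePath before changing Start.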
One of the best ways to recover from malware is simply to restore from a known good backup. That’s why it’s so important in any operating system to make sure that you always have a backup ready to go. A backup is only “known good” if it was taken before the infection and is kept somewhere the malware cannot reach, such as a detached drive or a share the workstation cannot write to. There’s imaging software built into Windows 7, Windows 8, and Windows 10. In Windows 7, you can find this in Backup and Restore; in Windows 8 and Windows 10 it’s called Backup and Restore (Windows 7).
Using this imaging software, you can back up your entire system to an image, and then restore either the entire image to your system or individual files. Even if you used a malware removal tool or removed the malware manually, you’re never 100% guaranteed that you’ve removed every part of it. The only way to be 100% sure is to delete everything and restore from a known good backup.
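As an added example (not from the video), this is the command-line equivalent of the Backup and Restore (Windows 7) image: wbadmin drives the same system-image engine. It creates a bootable image, records which versions exist at the target so a restore can pick one that predates the infection, and keeps an independent hash record so tampering with the image files is detectable. The share names are placeholders; it assumes an elevated session and that the OS volume is C:.

```powershell
# Added example (not from the original video). Assumes an elevated session,
# OS volume C:, a hypothetical image target \\backupsrv\images, and a
# hypothetical read-only (from the workstation's point of view) ledger share
# \\ledger\hashes where the hash record is kept.
$target = '\\backupsrv\images'
$ledger = '\\ledger\hashes'

# 1. Image every volume needed to boot (-allCritical). -vssFull marks the
#    files as backed up; -quiet suppresses the confirmation prompt.
wbadmin start backup -backupTarget:$target -include:C: -allCritical -vssFull -quiet

# 2. List the versions at the target. A restore after an infection should
#    name a version from BEFORE the compromise, not the newest one.
wbadmin get versions -backupTarget:$target

# 3. Hash the image files (VHD on Windows 7, VHDX on 8/10) and store the
#    hashes away from the image. Re-running Get-FileHash later and comparing
#    against this CSV shows whether anything rewrote the backup.
$hashFile = Join-Path $ledger ("image-hashes-{0:yyyyMMdd}.csv" -f (Get-Date))
Get-ChildItem (Join-Path $target 'WindowsImageBackup') -Recurse -Include '*.vhd','*.vhdx' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv $hashFile -NoTypeInformation

# 4. Verification at a later date: any row printed here has changed on disk.
$recorded = Import-Csv $hashFile
foreach ($row in $recorded) {
    $now = (Get-FileHash -Algorithm SHA256 -Path $row.Path).Hash
    if ($now -ne $row.Hash) { Write-Warning "MODIFIED: $($row.Path)" }
}

# Full restore is done from WinRE via System Image Recovery, which reads the
# same WindowsImageBackup folder; individual files come back through the
# Backup and Restore (Windows 7) control panel.
```

Disconnect or unshare the target once the job finishes; an image that stays mounted and writable from the workstation is reachable by the next piece of ransomware and is no longer a known good copy.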
Many malware infections occur because the user clicked on a link or launched software that they probably should not have launched. To help users understand what they should and should not do, it’s always useful to provide end-user education. This could be one-on-one personal training, or you can train larger groups in a training center.
It’s also useful to have some type of feedback constantly reminding people of what they should and shouldn’t do, such as posters, signs, or messages they see when they log in. These login messages tend to become invisible over time, so it’s useful to rotate between these different methods so that people are constantly seeing fresh reminders. You might also want to keep training resources on your intranet, so there will always be a resource available for anyone who wants to know more about how to keep their systems safe.
It’s also common to run personal firewalls, or software-based firewalls, on a workstation. This allows you to constantly monitor inbound and outbound traffic to make sure that only the expected traffic flows occur in and out of the system. Monitoring the outbound side is especially useful: if a system does get infected and the malware needs to communicate out to its command-and-control server, you can stop it right at the personal firewall.
There is a personal firewall built into Windows as Windows Firewall, or in Windows 10 Windows Defender Firewall, and there are many third-party options available as well. This should be on by default, and it should stay on and keep monitoring for these unauthorized traffic flows.
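The block below is an added example, not from the video, of the two halves of what is described above: putting Windows Defender Firewall into the posture where unknown outbound traffic is actually blocked and logged, and reading that log to see which destinations a machine keeps trying to reach. The program path is a hypothetical line-of-business client; the log lines are constructed for the example and are not a real capture.

```powershell
# Added example (not from the original video). Assumes Windows 10, an
# elevated session, and a hypothetical program C:\Program Files\Contoso\lob.exe.

# (a) Configuration. Windows allows all outbound traffic by default; setting
#     the default outbound action to Block is what makes the firewall stop
#     software from calling home, so every legitimate program then needs an
#     allow rule. Blocked packets are written to the firewall log.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

New-NetFirewallRule -DisplayName 'LOB client outbound HTTPS' -Direction Outbound `
    -Program 'C:\Program Files\Contoso\lob.exe' -Protocol TCP -RemotePort 443 -Action Allow

# (b) Detection. The log's documented field order is:
#     date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#     tcpsyn tcpack tcpwin icmptype icmpcode info path
#     where path is SEND (outbound) or RECEIVE (inbound). Blocked outbound
#     connections, grouped by destination, are what reveal a beacon.
function Get-BlockedOutbound {
    param([string[]]$Lines)
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{
                    Time    = $f[0] + ' ' + $f[1]
                    Proto   = $f[3]
                    Src     = $f[4]
                    Dst     = $f[5]
                    DstPort = [int]$f[7]
                }
            }
        } |
        Group-Object Dst, DstPort |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Destination'; e = { $_.Name } },
                      @{ n = 'First'; e = { $_.Group[0].Time } },
                      @{ n = 'Last';  e = { $_.Group[-1].Time } }
}

# Constructed sample log (not a real capture): one host retrying the same
# remote port every 30 seconds is the classic beacon pattern.
$sample = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-03-01 09:15:02 DROP TCP 10.0.0.25 203.0.113.7 51234 4444 52 S 3456789 0 8192 - - - SEND
2020-03-01 09:15:32 DROP TCP 10.0.0.25 203.0.113.7 51235 4444 52 S 3456790 0 8192 - - - SEND
2020-03-01 09:16:02 DROP TCP 10.0.0.25 203.0.113.7 51236 4444 52 S 3456791 0 8192 - - - SEND
2020-03-01 09:16:10 ALLOW TCP 10.0.0.25 93.184.216.34 51237 443 - - - - - - - - SEND
2020-03-01 09:16:11 DROP TCP 198.51.100.9 10.0.0.25 40000 445 52 S 1 0 8192 - - - RECEIVE
'@ -split "`r?`n"

Get-BlockedOutbound -Lines $sample
# On a real system:
# Get-BlockedOutbound -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

The log does not record which process sent the packet, so once a suspicious destination shows up, pair the timestamps with `Get-NetTCPConnection -RemoteAddress <dst>` on a live system, or with process-creation auditing, to name the executable before writing a block rule for it.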
Another useful tool for blocking malware is a secure DNS service that is specifically designed to watch for anyone who may be visiting a known malware site. This provides blocking for someone who inadvertently tries to visit a known bad website: if a browser or any other software on your system tries to resolve the IP address of a known bad site, the name comes back as unresolvable and your system never opens a connection to it.
The database behind the secure DNS service is constantly updated, and as new malware sites and parked domains become known, those domains and websites are blocked as well. The provider also runs the resolvers on a hardened platform, which prevents somebody from gaining access to the DNS server directly and poisoning its records. One caveat: the protection only applies to lookups that actually go to that resolver, so a client that is pointed elsewhere, or malware that carries its own resolver address, bypasses it unless the workstation’s firewall restricts DNS traffic to the approved servers.
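This added example (not from the video) configures a workstation for the filtering resolver described above, pins DNS traffic to it so malware cannot side-step it with its own resolver, and checks that a blocked name really is refused. The resolver addresses are placeholders from the TEST-NET range and the test name is a placeholder; substitute the provider’s published addresses and a domain from its block list.

```powershell
# Added example (not from the original video). Placeholders: the resolver
# addresses (TEST-NET) and the hypothetical blocked name malware-test.example.
$resolvers = @('192.0.2.53', '192.0.2.54')
$adapter   = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name

# 1. Send every lookup from this machine to the filtering resolver only.
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $resolvers
Clear-DnsClientCache

# 2. Pin port 53 to the approved servers. Malware that embeds its own
#    resolver address otherwise bypasses the filter entirely. These allow
#    rules only constrain anything when the profile's default outbound
#    action is Block (see the software firewall section).
New-NetFirewallRule -DisplayName 'DNS to filtering resolvers only (UDP)' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $resolvers -Action Allow
New-NetFirewallRule -DisplayName 'DNS to filtering resolvers only (TCP)' -Direction Outbound `
    -Protocol TCP -RemotePort 53 -RemoteAddress $resolvers -Action Allow

# 3. Verify. A filtered name should fail (NXDOMAIN) or return the provider's
#    sinkhole address; either way the browser never reaches the real host.
#    -DnsOnly skips the local cache and hosts file so the resolver's answer
#    is what gets tested.
function Test-DnsFilter {
    param([string]$Name, [string]$Server)
    try {
        $records = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -in 'A', 'AAAA' }
        if (-not $records) { return "${Name}: no address records (filtered)" }
        return "${Name} -> $($records.IPAddress -join ', ')"
    } catch {
        return "${Name}: $($_.Exception.Message)"   # typically "DNS name does not exist"
    }
}

Test-DnsFilter -Name 'malware-test.example' -Server $resolvers[0]   # expected: refused
Test-DnsFilter -Name 'www.example.com'      -Server $resolvers[0]   # expected: resolves normally
```

Two things the check will not see: a browser with its own DNS-over-HTTPS resolver enabled sends lookups over port 443 to a different server, bypassing both the adapter setting and the port-53 rules, so it must be disabled or pointed at the same filtering provider; and on an untrusted network, plain UDP answers from the resolver can still be spoofed on the path, which encrypted transport to the provider closes where it is offered.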