Removing Malware – CompTIA A+ 220-1202 – 2.6

There are times when removing malware may be the best option available. In this video, you’ll learn about identifying malware, quarantining systems, remediating the malware, and other malware removal options.


In this video, we’re going to describe a series of steps that will allow you to remove malware from a system. In the vast majority of cases, this will not be the process you use to actually remove malware. That’s because, even after going through the steps in this video, it is possible for malware to still be on that system. You’re never going to be 100% sure that you removed all of the malware from that computer.

The way that most organizations address a malware infection is to delete everything on that system, and then reimage or replace it with known good software. So if the best practice is to completely delete everything on a system and start over, why are we discussing the process of removing malware and keeping everything intact?

That’s because you will occasionally run into a system that doesn’t boot properly, but you still need the important documents that may be stored on that hard drive. If you were to delete everything on that system, you would also be deleting those files.

So this removal process should take you through the steps that will get your system running just well enough for you to remove those important documents. Once you’ve been able to recover those documents, it probably then would be a best practice to delete everything on that system and restore from a known good image.

The first step is to recognize the symptoms that could indicate that malware has been installed on your computer. Sometimes this is very obvious, such as a message that says "Operation did not complete successfully because the file contains a virus or potentially unwanted software." Or a message may come from Windows Security that says "Threats found. Microsoft Defender Antivirus found some threats. Click to get more details."

But often, it’s not quite this obvious. It might be something as simple as the system is taking a bit longer to boot, or perhaps it’s running a bit more sluggish than it normally does. Or perhaps, you’re getting a message in an application that is an unusual error message, but doesn’t directly tie back to any type of malware. All of these could be symptoms of malware, so it’s always a good idea to perform some additional research and find out more about what could be causing this problem on your computer.

If you do believe that malware has infected a system, it's time to take some action. Step two is to quarantine the infected system away from any other devices on your network. Malware can find its way across the network, so you should disconnect the network connections, or disable those network links, as soon as possible.

It’s also very easy to move malware between systems using a USB drive or some other type of removable media. And at this point, many people believe that they should back up the system to be able to restore information later. But if this system really is infected with malware, you don’t want to back up that malware, just to restore it later.

Another useful function of Windows is the system restore capability. This allows you to move your system configuration back to a previous date and time, and if you’re trying to remove malware from a system, you would think that would be an easy fix. You simply change your system to the same configurations you had last week, and that should get rid of the malware.

But the malware authors have already anticipated that. When they infect your system, they will also infect your restore points. You can still go back in time to a previous restore point, but you'll effectively be restoring the malware to your system.

If you’re in a corporate environment, you may find that the system restore capability has already been disabled. But if you’re using Windows at home, or you have a computer where system protection is enabled, you’ll want to disable that capability. When you disable system restore, it completely deletes all of your previous restore points. And if any malware is in those restore points, it will also be deleted. This will be a temporary configuration, and later on in the malware removal steps, we’ll discuss when we would want to re-enable system restore.

Now, we need to fix the malware issue that we have. One of the things we can do is to remove any files that we have clearly identified as malicious. Some malware can be identified by an anti-malware scanner. You click a button to remove those files, and the malware has been removed from your computer.

If the malware was identified in a real-time scan, then those files were probably already moved from their original location to a special quarantine location on your system drive. This keeps the files available for administrators to perform additional research, but it doesn't allow the user access to those infected files.

But if you’ve ever done any type of malware removal, you know that it very often isn’t as simple as deleting a single file and rebooting. Very often, malware embeds itself within many different points inside the operating system, making it extremely difficult to completely remove.

In many cases, you will use anti-virus, or anti-malware software, to identify and then remove the malware from the system. In order for your anti-virus software to identify the malware, it needs to have the latest set of signatures. You also want to make sure that you’re running the latest anti-virus engine, so that it’s up to date with the latest version of software.

Once you’ve updated both your engine and updated the signatures, you can begin the process of removing this malware. Often, this is an automatic process. You simply tell the anti-malware software to run a scan of your system. And if it finds anything, it will remove it from your computer.

On most systems, these updates are performed automatically, so you may find that the anti-virus engine and all of the signatures are already up to date. But you might find, on some systems, that the anti-virus updates have been set to manual. Very commonly, anti-virus signatures are updated multiple times a day, so setting a system to a manual update is almost pointless, considering all of the changes that occur on a daily basis.

And if your system is infected with malware, you may find that attempting to update the signatures or update the anti-virus engine will fail, because the malware is blocking your system from performing those updates. It may require you to manually download these files on a separate system, put them on a USB drive, boot the system into a recovery mode, and manually copy the files and updates.
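The quarantine and remediation steps above, collected into an added example that is not from the video: it takes the host off the network, disables System Restore, records the Defender engine and signature versions, tries the normal signature update and falls back to a package carried in on removable media, then runs a full scan and lists the detections. It assumes Microsoft Defender, an elevated Windows PowerShell 5.1 session, and the `D:\mpam-fe.exe` path and log file name, which are placeholders.

```powershell
# Added example (not from the video): quarantine and remediation on a Windows host
# with Microsoft Defender. Run from an elevated Windows PowerShell 5.1 session.
$OfflineUpdate = 'D:\mpam-fe.exe'   # assumed: signature package copied in via USB
$Log           = "$env:SystemDrive\malware-remediation.log"   # assumed log path

function Write-Log($Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $Log -Append
}

# Step 2: quarantine. Take the host off the network before doing anything else.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Write-Log "Disabling adapter $($_.Name)"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# Turn off System Restore so infected restore points are not carried forward,
# then check how many restore points are still present.
Disable-ComputerRestore -Drive "$env:SystemDrive\"
$left = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
Write-Log "Restore points remaining after disabling System Restore: $left"

# Step 3: record engine and signature versions so you can prove the update happened.
$before = Get-MpComputerStatus
Write-Log "Engine $($before.AMEngineVersion), signatures $($before.AntivirusSignatureVersion) (updated $($before.AntivirusSignatureLastUpdated))"

# With the network disabled (or malware blocking updates) the online path fails,
# so fall back to the package that was downloaded on a clean system.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    Write-Log "Online update failed ($($_.Exception.Message)); applying offline package"
    if (Test-Path $OfflineUpdate) { Start-Process -FilePath $OfflineUpdate -Wait }
    else { Write-Log "Offline package not found at $OfflineUpdate" }
}
$after = Get-MpComputerStatus
if ($after.AntivirusSignatureVersion -eq $before.AntivirusSignatureVersion) {
    Write-Log "WARNING: signature version unchanged; results of the scan below are suspect"
} else {
    Write-Log "Signatures now $($after.AntivirusSignatureVersion)"
}

# Full scan, then list what Defender found and whether its action succeeded.
Start-MpScan -ScanType FullScan
Get-MpThreatDetection |
    Select-Object DetectionID, InitialDetectionTime, ActionSuccess,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize | Tee-Object -FilePath $Log -Append
```

The log it writes is what you would keep alongside the recovered documents, since the video's advice is to reimage the system once those documents are off the drive.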

If the malware is affecting the boot-up process of your computer, you might be able to boot into a less capable mode known as safe mode. This will load a barebones operating system that allows you to at least get to the Windows desktop and be able to change files or delete information from your drive.

On rare occasions, this might also prevent the malware from running, which might give you some additional options during the recovery process. And if this malware has created a problem on your system, you might not even be able to boot into safe mode. In that case, you might want to take advantage of the Windows pre-installation environment, or WinPE.

This is the environment used for the Windows Recovery Console, where you can boot your system to a command prompt and then change the file system from there. You can also create your own Windows pre-installation environment using the Windows Assessment and Deployment Kit, or ADK. And if the pre-installation environment is not able to find your Windows installation, then you might have to repair boot records or modify additional information in the operating system.

At this point, you should be able to boot the system, gain access to the file system, and transfer over any important documents. Once that is done, it's time to delete everything and start over from the beginning. We often refer to this as a re-image process, or a reinstall process.

Most organizations will have separate images for the hardware that they use, and so they can delete everything, apply the image to that system, and in a matter of minutes, have that computer back up and running. This not only installs the Windows operating system, but all of the appropriate drivers, files, applications, and anything else needed for that company. This is also one of the reasons that we often redirect folders, or require individuals to save their documents to a network drive. This way, you can delete everything on a local computer and not have to worry that you’re deleting important documents.

Now, we’re back up and running, and we’re virus free. Now we need to set configuration options, so that this problem doesn’t occur again. It’s always a good idea to check if your anti-virus software is running in a real time mode, so it’s scanning everything going through your system in real time. But it’s also a good idea to perform periodic scans. This will check for any files that may have been added, or files that you aren’t directly accessing through the real time scanner.

Some anti-virus software has a built-in scheduler for configuring updates to the engine and to the signatures. But if your anti-virus software doesn't support that feature, you might need to add a task in Task Scheduler to ensure that you're always getting the latest signatures installed onto your computer.

And of course, it’s always a good idea to check to see if your operating system update process is also configured. In Windows, you’ll want to check Windows Update and make sure that it’s also configured to download and install any new patches.

I mentioned earlier that we had to delete all of our restore points because all of them were most likely infected with malware. Now that we’ve completely deleted everything on our system, restored from a known good image, we can make sure that our system restore is enabled again. You’ll want to check the system properties under the system protection tab, and make sure that the restore settings are set to turn on system protection.

And since we’ve just turned system restore back on, you might want to click the button to create a restore point right now for the drives that have system protection turned on. This will ensure that you’ve got a good configuration that you could move back to, if you ever need to go back in time with your system config.
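The post-reimage configuration steps (real-time protection, periodic scans, a Task Scheduler job for signature updates, a Windows Update check, re-enabling System Restore and taking a fresh restore point) as an added example that is not from the video. It assumes Microsoft Defender, an elevated Windows PowerShell 5.1 session, and the task name, scan time and restore-point description, which are made-up values.

```powershell
# Added example (not from the video): harden a freshly reimaged Windows host.
# Assumes Microsoft Defender and an elevated Windows PowerShell 5.1 session.
$Drive    = "$env:SystemDrive\"
$TaskName = 'Defender-Signature-Update'   # assumed task name

# Real-time protection on, plus a daily full scan for files the real-time
# scanner never touched (2:00 is an assumed time).
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleTime 02:00 -ScanParameters FullScan

# Task Scheduler job that pulls new signatures every 4 hours as SYSTEM, for
# products (or policies) without a usable built-in update scheduler.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -NonInteractive -Command "Update-MpSignature"'
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).Date.AddHours(6) `
                 -RepetitionInterval (New-TimeSpan -Hours 4) `
                 -RepetitionDuration ([TimeSpan]::MaxValue)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Windows Update: warn if a policy has switched automatic updates off, and make
# sure the update service is not disabled.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
          -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { Write-Warning 'Automatic updates are disabled by policy' }
if ((Get-Service wuauserv).StartType -eq 'Disabled') { Set-Service wuauserv -StartupType Manual }

# System Restore back on, with a clean baseline restore point for the protected drive.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description 'Clean baseline after reimage' -RestorePointType MODIFY_SETTINGS
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description | Format-Table -AutoSize

# Final check of the things the video says to verify before handing the system back.
$status = Get-MpComputerStatus
[PSCustomObject]@{
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureAgeDays     = $status.AntivirusSignatureAge
    FullScanAgeDays      = $status.FullScanAge
    SignatureUpdateTask  = (Get-ScheduledTask -TaskName $TaskName).State
    RestorePoints        = @(Get-ComputerRestorePoint).Count
} | Format-List
```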

Sometimes malware can get onto our systems without any type of user intervention. But often, it’s the users that run the software that infects their systems to begin with. And there are some best practices your users should know about what to click, when to click it, and how to notify when they think that something may have gone wrong.

You might want to have one on one training with that individual and talk to them about IT security and how they can keep this system protected going forward. You might also want to have a broader campaign, where you might use posters and signs. You might post these right outside the elevator, so that when it opens up, everybody can see those posters on the wall. Or it might be a message board posting in the break room. So if you have a board in the break room that has information and announcements, this might also be a good place to talk about anti-virus and anti-malware best practices.

Since everyone also has to visit the login page, this is another good place to put a message of the day. Sometimes this is information about systems that might be unavailable during different time frames, or it might include a tip or trick on how to keep your system safe. And almost every organization has an intranet page. This is a perfect place to keep all of your documentation, information on who to contact, and details about anti-virus and anti-malware best practices.