L17 - T17C - S8 – Malware Removal Tools and Methods


Description and Tags

- Recovery Mode - OS Reinstallation


8 Terms

1

The 3 Main Points in this section

  • Using Antivirus software to remediate a system

  • Using Recovery Mode & Manual Virus Removal

  • OS Reinstallation steps

2

Antivirus Software — Related Points

  • Main tool used to remediate a system

    • Though if the software has not detected the virus in the first place, you are likely to have to use a different suite

  • Make sure the antivirus software is fully updated before proceeding

    • May be difficult if the system is infected

    • May be necessary to remove the disk and scan it from a different system

  • If a file is infected, the antivirus software can be used to:

    • Remove the infection (cleaning)

    • Quarantine the file (the antivirus software blocks any attempt to open it)

    • Erase the file

3

True, e.g.

  • Can also choose to ignore a reported threat if it is a false positive, for instance.

True or False: You can configure the default action that software should attempt when it discovers malware as part of a scan

4
  • Advanced Malware

  • Manual

  • Infection by _____ might require _____ removal steps to:

    • Disable persistence mechanisms

    • Reconfigure the system to its secure baseline

5

Tools required for manual removal of malware

  • Use Task Manager to terminate suspicious processes.

  • Execute commands at a command prompt terminal, and/or manually remove registry items using regedit

  • Use msconfig to perform a safe boot or boot into Safe Mode,

    • Hopefully preventing any infected code from running at startup

  • Boot the computer using the product disc or recovery media

    • And use the Windows Preinstallation Environment (WinPE) to run commands from a clean command environment.

  • Remove the disk from the infected system, and scan it from another system,

    • Taking care not to allow cross-infection

6

False

  • Antivirus software may not be able to recover data from infected files

True or False: Antivirus software will not necessarily be able to recover data from infected files

7

True

  • This involves

    • Reformatting the disk,  

    • Reinstalling the OS and software  

      • (possibly from a system image snapshot backup), and  

    • Restoring data files  

      • From a (clean) backup 

True or False: If malware gains a persistent foothold on the computer, you might not be able to run antivirus software anyway and would have to perform a complete system restore

8

Steps for initiating a Complete System Restore — Malware has persistent foothold on computer

  • Reformatting the disk

  • Reinstalling the OS and software

    • (possibly from a system image snapshot backup)

  • Restoring data files

    • (from a clean backup)