2.4 Given a scenario, detect, remove, and prevent malware using appropriate tools and methods. Flashcards

1
Q
  • Ransomware
A

Ransomware is a malicious program that blocks access to the system or its data until a ransom is paid. It typically arrives by visiting an infected or compromised website, downloading a malicious file, or opening a malicious email attachment or hyperlink.

A pop-up may inform the user of the block and give instructions on what to do next; the message may be dressed up to look like it comes from a police or law enforcement agency.

Newer variants modify the MBR (locking the boot process) and/or encrypt the contents of the drive (crypto-ransomware). To regain access, a sum must be paid through the specified anonymous channel, and the victim must hope that an unlock or decryption key is actually delivered. Encrypting a whole disk takes time, so isolate the machine as soon as ransomware is suspected: take it off the network first so it cannot reach shares and other hosts, and power it off if files are clearly being encrypted. This limits how much gets encrypted. Be aware that powering off also discards volatile memory, which an incident responder may want to capture first, so network isolation comes before the power button unless encryption is actively in progress.

2
Q
  • Trojan

(Symptoms: a system infected by a Trojan shows poor performance, increased or bogged-down network and/or server load, and generally unpredictable behavior accompanied by new or deleted files, which often leads to system failure)

A

Trojans are malware disguised as, or bundled into, legitimate files and programs; unlike viruses and worms they do not self-replicate and rely on the user to run them. Be careful with what has been downloaded and scan it before it is opened or installed.

This is particularly important when dealing with email attachments.

Trojans can delete files, compromise system information, and even grant the perpetrator remote access to and control of the machine (a remote access Trojan, or RAT).

3
Q
  • Rootkit
A

Rootkits are a particularly sinister malware variant. A rootkit infects a computer and grants its owner privileged (administrator or even kernel-level) access to the target PC without the user's knowledge or consent. The defense against rootkits is to always keep the protection software up-to-date and to apply any and all security patches to the OS.

Rootkits are usually well hidden and undetectable by conventional means: because they subvert the operating system's own functions, an antivirus running on the infected OS may be shown a clean view of files, processes, and registry keys. Rootkit detection packages exist, but a rootkit embedded in system files (or below the OS, in the boot sector or firmware) can be impossible to detect from inside the running system. Scanning from trusted boot media is the reliable check, which makes prevention the primary defense.

Only download software from trusted sources and be cautious of emails from unknown senders.

4
Q
  • Virus

(Symptoms: a virus reveals its presence on a system through increased network activity, sluggish system performance, or possibly by tricking the unsuspecting user with a false warning)

A

A virus attaches itself to a host file or program and delivers its malicious payload when that host runs; it replicates by copying itself into other files and onto connected devices.

Viruses spread over a network or through shared writable media such as USB drives.

Always write-protect a USB thumb drive (using the hardware switch where one exists) before inserting it into a suspect system so the drive itself does not become infected, and scan removable media before opening anything on it.

5
Q
  • Botnet
A

A network of computers that have been compromised by Trojan, rootkit, or worm malware and turned into "zombies" controlled by a "bot herder" through a command-and-control channel. The herder directs the infected machines towards a single purpose such as DDoS attacks, spam, or malware distribution.

From the victim's side, a bot shows up as unexplained outbound network activity, so unfamiliar persistent connections are the thing to look for.

6
Q
  • Worm
A

Worms attack connected devices and other network hosts by exploiting vulnerabilities in the operating system or network services, and unlike viruses and Trojans they need no user action to spread. The traffic a worm generates as it scans for and infects new hosts consumes network bandwidth and can overload network servers.

The primary purpose of a worm is to replicate itself to every possible node on a given network. On suspicion of a worm infection, disconnect the computer from the network and/or the Internet immediately to stop it from spreading further.

Running the antivirus program after booting to a repair disk or into Safe Mode will help. To prevent this type of attack, keep the OS and applications patched (closing the vulnerabilities worms exploit), keep the protection signatures up-to-date, and avoid opening odd email attachments.
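The isolation step named for both ransomware and worms ("disconnect from the network") is worth pairing with a quick look at what the host is talking to before the cable is pulled. The script below is an added example, not part of the flashcards: it groups established TCP connections by owning process so a single process fanning out to many remote hosts (worm scanning, bot check-ins) stands out, saves that snapshot to removable media, and then disables the network adapters. The drive letter `E:` and the `$MaxOutbound` threshold are assumptions.

```powershell
# Added example (not from the flashcards): first-response triage for a host
# suspected of worm or ransomware activity. Run in an elevated PowerShell
# session at the console of the affected machine. The report drive letter and
# the $MaxOutbound threshold are assumptions; adjust them for the environment.

# 1. Snapshot what is talking to the network before the evidence disappears.
#    Established TCP connections grouped by owning process make an unusual
#    fan-out (one process, many remote hosts) easy to spot.
function Get-OutboundFanOut {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        Group-Object OwningProcess |
        ForEach-Object {
            $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID         = $_.Name
                Process     = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path        = if ($proc) { $proc.Path } else { $null }
                RemoteHosts = ($_.Group.RemoteAddress | Sort-Object -Unique).Count
                RemotePorts = ($_.Group.RemotePort   | Sort-Object -Unique) -join ','
            }
        } | Sort-Object RemoteHosts -Descending
}

# 2. Save the snapshot to removable media (assumed drive letter) so it survives
#    a later power-off or reimage.
$ReportPath = 'E:\triage\{0}-connections-{1:yyyyMMdd-HHmmss}.csv' -f $env:COMPUTERNAME, (Get-Date)
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$fanOut = Get-OutboundFanOut
$fanOut | Export-Csv -Path $ReportPath -NoTypeInformation
$fanOut | Format-Table -AutoSize

# 3. Isolate. Disabling every adapter is the Windows equivalent of pulling the
#    cable; do this from the console, not over RDP, or you cut off your own
#    session. The machine stays powered on so memory can still be captured.
$MaxOutbound = 20   # assumed threshold for "one process talking to many hosts"
if ($fanOut | Where-Object { $_.RemoteHosts -gt $MaxOutbound }) {
    Write-Warning 'Suspicious fan-out detected; isolating host from the network.'
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}
```

The threshold is only a prompt for a human decision; a legitimate browser or update agent can also hold many connections, which is why the process path is recorded alongside the count.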

7
Q
  • Spyware/Keylogger

A

Spyware is software installed on a device without the consent of the user that collects user data and sends it to a third party. A keylogger is the form that monitors and records keystrokes; spyware more broadly captures browsing information including login data, credit card numbers, and passwords or PINs.

Confidential information can easily be compromised, so adequate defenses are important. Built into Windows is Windows Defender (Microsoft Defender Antivirus), offering real-time protection and background AV scanning; keep it enabled, keep its definitions current, and check that no other program has silently switched it off.

8
Q

• Tools and methods

A

The objective groups the tools and methods covered on the remaining cards: antivirus and anti-malware software (with the seven-step removal procedure), the Windows Recovery Environment (Windows RE, which replaced the legacy Recovery Console), backup and restore, end user education, software firewalls, and secure DNS.

Prevention (OS and application patches, current signatures, software only from trusted sources) comes first. Detection and removal rely on scanning from trusted media or in Safe Mode so the malware is not running while the system is examined; Windows RE provides the Command Prompt, System Restore, System Image Recovery, and Startup Settings needed for that.

9
Q
  • Antivirus
A

The best way to repair an infected machine is to boot from an antivirus repair disk or USB drive.

Booting from the repair media lets the scanner examine the disk thoroughly before any system files or malware programs have a chance to launch, which matters because active malware (rootkits in particular) can hide from a scanner running on the infected OS.

If no boot media is available, the fallback is to scan in Safe Mode with the primary AV solution: press Win+R, run msconfig, enable Safe boot on the Boot tab (or choose Startup Settings from Advanced startup), reboot, and run a full scan.

10
Q
  • Anti-malware
A

Follow the seven-step malware removal procedure (mnemonic IQDRSEE):

1. Identify and research the malware symptoms.
2. Quarantine the infected system (disconnect it from the network).
3. Disable System Restore so an infected restore point cannot be reapplied.
4. Remediate: update the anti-malware software and scan, using Safe Mode or a pre-installation environment if needed.
5. Schedule scans and run updates.
6. Enable System Restore and create a new restore point.
7. Educate the end user.

Check the startup programs and services (Win+R > msconfig, or the Task Manager Startup tab and services.msc) for unfamiliar entries. Browser caches and Temp folders are common hiding spots for dropped files, so ensure these locations get scanned.

If a scan is going to be performed, do a full scan as opposed to a quick one; a quick scan covers only the usual locations and will miss files elsewhere on the disk.
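The Antivirus and Anti-malware cards above describe the removal procedure in words; this is an added example, not code from the flashcards or from CompTIA, showing the same steps as a script built on the Microsoft Defender Antivirus and System Restore cmdlets that ship with Windows 10/11. The cache paths in `$HidingSpots`, the scan schedule, and the system drive are assumptions. Step 2 (quarantine) is a network action and step 7 (educate) is a conversation, so neither appears as a cmdlet.

```powershell
# Added example (not from the flashcards): the seven-step removal procedure
# (Identify, Quarantine, Disable System Restore, Remediate, Schedule scans,
# Enable System Restore, Educate) expressed with the built-in Defender and
# System Restore cmdlets. Run elevated on the already-quarantined host.
# Paths in $HidingSpots, the schedule, and the drive letter are assumptions.

# Step 1: Identify. Pull what Defender has already seen, plus the classic
# persistence and hiding spots (startup entries, services, temp and browser caches).
function Get-InfectionIndicators {
    $startup  = Get-CimInstance Win32_StartupCommand |
                Select-Object Name, Command, Location, User
    $services = Get-CimInstance Win32_Service |
                Where-Object { $_.PathName -notmatch '^"?C:\\Windows\\' } |
                Select-Object Name, State, StartMode, PathName
    $threats  = Get-MpThreatDetection |
                Select-Object DetectionID, InitialDetectionTime, Resources
    $HidingSpots = @(
        "$env:TEMP",
        "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",
        "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache"   # assumed browser path
    )
    $recent = $HidingSpots | Where-Object { Test-Path $_ } | ForEach-Object {
        Get-ChildItem $_ -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.ps1', '.vbs', '.js', '.scr' }
    }
    [pscustomobject]@{
        Startup             = $startup
        NonWindowsServices  = $services
        DefenderDetections  = $threats
        ExecutablesInCaches = $recent
    }
}

# Step 2: Quarantine is a physical/network action (unplug or disable adapters).

# Steps 3-6: Remediate with current signatures and a full scan, then restore
# the protections that were switched off. A restore point taken while infected
# could re-introduce the malware, which is why System Restore is disabled first.
function Invoke-MalwareRemediation {
    param([string]$SystemDrive = 'C:\')

    Disable-ComputerRestore -Drive $SystemDrive                         # Step 3
    Update-MpSignature                                                   # Step 4: definitions first
    Start-MpScan -ScanType FullScan                                      # full, not quick
    # For rootkits or malware that resists removal, scan before Windows loads
    # instead. This reboots the machine into Microsoft Defender Offline:
    #   Start-MpWDOScan

    # Step 5: keep scanning on a schedule (assumed: full scan, Mondays at 02:00,
    # definitions refreshed daily at 01:00).
    Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Monday -ScanScheduleTime 02:00:00
    Set-MpPreference -SignatureScheduleDay Everyday -SignatureScheduleTime 01:00:00

    Enable-ComputerRestore -Drive $SystemDrive                          # Step 6
    Checkpoint-Computer -Description 'Post-malware-removal clean state' `
                        -RestorePointType MODIFY_SETTINGS

    # What remains: anything still IsActive needs manual follow-up.
    Get-MpThreat | Select-Object ThreatName, IsActive, DidThreatExecute
}

# Step 7 (Educate) is a conversation with the user, not a cmdlet.
Get-InfectionIndicators | Format-List
Invoke-MalwareRemediation
```

The service filter simply surfaces anything not launched from `C:\Windows`; legitimate third-party services will appear too, so the list is for review rather than automatic removal.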

11
Q

(Legacy Recovery console)

Windows RE

A

Windows RE replaced the Recovery Console and provides additional features to repair the system.

For systems with startup problems, the Advanced startup menu provides these options. The legacy F8 boot menu is disabled by default on Windows 8 and later, so Advanced startup is normally reached from within Windows, or is offered automatically after repeated failed boots.

From the OS: Settings > Update & Security > Recovery, then Restart now under Advanced startup (or hold Shift while clicking Restart). From there you can access the Command Prompt, restore from a restore point (System Restore), System Image Recovery, and Startup settings (which includes Safe Mode).
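For reference, an added example (not from the flashcards) of reaching the same Windows RE and Safe Mode options from an elevated PowerShell prompt on a running Windows 10/11 system. `reagentc`, `bcdedit`, and `shutdown` are the standard Windows tools; the function names are my own.

```powershell
# Added example (not from the flashcards): reaching Windows RE and Safe Mode
# from a running Windows 10/11 system, where the legacy F8 menu is off by
# default. Run elevated. Function names are my own; the commands are standard.

# Confirm that the recovery environment is installed and enabled; a disabled
# WinRE means the "Advanced startup" options will not be offered.
reagentc /info

# Option A: reboot straight into the Advanced startup menu (Troubleshoot >
# Advanced options: Command Prompt, System Restore, System Image Recovery,
# Startup Settings). Same as Settings > Update & Security > Recovery >
# Restart now, or holding Shift while clicking Restart.
#   shutdown /r /o /t 0

# Option B: bring back the F8 Advanced Boot Options menu at boot time.
#   bcdedit /set '{default}' bootmenupolicy legacy
# (revert with: bcdedit /set '{default}' bootmenupolicy standard)

# Option C: force the next boot into Safe Mode so the AV scan runs without
# third-party startup items or services loaded. This is the scripted
# equivalent of msconfig > Boot > Safe boot. Clear it afterwards or the
# machine keeps booting into Safe Mode.
function Enter-SafeModeOnNextBoot {
    param([ValidateSet('minimal', 'network')][string]$Mode = 'minimal')
    # 'minimal' loads only core drivers; 'network' adds networking, which is
    # needed if signatures must be downloaded before the scan.
    bcdedit /set '{current}' safeboot $Mode
    Write-Host "Next boot will be Safe Mode ($Mode). Run Exit-SafeMode when done."
}

function Exit-SafeMode {
    bcdedit /deletevalue '{current}' safeboot
}

Enter-SafeModeOnNextBoot -Mode minimal
# ...reboot, scan, then from the Safe Mode session:
# Exit-SafeMode
```

The braces in `{default}` and `{current}` must be quoted in PowerShell, otherwise the shell parses them as a script block rather than passing them to `bcdedit`.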

12
Q
  • Backup/restore
A

In addition to File History, Windows 10 retains the Windows 7 Backup and Restore utility, which allows file backups and full system images to be stored on another disk or on the network.

The backups can be restored to their original locations, and a system image can be restored from Windows RE (System Image Recovery). This utility can also create a system repair disc. Keep at least one copy where the infected machine cannot reach it: a backup on an attached disk or a writable network share can be encrypted or deleted by ransomware along with everything else.
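The Backup and Restore (Windows 7) utility is driven by the same engine exposed on the command line as `wbadmin`. The script below is an added example, not from the flashcards, that creates a bootable system image and refuses to write it onto the drive being protected. The target drive letter `E:` is an assumption.

```powershell
# Added example (not from the flashcards): creating a system image with the
# built-in Windows Backup engine (wbadmin, the same engine behind "Backup and
# Restore (Windows 7)") and checking that it lands somewhere ransomware on this
# host cannot reach. Run elevated. The target drive letter is an assumption.

function New-SystemImageBackup {
    param([string]$Target = 'E:')   # assumed: an external disk used only for backups

    # Refuse to back up onto the volume being protected: an image stored on the
    # same disk is encrypted or deleted along with everything else.
    $sysDrive = $env:SystemDrive
    if ($Target.TrimEnd('\') -eq $sysDrive.TrimEnd('\')) {
        throw "Backup target $Target is the system drive; use a separate disk."
    }
    if (-not (Test-Path "$Target\")) {
        throw "Backup target $Target is not present. Attach the backup disk first."
    }

    # -allCritical includes every volume needed to boot (EFI / System Reserved
    # plus the system volume), so the image supports a bare-metal restore.
    wbadmin start backup "-backupTarget:$Target" "-include:$sysDrive" -allCritical -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

    # List the versions now on the target; the newest version identifier is
    # what you pass to 'wbadmin start sysrecovery' or pick in System Image
    # Recovery from Windows RE.
    wbadmin get versions "-backupTarget:$Target"
}

New-SystemImageBackup -Target 'E:'
# Afterwards, disconnect the backup disk. A backup that stays plugged in is
# reachable by the next infection; an offline copy is what makes a restore
# possible after ransomware.
```

Quoting the `-backupTarget:` and `-include:` arguments as strings makes sure PowerShell expands the variables before handing them to `wbadmin`.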

13
Q
  • End user education
A

The end user is considered the weakest link in any protection plan: most of the malware in this objective arrives because someone opened an attachment, followed a link, or installed software from an untrusted source.

Always take time to explain the cause of any problem you have resolved and how to avoid repeating it. This is the final step of the malware removal procedure.

14
Q
  • Software firewalls
A

Windows Defender Firewall keeps separate profiles for Domain, Private, and Public networks and notifies you when a program first tries to accept inbound traffic on one of them.

For portable devices, the Public settings deserve the most scrutiny, since that is the profile applied on untrusted networks. You can block incoming (or outgoing) traffic entirely or allow only specific apps or features through.

The advanced settings (Windows Defender Firewall with Advanced Security) provide precise control over firewall activity, allowing you to define each inbound and outbound rule by program, port, protocol, and the profiles it applies to.
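The settings described above are also exposed through the NetSecurity PowerShell cmdlets, which manage the same rules the Advanced settings console shows. The following is an added example, not from the flashcards: it locks down the Public profile, scopes an allowance to Private only, blocks a suspect program outbound, and lists the inbound allowances that still apply on Public. The Remote Desktop rule and the program path are assumptions.

```powershell
# Added example (not from the flashcards): hardening the Public profile of
# Windows Defender Firewall with the NetSecurity cmdlets, which expose the same
# rules as the "Advanced settings" console. Run elevated. The program path and
# rule names are assumptions.

# Public is what a laptop lands on at a coffee shop or airport: block all
# unsolicited inbound traffic, ignore per-app allowances granted on other
# networks, and log what gets dropped so a worm's scanning shows up in the log.
Set-NetFirewallProfile -Profile Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowInboundRules False `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# Allow a specific feature in only where it is needed (Private), not on Public.
New-NetFirewallRule -DisplayName 'Allow Remote Desktop (Private only)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Profile Private -Action Allow

# Outbound rules are how you stop a suspected Trojan or bot from phoning home
# while it is investigated, without taking the whole host off the network.
New-NetFirewallRule -DisplayName 'Block suspect updater (assumed path)' `
    -Direction Outbound -Program 'C:\Users\Public\updater.exe' `
    -Action Block -Profile Any

# Review: every enabled inbound Allow rule that applies on Public is a hole
# worth being able to explain.
function Get-PublicInboundAllows {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Select-Object DisplayName, Profile, Group
}
Get-PublicInboundAllows | Format-Table -AutoSize
```

With `-AllowInboundRules False`, inbound allow rules are ignored entirely on Public even if they still exist, which is the stricter of the two ways to close them off.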

15
Q
  • SecureDNS
A

Secure DNS (a filtering resolver that refuses lookups for known phishing and malware domains, optionally with the queries encrypted over DNS over HTTPS or TLS) is useful in combating phishing attacks, because the lookup for a malicious link fails before the browser ever connects. It only protects queries that actually reach that resolver, so the service is most effective when the IP configuration uses the DNS settings the provider recommends rather than whatever DHCP or the ISP assigns; check the client's DNS server addresses after enabling it.
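As an added example (not from the flashcards), here is how that configuration and the follow-up check look on a Windows client using the DnsClient cmdlets. The adapter name, the resolver addresses, and the DoH template are assumptions; use whichever filtering provider you have chosen and the template it documents. `Add-DnsClientDohServerAddress` and `Get-DnsClientDohServerAddress` exist on Windows 11 and Windows Server 2022; on Windows 10 only the plain resolver change applies.

```powershell
# Added example (not from the flashcards): pointing a Windows client at a
# filtering resolver and, on Windows 11 / Server 2022, enabling DNS over HTTPS
# for it. Run elevated. Adapter name, resolver addresses and DoH template are
# assumptions; substitute your provider's documented values.

$Adapter     = 'Ethernet'                                    # assumed adapter name
$Resolvers   = @('9.9.9.9', '149.112.112.112')                # assumed filtering resolver
$DohTemplate = 'https://dns.quad9.net/dns-query'             # assumed provider template

# 1. Replace whatever DHCP/the ISP handed out. Until this is done the secure
#    resolver is not consulted at all, which is the usual reason it "does nothing".
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $Resolvers

# 2. Register a DoH template for each resolver so queries are encrypted and
#    cannot be tampered with on the local network. -AllowFallbackToUdp $false
#    keeps a hostile network from downgrading the client to plaintext.
foreach ($ip in $Resolvers) {
    Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $DohTemplate `
        -AllowFallbackToUdp $false -AutoUpgrade $true
}
Clear-DnsClientCache

# 3. Verify: the adapter must list only the secure resolvers, a lookup must be
#    answered by one of them, and the DoH registrations must be in place.
function Test-SecureDnsConfig {
    $configured = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
    $leak = $configured | Where-Object { $_ -notin $Resolvers }
    if ($leak) { Write-Warning "Non-secure resolvers still configured: $($leak -join ', ')" }

    Resolve-DnsName -Name 'example.com' -Type A -Server $Resolvers[0] |
        Select-Object Name, IPAddress
    Get-DnsClientDohServerAddress |
        Select-Object ServerAddress, DohTemplate, AllowFallbackToUdp
}
Test-SecureDnsConfig
```

If the warning fires, a second adapter or a VPN client is still handing out its own resolvers, and phishing lookups through that path bypass the filter.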
