Removing Malware (CompTIA Objective 3.3) Flashcards
How can you go about identifying malware symptoms on your computer?
Step 1. Identify malware. Check for any odd messages, such as application failures or security alert windows popping up that claim to be anti-virus software, tell you that you are infected, and say the only way to clean it is to click here, etc.
- Check for any system performance issues, such as slow boot, slow applications, etc.
- Research the malware so you know what you're dealing with, and check which applications are running on your system to confirm they are legitimate and not malware.
After identifying malware on your system, what is the next step you should take to remove it?
- Step 2. Quarantine the infected system and disconnect it from the network (keep it contained).
- Isolate all removable media, such as USB drives. Everything should be contained.
- Prevent the spread. Don't transfer files and don't try to back up (that ship has sailed).
After quarantining the malware-infected system, what should your next step be to remove the malware?
- Step 3. Disable System Restore (restore points make it easy to rewind, but malware also infects these restore points).
- This is done by disabling System Protection (there is no reason to save an infected config).
- Disabling System Protection/Restore deletes all other restore points and removes all infection locations outside of the current one.
After disabling System Restore, what is the next step to remove malware?
- Step 4a. Remediate: update anti-virus and remove.
- Both the signatures and the engine will need to be updated.
- The engine is the guts of the software, and signature updates have a very short shelf life before they need to be updated again.
- Most anti-virus/anti-malware software updates automatically in the background, but it can be updated manually as well, although that is probably pointless considering how often the signatures are updated.
- It's important to note that the malware itself may prevent you from updating your anti-virus/anti-malware software, so you may need to copy the update files from another computer to a removable drive and then connect that drive to the infected computer in order to update it. After this is done, it is very important not to take that removable drive to another computer, as this can infect it as well.
After updating your anti-malware/anti-virus software's engine and signatures, what would be your next step in remediating the malware?
- Step 4b. Remediate: scan and remove malware.
- Popular anti-virus apps include Microsoft, Symantec, McAfee and Bitdefender.
- There are third-party applications that focus specifically on malware removal, such as Malwarebytes.
- There are also stand-alone removal apps available; check with your anti-virus company.
- Even after taking all of these steps, there's really no way to know if the malware is truly gone. So, to be sure, you may want to delete and rebuild, or restore from a known good backup.
Some malware may prevent your operating system from booting into the normal desktop. If this happens, how can you fix it?
Step 4b. Remediate: scan and remove
- Boot into Safe Mode. This loads the bare minimum operating system, just enough to get the OS running, and can also prevent the bad stuff from running.
- Another option is to boot from removable media using a Windows Pre-installation Environment (WinPE), the Recovery Console, or a bootable CD/DVD/USB. This lets you boot a bare-bones version of the operating system and then run the tools you need to remove the malware. You can build your own WinPE media from the Windows Assessment and Deployment Kit (ADK). This will also allow you to repair the boot records and boot sectors.
After the remediation process has removed the malware, what would be your next step in the malware removal process?
Step 5. Schedule scans and run updates
- This is built into the anti-virus software via automated signature updates and scans.
- If your anti-virus software doesn't have a way to update automatically, you can use Task Scheduler, which allows you to run any task on a schedule.
- Make sure the system is set up to run Windows operating system updates; make sure this is enabled and working, and that the system is up to date with the latest updates in place.
After you have scheduled scans and confirmed the OS is up to date, what would be your next step in malware removal?
- Step 6. Enable System Protection/Restore.
- Now that you're clean, put things back as they were.
- Create a restore point (start populating again). This can be done after enabling System Protection by installing an application, which automatically creates a restore point, or you can manually create a restore point in the System Properties window by clicking the "Create" button.
What is the final step in the malware removal process?
Step 7. Educate the end user.
- Provide one-on-one personal training on how to identify malware and what to do if it's suspected that the system is infected.
- Put up high-visibility posters and signs informing workers of the signs and symptoms of malware and what to do and not to do to prevent it.
- You could also use a message board to convey these types of messages.
- Or you could provide a login message that warns users of malware signs and symptoms and what to do and not to do to prevent it (these can become invisible over time, so it is a good idea to switch them up often).
- Another good resource for educating the end user is to post something on the company's intranet page, where everyone in the organization has access to this information and it is always available.