© Andrew Bettany and Mike Halsey 2017

Andrew Bettany and Mike Halsey, Windows Virus and Malware Troubleshooting , 10.1007/978-1-4842-2607-0_5

5. External Malware and Virus Resources

Andrew Bettany (1) and Mike Halsey (2)

(1) Microsoft, York, North Yorkshire, UK

(2) Sheffield, South Yorkshire, UK

There are few experiences worse than your PC being infected by malware. Normal reactions to being struck with a virus include shock, panic, and fear. Depending on where your personal data, such as family photos, correspondence, and downloaded files, is located, your level of anxiety can become extreme.

Help is at hand, and there are many options available to you to protect and recover your machine from the grip of malware.

In this chapter, you will learn not to panic and to approach the cleanup task in a methodical and measured way that should help give you the best chance to make a full recovery.

Chapter Goal

How the reader can use the tools and utilities available from Windows and third parties that can help identify and remove malware from a PC.

  1. Malware Protection Center

  2. Microsoft Baseline Security Analyzer

  3. Windows Defender

  4. Third-Party Malware and Malware Removal Tools in Depth

  5. Windows Defender Advanced Threat Protection

Malware Protection Center

All current versions of Windows can access the security software offered by the Malware Protection Center at www.microsoft.com/en-us/security/portal/mmpc/default.aspx . Microsoft has curated a dedicated security portal for business and consumer Windows users. You should bookmark the web site and take some time to review the various tools and resources that are available and which could help restore your PC to good health following a malware attack.

Because the resources are maintained online, you can be assured that they are accessible and up to date, regardless of a malware infection on your device. On the Malware Protection Center, there are three key resource areas: Get updates, for security software; Get protected, to download security software; and Get Microsoft support, to explore support options, as shown in Figure 5-1.

Figure 5-1. Microsoft online Malware Protection Center

Get Updates for Security Software

Within the update section, Microsoft provides step-by-step guidance on how you can update your Microsoft anti-malware and anti-spyware software. There are useful links for obtaining the security software and on how to troubleshoot Windows Update if it stops working. Within the advanced troubleshooting area, there is also a guide showing you how to mitigate malware that prevents you from using Windows Update and a list of potential error codes that your security software can issue.

Topics covered in the resource pages that can help when Windows Update is unable to obtain the latest anti-malware signatures include

  • Freeing up space on your PC, to allow for updates to be saved

  • Updating your security software and running a full scan

  • Updating vulnerable software with the latest patches and service packs

  • Using the Microsoft Safety Scanner or Windows Defender Offline to clean malware from your device

  • Viewing the extensive encyclopedia for known malware and any special instructions on removal and cleanup

  • How to restore your PC from a backup

From the portal, you can download antivirus and anti-spyware updates for the following supported security applications:

  • Microsoft Security Essentials

  • Windows Defender in Windows 8.1 and Windows 10

  • Windows Defender in Windows 7 and Windows Vista

  • Microsoft Diagnostics and Recovery Toolset (DaRT)

  • Forefront Client Security

  • Forefront Server Security

  • Forefront Endpoint Protection

  • System Center 2012 Configuration Manager

  • System Center 2012 Endpoint Protection

  • Windows Intune

To check that you have the most up-to-date version of your anti-malware software, you should navigate to the help or settings menu and select About, which will provide the current versioning details, as shown in Figure 5-2, for Windows Defender.

Figure 5-2. Windows Defender version information

Download Security Software

When you click the Get protected link on the Malware Protection Center portal, you are provided with a matrix of options that relate to the security software that is available, including the following:

  • Microsoft Security Essentials

  • Windows Defender

  • Malicious Software Removal Tool

  • Safety Scanner

  • Windows Intune

  • Windows Defender Online

  • Microsoft Diagnostics and Recovery Toolset (DaRT)

  • System Center 2012 Endpoint Protection

Microsoft provides free client protection against malware and other threats by offering Windows Defender, which is built into Windows 8.1 and Windows 10. Support is still available for Windows 7 and Windows Vista through the Microsoft Security Essentials package. Both tools work in the same way to protect you from malware.

The current available client support against malware is summarized in Table 5-1.

Table 5-1. Microsoft Security Software

Client Operating System   Microsoft Security Essentials   Windows Defender
Windows XP*               N/A                             N/A
Windows Vista             Free**                          N/A
Windows 7                 Free**                          N/A
Windows 8.1               N/A                             Free, Built-in
Windows 10                N/A                             Free, Built-in

*Windows XP is no longer supported by Microsoft.
**You can download Microsoft Security Essentials from the Microsoft Security Essentials web site at https://support.microsoft.com/en-us/help/14210/security-essentials-download .

Both Microsoft Security Essentials and Windows Defender are free. Despite the price, they are very credible security solutions and fully supported by Microsoft. Table 5-2 compares the two solutions.

Table 5-2. Comparing Windows Defender and Microsoft Security Essentials

MSE = Microsoft Security Essentials (Windows Vista, Windows 7)
WD = Windows Defender (Windows 8, Windows RT, Windows 8.1, Windows RT 8.1, Windows 10)

Feature                                                                                MSE   WD
Real-time protection against spyware, viruses, rootkits, and other malicious software   X     X
Online system scanning and cleaning                                                     X     X
Dynamic signature service                                                               X     X
Offline system scanning and cleaning                                                    X     X
Enhanced protection against rootkits                                                          X

You will notice that Windows XP does not have a Microsoft-supported anti-malware solution. As of April 8, 2014, technical support for Windows XP stopped including updates that help protect Windows XP PCs against attack.

Get Microsoft Support

The final option on the Malware Protection Center portal allows you to seek specialist help from the various Microsoft support channels in relation to Windows security.

On the support page, you can search for help, drill down to a specific product, and locate product support. You can also submit questions to the community of Microsoft experts, by clicking the Ask the Community option.

Once on the community page, you can fine-tune the resources available by selecting the version of Windows, the category, such as virus and malware, and the type of solution, from the available Microsoft security solutions. Finally, select the type of help you require, such as scanning, detecting, and removing threats, and click Apply. An example of community search results relating to viruses and malware is shown in Figure 5-3.

Figure 5-3. Detailed help from Microsoft Community

One of the biggest hindrances to cleaning up after a malware attack is that most users are unaware of the help and support that Microsoft and other security vendors provide. This information has to be shared, so that the fear of malware, and any guilt, panic, and shame felt following an attack, can be alleviated.

If you want to keep up to date with the very latest security trends and methods to detect and thwart malware attacks, you should regularly download your preferred security vendor’s newsletter. For Microsoft, you can read the Microsoft Security Intelligence Report, shown in Figure 5-4, which is produced twice a year and is available from www.microsoft.com/security/sir/default.aspx .

Figure 5-4. Microsoft Security Intelligence Report

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) has been available for a number of years across many versions of Windows. The MBSA tool tries to identify security vulnerabilities on your system.

I have found that despite the MBSA being around for a very long time, only a few users are aware of this free tool. MBSA 2.3 is the current version, and it works with Windows 8.1 and previous versions of Windows. It can be downloaded from www.microsoft.com/en-gb/download/details.aspx?id=7558 .

After downloading the MBSA file (1.7MB), you should install it and then launch the analyzer. MBSA allows you to choose to scan a single machine, a range of IP addresses, or to review an existing security scan report.

If you check for security updates, which is recommended, MBSA must first download the latest security update information from Microsoft, which may take up to ten minutes. The tool will then automatically continue with the security scan, and the finished summary, shown in Figure 5-5, will be presented and can be saved or printed.

Figure 5-5. MBSA security report

The tool produces a user-friendly report that can be used to benchmark devices and confirm that your system is not missing patches and is free of common security misconfigurations. Most of the issues MBSA identifies relate to missing security patches; others relate to user accounts, such as weak or blank passwords. You should review the findings and implement the recommendations.

Note

You can find more information about MBSA at https://technet.microsoft.com/en-us/security/cc184924.aspx .

Windows Defender

Windows Defender was originally known as Microsoft AntiSpyware and was eventually included with Windows Vista and Windows 7.

Windows Defender offers every Windows user a perfectly good anti-malware package at an affordable price: free. If you have no loyalty to another third-party tool, save your money and stay with the official bundled anti-malware solution that is recommended and integrated into the operating system that it is trying to protect.

Windows Defender runs as a background process (MsMpEng.exe) and monitors your system continuously by default. You should, however, take the opportunity to check that it is running and that automatic updating is keeping the virus and spyware definitions up to date, as shown in Figure 5-6. Start Windows Defender by typing “defender” into the Search Windows box and selecting Windows Defender.

Figure 5-6. Windows Defender Home screen

Windows Defender should display a green bar with the title “PC status: Protected.” If it displays a red bar and “PC status: At risk,” it is likely that someone has turned off real-time protection, cloud-based protection, or that malware may have infected your PC. To restore the protected status, click the Turn On button on the Windows Defender Home tab or use the following steps:

  1. Open Settings

  2. Update & security

  3. Windows Defender

  4. Turn on Real-time protection

  5. Turn on Cloud-based protection

  6. Open Windows Defender and perform a Quick Scan
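The same health check and recovery steps can be scripted. The following PowerShell is an added example, not material from the book, and uses the Defender module that ships with Windows 8.1 and Windows 10 (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Update-MpSignature, Start-MpScan). It also prints the product, engine, and signature versions that the About dialog in Figure 5-2 shows. The three-day signature-age threshold is an assumed value, and the script must be run from an elevated prompt.

```powershell
# Added example (not from the book): check Windows Defender's health the way the
# Home screen does, and restore protection if anything is off.
function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are treated as stale (assumed threshold)
        [int]$MaxSignatureAgeDays = 3
    )

    $status = Get-MpComputerStatus

    # Version details, the same information the About dialog shows
    Write-Host ("Product version : {0}" -f $status.AMProductVersion)
    Write-Host ("Engine version  : {0}" -f $status.AMEngineVersion)
    Write-Host ("Signature ver.  : {0}" -f $status.AntivirusSignatureVersion)
    Write-Host ("Signatures from : {0}" -f $status.AntivirusSignatureLastUpdated)

    $problems = @()
    if (-not $status.AMServiceEnabled) {
        $problems += 'Antimalware service (MsMpEng.exe) is not running'
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $problems += 'Real-time protection is off'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $problems += "Signatures are $($status.AntivirusSignatureAge) days old"
    }
    # MAPSReporting 0 means cloud-based protection (MAPS) is disabled
    if ((Get-MpPreference).MAPSReporting -eq 0) {
        $problems += 'Cloud-based protection is off'
    }

    if ($problems.Count -eq 0) {
        Write-Host 'PC status: Protected' -ForegroundColor Green
        return $true
    }
    Write-Host 'PC status: At risk' -ForegroundColor Red
    $problems | ForEach-Object { Write-Host "  - $_" }
    return $false
}

# Mirrors steps 4 to 6 above: turn real-time and cloud protection back on,
# pull the latest definitions, then run a quick scan.
function Restore-DefenderProtection {
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -MAPSReporting Advanced
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
}

if (-not (Test-DefenderHealth)) {
    Restore-DefenderProtection
}
```

If Test-DefenderHealth keeps reporting real-time protection as off after Restore-DefenderProtection has run, treat that as a sign that something on the machine is switching it back off, and continue with the quarantine review and offline scan described later in this chapter rather than simply re-enabling it again.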

If Windows Defender finds malware or a potentially harmful or suspicious file, it will immediately move it to quarantine, where it is safe from you or from other malware accessing it.

To view any malware that has been detected, click the History tab within Windows Defender, select All detected items, and click View details. The detected files are listed in a table, as shown in Figure 5-7.

Figure 5-7. Malware detected by Windows Defender

If harmful files have been detected, maximize the Windows Defender window so that you can see the file name and location path of the malware. At the bottom of the detected file information is a Get more information about this item online link that will direct you to a page within the Microsoft Malware Protection Center that provides information, technical data, and removal advice relating to the item, as shown in Figure 5-8.

Figure 5-8. Detailed malware information

If the files that Windows Defender detects as malware are, in fact, safe, this is known as a false positive. You can use the Add an exclusion setting within the Windows Defender settings to stop monitoring specific items on your device: individual files, folders, file extensions, and processes, including .exe program files. Keep exclusions as narrow as possible, because anything excluded is no longer scanned.
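The History review and the exclusion handling above can also be done from PowerShell. This is an added example, not the book's own material; it relies on the Defender module cmdlets Get-MpThreatDetection, Get-MpThreat, Get-MpPreference, and Add-MpPreference, plus MpCmdRun.exe in the Windows Defender program folder, all of which ship with Windows 8.1 and Windows 10. The sample file path is an assumed placeholder, and an elevated prompt is required.

```powershell
# Added example (not from the book): review detections and handle a confirmed
# false positive with the narrowest possible exclusion.

# Equivalent of the History tab: every detection with its threat name resolved.
function Get-DefenderDetectionSummary {
    Get-MpThreatDetection | ForEach-Object {
        $det    = $_
        $threat = Get-MpThreat -ThreatID $det.ThreatID
        [pscustomobject]@{
            Detected  = $det.InitialDetectionTime
            Threat    = $threat.ThreatName
            Severity  = $threat.SeverityID
            Process   = $det.ProcessName
            Resources = ($det.Resources -join '; ')   # file paths, registry keys, processes involved
            Action    = $det.CleaningActionID         # numeric remediation code (quarantine, remove, ...)
        }
    } | Sort-Object Detected -Descending
}

# Every exclusion is a blind spot, so list what is already excluded before adding more.
function Get-DefenderExclusions {
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = $p.ExclusionPath
        Extensions = $p.ExclusionExtension
        Processes  = $p.ExclusionProcess
    }
}

# Exclude one confirmed false positive by its full path. A folder or an
# extension such as .exe would also hide any future real malware placed there.
function Add-DefenderFalsePositiveExclusion {
    param(
        [Parameter(Mandatory)]
        [string]$FilePath   # e.g. 'C:\Tools\inhouse-app.exe' (assumed placeholder)
    )

    if (Test-Path -LiteralPath $FilePath -PathType Container) {
        throw "Refusing to exclude the folder '$FilePath'; exclude the specific file instead."
    }

    Add-MpPreference -ExclusionPath $FilePath

    # Put the quarantined copy back now that it will no longer be re-detected.
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpcmd -Restore -FilePath $FilePath

    Get-DefenderExclusions
}

Get-DefenderDetectionSummary | Format-Table -AutoSize
Get-DefenderExclusions
```

Run Get-DefenderExclusions periodically even when you have not added anything yourself; an unexpected entry in the Paths or Processes list is worth investigating, because malware that has gained administrative rights can add exclusions just as easily as you can.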

Windows Defender is normally updated through Windows Update, which is enabled by default, and if this is disabled, Windows will provide you with a warning that your system is not protected.

It is worth mentioning that some users may never encounter malware, while for others, it may be a constant battle. Allowing Windows to maintain a continual watch over your system will certainly help to mitigate the ever-present threat of malware.

Third-Party Malware and Malware Removal Tools in Depth

Antivirus protection is absolutely necessary if your device is connected to the outside world, such as the Internet, e-mail system, or even external media such as CDs and USB drives.

You have already seen that there are many antivirus packages available. Some are free and others follow a monthly or annual subscription payment model.

Which should you choose? I recommend the built-in Microsoft anti-malware solutions that are discussed throughout this book, but there are others that you should consider.

I have chosen some third-party tools, shown in Table 5-3, based on their longevity and consistency in scoring well in antivirus scanning tests over the last few years.

Table 5-3. Selection of Third-Party Tools

AVG Antivirus FREE (http://free.avg.com)

This tool is free but includes an optional professional version available for a fee. AVG has long been considered one of the best free anti-malware packages for Windows 7 and later operating systems. Among its key features, it stops viruses, spyware, and other malware; warns against unsafe web links; blocks dangerous e-mail attachments; and scans quickly and quietly.

Norton Security (www.symantec.com)

Norton was an early pioneer in providing malware scanning for Windows, and it now offers a comprehensive suite of tools. Choose the most appropriate suite from an easy-to-view feature table. The entry-level product, Norton Antivirus Basic, includes the following features: defense against viruses, spyware, malware, phishing, software vulnerabilities, and other online threats, and safeguards to protect your identity and online transactions.

Trend Micro Antivirus+ Security (www.trendmicro.com)

A highly effective antivirus package. There is no free layer, but it contains many features, including protection against ransomware, the ability to block 250 million+ daily threats, and safeguards against e-mail scams.

Kaspersky Anti-Virus (http://usa.kaspersky.com)

Kaspersky is highly regarded by its loyal users, who post positive reviews. It covers the standard features for protecting your PC, including protection against viruses, spyware, and more, without performance degradation, together with easy, simple online controls.

In addition to these third-party tools, Microsoft maintains some additional tools to help you recover from a malware attack, such as a virus, rootkit, or ransomware.

These tools can be found in the Malware Protection Center, covered earlier in this chapter, and they are summarized in the following sections.

Malicious Software Removal Tool

This tool is an essential first action when you believe your device is infected, and your current anti-malware solution has been ineffective. You can download the standalone Malicious Software Removal Tool (MSRT) from the Malware Protection Center or directly, using the following URL: www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx .

After downloading the MSRT file (approx. 45MB), you install the application and allow the tool to scan your device. The tool is able to detect and remove the most prevalent malware and allows three levels of scans, as shown in Figure 5-9.

Figure 5-9. Scan options in the Malicious Software Removal Tool

Once started, the tool will scan your PC and attempt to remove any infected files it finds. The tool is fast, taking only a couple of minutes to complete, and provides you with a detailed report of the scan results.

The MSRT is updated monthly, on the second Tuesday of each month, and you should use the latest version available. The current version includes detection and removal support for well-known and prevalent malware, including Blaster, Sasser, and Mydoom.
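Because the MSRT is also delivered through Windows Update, most Windows PCs already have a copy at %windir%\System32\MRT.exe, and it can be run unattended. The following PowerShell is an added example, not the book's own material. The command-line switches it uses are the ones Microsoft documents for the tool in KB890830 (/Q quiet, /N detect only, /F force a full scan, /F:Y full scan and clean automatically), and the tool appends its report to %windir%\debug\mrt.log. Run it from an elevated prompt.

```powershell
# Added example (not from the book): run the installed Malicious Software Removal
# Tool quietly, detect-only by default, and show the tail of its log.
function Invoke-MsrtScan {
    [CmdletBinding()]
    param(
        [switch]$Clean,        # without this switch nothing is removed, so you can review first
        [int]$LogLines = 40    # how much of mrt.log to show (assumed default)
    )

    $mrt = Join-Path $env:windir 'System32\MRT.exe'
    if (-not (Test-Path -LiteralPath $mrt)) {
        throw 'MRT.exe not found; download the latest MSRT from the Malware Protection Center.'
    }

    # A new build is released on the second Tuesday of each month, so check the
    # version and file date before trusting the result.
    $file = Get-Item -LiteralPath $mrt
    Write-Host ("MSRT version {0}, file dated {1:d}" -f $file.VersionInfo.ProductVersion, $file.LastWriteTime)
    if ($file.LastWriteTime -lt (Get-Date).AddDays(-45)) {
        Write-Warning 'This copy of MRT.exe is more than 45 days old; run Windows Update first.'
    }

    # /Q suppresses the UI; /N reports only, /F:Y performs a full scan and cleans.
    $switches = if ($Clean) { @('/Q', '/F:Y') } else { @('/Q', '/N') }
    $proc = Start-Process -FilePath $mrt -ArgumentList $switches -Wait -PassThru

    $log = Join-Path $env:windir 'debug\mrt.log'
    if (Test-Path -LiteralPath $log) {
        Get-Content -LiteralPath $log -Tail $LogLines
    }
    return $proc.ExitCode
}

# Detect-only first; re-run with -Clean once the report has been reviewed.
Invoke-MsrtScan
```

The same four switches and the same quiet/detect-only approach apply to the Microsoft Safety Scanner (Msert.exe) described later in this chapter, which writes its report to %windir%\debug\msert.log.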

Windows Defender Offline

This tool is a powerful offline scanning tool you boot to from Windows 10, or via CD, DVD, or USB flash drive for other versions of Windows. It runs before your operating system boots and, therefore, provides a clean trusted environment in which to scan your system for malware, including rootkits.

As Windows Defender Offline is built into Windows 10, it requires no additional media in order to run, and it is extremely useful if your device has a rootkit or if your PC is already infected and the malware prevents you from scanning or removing it by using your installed anti-malware software or the MSRT.

If you suspect your PC has malware, you can start a Windows Defender Offline scan from Windows Defender Settings, by following these steps:

  1. Log on to Windows 10 using administrative credentials

  2. Open Settings

  3. Select Update & security

  4. Select Windows Defender

  5. Click Scan Offline

Once you click Scan Offline, the Windows Defender Offline tool will log you out from Windows, restart the PC, boot to the Windows Defender Offline console, and automatically perform a quick scan of your PC, as shown in Figure 5-10.

Figure 5-10. Windows Defender Offline Quick scan

Once complete, the tool will exit and reboot Windows. To view the Windows Defender Offline scan results, you should follow these steps:

  1. Log on to Windows 10 using administrative credentials

  2. Open Windows Defender

  3. Click the History tab

  4. Select the All detected items

  5. Click View Details

Any items detected by Windows Defender Offline will be listed as Offline in the Detection method column.
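On Windows 10 the two procedures above can also be driven from PowerShell, using the Start-MpWDOScan cmdlet from the Defender module to trigger the offline scan and Get-MpThreatDetection to review the results after the reboot. This is an added example, not the book's own material; the marker file used to remember when the scan was started is an assumed choice, and an elevated prompt is required.

```powershell
# Added example (not from the book): start a Windows Defender Offline scan and,
# after Windows comes back, list what it detected.

# Where we record the start time so the results can be filtered after the reboot
# (assumed location).
$MarkerFile = Join-Path $env:ProgramData 'wdo-scan-started.txt'

function Start-OfflineScan {
    # Save all work first: the PC logs you out and reboots immediately.
    (Get-Date).ToUniversalTime().ToString('o') | Set-Content -LiteralPath $MarkerFile
    Start-MpWDOScan
}

# Run this after the PC has rebooted back into Windows. It returns the detections
# recorded since the offline scan was started, which are the items the History tab
# lists with Detection method "Offline".
function Get-OfflineScanResults {
    if (-not (Test-Path -LiteralPath $MarkerFile)) {
        throw "No offline scan marker found at $MarkerFile; run Start-OfflineScan first."
    }
    $since = [datetime]::Parse((Get-Content -LiteralPath $MarkerFile)).ToLocalTime()

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Select-Object InitialDetectionTime, ThreatID, ProcessName,
                      @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
        Sort-Object InitialDetectionTime -Descending
}

# Usage: Start-OfflineScan, then after the reboot Get-OfflineScanResults | Format-Table -AutoSize
```

If Get-OfflineScanResults returns nothing but the PC still behaves suspiciously, follow up with a full scan from within Windows and with the MSRT, since Windows Defender Offline performs only a quick scan by default.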

If you are using Windows 7, you will have to download Windows Defender Offline and create a bootable CD, DVD, or USB flash drive and then manually restart your PC, using the Windows Defender Offline media.

You can download the Windows Defender Offline tool (mssstool32.exe or mssstool64.exe) directly from the Malware Protection Center or via the following URL: https://support.microsoft.com/en-us/help/17466/windows-defender-offline-help-protect-my-pc .

It is recommended that you only download the tool at the point you need it, because the tool is regularly maintained by Microsoft to contain the most up-to-date signature definitions.

Microsoft Safety Scanner

Microsoft Safety Scanner is another antivirus tool, a standalone virus and malware scanner that runs inside Windows. It was built for Windows 7 and later versions and has been replaced by the Malicious Software Removal Tool, although both tools are still available to download from the Malware Protection Center. A direct download is available via www.microsoft.com/security/scanner .

The downloaded file (Msert.exe) is quite large, being 140MB, and is an on-demand scanner that may be useful if your current antivirus solution has been disabled. Because of the volatile nature of malware, the Microsoft Safety Scanner is designed to run inside Windows and expires ten days following the download. Each time you download the tool, the most up-to-date anti-malware definitions are included.

When you run the downloaded anti-malware signature package, Microsoft Safety Scanner, as shown in Figure 5-11, behaves in a near-identical manner to the Malicious Software Removal Tool that we saw earlier, in that the scan is performed while Windows is running, and it will scan for and remove viruses, spyware, and other potentially unwanted programs (PUPs).

Figure 5-11. Microsoft Safety Scanner

Diagnostics and Recovery Toolset (DaRT)

The Microsoft Diagnostics and Recovery Toolset provides a rich set of tools to help you troubleshoot and repair system failures, including malware hunting, and is available in 11 different languages.

You can download the DaRT from the Malware Protection Center or directly via the following URL: https://technet.microsoft.com/en-us/windows/hh826071.aspx .

The DaRT tools have been available to enterprises for diagnosing an offline copy of Microsoft Windows since Microsoft acquired the ERD Commander tools from Winternals in 2006. The bootable recovery tools that are contained on the CD, DVD, or USB flash drive you create with DaRT have been extended over the years and now include many tools, as listed in Table 5-4.

Table 5-4. DaRT Tools

DaRT Tool            Description
Registry editor      Edits Windows Registry
Locksmith            Resets user account password
Crash Analyzer       Analyzes crash dumps
File Restore         Restores deleted files
Disk Commander       Repairs volumes, master boot records, and partitions
Disk Wipe            Irrecoverably erases data from hard disk
Computer Management  Provides computer management
Explorer             File manager
Solution Wizard      A guidance tool that helps the user choose the proper repair tool
TCP/IP Config        Displays and modifies TCP/IP configuration
Hotfix Uninstall     Uninstalls Windows hotfixes
SFC Scan             System File Checker—replaces corrupted or deleted system files by copying them from the Windows installation source
Search               Searches a disk for files
Windows Defender*    An antivirus that scans a system for malware, rootkits, and potentially unwanted software

*Not available in DaRT 10

One of the main uses for DaRT is the Defender tool, shown in Figure 5-12 with its other tools, which allows you to hunt for malware while Windows is offline. This tool is now included directly in Windows 10 and is not available in DaRT 10.

Figure 5-12. DaRT 8.1 tools

The DaRT 10 toolset is the current version and should be used for Windows 10, whereas earlier versions of DaRT (DaRT 7, DaRT 8, and DaRT 8.1, together with their service packs) should be used for prior versions of Windows.

Even for older devices, it is now recommended that the Microsoft Diagnostics and Recovery Toolset (DaRT) Defender tool not be used, because the DaRT tools are infrequently updated. Users are advised to use the Windows Defender Offline (WDO) protection image for malware detection and removal instead.

DaRT 10 is a part of the Microsoft Desktop Optimization Pack (MDOP), and the MDOP is only available to enterprises that own a current Microsoft Software Assurance license. If you believe you have Microsoft Software Assurance or want to find more information about acquiring MDOP, visit the site at https://go.microsoft.com/fwlink/?LinkId=322049 .

Windows Defender Advanced Threat Protection

A new entrant to the established lineup of anti-malware solutions is the Windows Defender Advanced Threat Protection (ATP) detection service, which was released in March 2016. While this product ships natively with Windows 10, it requires an enterprise license in order for its benefits to be derived.

Aimed specifically at enterprise customers that need to be protected against targeted and advanced malware attacks, ATP uses the latest security machine-learning analytics, which are powered by the scale-out cloud abilities offered by Microsoft Azure. Windows Defender ATP can capture, analyze, and detect suspicious attack-related activities on your networks. These activities are analyzed from captured behavioral signals emitted at the endpoint.

Microsoft has shared the scale at which Windows Defender ATP can leverage the intelligent security graph that is aggregated from multiple sources. This graph is informed by anonymous information connecting 1 billion Windows devices, 2.5 trillion indexed Internet pages, 600 million web page reputation lookups online, and more than 1 million suspicious files that are infected every day.

A sample NEODYMIUM attack, from May 2016, delivered via spear-phishing e-mails carrying malicious documents, contained zero-day exploit code that could cause a Microsoft Office file to generate and open an executable file. This attack is detected by Windows Defender ATP, as shown in Figure 5-13.

Figure 5-13. Windows Defender ATP showing an alert for an exploit

Windows Defender ATP is still a very new development, but it is clear to see that Microsoft has decided to move the detection and analysis of malware to the cloud, in order to reduce the time that any new potentially harmful malware is left undetected and, therefore, able to infect Windows 10 devices. Windows Defender ATP works in conjunction with the built-in Windows Defender agent to perform capabilities such as device local file scanning.

You can currently download a trial of Windows Defender ATP to be used on any of the following editions of Windows 10: Windows 10 Enterprise, Windows 10 Education, Windows 10 Pro, and Windows 10 Pro Education.

Enterprises should contact their Windows solution provider to discuss the pricing for the Microsoft Secure Productive Enterprise E3/E5 license required to deploy the product. You can sign up for a trial and gain more information via www.microsoft.com/en-us/WindowsForBusiness/windows-atp .

Summary

If you are using a modern version of Microsoft Windows, such as 7, 8.1, or 10, you are better protected from malware than with previous versions of Windows. This protection comes with some caveats, which include using the default Windows Defender and user account control settings and being vigilant when using e-mail and the Web, especially if any Torrent or Dark Web downloads are on your machine.

To ultimately protect your personal files from malware, you should consider storing a backup of your files, separate from your computer. I recommend a physically separate backup. The cloud is a great convenience to us, but it offers little protection against a ransomware attack, which can spread within minutes to every file you have access to.

Sometimes malware-killer applications and virus cleaners won’t work. Maybe your system is too badly infected or has multiple instances of malware. Thankfully, with Windows 10, the process of resetting your PC is very simple and efficient and can be a very quick and simple way to rid a device of malware.

The final piece of the jigsaw following eradication of malware is to learn from the experience. Review how the attack occurred, where the vulnerability existed, and how you can reduce the likelihood of a repeat attack.

If malware does strike, and you cannot clean your machine using the tools highlighted in this chapter, you may have to resort to manually cleaning the infection. This will be covered in the next chapter and will require you to roll up your sleeves and go malware hunting!
