The Basics of Manual Malware Identification and Removal

Discussion in 'other anti-malware software' started by Minimalist, May 15, 2018.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://blog.emsisoft.com/en/31002/basics-manual-malware-identification-removal/
     
  2. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    That article is somewhat misleading. Note at the bottom it clearly says,
    Note too with Windows 8 and Windows 10, Windows Defender is enabled by default right from the start (in fact, early on) of the installation process. So the article asking about your machine getting infected before you install security programs really makes no sense.

    If you are installing W7 and you start surfing the Internet recklessly, being click-happy everywhere you go before you bother to fully upgrade Windows and install your security, then you are foolishly careless and are just asking for trouble.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Any AM solution can miss a malware sample, so knowing some manual cleaning procedures doesn't hurt.
     
  4. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    I agree. But as you noted in your quote, that article is about getting infected BEFORE you install an AM solution. And again, it states it is for demonstration purposes only.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, you're right. If you get infected after you install an AM solution, this article is not valid. :rolleyes:
    [/sarcasm]
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    the ordinary Emsisoft spam from your mails...
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Hey Guys! I really think you are being much too hard on Emsisoft. Personally I found the article to be an excellent starting point for those that want to ensure their system is actually clean. Common knowledge is that if one uses whatever primary AV and then does a scan with any number of 2nd opinion scanners and no infections are found the system must be clean.

    However this is frequently far from the case! As an example, consider WMI Ghost. One can come across this guy in a number of ways (either through an emailed Doc, carried on the back of an exploit kit, or just by it being piggybacked onto another application). As I hope all know, it is child's play to make an existing malware file a true zero day file (ask my cat) and so bypass any traditional security solution. A pre-existing infection can also pose issues when changing the primary solution from product A to Product B. So assume an infection- how will any 2nd opinion scanner assist us?

    In the case of WMI Ghost, not very well (Big Hint to Emsisoft). Very few 2nd opinion scanners will either pick up the forked process or acknowledge the presence of the persistence mechanism in the WMI database. AutoRuns, however, does indeed detect the persistence entry (Fun Fact- the autoruns clone in Comodo Cleaning Essential will ignore it) and highlights it with a Red Entry. It can then be seen and dealt with.

    So, let's assume that the User has Avast as a Primary, and Malwarebytes as a 2nd opinion scanner. That user would be blissfully unaware that something like scrcons.exe is connecting out to God Knows Where doing God Knows What. However using Autoruns and a bit of manual work would resolve this issue, which was the true point of this article.

    Anyway, my compliments to Elise for this article. The only downside to it is that I didn't write it myself.

    (ps- An outbound alerting Firewall would have also alerted the User that something was amiss. Sadly WF would not. So for all those who think WF is enough, please slap yourselves on my behalf).
     
    Last edited: May 15, 2018
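    A defender's check for the WMI persistence the post above describes, added here as an example (it is not from the Emsisoft article or from any poster): it lists every permanent WMI event subscription and flags the consumer types that execute script (hosted by scrcons.exe) or a command line. Assumes Windows PowerShell 5.1 in an elevated session; the function name Get-WmiPersistence is mine.

```powershell
# Added example: enumerate permanent WMI event subscriptions, the persistence
# mechanism that scanners often miss but Autoruns shows under "WMI".
# Assumes Windows PowerShell 5.1 (Get-WmiObject) run as Administrator.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    # A binding ties an __EventFilter (WQL trigger) to an __EventConsumer (action).
    $bindings = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter/Consumer hold WMI object paths; [wmi] resolves them to objects.
        $filter   = [wmi]$b.Filter
        $consumer = [wmi]$b.Consumer
        $kind     = $consumer.__CLASS

        # Only two consumer classes run attacker-supplied code:
        #   ActiveScriptEventConsumer  -> VBScript/JScript executed by scrcons.exe
        #   CommandLineEventConsumer   -> arbitrary process launched by WMI
        # A default install normally has one benign NTEventLogEventConsumer
        # binding (SCM Event Log), which is not flagged.
        $payload = switch ($kind) {
            'ActiveScriptEventConsumer' {
                if ($consumer.ScriptText) { $consumer.ScriptText }
                else { "file: $($consumer.ScriptFilename)" }
            }
            'CommandLineEventConsumer' { $consumer.CommandLineTemplate }
            default                    { '(non-executing consumer)' }
        }
        $review = $kind -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'

        [pscustomobject]@{
            Filter   = $filter.Name
            Trigger  = $filter.Query       # WQL, e.g. a timer or process-start event
            Consumer = $consumer.Name
            Type     = $kind
            Payload  = $payload
            Review   = $review             # $true = executes code, inspect by hand
        }
    }
}

# Show everything, executing consumers first, so a stray entry stands out.
Get-WmiPersistence | Sort-Object -Property Review -Descending | Format-List
```

Entries with Review set to $true are the ones to read line by line; a benign filter bound to a script or command consumer is rare on a home machine, and Autoruns' WMI tab shows the same bindings if you prefer a GUI.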
  8. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    But that is not the stated premise for the article. The stated premise is (my bold added), "what do you do if your machine gets infected before you’re able to install security programs?" That's why I say it is misleading.

    You are defending the article using an example that the user has already installed Avast and Malwarebytes! You use another example where the user is already receiving email!

    Therefore, you missed the whole stated point of the article!

    Yeah right. Maybe back in XP days before SP2 was released. You need to slap yourself back into reality.

    Does the article provide some good information? Yes. But does it also mislead readers? You just proved it did.

    I agree with Brummelchen. While it may not be spam, per se, it is marketing.
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    @cruelsister no doubt about the article, but if I want to read Emsisoft news I can enter the list. I also could post any other news from other vendors' mails here, thus I would bother most people here. Posting more or less unwanted content like this I would define as spam.
    And yes, I had left the Emsisoft newsletter because it is another form of spam - bla bla bla, try <our product> to find out
    a description of Emsisoft's unilateral view of malware to sell its software at least. But again - no doubt about their software, I used some of it until they decided to abandon it (years ago). Pity they bought a great firewall to abandon it. I am one of those who won't forget about this and other vendors who bought and abandoned.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Bill- Looks like we saw the article from different viewpoints (reminds me of English Lit- "And what is the theme of Hermann Hesse in Magister Ludi? Oh God KMN).

    What I read was that one should neither assume that previous security product installations were effective, nor would a new installation of a different security product necessarily guarantee a clean system even after initial scan (and thus my example). So the point for me was that one should hone manual skills before trusting anything.

    But that's just my take (ps- I got an A on the Hesse paper).
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    "Many moons ago" AV products were really not that good at detecting malware on the front-end as is the case today. They therefore became quite proficient on backend detection and cleaning methods. Symantec of old was one of the best at cleaning malware. Over the years, the emphasis has shifted from post-infection to pre-infection. As such, manual detection and cleaning methods and discussion are much needed since many of the current generation are clueless in this area.
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Could not agree more!
     
  13. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    Gee whiz! Do you read into everything you read what YOU want it to say? :rolleyes:

    How can you read that when the author clearly said, in plain black and white print (and I quote - adding my underline bold again - so there are no accusations that my own biases are affecting what I "see" and "read"),
    IF the focus of that article was supposed to be about post-infection malware removal AFTER "previous security product installations", then that is what the article should have said it was for. But it didn't. Therefore it was misleading.

    And many moons ago, there were 100s of forums like this that were dedicated to malware removal. Many of those forums have gone away or vastly scaled back those services. Why? Because specialized services are not nearly as much in demand any more. Anti-malware products are much more effective, as are common, easy to use malware removal programs. And operating systems are much less vulnerable, and much more quickly patched too. This is exactly why bad guys have been concentrating less and less on Windows based home systems and concentrating more and more on organizational/corporate servers.

    There's a reason the focus has shifted to pre-infection - it works! If a system gets infected that means there was a failure in the pre-infection stage and that most likely was caused by the user failing to "practice safe computing". That is, they failed to keep their system updated and/or they participated in risky behavior.
     
  14. guest

    guest Guest

    @Bill_Bright don't ignore Bioskits/bootkits, I mentioned them earlier, seems you overlooked it...

    https://www.welivesecurity.com/2017/10/19/malware-firmware-exploit-sense-security/

    then the Emsisoft article isn't misleading, guess you learned something today.
     
    Last edited by a moderator: May 18, 2018
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Comments like this really sadden me as it puts the blame for any system infection on the poor User while at the same time making the assumption that those that provide Services are perfect. To show the fallacy of this argument consider:

    1). Remember Ccleaner? The developer, Piriform, through shoddy internal protection had both their Credential Signing codes as well as their FTP credential stolen. This allowed Blackhats to both maliciously recode their product AND upload it to their website. Could the User have had any reasonable expectation that they were actually downloading and installing malware? To be fair, this was a targeted attack and the Home user had nothing to be concerned about, although everyone Freaked Out.

    2). My personal favorite is another targeted attack- this of Forbes.com. One of the MANY times crappy protection by Forbes led to this totally legitimate website being hacked, in 2015 an APT group from a certain LARGE Asian country broke into Forbes and replaced the "Thought of the Day" section with a malicious script. Although once again targeted (for those connecting from an IP known to be from a Defense Contractor, etc), all a person had to do was to open the main Forbes.com page to be infected (this attack was based on a couple of previously unknown zero-day vulnerabilities).

    (Fun Fact- the above are examples of "Watering Hole" attacks- only specific people and/or those from specific places would be prone to the final malware vector).

    Point being, no matter if one practices "Safe Surfing" or not, if nasty things like Blackhats (or my Cat) want to Get you, you will be Got. And the fault is not yours...
     
  16. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    It IS sad!!!! I agree 100%. That's why we need more articles on preventing infections in the first place! We (as advisers) need to be teaching users about and how to spot socially engineered methods of malware distribution - by far, the most prolific and successful method used by the bad guys.

    But the fact remains, malware infections, including bootkits (which are extremely rare and not cleaned by the steps in that article!!!) are always the result of user failure. The exception might be when a hard drive is intentionally infected before it even leaves the factory or computer maker - but those events are even more rare these days. Now I admit it may not be the end-user in those extreme cases, but someone failed to do their job.

    Nope, not from you for sure. And since that article does NOT address bioskits, rootkits or bootkits or even mention the BIOS or UEFI, I guess you learned something today - that article is misleading.

    The continuing use of the CCleaner example is, once again, not applicable here because you cannot install CCleaner without having an OS installed. And for the record, the problem was not caused by Piriform but by Avast, their parent company, and a security company that should have known better. :( Also, according to reports, it only affected 32-bit systems and was caught before any damage.
    Yes, if a professional wants to get you personally and is specifically targeting you, you are hosed. Are you really suggesting that extremely rare exception/example is the intent of that article?

    Exceptions don't make the rule. That is why using rare exceptions to prove a point is really pointless.
     
  17. guest

    guest Guest

    Indeed, it is about ALL malware, and as far as I know, bioskits are still malware, and some examples given in the article are exactly what bioskits do.

    Anyway, your "disliking" of Emsisoft is clearly visible, which is out of the scope of the thread, which talks about malware removal, not misleading vendors.
     
  18. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    Nowhere did I, or have I ever said I dislike Emsisoft.

    But worse, nowhere did I say anything about a "vendor" being misleading. I said no less than 5 times that the "article" is misleading. What is clear is you are like cruelsister and you read into what others say what YOU want to see, not what they actually said.

    But even worse yet is you making up falsehoods about what other posters on this forum said. That is really sad. Your true colors just came through. :thumbd:

    I'm done here.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The best disinfection method is backup images if at all possible. If you can switch your network from a primary system to a secondary system while restoring an image to prevent downtime then I would take that route if it's supported. Remediation is usually easy for servers run in a VM. It just depends on the Network, and Database design. Antivirus disinfection is not nearly as important as prevention, and detection.
     
  20. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    That's a great "recovery" option but I would not necessarily call it the best disinfection method. The problem with image (or any, for that matter) backups is if the system is already compromised when the backup is made (whether the payload has deployed or not), you may restore the malware or infected file back to the drive too.
    Exactly.
     
  21. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    +1 :)

    OK, this thread moves away from its original topic - not too bad. I read a line where someone of you wrote that today's people are not aware of what is malware or not. A/V can help to flag it and the user can learn what and why it was blocked. Educational purpose. Therefore it is important from my view to give a detailed message about the type of malware. PUP/PUM is nice, a general "trojan" or "virus" alert is pointless, because it doesn't differentiate download tools/online installers and real trojans, although the behavior is similar.

    Concerning the newsmail again - news doesn't activate itself, it was ordered. Users spending time on such news are investigating and I would say they would be fast on a level where antivirus is getting futile, maybe only running as a second opinion. They improved. But the mass doesn't care. That's the reason why people using AdwCleaner the first time are impressed about the amount of findings.

    My last newsmail from Emsisoft arrived in 2016. It was again the attempt to scare common people with the "evil" web.
     
  22. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    The best made malware today is so cleverly disguised that even the best white-hat security experts cannot immediately spot it. What's important is to always remain suspicious. Don't be "click-happy" just because a link looks like it came from a friendly source.
     
  23. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Bill- Before reading, please understand that I mean neither disrespect nor do I want to start any argument. But please consider the following (The first being that the User was just a victim of circumstance, the second which is infection that is not the result of user error, and the third malware that only AutoRuns could give a clue about- except for Outbound Firewalls, but no one ever listens to me...):

    1). A few years ago I was called away on an Emergency Breach Post Mortem (SEP being bypassed by a Scriptor- who would guess?). When I got to where I had to go to I found that I left my lipstick at home (not that I actually NEED lipstick). I went to Sally Beauty and bought some using my AXP card. A month after the purchase I heard that Sally Beauty was breached; 6 months after that I had a charge for a one way First Class ticket from Beijing to Toronto, certainly not made by me.

    Was this my fault?

    2). When I was at Paris Station a large French Automaker's website was breached. Anyone who went there and clicked on further information on their most popular model got the info they sought as well as a malicious surprise.

    Was this the User's fault?

    3). Ophelia (my cat) recently coded malware that as a true zero-day was invisible to all AVs, but the vector was obvious to Autoruns.

    In this case, do you still feel that the article in question is without use (in spite of your reservations about the title)?

    It's not that the web is evil, it's that many websites are either clueless as to security or just don't care.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Do you lend your cat out for coding assignments?:D
     
  25. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Yes, but one must wait until she finishes her probation (and I hope you have oodles and oodles of 10 year old Cheddar- from Wisconsin, of course).
     