The Basics of Manual Malware Identification and Removal

Discussion in 'other anti-malware software' started by Minimalist, May 15, 2018.

  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Exactly! From what I've been told it is frequently possible to bypass many Security Solutions with malware (like knives through soft butter, not that I would personally know, of course). So it is without doubt useful to have knowledge of some fast and easy checks on the efficacy of the currently used Security product.
     
  2. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Which is why Comodo firewall is on my laptop. It's been on my computers for years.
     
  3. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    You did not read the word "before"? Do you interpret the word "before" as "may be after"?
    No it is not! That's just silly.

    A Stop sign means "stop" - a complete stop! In spite of what some drivers think, that cannot be interpreted as "go".

    Same is true in "technical" writing too - which you would have learned if you had taken any courses beyond your high school (GCE 'O' level) English class, or if you had taken any entry-level technical writing courses. That's not meant as a personal criticism, just a practical fact.

    "Technical" papers by their very nature are not meant to be open to personal interpretations. They are meant to be technically accurate. If the author says a 1/4 inch hole is to be drilled 3.75 inches from the left edge and 4.0 inches down from the top edge, we don't get to interpret that as an 1/8 inch hole approximately 3 inches from the top and left edges.

    "Before" means "before" - as in "ahead of" or "previous to" the installation of security software. Not "may be after". :rolleyes: And that's whether in a technical paper, or a work of fiction.
     
  4. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    I used to think like you; I studied Elec Eng (BEng(Hons)) many, many years ago and spent many years in the tech sector. Then I did a qualitative PhD in a business subject. I had planned to do a quantitative study as I've done engineering maths and a bit of stats would be a breeze :), but I was so enamoured by the lecturers' views on bias and interpretation that I switched. It is always worth being reflexive and questioning your own bias, don't you think?

    I will try to interpret your understanding of the article. You are focusing on the first paragraph, which is completely negated by the second one in my opinion. The author could lose the first para completely and not detract from the message of using Autoruns and Process Explorer, which is what I would have done as I don't work for a security company. However, as they are a security company it would bring the customer to question the efficacy of their product (unless they slagged off competitor products in the article), and we all know that all security products are 100% as far as the security marketing guy/gal goes, so in the first para they talk about malware on a PC before it has any security installed. Whether there was security installed or not, the focus is on its removal, which, I believe, is what the author wants the reader to focus on. But this is my interpretation of the article, and what you are focusing on. You telling me and others we are wrong will not change our interpretation, because we are ignoring the first para and looking at the article in its entirety. Ask anybody to give you a sentence to sum up the article: removing malware using Autoruns and Process Explorer is my take.

    I notice your tone has changed. Suffice to say, never make assumptions about somebody on a forum. You never know what experience/education they have. I always assume that people on security forums are bright as it's such a turgid subject. I would be too frightened to be condescending, and I was always told by my mum to be civil as it costs me nothing.
     
  5. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    I like that!

    Fact is, with all the gazillion programs being offered here at Wilders, just pick a few that appeal to you. Avoid careless, stupid surfing, and you're good to go. And have a backup/recovery strategy.
    Acadia
     
  6. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    You can follow the link in my sig to see if I might have some experience with technical writing.

    :eek: :rolleyes: Because you are wrong! "Before" means "before", not "after" and not "may be after". Sticking your head in the sand does not change the facts.

    You choosing to ignore the author's first paragraph so you can rationalize your incorrect interpretation/definition of the word "before" is just silly. You imply you are a PhD candidate - that's great! But then you should know that writing papers involves creating an introduction, body and then summary/conclusion. And you would know the introduction is the first paragraph(s) and explains the main point of the paper.

    The author's first paragraph asks, "what do you do if your machine gets infected before you’re able to install security programs?" The fact the author then goes on to talk about getting infected afterwards just proves the point I have been making all along - the article is misleading!

    You can take away from the article what you want - and removing malware using autoruns and process explorer is fine. No argument from me on that. That was NOT the point for me saying the article was misleading.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    @Bill_Bright
    I don't know what the big deal is if you get infected before or after you install security solution and why an article would be misleading.
    Last week I installed a new Windows 7 system for my friend. I had to connect it to the internet in order to update it (or to download an AV solution, if I had chosen to do that first). The system could have got infected during this time and I could have used similar tools to try to clean it up (although I would probably have just reinstalled it if that had happened). So IMO the situation is definitely possible: not probable, but still possible.
    Even if you don't like an article, or see it as misleading, some members don't feel that way. So we can leave it at that, without trying to persuade each other who "got it right".
     
  8. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    I would have been perfectly fine with "leaving it at that" after my first post. But note you in Post #5 and others following took exception to my opinion, and tried to convince me that I was wrong. So it works both ways.

    And again, all I said was the article was misleading. I did not say it was wrong or inaccurate, or without any use.

    But I do agree and at this point, we all should just leave it at that.
     
  9. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Great! Thank you. We each saw something different, and there's nothing wrong with that.
     
  10. guest

    guest Guest

    Exactly, no one can deny that. As far as I know, not all Windows users are on Win8/10. So the article isn't misleading.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    How to Perform Manual PUP Removal
    https://blog.emsisoft.com/en/31451/how-to-perform-manual-pup-removal/
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here we go again.:gack:

    Actually, the article is pretty good. My comment is that it should never be needed if your security solution does its job by preventing their installation in the first place.
     
  13. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    Yes, but on the whole, security software does a terrible job of detecting PUPs. A notable exception is Dr Web, which detects around 3,000 different PUPs. However, while it can detect the installers, I have no idea how well it does at removing them, once they are installed, as I don't use Dr Web.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    How to Perform Manual Ransomware Removal
    https://blog.emsisoft.com/en/31793/how-to-perform-manual-ransomware-removal/
     
  15. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    Somehow I found this interesting.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    How to remove fileless malware
    https://blog.emsisoft.com/en/32034/how-to-remove-fileless-malware/
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I keep a dedicated system with that same security solution on it, courtesy of @cruelsister's applied rules, and the sandbox containment has been magnificent in so many tests I've thrown at it.

    Which is just peachy for a local user's machine. The question that arises for me is how well it would contain/protect the same on industry/business office dependencies, where one single stitch of malicious/targeted compromised data could mean a large financial loss.

    Just hypothetical of course, but it's still an interesting thought.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    FireEye has an excellent "deep dive" article on WMI attacks here: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf.

    Note the limitations of Autoruns:
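An added example, not from the thread, the linked Emsisoft fileless-malware article or the FireEye paper: a PowerShell listing that enumerates the three object types behind a WMI event-subscription persistence (filter, consumer, binding) in the root\subscription namespace, which is where the FireEye paper's "permanent event subscription" technique lives and the kind of autostart a file-oriented tool can miss. It assumes an elevated session on Windows 8 or later (CIM cmdlets), and the Remove-WmiSubscription function and its parameter names are mine, not a built-in.

```powershell
# Added example: manually review (and optionally remove) WMI permanent event
# subscriptions. Run elevated. Everything is read-only until you call
# Remove-WmiSubscription yourself.

$ns = 'root\subscription'

# Assumption: a healthy host usually carries only a handful of subscriptions
# here (some builds ship "SCM Event Log Consumer"), so each entry is worth reading.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

Write-Host '== Event filters (the trigger: a WQL query on some event source) =='
$filters | Select-Object Name, EventNamespace, QueryLanguage, Query | Format-List

Write-Host '== Event consumers (the payload that runs when the filter fires) =='
foreach ($c in $consumers) {
    # The concrete class says what executes: CommandLineEventConsumer launches a
    # command line, ActiveScriptEventConsumer runs VBScript/JScript inside WMI.
    $class = $c.CimClass.CimClassName
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        default                     { '(inspect the class-specific properties)' }
    }
    [pscustomobject]@{ Name = $c.Name; Class = $class; Payload = $payload } | Format-List
}

Write-Host '== Bindings (what ties a filter to a consumer; unbound objects are inert) =='
$bindings | Select-Object Filter, Consumer | Format-List

function Remove-WmiSubscription {
    # Hypothetical helper, not a built-in cmdlet. Deletes one subscription in the
    # safe order: binding first (so nothing can fire mid-removal), then consumer,
    # then filter. Only the objects with exactly these names are touched.
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName
    )
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $FilterName -and $_.Consumer.Name -eq $ConsumerName } |
        Remove-CimInstance -Verbose
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
        Where-Object { $_.Name -eq $ConsumerName } |
        Remove-CimInstance -Verbose
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        Where-Object { $_.Name -eq $FilterName } |
        Remove-CimInstance -Verbose
}

# Example call (names are placeholders; use the ones the listing above shows you):
# Remove-WmiSubscription -FilterName 'SuspiciousFilter' -ConsumerName 'SuspiciousConsumer'
```

Read the Query of each filter together with its consumer's payload before removing anything: a filter on `Win32_LocalTime` or `__InstanceModificationEvent` against `Win32_PerfFormattedData_PerfOS_System` paired with a `powershell.exe -enc ...` or `mshta` command line is the classic shape, whereas a subscription with no binding cannot execute and is a lower priority. If you need the same check on systems without the CIM cmdlets, `Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding` returns the same objects, with Filter and Consumer as path strings rather than references.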
     