CompTIA A+ Core 2: Best Practice Procedures for Malware Removal

Malware Prevention and Removal

Malware is software specifically designed to compromise computers, servers, clients, or computer networks. In this course, you will learn best practices for the identification and removal of malware. Begin by exploring how to properly investigate and verify malware symptoms and how to ensure infected systems are quarantined immediately.

Discover the importance of disabling System Restore from the onset as well as steps to remediate infected systems. Explore how to schedule system scans and run updates on a system. Next, discover when to re-enable System Restore and create a new restore point in Windows.

Lastly, learn about the key points and techniques to share with end users when educating them on malware. This course helps prepare for the CompTIA A+ certification exam 220-1102.

Table of Contents

  • Course Overview
  • Malware Prevention and Removal
  • Malware Symptoms
  • Infected Systems
  • System Restore Points
  • System Remediation
  • System Scans and Updates
  • System Restore Considerations
  • End User Education

Course Overview

In this course, I’ll discuss best practice procedures for malware identification and removal. I’ll explore how to properly investigate and verify malware symptoms and discover how to ensure infected systems are quarantined immediately. I’ll discuss the importance of disabling System Restore from the onset as well as steps to remediate infected systems. I’ll explore how to schedule system scans and how to run updates on a system.

I’ll discuss when to re-enable System Restore and create a new restore point within Windows. Lastly, discover key points and techniques to share with end users when educating them on malware. This course helps prepare for the CompTIA A+ certification exam 220-1102.

Malware Prevention and Removal

Upon completion of this video, you will be able to recognize malware and how to respond to an incident caused by malware.

  • recognize malware and how to respond to an incident caused by malware

So security incidents are no joke, and every organization is going to run into one at some point in time where they have some type of incident and they’re not sure what it is. It is absolutely important that the technician takes the time to validate that the incident is, in fact, a security incident and not a false positive. The reason for this is because you will have a lot of false positives, and that is fine.

You just don’t want to have a false negative occur. So by investigating your false positives, if you do determine that it is a security event, you can take the appropriate action. In order to do that, you really want to correlate the findings that you’re seeing with those of another source, so, for example, a detection and prevention tool, and this is going to give you the confidence that what you’re seeing is, in fact, a security event and not a false positive.

Oftentimes within organizations, when looking at logs, you may get a trigger that says this is unusual behavior. You go and investigate and you determine that, yes, it is unusual, but it is fairly standard for this specific use case. So it’s OK. And that is going to allow you to make sure that you’re managing your incidents well so that you’re not actually taking away network access from people when they need it.

So there are some symptoms of a virus that you need to be familiar with, because you’re going to run into them if you do have a virus on a machine, and the first one is slow performance. The next one is application crashes. So if you notice applications aren’t working the way they should, there could be something on the machine that’s causing that.

If your Windows Updates start to fail frequently, that’s an indication that something is wrong with the core operating system, and a virus on the machine is one of the things that could be causing it. If the computer is shutting down frequently, that’s possibly a virus.

And once again, if you’re denied any access to files and folders on the machine, that could also be the symptoms of having a virus on the machine. But it is important to note that every one of these things may not actually be caused by a virus. They can be caused by a myriad of other potential issues on a computer.

So it’s important that you’re doing that corroboration so that you know, in fact, you are dealing with a virus and you’re not just dealing with a dying hard drive or a poorly installed application. So spyware can cause most of the same symptoms as a virus, but there are also some additional symptoms that you can look out for that are specific to spyware, and the first one is that your browser homepage has been modified or your web traffic is being redirected somewhere.

So when you go to google.com, it brings up mysupersearchsite.com. Well, that’s not where you went, but you are getting a search site, which is possibly OK, but it’s clear that your browser has been hijacked in some way. If the local firewall on the machine is suddenly disabled, that may be an indication that there’s spyware on that computer. And also you may start to see pop-up windows start appearing on the machine, giving you messages that you may have viruses on the computer.

And these are all symptoms that you need to look out for and investigate. And if you do see the fake anti-virus messages, you need to make sure, is this actually spyware on the machine or is this just a website that’s generated this?

You know? There are different types of spyware out there that you may run into, so you want to make sure that you’re finding out what specific spyware or malware variant you’re working with. So if you have determined that you have malware on a machine, well, what do you do? Well, the first thing you should do is isolate that machine, but then you’re probably going to want to do some research.

So you’re probably going to want to find out the threat name if you can. If you have any file hashes, those are a tool you can use to help determine what the threat is and what file format the threat actually takes on the machine.

So if you have an anti-virus system that’s picked this up, it will often give you the threat name and the file hash and the file format, and you can go out and do some research, and really what you’re looking for here is to determine what the impact is of this event. Is this local to this machine? Which, if it is, awesome, that’s really good news. If it’s not local to this machine, then you have a bigger problem.

Just, how big is that problem? And what other machines and what other systems should you be looking to isolate at this point in time? You know, having that information at your disposal is going to be key in ensuring that you’re able to actually resolve the threat.

One of the ways organizations help raise awareness of cybersecurity and help ensure that the organization is prepared in case of a cybersecurity incident, is through the use of policies. Now, every organization should mandate some type of policy that addresses the prevention of malware incidents such as a security policy.

This is important because this is going to outline how your organization deals with this and how the organization specifically secures systems. You want to make sure that this is in place, so that when new systems are stood up they’re actually following the policy and they’re not going outside of that scope.

When designing a policy, there’s some considerations you need to take into account, and the first one is, do you want to scan email attachments? Is this something that you should be doing in your organization? The answer is probably yes. So you’re probably going to want to put that in your security policy so that all email attachments are scanned and users know that they’re scanned. Are you going to scan any external storage devices as they’re plugged into a computer?

This is important because some organizations may not have the ability to do this because they may be using external storage devices for moving information around the organization, and scanning them could cause a potential issue. You also want to require anti-virus software on a computer. If so, what is the update policy for it? How often should it be updated? How often should it be monitored?

How is it monitored? How is it reported? Are you going to restrict the use of personal devices on the network or is this a bring-your-own-device type policy? Are you going to restrict software that users install or are you going to say, you install what you need to install, and we’ll just simply monitor the traffic to make sure that it’s secure?

These are all things you need to consider, and you need to consider them within the confines of what’s realistic for your organization, understanding that the tradeoff for all of these things is added risk. But if you’re willing to accept that risk, there’s also added reward in the freedom of users to do things as they choose, such as bring their own device or install their own software. It is a trade-off that you have to make sure you are balancing properly within your organization’s risk tolerance.
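The policy questions above (scan email attachments, scan external storage, require anti-virus and keep it updated, monitor and report on it) can be written down as a settings baseline and checked for drift. The following is an added example, not code from the course, using the Microsoft Defender Antivirus PowerShell module (Set-MpPreference, Get-MpPreference, Get-MpComputerStatus). The 4-hour signature interval and the one-day signature-age threshold are illustrative choices, not values the course gives. It needs an elevated session on a Windows machine running Defender.

```powershell
# Added example: a malware-prevention policy baseline expressed as Defender settings.
# Each key answers one of the policy questions with "yes".
$PolicyBaseline = @{
    DisableEmailScanning          = $false  # scan email attachments
    DisableRemovableDriveScanning = $false  # scan external storage during full scans
    DisableRealtimeMonitoring     = $false  # anti-virus must stay enabled
    SignatureUpdateInterval       = 4       # check for new definitions every 4 hours (illustrative)
}

function Set-MalwarePolicyBaseline {
    # Apply the baseline in one call by splatting the hashtable onto Set-MpPreference.
    # Tamper Protection or Group Policy/Intune management can override or block these changes.
    Set-MpPreference @PolicyBaseline
}

function Test-MalwarePolicyBaseline {
    # Compare the live preferences against the baseline and report every deviation,
    # plus a signature-age check so "how often is it updated" is actually monitored.
    param([int]$MaxSignatureAgeDays = 1)   # illustrative threshold
    $current = Get-MpPreference
    $drift = foreach ($name in $PolicyBaseline.Keys) {
        if ($current.$name -ne $PolicyBaseline[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $PolicyBaseline[$name]; Actual = $current.$name }
        }
    }
    $status = Get-MpComputerStatus
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $drift += [pscustomobject]@{
            Setting  = 'AntivirusSignatureAge'
            Expected = "<= $MaxSignatureAgeDays day(s)"
            Actual   = "$($status.AntivirusSignatureAge) day(s)"
        }
    }
    [pscustomobject]@{
        Compliant = (@($drift).Count -eq 0)
        Drift     = @($drift)
    }
}

# Usage: Test-MalwarePolicyBaseline | Format-List   (feed Drift into your reporting)
```

Running Test-MalwarePolicyBaseline on a schedule gives the "how is it monitored, how is it reported" answer a concrete form: the Drift list is what gets reported, and an empty list is what compliance looks like.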

Malware Symptoms

Malware Symptoms

After completing this video, you will be able to investigate and verify malware symptoms.

  • recognize how to investigate and verify malware symptoms

So these are the procedures that are used for malware removal. These are not necessarily the procedures that are used for malware response. Those are going to be completely different. This is, you’ve identified there’s malware on a machine, so how are you going to research that malware? How are you going to identify what that malware is and how it came to be on your network?

So with step 1, you’re really looking for the signs of the malware. Now typically your anti-virus, or some type of intrusion detection system or endpoint protection system, has alerted you that there’s malware on a machine, so you’re investigating it. And the first thing you’re going to want to look at is, what error messages am I seeing on this machine? What error messages am I seeing in the event viewer?

What is the behavior of this specific machine at this point in time? Are you seeing a ton of different errors in the event viewer but the user is seeing nothing? Or is the user seeing a bunch of different error messages? Has everything changed on their desktop? Is everything the same? What performance issues are you running into? Is the drive completely pegged at 100% read-write? Is RAM being used? Is CPU being used?

This is information that you need to gather in order to identify what that malware is. So if you believe you have malware on a machine and you have encountered it, the first step is to identify it. So you know what it’s doing on the machine, you see some common errors, now you need to go out and try to Google that specific behavior to try to find a threat.

Now you can go over, there are different tools that you can use for this, but VirusTotal is a great one that’s going to help identify specific malware files and that’s going to help you determine what malware is on that machine. Of course, if you have an anti-virus system, chances are it’s going to tell you as well.

And then you need to take the time, and not a whole lot of it, to research what that malware does. Once again, VirusTotal Intelligence is going to help you determine what that does, as well as some other websites that are going to give you some information on that specific variant. But what you’re looking for here is, is this isolated on a machine or is this more of a global threat to the organization?

How do we need to handle this from this point forward now that we’ve identified it and we know what it is? So once you have a good handle on what it is, you need to now handle the incident. So you’ve identified the characteristics of the malware. You know what it’s doing to this specific machine, you know its typical behavior, but now you need to know, is that going to affect other machines on the network?

How do we handle this incident best? How do we isolate this machine? What other machines do we have to isolate on the network? Is this a complete network isolation moment where we unplug every Ethernet card, or is this just specifically one machine that’s infected? And then you need to identify the data sources. So this isn’t just, you know, what files are infected, but how those files got infected.

So you want to determine how and why the machine is infected with this malware, where it came from, and what files it’s infected, so that when you go through and you’re doing your restore later, you’re not just restoring something that’s been lying dormant for a while, and you’re going to end up infected again. At this point, you probably want to make sure you’re isolating the machine and any other machine that needs to be isolated, but you also want to do some research on that malware just to be extra safe.

So with this, you’re going to go out and try to determine what other malware characteristics are typical of this, what other attack vectors are typical of this, and what malware specifically is being detected by the vendor that’s detecting it? So to give you an example, I use SentinelOne within my organization. I’ve seen SentinelOne classify malware differently than other anti-virus software.

So you want to make sure that you’re taking a look to determine if any other vendors that have found this specific file infected have classified it in any other way. And typically, they’re going to classify it as a malware category, so the type. Is this ransomware? Is this a crypto miner? Is this a botnet?

What is this? What vulnerabilities does this actually exploit on the end user system? Does this gain root access or is this specifically running on that user’s profile? And what services are attacked on the machine? What services are potentially going to be used to attack other machines? What services has this attached itself to? Has this done a DLL injection?

All this information is important because you do want to make sure that if you’re dealing with a malware event, that you’re not setting yourself up to specifically deal with it again two to three days down the road. And I’ve seen this happen where someone has gone through, they’ve dealt with a ransomware event by restoring backups, but they did not do a root cause analysis.

And three days later they had ransomware on their machines again. They were down for a week while they did the restorations. They brought it back up only to get locked up again because they didn’t close the backdoor that the attackers were using. So it’s absolutely important that you do your research and understand the impact that the malware is going to have on your systems and your organization.
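Step 1 above comes down to corroborating the alert with a second source (the event log), capturing what the machine shows, and collecting the file hashes you will research. The following is an added example, not code from the course, that does those three things with built-in cmdlets. It assumes Microsoft Defender Antivirus is the detecting product: event IDs 1116 (malware detected) and 1117 (action taken) are Defender’s documented operational-log IDs, and the `file:_` prefix stripped from Get-MpThreatDetection resources is an assumption about that property’s format. It does not upload anything; a hash lookup URL is built so the file itself stays on the machine.

```powershell
# Added example: corroborate an AV alert with the event log and hash the flagged files.

function Get-DefenderDetectionEvents {
    # Second source for the alert: Defender's own operational log, last N hours.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117          # 1116 = malware detected, 1117 = action taken
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-SuspectFileReport {
    # Hash each flagged file in place and build a hash-lookup URL for research.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            # The AV may already have quarantined or removed it; record that too.
            [pscustomobject]@{ Path = $file; Present = $false; SHA256 = $null; LookupUrl = $null }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLower()
        $item = Get-Item -LiteralPath $file -Force
        [pscustomobject]@{
            Path      = $file
            Present   = $true
            SizeBytes = $item.Length
            Modified  = $item.LastWriteTime
            Signature = (Get-AuthenticodeSignature -LiteralPath $file).Status
            SHA256    = $hash
            # Searching by hash never sends the file off the machine.
            LookupUrl = "https://www.virustotal.com/gui/file/$hash"
        }
    }
}

function Get-MachineSymptomSnapshot {
    # What the machine is doing right now: CPU, memory, disk pressure, recent errors.
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        FreeMemoryMB  = [math]::Round($os.FreePhysicalMemory / 1KB)
        TopCpuProcs   = (Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name, Id, CPU)
        RecentErrors  = @(Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 2;
                          StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue).Count
    }
}

# Usage: paths usually come from the alert itself. With Defender (assumed format):
# $paths = (Get-MpThreatDetection).Resources -replace '^file:_', ''
# Get-DefenderDetectionEvents; Get-SuspectFileReport -Path $paths; Get-MachineSymptomSnapshot
```

Keep all three outputs in the incident folder before changing anything on the machine; the hashes are what you take to VirusTotal or your vendor’s portal to find out whether the threat is local to this host or something broader.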

Video: Infected Systems

Infected Systems

In this video, you will outline the importance of quarantining infected systems.

  • outline the importance of quarantining infected systems

So the procedures for removing malware now describe step 2 as quarantining the infected system. It is important to note that step 1 and step 2 can happen in conjunction with one another. The second you have identified a machine has malware, you should have quarantined that system in some way.

Some organizations will even go as far as to quarantine on a false positive. So as soon as it’s detected, that machine is quarantined, it’s in its own VLAN, it’s by itself, and then you can go and do that investigative work. But it is important to note that this can happen at the same time. Do not wait two hours while you’re doing malware research to go and quarantine that infected system.

Every second of a malware event is precious to make sure that you’re taking the steps needed to mitigate as much damage as possible. So, your first step here should be to take a look at the system itself, take a look at that infected system, and figure out how you’re going to quarantine and self-contain that specific system. So, if it has a network cable attached to it or if it’s connected by Wi-Fi, disconnect it or move it to its own segmented VLAN or move it to its own network.

I typically like to just simply disconnect it. If I do have to do some type of packet capture to determine if it’s communicating to a command-and-control network, I will then go and plug it into its own network where it’s by itself on its own VLAN, where it can’t actually touch anything else on the network and to do my analysis from there.

You know, making sure that it’s disconnected so that it can no longer communicate with any other systems is absolutely the first step you need to take if you’re running into a malware event. And this is because you do not want it to spread to other systems within your local area network. If it’s disconnected from both the LAN and the wireless networks, you can then go in and do further analysis on that machine to determine what has happened.

Now that your machine has been isolated, you’re free to go and look at the infected files themselves. Now, typically here you’re going to have three options. The first one is to remove the file. This is the best option because the file is no longer available to be executed. There’s no longer a payload there within that file that can be executed. You can also disinfect the file.

However, disinfecting the file doesn’t always remediate the threat, because if you don’t disinfect all the infected files, it can come back again later. And you also want to make sure that, if you can’t disinfect or remove it, that you quarantine that file. And that means that that file can’t be used in order to execute code on your system.

That file is now within a quarantine where it sits. And typically, if you have a bunch of quarantine files, you can then go out and see if your anti-virus software provider or another provider has a solution for disinfecting those files. Now, not all files are created equal. Some you may not actually have the option to remove. You may want to go in and disinfect them as much as possible because of how mission-critical they are. If that’s the case, you want to try to disinfect them first.

If that doesn’t work, move them into quarantine. It is because files get infected that we have some best practices around how you store your data. As a best practice, store your data on a secure server. As a best practice, back that server up to an offline backup repository. This helps lessen the impact on productivity while that client system is restored.

For example, if you have to put in a new machine, you can quickly reimage it and redeploy it, and that user’s files can be downloaded again to that machine without impacting the user. And that gives you time to go and spend the time to do a proper analysis of the malware and ensure that this does not happen again.

It is important to note that if there were any removable media devices plugged into this machine, you’re probably going to want to destroy them. And by that, I mean you’re going to want to go and format that device, to make sure that it is safe.

You know, when you are doing this, you must isolate everything that was connected to that machine in order to help limit the spread. That includes removable media devices. That includes things like memory sticks. That includes things like cell phones that may be connected to the machine at the time of the attack. And yes, it’s inconvenient, but you’re doing this for the safety of the organization.

You’re doing this because that malware may potentially jump to another system. And the last thing you want to be doing is fighting 100 different fires. It’s much easier to fight one than 100. This is why we try to take steps to help limit the spread of the malware.

So the first thing you need to do is try not to use any backups from that infected system within the timelines that you actually go and create when you’re doing your analysis. So, if you do your analysis and determine that this machine was infected on Friday, and then the payload was executed Wednesday, you don’t want to be restoring your backup from Monday or Tuesday because you’re just going to restore an infected system.

And I’ve seen this happen, and it’s unfortunate when it does, but it can happen. And you don’t want to take all the files from the system and simply just transfer them to a new system. So if all these files that are infected were being backed up to OneDrive, don’t just go and set OneDrive up on the new machine for that user. It’s just going to infect another machine. You want to take the time to make sure you’re limiting the spread as much as possible.
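The isolation step described in this video (drop the wired and wireless connections, account for any removable media that was attached, and verify the machine can no longer talk to anything) can be scripted so it takes seconds rather than minutes. The following is an added example, not code from the course; it uses the NetAdapter and Storage modules that ship with Windows 8/Server 2012 and later, and the incident log path is an assumed location. Run it locally from an elevated session: if you run it over a remote session it will cut that session off as well.

```powershell
# Added example: isolate a host and record what was done.

function Invoke-HostIsolation {
    param([string]$IncidentLog = "$env:SystemDrive\Incident\isolation.log")   # assumed path
    New-Item -ItemType Directory -Path (Split-Path $IncidentLog) -Force | Out-Null
    $stamp = { (Get-Date -Format o) }

    # 1. Disable every active adapter: Ethernet, Wi-Fi and virtual adapters alike.
    $active = @(Get-NetAdapter | Where-Object Status -eq 'Up')
    foreach ($nic in $active) {
        "$(& $stamp) disabling '$($nic.Name)' ($($nic.InterfaceDescription))" | Add-Content $IncidentLog
        Disable-NetAdapter -Name $nic.Name -Confirm:$false
    }

    # 2. Inventory removable media that was attached; it goes into quarantine with the host.
    $removable = @(Get-Volume | Where-Object DriveType -eq 'Removable' |
        Select-Object DriveLetter, FileSystemLabel, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } })
    foreach ($vol in $removable) {
        "$(& $stamp) removable volume present: $($vol.DriveLetter): '$($vol.FileSystemLabel)'" | Add-Content $IncidentLog
    }

    # 3. Verify: no adapter may still be up before the machine is considered isolated.
    $stillUp = @(Get-NetAdapter | Where-Object Status -eq 'Up')
    "$(& $stamp) isolation complete: $($stillUp.Count) adapter(s) still up" | Add-Content $IncidentLog
    [pscustomobject]@{
        AdaptersDisabled = $active.Name
        AdaptersStillUp  = $stillUp.Name
        RemovableVolumes = $removable
        Isolated         = ($stillUp.Count -eq 0)
    }
}

function Enable-AnalysisAdapter {
    # Later, when you need a packet capture: bring up exactly one adapter, which you have
    # already patched into the isolated analysis VLAN, and nothing else.
    param([Parameter(Mandatory)][string]$Name)
    Enable-NetAdapter -Name $Name -Confirm:$false
    Get-NetAdapter | Select-Object Name, Status, LinkSpeed
}

# Usage: Invoke-HostIsolation   (check that Isolated is True before doing anything else)
```

The Isolated flag is the check worth keeping: an adapter that fails to disable (a driver that refuses, or a USB NIC re-enumerating) is exactly the one that lets the malware keep talking while you think the machine is off the network.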

System Restore Points

System Restore Points

After completing this video, you will be able to recognize why and when to disable System Restore in the operating system.

  • recognize why and when to disable System Restore in the operating system

So now that you’ve quarantined the system, you’ve identified and researched the malware, step 3 is to disable the System Restore. Now, it’s important to note that this can be done in conjunction with step 2, because this is a fairly simple process that doesn’t take a whole lot of time.

While you’re running a scan of an infected system, going in and taking this step is not going to add a whole lot of complexity to what you’re doing. Now, a System Restore point is effectively an image that is taken of a theoretically healthy system from an earlier date or time. So what you’re doing is you’re going in and you’re going to say, OK, my system as of this day is working great. There’s no issues with it, it’s up to date, so I’m going to create a restore point and typically that is taken before you do something or that is taken at regular scheduled intervals.

Now, if you are taking one because you’re about to undertake a major event on a machine such as a system update or the installation of a new application, that’s fantastic. And that’s good practice for a system administrator to get into, because oftentimes system updates or new applications can cause all sorts of problems for an underlying operating system.

As a typical methodology for deploying updates, I will typically do a System Restore point on a machine, test the system updates, confirm that they’re working, make sure that there’s no issues with the applications, and then I’ll go do a quick Google search to see if anyone else has run into any issues with these updates. If not, then I will deploy them throughout the organization. But I have a restore point there in case I go and do that system update and suddenly I can no longer boot into Windows or suddenly something isn’t working within the system.

So, I can roll back and ideally that will allow me to restore back to a working state. It’s the same thing with applications.

Any major application you’re installing that requires admin privileges on a machine, chances are it can potentially break the machine, so you want to make sure you’re taking a restore point prior to installing it for the first time so that you’re not putting yourself in a situation where you have to roll back two or three updates ago or two or three software installations previous. So you’re probably wondering, well, why is the next step to delete these things?

You know, these sound pretty great. These System Restore points are pretty awesome. Well, they, they can be infected. Quite frankly, the malware can target these restore points and oftentimes it will, or oftentimes malware may even lay dormant through several different restore points before it starts to become active.

So, in addition to any current configuration that the machine has, the malware may go infect all the previous restore points. So, if you’re restoring back even to day one, well, that’s actually infected with the malware as well. So, we didn’t get rid of the malware, all we’ve done is waste time and revert a system. And any attempt to revert back to a previously healthy configuration is likely going to include the malware with it. So, you’re not actually doing anything.

And the reason you need to delete these is because at any point in time down the road a different administrator could approach that machine, or a different user, and actually restore to that point in time and actually reinfect the machine. You may have cleaned it up fully and then do a System Restore and suddenly that machine is back to being infected.

So, like I said, this is a fairly easy thing to do. You just go into System Restore and you disable it prior to doing any cleanup. So, you just disable the System Restore. It’s that simple. That’s going to go in and delete all the restore points for you. It also deletes anything that may potentially have been infected within those restore points.

So you need to do this because, like I said, you can restore a virus to a machine by running a System Restore, and that’s not good. That creates potential danger for you down the road when an unsuspecting administrator is troubleshooting an issue on that machine. Maybe when you did your antivirus cleanup it affected some other software that now isn’t working properly, so as part of that troubleshooting process the administrator goes through and thinks, we’ll just roll back to the System Restore point from six months ago, looks like it was working fine then.

And lo and behold, your system is infected with malware again and it started to infect other computers on the network. So in order to avoid that, the best practice is simply to disable it, and that will, in fact, go through and delete all the restore points on that machine.
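Step 3 (disable System Restore, which removes the existing restore points) and the later step of re-enabling it and creating a fresh restore point once the machine is clean are both single cmdlets in Windows PowerShell. The following is an added example, not code from the course; it wraps Disable-ComputerRestore, Enable-ComputerRestore, Get-ComputerRestorePoint and Checkpoint-Computer so the before/after counts are recorded rather than assumed. These cmdlets are Windows-only and need an elevated Windows PowerShell 5.1 session; the description text is an assumed value.

```powershell
# Added example: disable System Restore for cleanup, then re-enable it and take a new baseline.

function Disable-RestorePointsForCleanup {
    param([string]$Drive = "$env:SystemDrive\")
    # Count what exists so the incident record shows what was removed.
    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    # Disabling System Restore on the drive deletes its restore points.
    Disable-ComputerRestore -Drive $Drive
    $after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Drive               = $Drive
        RestorePointsBefore = $before.Count
        RestorePointsAfter  = $after.Count
        Disabled            = ($after.Count -eq 0)
    }
}

function Enable-RestorePointsAfterCleanup {
    # Only after the remediation steps are complete and the machine has been verified clean.
    param(
        [string]$Drive = "$env:SystemDrive\",
        [string]$Description = 'Post-malware-cleanup baseline'   # assumed description
    )
    Enable-ComputerRestore -Drive $Drive
    # Windows creates at most one restore point per 24 hours by default; if one was
    # created recently, Checkpoint-Computer reports that and makes no new point.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber |
        Select-Object -Last 1 SequenceNumber, Description, RestorePointType
}

# Usage:
#   Disable-RestorePointsForCleanup            # step 3, before any cleanup
#   ... remediation, scans, reboots, verification ...
#   Enable-RestorePointsAfterCleanup           # new clean baseline only when done
```

If the incident may go to a forensic investigation, image the disk before running the disable step: the restore points it removes are also shadow copies an investigator might have wanted.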

System Remediation

System Remediation

Learn how to identify best practices for remediating infected systems, including updating anti-malware software and staying current on scanning and removing techniques.

  • identify best practices for remediating infected systems including updating anti-malware software and staying current on scanning and removing techniques

So you know what it is and what symptoms to expect from this specific variant, you’ve quarantined the system and the files so that you’re not really worried about this spreading to anywhere else on the network or any other machines that it may be connected to, and you’ve disabled System Restore and deleted the files within System Restore so you can’t possibly go through System Restore to bring that malware back.

Now you want to go through and remediate the system. You want to bring this back to an operational state, and the reason for that is because computers aren’t free, and we can’t just turf them in the garbage. You know? You do want to reuse them whenever possible, especially servers, because they can be very expensive. So, you want to go through and remediate the infected system to bring it back online to an operational state so the users can start enjoying the services that they were getting from that machine again.

So I hate to remind individuals of this, but it should go without saying, but I’m going to say it anyways; you do need to make sure that the system maintains isolation during this period. While you are remediating the system, do not plug it back into the network. Make sure it’s disconnected from the network, it’s by itself somewhere, and it is not going to infect any other machines because if you connect it to even an isolated network with two or three other machines, chances are that will infect those two or three other machines.

So put it on its own isolated network, if you even need to have network access to that machine to do your troubleshooting. If you don’t need network access to that machine to do troubleshooting, don’t connect it to a network. Just go through and remediate the issue as is. If you do have to do it, go through and connect it to its own network. I have typically gone through and used old firewalls that I’ve gone and taken and retired and put them back into service whenever I have to do this.

So, I might plug it in, yes, it’s not going to have any advanced threat protection, I’m not really after that at this point, and I’ll plug the computer into it. And this will allow me to do some traffic captures as well on the firewall end, as well as ensure that that machine is completely isolated from anywhere else on the network.

Once you are sure that that machine is isolated, and I mean 100% sure, go through and start running through the different processes that are running on the machine. Take a capture of it, and this is going to help you locate the malware on the computer. There are a bunch of different tools available that help you identify running processes.

In fact, your own anti-malware service may even have its own built-in ability to do this, but you can use things like the Windows Task Manager, Process Explorer or tasklist in order to see what is running on that machine at that specific point in time.

The reason for this is because you want to see what processes are running, because chances are, one or more of those processes are likely infected with the malware and you’re going to need to go through and make sure that you’re shutting these processes off or that they’ve stopped, in order to remediate it, because if the process is still running, infecting other files, and you’re going through right behind it and cleaning up, you’re just going to be trying to catch a cat by the tail the entire time. It’s not going to work out very well for you.

The easiest way to do remediation is by using an anti-virus or an endpoint detection and response system. Ensure that it is up to date as much as possible. If you have to plug it into the Internet to do that, go ahead, as long as, once again, it is 100% isolated from anything else, and make sure that you get the most up-to-date definitions possible to go through and clean up that virus. You know, definition files often change two or three times a day, sometimes more, so making sure you have the most up to date can ensure that you’re dealing with the most up-to-date variant of that specific virus or malware that you found on that machine.

Now oftentimes malware is going to try to prevent you from removing itself. So, in order to help combat that, you can try booting the computer into safe mode and this will just boot Windows with the minimum environment possible, and this will allow you to go through and potentially remove that malware without it running in the background.

Or you can even go and boot into a pre-installation environment like Windows PE, and that would be booting up off a memory stick and then running a virus scan, and that’s going to help to isolate the actual operating system itself so that you can go through and scan for any files that may be infected and deal with them appropriately. Now, the reason for this is because you can kill a process, and it can just restart itself over and over repeatedly.

And maybe it’s gone through and infected the boot sector, or it’s infected the actual master boot record for Windows, so suddenly, yes, we’ve gone through and removed every piece of this malware, we reboot and it’s back again. Why does this keep coming back? Well, it’s because it’s put itself in a position to do so. So, booting into safe mode is a good first step. Booting into a pre-installation environment is a fantastic second step if you notice the malware is coming back time and time again.

Now, ideally, you’re not doing this manually. One of the most time-intensive things you can do is try to remove malware from a machine manually, because oftentimes with modern malware, you have to go through and delete a ton of files and then go through the registry and delete a ton of different entries. That can be very time-consuming for a technician.

It can also be very exhausting, because if you miss one, chances are you’re back to square one and you’ve got to start all over again. So, using tools like anti-virus removal tools is going to be a great help here. If that’s not an option and you know what you’re looking for, you can try removing it manually through the registry. I don’t recommend it.

I recommend that if you can’t find it using a scanning utility that’s going to automatically remove it, just nuke and pave that machine. Format it, reinstall Windows, consider the loss, and move on with your day.

Because I have spent days doing this specific task back in the early 2000s to mid-2000s, and I can tell you that this was not a fun task to do manually. It took a lot of time, it cost a lot of money, and there was a lot of effort involved. So, really, if you don’t have a utility, my suggestion is to nuke and pave the machine whenever possible. If that’s not an option, you can do it manually, but it’s going to take a lot of time.

Now that you think you’ve got it, you think you’ve removed it, restart the computer a few times, and then check on the status of the malware. Is it back? If the machine isn’t connected to the Internet while you’re testing it, connect it to the Internet, test it, and see if it comes back.

Maybe there’s a hidden command-and-control network that’s just going to put it right back on that machine. You want to make 100% sure that that malware is completely cleaned before you go and put this computer or system back into operation, because you don’t want to be dealing with this time and time and time again.
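The Safe Mode step and the "restart a few times and check whether it came back" step above can both be supported with a small PowerShell script. This is an added example, not course material: it baselines the common Windows autostart locations (Run/RunOnce keys, services, scheduled tasks) before the test reboots and reports anything new afterwards; the baseline file path and the helper names are assumptions.

```powershell
# Added example (not from the course): baseline the common Windows autostart
# locations before the test reboots, then diff a fresh snapshot against it after
# each reboot. A new entry that reappears is the malware "putting itself back".
# Run as Administrator. The baseline file location is an assumption.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BaselinePath = "$env:ProgramData\autostart-baseline.txt"   # assumed location

function Get-AutostartSnapshot {
    $items = @()
    # Registry Run/RunOnce values
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own metadata
            $items += "RunKey|$key|$($p.Name)|$($p.Value)"
        }
    }
    # Services and the binary each one launches
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $items += "Service|$($svc.Name)|$($svc.StartMode)|$($svc.PathName)"
    }
    # Scheduled tasks outside the built-in \Microsoft\ folder
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ';'
        $items += "Task|$($task.TaskPath)$($task.TaskName)|$($task.State)|$cmd"
    }
    return @($items | Sort-Object -Unique)
}

function Save-AutostartBaseline {
    Get-AutostartSnapshot | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
}

function Compare-AutostartBaseline {
    $before = @(Get-Content -Path $BaselinePath)
    $after  = Get-AutostartSnapshot
    # '=>' marks entries present now but absent from the baseline: something came back
    $new = Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
    if ($new) { $new | ForEach-Object { Write-Warning "NEW autostart entry: $_" } }
    else      { Write-Host 'No new autostart entries since the baseline.' }
    return $new
}

# Safe Mode helpers for the cleanup pass: set the flag, reboot, and clear it
# again afterwards so the machine returns to a normal boot.
function Set-NextBootSafeMode   { bcdedit /set '{current}' safeboot minimal }
function Clear-NextBootSafeMode { bcdedit /deletevalue '{current}' safeboot }

# Usage: Save-AutostartBaseline before the reboots, then Compare-AutostartBaseline after each one.
```

Run the comparison once more after the machine has been reconnected to the Internet, since that is when a command-and-control channel would reinstall the entry.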

You know, there have been countless stories of systems administrators who believe they’ve gotten rid of the malware: they restart the machine once, they think they got rid of it, they plug it back into the network, they go sit back at their desk, they have a cup of coffee, and the user is calling them again: “My computer seems to be doing that thing again,” and they’re back to square one. You don’t want to go back to square one with this stuff.

It can be very stressful and time-consuming, so you want to make sure that you’re doing your due diligence and absolutely ensuring that you do a 100% test of that system to make sure that the malware has been dealt with.

System Scans and Updates


Upon completion of this video, you will be able to recognize the importance of regularly scheduled scans and updates.

  • recognize the importance of regularly scheduled scans and updates

So, you’re stepping through the process, and at this point you’ve identified the malware and you know what it is. You’ve quarantined the infected system and the files, you’ve deleted your restore points, and you’ve even remediated the system. So, the virus is no longer there.

It no longer represents a threat to your organization or to that system. Congratulations. Now, you may think your work is done, but unfortunately it is not. There’s still a lot of work that must go on in order to make sure that there’s a full remediation in place, so that the virus doesn’t find its way back onto the machine.

So, the next step is to schedule some scans and ensure that you’re running your updates on all your applications and on Windows, of course. At this point, the machine is safe to use, but you want to make sure you have some type of anti-virus system installed on it, and with that, you want to enable your scanning options. Oftentimes you’re going to have a couple of options. The first one is real-time scanning.

What this does is run in the background: it checks running processes, and it checks files when they’re being opened or executed, for any malicious code. If it finds any, it will disable or quarantine the file and send you an alert.

You can also do what is called a scheduled scan, where you schedule something more like a full system scan or a partial scan at specific times or intervals, usually outside of working hours, because scanning can slow down a machine. Today, you want to make sure that you’re employing both of these on a regular basis.

So, you want real-time scanning on 100% of the time, and you want to do your scheduled scans probably once a day, maybe twice a day, usually during lunchtime or after hours, so that the machine is getting scanned. And if a machine doesn’t get scanned for a while, you want it to let you know. If the machine is being turned off every day at 5 and your scans are scheduled for 7, chances are the scan won’t run very often.

So, if it’s not running, you want it to let you know, so that it will run for you at some point. For scanning, there are several different ways this can be configured, but typically it’s done within the anti-malware system itself or through the central management console for that anti-virus system.

If malware isn’t fully removed, it could block the update process for that anti-malware service or for Windows Update itself. So, you want to make sure that it is fully remediated, and you may have to copy the initial update for the anti-malware system over from a system that is in a good working state. This ensures that the machine is 100% up to date and can do what it needs to do to clean that virus out.

So, if you had a virus on a machine that stopped the anti-malware from doing an update, and you’ve cleaned up the virus but the anti-malware still can’t update, restoring the update from a healthy system can help make sure that the anti-malware starts doing updates on a regular basis again.

Now, there are different types of updates that you can have on a machine. The first one is your definition files. These typically tell the machine what to look for when it analyzes a file: is it doing this? Does it have this flag set?

These are your definition files, and they are typically used for heuristic analysis. Then you have the anti-virus engine update itself, because the anti-virus engine may not be good at finding a specific new type of malware, so the vendor may need to make changes to the engine itself in how it reads definition files or how it applies definition files against specific malware types.

You want to make sure that both of these are as up to date as possible. Thankfully, most organizations are going to have a centrally managed anti-virus solution. So, you’re going to go into your admin panel, and here you’re going to see all of the different systems that are out there, when they last did an update, what version of the software they’re running, and whether any updates are pending.

This allows you to push updates out to computers on an as-needed basis if they’re not getting them, or at least flags to you when a system is far outside of the expected time range for its updates. You want to make sure that your update frequency is defined within your company’s organizational policy, and you want it done as quickly as possible, because today malware variants are being released into the wild very frequently.

So, if your updates are done hourly, that’s fantastic. If your updates are done once a month by policy, that could be an issue. So, make sure it’s defined in policy how often updates happen, and make sure you have remediation steps in place in case an update isn’t being applied for some reason.

Thankfully, these centralized systems can also let you say what you want scanned on the system, so you can set policies around what’s being scanned. For example, if someone plugs in a USB stick, how do you want that to be treated? Do you want it scanned? Do you want to make sure that it is, one, encrypted and, two, then scanned?

These are things that you can set within your policies, typically within the anti-virus or endpoint detection and response administration panel. The same goes for email attachments or downloads from websites. You can make sure that you’re treating these in very specific ways based upon policy, so that it always happens 100% of the time.

This helps ensure that your organization is as safe as possible from having an endpoint infected with some type of virus; you don’t want a virus to sneak in through these methods, so you want to make sure scanning is happening across all systems 100% of the time.
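Everything this section describes (real-time plus scheduled scanning, pulling definitions from a healthy machine when updates were blocked, alerting on a stale machine, and scan policy for USB sticks, attachments and downloads) can be done on a single Windows endpoint with the built-in Microsoft Defender cmdlets. This is an added example, not course material; the scan hour, the staleness thresholds and the file-share path are assumptions.

```powershell
# Added example (not from the course): configure Microsoft Defender with the
# built-in Defender cmdlets the way the text describes, and flag a machine whose
# scans or definitions are stale the way a central console would.
# Run as Administrator. Times, thresholds and the share path are assumptions.

function Set-ScanPolicy {
    param(
        [int]$ScanHour = 12,   # assumed: a lunchtime scan, when the machine is usually on
        [switch]$FullScan      # default is a daily quick scan; -FullScan schedules a full scan
    )
    Set-MpPreference -DisableRealtimeMonitoring $false                  # real-time scanning on
    Set-MpPreference -ScanScheduleDay 0                                 # 0 = every day
    Set-MpPreference -ScanScheduleTime ('{0:00}:00:00' -f $ScanHour)    # local time of day
    Set-MpPreference -ScanParameters $(if ($FullScan) { 2 } else { 1 }) # 1 = quick, 2 = full
    Set-MpPreference -CheckForSignaturesBeforeRunningScan $true         # pull definitions first
    Set-MpPreference -ScanOnlyIfIdleEnabled $false                      # run even if the user is active
    # Entry points the course calls out: USB sticks, mail attachments, downloads
    Set-MpPreference -DisableRemovableDriveScanning $false
    Set-MpPreference -DisableEmailScanning $false
    Set-MpPreference -DisableIOAVProtection $false
}

# When a half-removed infection blocked updates, pull definitions from a share
# that a healthy machine has already populated (share path is an assumption).
function Update-DefinitionsFromShare {
    param([string]$Share = '\\fileserver\DefenderUpdates')
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $Share
    Update-MpSignature -UpdateSource FileShares
}

# Returns the findings a central console would flag: real-time protection off,
# no recent scan, or definitions older than policy allows.
function Test-ScanHealth {
    param(
        [int]$MaxScanAgeDays = 2,       # assumed policy: a scan must complete at least every 2 days
        [int]$MaxSignatureAgeDays = 1   # assumed policy: definitions no more than a day old
    )
    $s = Get-MpComputerStatus
    $findings = @()
    if (-not $s.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
    $lastScan = @($s.QuickScanEndTime, $s.FullScanEndTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $lastScan -or $lastScan -lt (Get-Date).AddDays(-$MaxScanAgeDays)) {
        $findings += "No scan completed in the last $MaxScanAgeDays day(s); last scan: $lastScan"
    }
    if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Definitions are $($s.AntivirusSignatureAge) day(s) old " +
                     "(signature $($s.AntivirusSignatureVersion), engine $($s.AMEngineVersion))"
    }
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
    else           { Write-Host 'Scan health OK: real-time on, recent scan, fresh definitions' }
    return $findings
}
```

Test-ScanHealth is the check to run (or schedule) on the machine whose scans keep getting skipped because it is switched off before the scheduled time.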

System Restore Considerations


During this video, you will learn how to identify when to enable System Restore and create restore points in Windows.

  • identify when to enable System Restore and create restore points in Windows

So, you’ve gone through and you’re up to step 6. You’ve identified the malware: you know what it is, you know what it can do, you know the typical steps that malware takes to infect a system, and you’ve quarantined that system.

You’ve made sure it’s not connected to the network, you’ve made sure all the files are safe, you’ve disabled System Restore and deleted all the restore points from that local machine so no one can accidentally restore the virus in the future, and you’ve remediated the infected system: cleaned up the registry, cleaned up all the infected files. You’ve done all of your scans and run all the updates on your anti-virus and on Windows. Everything’s up to date, every scan is clean, you’ve rebooted a few times, and everything’s looking good.

So, what is the next step? Now that you have a known good configuration, you want to create a backup at this point in time that you can use in the future. You don’t want the next Windows Update to crash the system and suddenly have you formatting the machine and reinstalling Windows, because you just went through all these steps to avoid doing that.

To do this, we enable System Protection. You go to your restore settings and turn on System Protection, which enables the capability of reverting the computer back to this point in time. This is found in System Properties on a Windows machine: if you hold down the Windows key and press the Pause/Break key, that should bring it up, and then you can view your advanced System Properties from there.

The idea here is that you’re creating a known good configuration backup so that, from here on forward, any changes the user makes to the machine that may potentially corrupt it can be rolled back to a known good state, so that you’re not deleting and removing files from that machine through a format.

You’re actually going to have all the data there, all the data intact. You’re just creating a restore point. To do that, you enable System Restore and make sure that the restore point is taken. So, launch System Restore and verify that the system has a known good configuration that it can restore to. That’s perfect.
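The same enable-then-checkpoint-then-verify sequence can be scripted so it happens the same way on every remediated machine. This is an added example, not course material: it uses the standard Windows PowerShell 5.1 cmdlets (Enable-ComputerRestore, Checkpoint-Computer, Get-ComputerRestorePoint) in an elevated session; the restore point description is an assumption.

```powershell
# Added example (not from the course): turn System Protection back on for the
# system drive, create the "known good" restore point, and verify it exists.
# Requires an elevated Windows PowerShell 5.1 session (these cmdlets are not in PowerShell 7).

function New-KnownGoodRestorePoint {
    param(
        [string]$Drive = 'C:\',
        [string]$Description = 'Known good - after malware remediation'   # assumed label
    )
    # Re-enable System Protection; the earlier step turned it off so the
    # infected restore points could be wiped.
    Enable-ComputerRestore -Drive $Drive

    # Windows skips a new restore point if one was created in the last 24 hours.
    # Setting the documented SystemRestorePointCreationFrequency value to 0
    # removes that minimum interval so this one-off checkpoint is not skipped.
    $srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    Set-ItemProperty -Path $srKey -Name 'SystemRestorePointCreationFrequency' -Value 0 -Type DWord

    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Verify: the newest restore point must carry our description.
    $latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
    if (-not $latest -or $latest.Description -ne $Description) {
        throw "Restore point was not created (latest: '$($latest.Description)')"
    }
    return $latest
}

# Show what the machine can now roll back to, the way the System Restore dialog does.
New-KnownGoodRestorePoint | Out-Null
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
```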

That’s exactly what you want, because at this point, you’re going to go and take that computer and go put it back into service. The user is actually going to start using this computer for daily use, and with that comes all sorts of craziness they may throw at it, and with that craziness could come potential problems. And so, by having that restore point, you know that you have something you can fall back on as an administrator, in case something goes wrong in that computer.

Now, you should still take restore points going forward, prior to doing a Windows system update or installing a new application; that’s just best practice, but you do have this one to fall back on until one of those events occurs. Now you’re saying, well, what if this is a non-Windows system? What if I’m running Linux? What if I’m running macOS?

What if this is a firewall or something? Well, you want to create a backup of the system from this point in time, and typically that’s going to come with some type of third-party solution or some type of built-in solution in Linux or macOS or in the actual hardware firewall itself.

A lot of systems will have the capability to generate their own backup, either into the system itself for System Restore or to a third party such as a network share or an additional drive where you can back that configuration data up. The reason you want this is because, if something goes wrong, once again, you do want to have something to fall back on.

No administrator wants to fall back on nothing. So you have it there in your back pocket in case something goes wrong: you can quickly restore, and you’re not running into an issue where your network or your users are down for an extended period of time. So even with non-Windows systems, make sure that you have some type of backup of a known good configuration that you can restore to.

This would be considered a general backup of the system, and oftentimes you’re going to have to use some type of third-party solution to do this. Even within Windows, you may want to look to a third-party solution, because you may want to manage this throughout the entire organization instead of having it be system-specific.

End User Education


After completing this video, you will be able to recognize the importance of educating end users on steps to prevent malware.

  • recognize the importance of educating end users on steps to prevent malware

So, by this point you’ve gone through and identified the malware: you know what it did, you know why it did it, you’ve quarantined the system, you’ve made sure that it wasn’t attached to the network, and you disabled System Restore so you couldn’t possibly restore the malware back onto that system accidentally in the future.

You’ve remediated the attack, gone through the registry, deleted all the files, and made sure that the system is not actively reinstalling the malware after reboot. You’ve gone through Windows Update and made sure everything’s up to date, you’ve gone through the anti-virus and made sure it is up to date with the most up-to-date definitions possible, and you’ve created a System Restore point for that computer, and you’re putting it back into use. You’re giving it back to the end user for them to use.

So at this point, your work is not done. There are still two steps: one that goes unnamed, and one that you have to take at this point. The one you have to take at this point is educating the user. Then there is step 8, which isn’t really listed here; technically speaking, I’d probably say there are 15 steps, because between every one of these steps is the step “document it” or “write it down”.

So the last step, of course, would be to document everything that happens, so that you know in the future how it was responded to and what the response was, in case it comes back; that way, you know what you did last time to resolve the issue. But at this point, you need to educate that end user so that they don’t just go open up the same email attachment they had opened four hours ago when they infected the system. So, how do you do that?

Really, the most important way you do that is by creating a culture of development within your organization, where users actively expect to have some type of education provided to them from the enterprise. You don’t want a situation where any type of end user education simply goes in one ear and out the other. You want it to be absorbed, and you want users to be used to getting this type of information not only from the IT department, but from the overall organization.

Then you can take on some coaching initiatives within the organization, to make sure that not only are you providing them with incident-specific education, but also ongoing education: one, reinforcing any previous education, and two, going through any new variants or new potential threats to the organization so that users are aware and know how to protect themselves and the organization.

Now, not every organization has the luxury of being able to pull everyone into a classroom once a week to go over the newest cybersecurity threats, so sometimes you have to rely on messaging for this. There are various forms that messaging can take that end users can quickly ingest and that will help them understand potential upcoming threats to the organization. The first one is posters, signs, and banners around the organization, reminding them to remain diligent in their email and web use, so that they know there’s potential for a misclick to create a catastrophic event for the organization.

You can also use login messages as a deterrent, so if someone accidentally opens up a machine they’re not supposed to log into, it lets them know that their activity is being logged, that it’s being monitored, and that if they’re using this machine without explicit permission, it could potentially result in their position being terminated.

You can also use message boards and emails, and these are not quite as effective as the other two, because a poster or a sign is very visceral. You have that in-your-face ability to get a message across very simply. A message board is often text-based, so it can be very lengthy, and unfortunately, not everybody wants to read about every cybersecurity breach or potential cybersecurity issue out there.

So, message boards are a great way to disseminate information, but you want to get into the practice of making it as concise as possible so that the end user can quickly absorb it and move on with their day. Now, there are some best practices for email requests that you can go over with end users, specifically if the malware variant came through email. The first one is to remind them never to reply to emails that are requesting financial or personal information with said financial or personal information.

Even if it looks like it’s coming from a trusted source, when you hit reply, the reply-to address may be set to something completely different. So, you want to make sure that users are practicing safe email usage as much as possible. This means not opening attachments or hyperlinks that come in a suspicious-looking email. If it’s suspicious, don’t open it. Forward it over to the IT department; the IT department will take a look and let you know.

“You know what? This is suspicious,” or “Yes, it looks suspicious, but it is actually from the trusted source, so please feel free to open it. It is legitimate.” And don’t provide PINs, passwords, access codes, or anything else over email in plain text that could potentially be used later, because that creates a record of it.

So if, as an attacker, I gain access to your email six months from now and download your mailbox, I can go through and see any passwords, PINs or access codes that were given to you over that time, and then use them in my own attack against the organization or against you later. Now, the education should also contain awareness for the users, reminding them of some basic things, like avoiding opening certain file types.