This question, however, must be answered in two parts: detection and removal.
For detection, it is great to have antivirus in an enterprise environment running at regularly scheduled times, but it is not the only vector that should be used to identify malware. Regularly review IDS logs for indications of a network-level compromise. Finally, start a new regular activity with your security team in which egress and ingress points on the network perform a full packet capture for a specified amount of time. For large networks with high network usage, this may not be for very long. After capturing the traffic, have your team identify the different network connections and check to see if the connections are valid.
The idea is to find multiple points of detection that something is wrong in the environment. This includes antivirus running while the system is in normal mode. For this question, however, I would like to emphasize that some kernel-level rootkits can hide their existence from a running kernel.
Now regarding removal, some versions of malware, like Sality, remove the registry key that allows booting into Safe Mode. So Safe Mode is not always a safe bet. With some viruses or worms, booting into a Linux environment like Helix may be the best option because the Windows operating system can no longer be trusted. Finally, antivirus running in normal mode removes a vast number of malware, so it still has value to the enterprise.
Having multiple options that you and your team are trained in is the best option. Remain flexible, the attackers certainly are.
This was first published in October 2008