Ever since the first viruses were detected, there has been a constant debate over the most appropriate response to detected malware. Should security teams clean up the malware and move on, or format the hard drives and start over with a clean system? Both options have their place, and the right one for an organization depends heavily on the enterprise's risk tolerance, the type of system and many other factors.
This tip will explore the process of removing malware from client devices and potential best practices.
Process of removing malware from client devices
Malware appears to be becoming harder to detect and remove from client devices, but the fundamental issues have not changed. The questions of whether a system was infected, what the malware is, what it did, where it hid and whether it can be removed still remain. Rootkits in particular have been around since the 1990s and can burrow deep into the operating system to hide their activities. Malware has become harder to detect as malware authors make an effort to conceal their activities rather than announcing that they love you. Malware has also become more difficult to remove with the emergence of fileless malware, DLL injection and other advancements.
While the questions in the age of ransomware are the same, the risk of choosing the incorrect response has never been higher. If a system is infected with ransomware and the owner pays the ransom, it's possible the malware won't be removed and the criminal will come back to re-encrypt the data and ask for a new ransom. Even APT-style attacks could be persisting on a network if not completely removed from a compromised system.
One change is the depth of hardware infiltrations. If your enterprise is defending against state-sponsored attackers like the NSA, their hardware implants appear to be significantly more advanced than the attacks of the 1990s. The hardware implants have been accompanied by malware targeting firmware.
The security tools in the last 20 years have improved significantly. The standard install of most operating systems still needs additional security tools, but file integrity monitors like Tripwire, OSSEC and Samhain, as well as host-based intrusion detection system tools and whitelisting tools provide significant protection and visibility into files executing on a system.
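To show what the file integrity monitors named above actually do at their core, here is a minimal baseline-and-compare monitor. It is an added example written for this tip, not code from Tripwire, OSSEC or Samhain; the function names, the JSON baseline format and the directory tree built in demo() are all constructed for illustration. It records a SHA-256 digest and the permission bits of every regular file under a root, then reports files that were added, removed or modified on a later scan, which is exactly the visibility an incident responder needs when deciding whether a system can be cleaned or must be reimaged.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# Added example, not code from any of the named projects: a minimal
# file-integrity monitor that baselines a directory tree and reports drift.


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (path relative to root) to its digest and mode bits.

    Symlinks are skipped so an attacker cannot point a link at an unchanged
    file to make a replaced binary look clean.
    """
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root_path).as_posix()
        baseline[rel] = {
            "sha256": _digest(p),
            "mode": stat.S_IMODE(p.stat().st_mode),  # permission changes count as tampering
        }
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline; in practice keep this copy off-box or read-only."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return files added, removed, or changed (content or mode) since the baseline."""
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "modified": sorted(f for f in known & now if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, simulate post-infection
    changes (a patched binary, a dropped file, a deleted log), then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "log").mkdir()
        (root / "bin" / "app").write_bytes(b"original program bytes")
        (root / "log" / "audit.log").write_text("boot ok\n")
        (root / "etc.conf").write_text("setting=1\n")

        save_baseline(build_baseline(tmp), root / "baseline.json")
        baseline = load_baseline(root / "baseline.json")
        # The baseline file itself is inside the tree, so exclude it from comparison.
        baseline.pop("baseline.json", None)

        # Simulated tampering (constructed for the example).
        (root / "bin" / "app").write_bytes(b"original program bytes + injected code")
        (root / "bin" / "dropped.bin").write_bytes(b"unexpected new file")
        (root / "log" / "audit.log").unlink()

        current = build_baseline(tmp)
        current.pop("baseline.json", None)
        return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from demo() flags bin/app as modified, bin/dropped.bin as added and log/audit.log as removed. In a real deployment the baseline must be taken from a known-good image and stored where a compromised host cannot rewrite it; a monitor whose baseline lives on the infected disk can be silently re-baselined by the same malware it is meant to catch.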
Potential best practices for removing malware
Antimalware tool customers expect to receive instructions on removing malware, and most antimalware vendors provide some guidance. Some vendors even produce tools to remove specific pieces of malware like Microsoft's Malicious Software Removal Tool, Apple's antimalware functionality and others for Android/iOS, along with commercial tools. Every antimalware vendor will give some instructions on how to remove detected malware, so if a customer wants to try to remove the malware, they can do so. This has been true for as long as there have been antivirus tools. Enterprises that want to first try to remove malware should develop standardized procedures for helpdesk and incident responders to use when responding to a malware infection. This could include requiring password changes, using a limited admin account to investigate a system, offline investigation and more.
With the advancements in hardware implants and malware targeting firmware, it is even more difficult to determine if a system has been compromised. If your enterprise has been targeted with this level of attack, it may not be possible to recover the infected hardware. Even if an attacker isn't using this level of sophistication, it may still not be possible to fully remove malware, and the attempt may be a very time-consuming process. A complete reinstall may not even remove malware hidden in the boot sector of a hard drive, so a complete wipe of a system might be necessary before reinstalling or reimaging it. In the worst case, where the firmware is infected, it may be necessary to replace the hardware.
Developing an automated procedure for reinstalling an operating system is a best practice from a system deployment aspect, but also significantly aids in reinstalling a system after a malware infection. One reason why enterprises try to repair a system after a malware infection is because of the length of time it takes to rebuild a system. A completely automated reinstall could address this concern and is more secure.
One absolute best practice is ensuring proper planning for incident response. It is critical to know what tools can be used to monitor a system to detect suspicious activity on the system or on the network. These detection tools are critical for evaluating if a system is compromised. Using a host-based system or security monitor, like the previously mentioned file integrity monitoring or whitelisting tools, to monitor activities on the local system, as well as a network monitor from a separate system to monitor all network traffic, can identify any suspicious behavior. Your enterprise should determine which of these tools work best when establishing procedures.
Understanding the risk tolerance for an enterprise is critical to the efficient functioning of an information security program. It may not be possible to know exactly what happened on a malware-infected system even with careful monitoring of the system. An enterprise with a low tolerance for risk may want to require that a system is reformatted if suspicious activity is detected and an enterprise with a higher risk tolerance might find it acceptable for a professional helpdesk technician using approved procedures to remediate a malware-infected system when it doesn't have sensitive data.