Defending Windows PCs Against Malware
Course Introduction
Hi, I'm Mike Halsey, and welcome to Windows Virus and Malware
Troubleshooting. In this course, I'm going to guide you through every aspect of
troubleshooting and removing viruses and malware from PCs. Additionally, we'll
cover other subjects, such as the different types of threats and how you can
mitigate them. So, let's spend a little bit of time just looking at what we're
going to cover. In the first module, we'll look at how you defend PCs against
malware. Now, this is going to include details of all the different types of
threats that are currently out there. Then, in module two, we'll look at the
resources and tools, both built into Windows and also from Microsoft and
third parties that are available to help remove them. And in the last module,
we'll go through a practical example of how you physically remove malware and
viruses from a PC. Now, there's something to note here, this course is for
three different Windows versions, Windows 7, Windows 8.1, and Windows 10. Now
generally speaking for this course, everything is the same, but there are
differences between the various operating systems, certainly in the security
features that they support. So, where there are differences between the
operating systems or where I'm doing a live demo in a particular operating
system, then these will be color coded, as you will see here.
Module Introduction
In this first module, we're going to look at the different
types of malware that can infect PCs and networks and how you can defend
against them. So let's have a look at what we're going to cover. We'll begin by
looking at all the different types of malware and virus attacks that are
currently in circulation around the world. Then we'll move on to the psychology
of malware attacks because malware infections don't happen in the way they used
to. Then we'll look at how you configure Windows Desktop Security to mitigate
against and defend against malware attacks, before moving on to specific features
in Windows that can help with your security, the first of which is Secure Boot,
and we'll look at Trusted Boot in there as well, and I'll explain to you what
these are. Then we'll look at how you browse the web securely, how you can use
best practices to make sure that you don't get infected, and then we'll round up
by looking at how you can restrict the surface for an attack on your PCs and on
your network.
Different Types of Virus and Malware Attacks
So let's begin by looking at the different types of malware
and viruses that can affect PCs, and we'll begin with viruses and worms because viruses and worms are the best-known types of malware out there. But
they are different from one another. Viruses will spread from one machine to
another via physical contact or sharing, such as being sent via email or
transferred on a USB flash drive. So, they spread very much in a way that a
virus in you or I will spread. Worms, on the other hand, will burrow from one
machine to another across a network, and they'll specifically move in that way,
although, obviously, the initial infection will come via sharing.
Viruses and worms will perform one of the actions, perhaps even more than one
of the actions described later in this section as I work through. Next up is
spyware. Now, spyware is probably the most innocuous form of malware. All it
does is store and transmit records of your activities online, and it
can be commonly used by advertisers and major web companies to track your
activities online to help sell you stuff. Next up is adware. Now, it's kind of
similar to spyware, it's very innocuous, and it only serves one purpose, and
that's to display adverts to you in the form of popup windows or through an
adware app plug-in, such as ads that will appear over later in your apps, and
so on. Then we move on to Trojans. Now, Trojans are a package that seems innocuous but carries a hidden payload. They're actually named for the
Greeks who gave a wooden horse to the Trojans in the city of Troy around the
12th century B.C. Now, the horse actually contained soldiers who escaped from
it in the middle of the night and opened the city gates so that an invading
army could come in. So, it's actually a Greek horse and not a Trojan horse, but
we'll skip lightly over that, history doesn't seem to mind. It will commonly
hide a keylogger, a bot, or a backdoor, all things that I'll talk about
shortly. And it'll often be disguised as something that you want, like a video
playback codec, a game, an app, a plug-in, or a document. Then we move on to bots. Now, we're getting more serious. Bots are usually found for sale on
the Dark Web. There are thousands, sometimes even tens or hundreds of thousands
of bots, each on an infected PC, that create a Botnet. Now, Botnets are used to
perform mass activities, like Distributed Denial of Service attacks, the sorts
of things that you tend to hear on the news bringing down major websites or
major companies. Other activities performed by Botnets include the mass sending
of spam or phishing emails, you may even have read or heard about times when
Microsoft or other companies have taken down a Botnet, and as a result, the
global levels of spam for a few days or a few weeks have dropped by as much as
a third. Bots can also contain additional payloads, such as a keylogger or a
backdoor, so they are very serious malware types. Then we move on to Rootkits,
we're getting really serious now. Rootkits and Bootkits attempt to gain control
of the PC's Boot Sector, and install themselves there. Now the reason they do
this is because they can hide from security and anti-virus software,
they can load your operating system in a virtual environment in a Hypervisor or
by patching an API in Windows that's got an exploitable vulnerability in it.
From that place, they can do whatever it is they want to do, they have complete
control of your PC, and there's pretty much nothing your security software can
do about it. Then we have backdoors. Now, backdoors offer similar functionality
to remote desktop and remote support software in that they allow people complete,
unfettered, unrestricted access to a PC. Once access has been granted, all
the files, documents, and resources are available to the criminal, including
your hardware, as well, such as your webcam and your microphone. And lastly, we
come to ransomware, by far the nastiest form of malware currently available and
caveating currently, because you never know what might appear in the future. It
encrypts all your files and documents and demands that you pay a ransom,
usually in Bitcoin, the online currency, to unlock it. The unlock package will
commonly contain an additional malware payload, you can kind of expect that.
And thousands of major businesses, organizations, academic institutions, health
services, and more around the world are hit every single year, and a
great many of them secretly pay the ransom because of the embarrassment it can
cause, and because it can cost an awful lot more money to manually decrypt the
files than to pay for the unlock package.
The Psychology of Malware Attacks
So, what is the psychology of a malware attack? How does
malware get onto a PC? Well, in the early days of viruses and malware, it was
fairly simple and straightforward. They would get on through physical media or
through sharing, such as being transferred onto a PC via a CD or a DVD or a
floppy disk, if you remember those, I do, they were lovely, I remember the big
5 and 1/4, and anyway, I digress, or USB flash drive or they're shared via an
email, and they're commonly embedded in applications or in docs, Adobe PDF
files were notoriously for many years a common way of spreading malware. Now,
things have moved on, because security on PCs and security in Windows is
significantly better than they used to be. Features such as User Account Control
can block malware dead in its tracks. So, these days, criminals are trying to
trick users into installing the malware themselves by clicking through that
User Account Control prompt. They're trying to lull the user into a false sense
of security. Now they commonly do this as I've mentioned by trying to disguise
the malware as something that the user actually wants or needs, a video codec,
a game, an app, or something else that they absolutely must install. Now, you
might say, okay, well, just tell people not to click on things. However, most
computer users are not really technically minded, so they might not know
this. Now, what you need here is something called Security Awareness, and this
is going to be a company or organization-wide policy of training to inform people
of the types of threats, how they propagate, and what is and is not
safe to click on. So, you'll have the IT Department, who are obviously in this
case Star Wars fans, and they will propagate this knowledge down to the
employees throughout the company, throughout the organization, and this is
everybody from the people who are on the minimum wage or the cleaners who need
to use IT systems, maybe right up to the director and board level, because don't
assume for a moment that the more somebody gets paid the more intelligent they
are, and these are people who use computers, and the criminals are incredibly
adept and incredibly clever at tricking people into installing malware. So,
company-wide training is definitely extremely important.
Configuring Windows Desktop Security
Obviously, the first line of defense when you're trying to
protect your PCs and your network from viruses and malware is the Windows
Desktop Security, but this is going to vary from one version of Windows to
another. So, we'll look at what's available on the Windows desktop. But before
we do that, I want to look at organizational-level security. Now, I was talking
about security awareness, and organizational-level security is very similar, it
is a proper organization-wide security policy. So, it's a clearly defined,
easy-to-follow set of on and off-premises policies, and it will cover things
such as data protection, privacy, file and data storage, file and data
transport, and that's going to include things like laptops, and tablets, and smartphones
that may have data, or say, USB flash drives, removable and portable media,
again, flash drives, external hard drives, DVDs if you still use them in the
company, encryption, biometrics, password enforcement, bring your own device
access if you're in a company or an organization that allows people to use
their own PCs because you have really no control over security on people's own
PCs unless they're managed properly in a BYOD environment, and also guest
device access for people who are visiting your company's premises and what
they may or may not be able to get access to. Now, when it comes to the actual
features within Windows, you've got various options available to you. Now,
you'll see here listed for Windows 7, Windows 8.1, and Windows 10 what's
available in each version of the operating system, such as the Security Center,
which we'll look at shortly, is available in all of the Windows versions.
Windows Defender is built into Windows 8.1 and Windows 10, but it's an
optional download in Windows 7, that's the Microsoft antivirus package. Windows
Defender Offline, if you've already been infected, is available as a download
for Windows 7 or 8.1, but it's actually built into Windows 10, which can make
malware removal easier. The Firewall, the Advanced Firewall, and User Account
Control security, that's built into all versions. SmartScreen is a feature for
blocking malicious downloads from the internet, it's built into Internet
Explorer and the Edge browser, but it's not available in Windows 7. And the Malicious
Software Removal Tool built into Windows 10 comes down via Windows Update in
Windows 7 and Windows 8.1. Obviously you must keep PCs patched
and updated all the time. Then we get into some of the security features I'll
detail shortly, Secure Boot and Trusted Boot. Now, these were only introduced
with UEFI firmware on PCs, they're not available with older BIOS firmware, so
they're not supported by Windows 7, because Windows 7 came out at a time before
UEFI was ratified. App Containers is a way to virtualize your apps to
completely seal them off from the rest of the operating system and other apps in
their own area of memory. There is limited support for this in Windows 8.1
through the store. In Windows 10, there is a lot of support for App Containers,
and it's being expanded all the time. Windows 8.1 and Windows 10 also include
a feature called Early Launch Anti-Malware. This makes sure that your
anti-virus package starts early on in the boot process so that you have maximum protection. And then there are Mandatory Security Updates. Now,
Security Updates are mandatory in all versions of Windows 10, but Windows
Update in Windows 7 and Windows 8.1 is much more flexible, and that does
greatly increase the surface for attack.
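To turn the feature list above into something you can check on a real PC, here is an added PowerShell audit script; it is not part of the course and not Mike Halsey's code. It reads the User Account Control policy values, the Windows Defender status, the firewall profiles, the SmartScreen setting and the date of the newest installed update on a Windows 8.1 or Windows 10 machine. Get-MpComputerStatus and Get-NetFirewallProfile do not exist on Windows 7, so the script reports that rather than failing. Run it from an elevated prompt.

```powershell
# Added example, not from the course: audit the desktop security features the
# module lists. Written for Windows 8.1 / Windows 10; cmdlets missing on older
# Windows are reported rather than assumed. Run from an elevated PowerShell prompt.

function Get-DesktopSecurityStatus {
    $result = [ordered]@{}

    # User Account Control. EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0
    # means administrators are never prompted, which removes the "click through" step
    # that blocks malware in its tracks.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $policy
    $result.UacEnabled       = ($uac.EnableLUA -eq 1)
    $result.UacPromptsAdmins = ($uac.ConsentPromptBehaviorAdmin -ne 0)

    # Windows Defender (built into 8.1/10; Get-MpComputerStatus is absent on Windows 7).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $result.DefenderRealTimeOn   = $mp.RealTimeProtectionEnabled
        $result.DefenderSignatureAge = "$($mp.AntivirusSignatureAge) day(s)"
    } else {
        $result.DefenderRealTimeOn = 'Get-MpComputerStatus not available on this Windows version'
    }

    # Windows Firewall: the Domain, Private and Public profiles should all be enabled.
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
               Select-Object -ExpandProperty Name
        $result.FirewallProfilesOff = if ($off) { $off -join ', ' } else { 'none' }
    } else {
        $result.FirewallProfilesOff = 'Get-NetFirewallProfile not available (use netsh advfirewall show allprofiles)'
    }

    # SmartScreen for downloads and apps. Typical values: Off, Prompt, RequireAdmin (8.x), Warn (10).
    $explorer = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                                 -ErrorAction SilentlyContinue
    $result.SmartScreen = if ($explorer.SmartScreenEnabled) { $explorer.SmartScreenEnabled } else { 'not configured' }

    # Patch level: date of the newest installed update. A stale date means Windows Update is off or failing.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $result.NewestUpdateInstalled = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }

    [pscustomobject]$result
}

Get-DesktopSecurityStatus | Format-List
```

Each line of the output maps to one row of the feature table: a False for UacEnabled or a profile name under FirewallProfilesOff is a finding, and a DefenderSignatureAge of more than a day or two on a machine that is online means updates are not arriving.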
Using Secure Boot and Trusted Boot
Now I talked a little while ago about 2 security features in
Windows 8.1 and Windows 10 called Secure Boot and Trusted Boot, so let's have
a look at what these are in more detail. Now, Secure Boot is a system that's
built into UEFI firmware systems, and it verifies that the UEFI firmware is
digitally signed so that the firmware has not been tampered with or modified
by malware. It then queries the digital signature of the Boot loader. It checks
that it matches a cryptographic signature that's stored within the firmware
itself. Now, this helps ensure that the Boot loader has not been modified by
malware. It's kind of like a checksum that you would use to confirm that a
download has been completed successfully and the file is intact and isn't corrupt in
some way. Then if both signatures match, the operating system is then permitted
to load. Now, Secure Boot is required on all PCs shipping with Windows 8.1 and
Windows 10 from Microsoft OEM partners. Now, these obviously are the big
players, Dell, Lenovo, HP, Samsung, and the like, or other companies that get
OEM editions of Windows to preinstall on PCs. Custom PCs, some business PCs, and PCs from small businesses, for example, they may not come with Secure Boot
support or with Secure Boot enabled, so it's well worth checking when you're
buying new PCs whether there is support for Secure Boot and whether Secure Boot is enabled on
those PCs when they're delivered? Now, some UEFI systems support disabling Secure Boot in the firmware. Now, why would you want to disable
Secure Boot? Well, you might want to install Windows 7 in a dual boot scenario,
which doesn't support Secure Boot, and as a result, if you have Secure Boot
turned on, and you want to install an operating system that
doesn't support Secure Boot, then that operating system will not start at all,
so you'll need to disable Secure Boot in the firmware. So if you need to do
that, then check before you buy the machine that Secure Boot can be disabled,
because it can't always be. Now, some, not all, but some, the big ones, anyway, of
Linux distros, do support Secure Boot. And check the website for the distro you
wish to install, Red Hat and Ubuntu and the big distributions do tend to
support Secure Boot. Or additionally, some UEFI firmware systems allow you to
mark a non-Secure Boot OS as "safe." Now, this means that you can
have Secure Boot enabled on the PC and still dual boot into an operating system
like Windows 7 or a non-Secure Boot edition of Linux, and again, it's something
that you want to check before you buy the PC. Now, next up is to talk about
Trusted Boot. Now, Trusted Boot takes over when the operating system has
begun to load, and it performs a few actions. First of all, it checks the OS
Kernel. Now, a kernel is the core operating system files, and it checks all
other operating system components, drivers, start-up files, Early Launch
Anti-Malware, say, your anti-virus package, to see if anything has been
modified, it uses this checksum approach to see if anything has been modified.
So if a component has been modified, even if it's just become corrupt, then it
will not be permitted to start, it won't be permitted to load, and then Windows
has an automatic system repair feature that will operate in the background that
will attempt to repair the damaged or modified component in the background, but
in the interim that won't be permitted to load.
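The section recommends checking whether Secure Boot is supported and enabled on the PCs you already own; here is an added PowerShell script for that, not from the course. It uses the built-in Confirm-SecureBootUEFI cmdlet, which ships with Windows 8 and later, returns $false when the firmware supports Secure Boot but it is switched off, and throws on legacy BIOS firmware. The fleet function assumes PowerShell remoting is enabled on the target machines and the hostnames in it are placeholders.

```powershell
# Added example, not from the course: report firmware type and Secure Boot state.
# Confirm-SecureBootUEFI ships with Windows 8 and later; it throws on legacy BIOS
# firmware and is absent on Windows 7. Requires an elevated prompt.

function Get-BootSecurityStatus {
    $status = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        # Windows 8+ sets firmware_type to 'UEFI' or 'Legacy'
        FirmwareType = if ($env:firmware_type) { $env:firmware_type } else { 'unknown (pre-Windows 8)' }
        SecureBoot   = 'unknown'
    }
    if (-not (Get-Command Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)) {
        $status.SecureBoot = 'cmdlet not available (Windows 7 or earlier)'
        return [pscustomobject]$status
    }
    try {
        # $true when Secure Boot is enabled in the firmware,
        # $false when the PC supports it but it has been switched off
        $status.SecureBoot = if (Confirm-SecureBootUEFI) { 'enabled' } else { 'disabled' }
    } catch {
        # Raised on BIOS/legacy boot systems ("Cmdlet not supported on this platform")
        # or when the prompt is not elevated
        $status.SecureBoot = "not supported: $($_.Exception.Message)"
    }
    [pscustomobject]$status
}

# Fleet check over PowerShell remoting (assumes WinRM is enabled on the targets and
# you have administrative rights there). The hostnames are placeholders.
function Get-FleetBootSecurityStatus {
    param([string[]]$ComputerName = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02'))
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-BootSecurityStatus} |
        Select-Object ComputerName, FirmwareType, SecureBoot
}

Get-BootSecurityStatus
```

A PC that reports FirmwareType UEFI and SecureBoot disabled is the case the section describes as worth fixing in the firmware settings; one that reports Legacy cannot be fixed in software and goes on the list for replacement.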
Browsing the Web Securely
So, we know that most malware is distributed via the
internet. So, if you're going to be training people in best practices and how to
use the internet, how to use the web securely, what information are you going
to give them? Well, we'll begin with the rule that you must never click
anything, anything at all, just because an app or a website has asked you to do
so, no matter how polite it may seem, no matter how innocuous it may seem.
Perhaps it's just a cat video that has been recommended, but it requires a
codec to play it-- that's guaranteed to be malware. So, never download
anything unless you have specifically gone to a website to look for that
download, and even then, check it with your virus scanner when you do so. Now,
in all browsers, here we've got Internet Explorer, Edge, and Google Chrome. The
address bar or part of the address bar will turn green when a website is known
to be safe, and a little padlock will appear. Now you can click on the padlock
as you can see in these images to bring up security information about that
site, so you can check whether the security certificate for that site matches the
website you're visiting. Now, I've included Microsoft Edge, here, but it's not
available in all Windows versions, it's only available in Windows 10. It is
significantly more secure than Internet Explorer could ever hope to be, but if
you want, Google Chrome is available for all supported versions of Windows as a
download. Now passwords are extremely important, and here is a list of the 25
worst passwords in the world. Do you recognize any? Do you even use any? These
are the most guessed, most used, most insecure passwords that exist today. Do
not use these. If you know anyone who does use these, then please encourage
them not to. But let's have a look at how we create a secure password. Now here
we have a really insecure password, and we're going to make it more secure. Now
there are several ways to do this. We can substitute capital letters for
lowercase letters, we can substitute some numbers for letters, you will see 5
looks vaguely like an S, a 3 can look vaguely like an E, a 0 can look vaguely
like an O, and so on. We can make it more secure still by using symbols. So
here I've got a couple of sets of brackets instead of an O. It still looks like a password, but you're making it much more secure. It's not completely secure
yet, though. It needs to be longer, and longer passwords are definitely more
secure and a more secure way to go. So here we have a secure password, it's got
some numbers and symbols in it, but it's not as secure as we want it to be yet.
It's more secure now because we've put more randomness into it. You'll see
here it's difficult to actually read now, it's getting hard to read. But we can
make it more secure still by making it longer. Perhaps you might want to use a
phrase as the basis for your password, rather than a word itself. Finally, you
can make the password unique. Now you'll see here, I've appended it to the end of
the password, or you can put it at the beginning or even in the middle,
something unique to the website or the service you're going to use that
password for, so here we've got a unique password for PayPal, and that means
that if this password is stolen, it can't be used anywhere else, because it is
only used on PayPal. The final rule, though, is always use two-factor
authentication if it is available. Now, two-factor authentication is supported
by all the big companies, and it will allow you to use your smartphone or email
or another device, such as a security dongle from your bank, to authenticate
that it is actually you who is trying to log onto a service. So, if two-factor
authentication is available, it will massively increase your security for any
website or service.
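The password advice above (longer is better, mix character classes and symbols, avoid the well-known bad passwords, and add something unique per site) can be checked mechanically. Here is an added PowerShell checker that is not part of the course. The course's list of the 25 worst passwords is not reproduced on this page, so the short list in the script is a constructed sample; the scoring thresholds and the entropy estimate are the example's own choices, and the checker undoes the digit-for-letter substitutions the section mentions before comparing against the list, so a substituted variant of a bad password is still caught.

```powershell
# Added example, not from the course: score a password along the dimensions the
# section discusses (length, character classes, substitutions, known-bad words).
# The bad-password list here is a constructed sample; load a full list in practice.

$WorstPasswords = @('123456', 'password', '12345678', 'qwerty', 'abc123',
                    'football', 'letmein', 'monkey', 'welcome', 'admin')

# Digit/symbol-for-letter substitutions mapped back, so "P4$$w0rd" is compared as "password"
$Substitutions = @{ '4'='a'; '@'='a'; '3'='e'; '1'='i'; '!'='i'; '0'='o'; '()'='o'; '5'='s'; '$'='s'; '7'='t' }

function Get-NormalizedPassword {
    param([string]$Password)
    $p = $Password.ToLowerInvariant()
    foreach ($k in $Substitutions.Keys) { $p = $p.Replace($k, $Substitutions[$k]) }
    $p
}

function Test-PasswordStrength {
    param([Parameter(Mandatory)][string]$Password)

    # Count the character classes in use (lower, upper, digit, symbol)
    $classes = 0
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }

    # Rough entropy estimate: log2(alphabet size) * length, assuming random choice
    $alphabet    = @{1 = 26; 2 = 52; 3 = 62; 4 = 94}[$classes]
    $entropyBits = [math]::Round([math]::Log($alphabet, 2) * $Password.Length, 1)

    # Dictionary check on the de-substituted form; also catch "Password123!" style padding
    $normalized      = Get-NormalizedPassword $Password
    $onBadList       = $WorstPasswords -contains $normalized
    $containsBadWord = [bool]($WorstPasswords | Where-Object { $normalized -like "*$_*" })

    $verdict = if ($onBadList -or $containsBadWord) { 'reject: built on a known-bad password' }
               elseif ($Password.Length -lt 12 -or $classes -lt 3) { 'weak: use 12+ characters and at least 3 character classes' }
               elseif ($entropyBits -lt 60) { 'fair: make it longer, a phrase works well' }
               else { 'strong' }

    [pscustomobject]@{
        Length           = $Password.Length
        CharacterClasses = $classes
        EntropyBits      = $entropyBits
        Verdict          = $verdict
    }
}

# Sample inputs (constructed): a bad password, a substituted version of it,
# and a phrase with symbols plus a site-specific suffix as the section suggests
'password', 'P4ssw0rd!', 'MyHous3Is()range&Blue-paypal' | ForEach-Object { Test-PasswordStrength $_ }
```

The first two samples are rejected because both normalize to a word on the list, which is the point of undoing the substitutions before the lookup; the third passes on length and variety alone.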
Restricting the Surface for Attack
As an IT pro, you're going to want to mitigate against risk.
You're going to want to reduce or restrict the surface for malware to attack
your PCs and your networks. And given that you can't assume that users will
never click on anything they're not supposed to, what else can you do at your
end? Well, let's have a look at some of the things you can do. Firstly, only
give users or people access to the documents and files and resources they
absolutely need, because firstly, if you give them access to something they
don't need, then there may be something in it that they're not supposed to see,
or they might not use it anyway, but if they do get malware on their PC and it
wants to spread across the network, it will spread to all the network resources
on all the other PCs and all the document stores that they have access to. So,
restricting that surface for the attack is the best place to start. Make sure that
all your files and crucially all your customer and other financial data are encrypted at all times. If that data is stolen and it is unencrypted, you can
be in serious trouble. So, always keep data encrypted. Make sure you have a thorough
backup routine for onsite backups with version control, so people can roll back versions of files if they make a change they didn't mean to, and offsite and
cloud backups. Make sure that backups take place at different times and on
different schedules. Now, this is because of the threat of ransomware. If you
have a backup that takes place every day or every two days, then when you get a
ransomware attack, and I sincerely hope you don't, the chances that you will
have an unencrypted backup you can roll back to are very low. If you have other
backups taking place at different times, maybe once a week, or once every three
weeks, then it increases the chance that you'll have a backup that you can roll
back to, even if you'll lose a little bit of work or lose some modifications
and new files. So, that's very important. And always keep your PCs and device
firmware updated at all times. Make sure that Windows Update is activated at
least for security and stability patches on PCs to reduce the risk of malware
infection. Next up, consider the avenues for attack. Do you have IoT, Internet
of Things devices, on your premises, because all of these are connected to the
internet, and they're connected to your router, and therefore all of them
potentially, if they have insecure firmware, can be used as an avenue for an attack into your system? Also, what username and password does your router use?
Please don't tell me it's admin and admin, that would be horrible. Create a
guest Wi-Fi network, you can do this at home as well so that visitors to your
organization can get internet access, but not network access, because you don't
know if the laptop, tablet, or even smartphone that they're bringing in has got
malware already on it that's going to want to propagate. You can use Group
Policy on PCs in Windows Pro and Enterprise to determine what people can
download, share, and transfer to mobile devices. You can restrict copying files
to removable storage, such as DVDs and USB flash drives, for example. But
crucially, and above all else, never, ever assume that anything is secure ever
at any time. In fact, there's a great quote of "Plan for the worst and
hope for the best," but I prefer this one, this is a quote from science
fiction author Douglas Adams, of the famous "Hitchhiker's Guide to the
Galaxy," who wrote in his book "Mostly Harmless" in 1992,
"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete fools."
And I think this is a great quote, it sums things up brilliantly on how
you can keep yourself, your documents, and your data safe from malware.
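The first recommendation in this section, give people access only to what they need because malware on one PC spreads to every share that user can write to, is something you can audit on a file server. Here is an added PowerShell script for that; it is not from the course. It lists the non-administrative SMB shares on the local machine where a broad group such as Everyone, Users or Authenticated Users holds Change or Full access. It needs the SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt, and the list of "broad" principals is the example's own and should be extended for your domain.

```powershell
# Added example, not from the course: list SMB shares on this machine where broad
# groups hold Change or Full access. Those are the document stores that malware on
# any one user's PC can reach, so they are the first place to tighten. Needs the
# SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt.

# Principals that amount to "everyone on the network"; extend for your domain.
$BroadPrincipals = @('Everyone', 'Users', 'Authenticated Users', 'Domain Users')

function Test-IsBroadPrincipal {
    param([string]$AccountName)
    foreach ($p in $BroadPrincipals) {
        # Account names come back as e.g. "BUILTIN\Users" or "NT AUTHORITY\Authenticated Users"
        if ($AccountName -eq $p -or $AccountName -like "*\$p") { return $true }
    }
    return $false
}

function Get-OverexposedShares {
    # Special = $true marks administrative shares (C$, ADMIN$, IPC$), which are skipped
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.AccessRight -ne 'Read' -and
                (Test-IsBroadPrincipal $ace.AccountName)) {
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $ace.AccountName
                    Right   = $ace.AccessRight
                }
            }
        }
    }
}

Get-OverexposedShares | Format-Table -AutoSize
```

Each row is a share that every user, and therefore every infected user PC, can write to. The fix is to replace the broad entry with a specific group (Revoke-SmbShareAccess and Grant-SmbShareAccess do this from the same module), remembering that share permissions are only one layer and the NTFS permissions on the folder need the same treatment.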
Summary
So let's summarize what we've covered in this module. You
need to be aware of the psychology of attack and how criminals and malware writers
will try and trick users into installing malware by disguising it as something
innocuous or as something the user wants, such as a video playback codec or a
game. You need to set up Security Awareness Training within your company or
organization. This makes sure that everybody is aware of the dangers and the
risks and they know how to keep the company and the company's data safe. You
also need to set Organizational Level Security Policies. Now, these will cover
everything from encryption to file transfer and mobile data and passwords. You
need to make sure really ideally that your PCs are using Secure Boot. You may
have PCs in your organization that don't, but when those PCs are
eventually retired and replaced, Secure Boot can really help mitigate against
malware attacks. Make sure you have an appropriate backup policy for your files
and your data as appropriate because you need different tiers of backup in
different locations and different schedules to effectively defend against
ransomware. Make sure you have strong password policies enforced in the
company because this can definitely help, and also make sure that people use
two-factor authentication where it is available. Only give people access to
what they actually need. Visitors to your organization don't need access to
your network, and quite apart from the fact that you have no idea if they have
malware infections on their devices. And always plan for the worst and hope for
the best. Never assume that anything is safe or secure ever at all because
complacency is your worst enemy.
Malware and Virus Resources and Tools
Module Introduction
While there are a great many features and utilities
available within Windows itself, in all versions of Windows, to help defend
your PC against malware and to keep it secure, there are a great many
third-party tools available and additional tools from Microsoft, and I wanted
to in this module go through what's available. So, let's have a look at what
we're going to cover. We'll begin by looking at the Microsoft Sysinternals
suite, and specifically at the two most useful tools when it comes to finding
and removing malware. Then we'll look at what else is available from Microsoft
and how it might be useful to you before moving on to look at third-party tools
and utilities. Now, there is a caveat with this. And that is that all tools and
utilities that are listed could be updated, and probably will be updated, on a
periodic, regular, or semi-regular basis. Some tools could even be
withdrawn in the future. This means that you should keep up-to-date with what's
available. You can go to the Microsoft Security website that I'll detail
shortly, or you can go to the third-party security vendors’ websites and keep
up-to-date with the tools they have available. With that in mind, let's press
on.
Microsoft Sysinternals Suite
Microsoft Sysinternals Suite has long been a go-to set of
utilities for troubleshooting and repairing issues with Windows. But two tools in particular are invaluable in removing malware from the PC,
and we'll actually see them in use in the next module. Now, you can download
the Sysinternals Suite from the Microsoft website, you'll see the address here,
Technet.Microsoft.com/Sysinternals. There are a huge number of tools
available, and there are all manner of things that they can do. But let's
concentrate on the two most useful tools for removing malware from a PC.
Using Microsoft Process Explorer
The first tool I want to look at is Process Explorer.
Process Explorer is an invaluable resource for finding information about
processes that are running on your PC, including their Registry keys and the
resources that they're using, everything about them. So let's have a look
around it. Okay, so here we are in Process Explorer, and you'll see there's a
list here of every running process on the PC, and many of them color-coded. And
it's not immediately obvious what the different colors are, but if you go into
the Options menu and go into Configure Colors and select that option, then a
dialog will appear showing you what the different colors are. So you can see
that pink is Services, purple is Packed Images, this cyan is Immersive
Processes, and so on. So you can check, and you can change the colors if you
want, especially useful for colorblind malware troubleshooters. Now,
additionally, under the View menu, there is a System Information option, and if
you click this, then a window will pop up showing you real-time information
about what's happening with the Graphics Processor, the networking, your memory,
your processor, and an overall summary of what's going on with the PC. This can
be useful just to show you that it's there. Now, when you click on something,
let's click on this RuntimeBroker.exe, and it'll bring up a great deal of
information about it, including all the DLLs, dynamic link libraries, that that
executable is hooked into. So you can see you can get really detailed
information about a running process. If you double-click on it, you can get
more information. It'll show you the file location for the program on your hard
disk, whether there are any command-line switches that it's being run with,
whether it's set to automatically start with Windows, and so on. You have
performance information on what it's doing, what it's using with your processor,
virtual memory, physical memory, and so on. And there's also more information
here, such as the processor threads it's using, and networking it's using, what
its security settings are, and you can click the Permissions button to change
the security permissions for that process, what environment variables it has or
is hooked into, and so on. There is a huge amount of information here. There's
also a Kill Process button that you can see there to provide more information.
So that is briefly Process Explorer. We're going to actually use it in the next
module to remove some malware.
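The questions you ask in Process Explorer (what is this process, where does its image live, what started it, what command line is it running with) can also be answered from PowerShell, which is useful on a machine where you cannot copy Sysinternals over yet. Here is an added script that is not from the course; it walks the process list via CIM, pairs each process with its parent, and flags images that run from user-writable folders. The folder pattern is the example's own heuristic: a hit is a reason to look closer, not proof of malware, since some legitimate updaters live under AppData and ProgramData too.

```powershell
# Added example, not from the course: the triage Process Explorer makes visual,
# done from PowerShell. Lists every process with parent, image path and command
# line, flagging images that run from folders any user can write to.
# Uses CIM (PowerShell 3.0 and later); run elevated to see other users' processes.

# Folders any user can write to; an image running from here deserves a closer look.
# This is a hint, not proof: some legitimate updaters live under AppData and ProgramData.
$SuspectPathPattern = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'

function Get-ProcessTriage {
    $procs = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byId[$p.ParentProcessId]   # $null if the parent has already exited
        $path = $p.ExecutablePath             # $null for protected/system processes
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                          else { "<exited> ($($p.ParentProcessId))" }
            Path        = $path
            CommandLine = $p.CommandLine
            Suspect     = [bool]($path -and $path -match $SuspectPathPattern)
        }
    }
}

# Flagged processes first, then the rest grouped by parent so the tree is readable
Get-ProcessTriage |
    Sort-Object @{Expression = 'Suspect'; Descending = $true}, Parent |
    Format-Table PID, Name, Parent, Path, Suspect -AutoSize
```

Reading the output the way you would read Process Explorer's tree: a process whose parent has exited, whose image sits in a temp folder, or whose command line does not match what the name suggests is the one to double-click on in Process Explorer and, as the next module shows, to kill and then trace back to its startup entry.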
Using Microsoft AutoRuns
The next tool I want to look at is AutoRuns. Now, you might
think when you look in the Task Manager at the Startup Programs list in Windows
8.1 or Windows 10 or when you look in the MSConfig panel in Windows 7, you
might think that there is a lot of startup software running on your PC. You
have no idea how much starts with your PC, and AutoRuns gives you full
information about it. Okay, so here we are in AutoRuns, this is actually my own
PC, so you can see everything that starts on my PC when I turn it on, and it's
a very extensive list, everything here. Now, some things are even hidden. You
can see here options to hide or unhide Microsoft and Windows entries. If I
unhide the Windows entries, then there's even more that appears in the list,
but we'll hide these for now. Now, these are broken down into a list of
Services, a list of Drivers, a list of Audio and Video Codecs, and more besides.
There are all manner of different things that start. And you'll see they're
broken down here into categories, so these are all the registry entries under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and you can
double-click on one to open the Registry Editor with that particular key so
that key can be edited, or you can just disable things. Now, one of the
advantages of disabling things in AutoRuns is that they stay there so that
they can be re-enabled if you later discover that you've disabled something
that you shouldn't have done, but there's plenty of information on things as
well, you can search online for information about specific things, you can open
Process Explorer to get more information about it, you can open its Properties
Panel to get more control of it there as well. And we're going to look at
AutoRuns in a live demonstration of removing malware in the next module.
Other Microsoft Tools and Resources
In addition to the Sysinternals Suite, Microsoft provides a
large number of valuable tools and resources that can be useful for everything
from diagnosing and repairing general PC problems to helping with
malware. And I just want to take the opportunity to make you aware of what it
is that's available. Now we'll begin with the Microsoft Malware Protection
Center, and this is a website you really ought to bookmark and visit on a
semi-regular basis. It's a free online resource of links, downloads, and information about defending your PCs against malware and defending your
networks against malware. It's always kept up-to-date with the latest
information. You'll find really useful links there through to, for example,
tools to help you decrypt your files if you've been attacked by ransomware and
so on. So, that's well worth bookmarking. Next up is the Microsoft Baseline
Security Analyzer. Now, this is a tool that can detect security vulnerabilities
on individual PCs to help you identify where there are flaws. You can download
it from the address you'll see here, and it's a very good way of being able to
just assess your PCs for how secure they really are. The Malicious Software
Removal Tool comes down regularly as part of Windows Update, assuming you have
Windows Update turned on and the download is coming down automatically, which
you really should because there are huge security implications if you don't.
However, you can also download it manually yourself from the address you see on
your screen now. And it is the first line of defense against the latest threats
when a PC is infected, so if you do get a virus infection, always download the
latest version of it. Now, Windows Defender Offline: you might be aware that
Windows Defender is the free antivirus software that comes bundled with Windows
8.1 and Windows 10. Now there is an offline version that can be run from a
bootable CD, DVD, or USB flash drive that you can download, and it will work in
Windows 7, Windows 8.1, and Windows 10. There is a caveat with this: it is
actually built into Windows 10, and you can run it from the Settings app, but
only if you are actually using Windows Defender as the antivirus package on
that PC. If you are not using Windows Defender, if you're using a third-party
antivirus package, the Windows Defender Offline option will be grayed out and
you won't be able to click it, but you can still download Windows Defender
Offline manually and run it from bootable media. Next up is the Microsoft
Safety Scanner. It was designed for Windows 7, if you're still using that, and
it's an older version of the Malicious Software Removal Tool. It is still
available, but I wouldn't necessarily recommend it if you want to be certain
that it's going to find and remove malware. The Microsoft
Diagnostics and Recovery Toolset known as DaRT is a whole suite of tools that
can help you troubleshoot and repair system failures. You can download it from
the address you see here, and run it from a bootable CD, DVD, or USB flash
drive, and we'll have a quick look through what's available in DaRT.
The Microsoft Diagnostics and Recovery Toolset
The following tools and utilities are available to you as
part of the Microsoft Diagnostics and Recovery Toolset. There is a Registry
Editor, which you can connect to the registry of the host PC. Remember you run
DaRT from removable media, such as a bootable CD, DVD, or USB flash drive.
There is a Locksmith tool for resetting the user password if you get locked out
from your PC and can't remember what the password is. There is a Crash Analyzer,
which is a great way of viewing or analyzing crash dump files, such as a blue
screen of death files. There is a file un-deletion utility, which is a
non-destructive way of recovering files, because you're running the tool from
removable media, so it interacts with the hard disk in a non-destructive way.
There is a Disk Commander utility, which you can use to repair partition,
volume, or master boot record problems on a hard disk. And there is a Disk Wipe
utility to securely erase files from a hard disk as well. There's also
an offline version of the Computer Management Console in Windows that can
provide more disk tools as well. There's also File Explorer so that you can
view the contents of the hard disks on the host PC. There's a Solution Wizard
to help you find the right repair tool to use, and there's also a TCP/IP
networking Configuration tool for viewing and managing your networking settings
on a PC. There's a Hotfix Uninstall tool for removing Windows Updates if it's a
Windows update that's caused a problem on the PC. And the System File Checker
is there as well to help you repair corrupt or missing Windows files. You'll
need an install DVD to copy the replacement file from, and remember the install
DVD version has to match the currently installed version on the PC. There is a
Search tool to search a disk for specific files, and lastly, there is Windows
Defender available for you. Additionally, there's a Remote Desktop tool in
there as well. Now, that's Microsoft DaRT. There's also Windows Defender
Advanced Threat Protection. Now, I mentioned this earlier; this is really for
enterprises, it's a tool that you need an Enterprise subscription for, and it's
a tool that runs over time, it's not really for just finding malware that may
have infected your system. It will monitor a network over time, looking for
suspicious network activity and trying to build up a profile of what's going
on. As I record this, it's currently still in development, but it's a very
powerful tool that will be expanded on over the years.
Third-party Tools and Utilities
PC security is big business, and a great many third-party companies are offering various tools and utilities to help you to
remove malware and eliminate malware threats from your PC and defend against
them. Now, you'd probably already be aware that there are antivirus and
firewalls and other security suites available for free or paid for by Kaspersky, Symantec, ESET, and more besides, but there are specific tools for you to
be aware of as well. Now, the first of these is the ESET Offline Scanner. I'm
presenting these in no particular order. The ESET Offline Scanner can be
downloaded for free and is a scanner that you can use to start your PC from a
DVD or CD or USB flash drive to scan for malware. Then, Symantec has a Norton
Bootable Recovery Tool, which has many of the same functions. Sophos also
provides bootable anti-virus, and that's the address that you can find it at.
Kaspersky has its Rescue Disk, and you can see a screenshot of it here as
well. You can download that from Kaspersky's support site. Now, which one you
use may be determined by which antivirus package you personally prefer, but
you'll find that some of them will be more effective at removing specific
malware than others, so it's worth keeping an open mind about what to use. AVG
has a specific Bootkit Remover, which you will find here, and F-Secure, again,
has a Rescue CD that you can download. Lastly, there is a Trend Micro Rescue
Disk, so there are plenty of companies providing solutions.
Now, we're not done yet, because we have a specific tool from McAfee. Now,
McAfee offers some extra tools. There's GetSusp for scanning for undetected
malware on a PC, that's an offline scanner. There's Real Protect for searching
a PC for suspicious activity, such as hacking attempts. There's a Rootkit
Remover for removing Rootkits. And there's Stinger, which is an offline
antivirus tool, and you can download all of the McAfee tools from this address
here. And we're still not done because there are also some additional tools,
there's D7II. It's not cheap, but it's a very powerful set of anti-malware
tools. You can download it from foolish.com. And there's also RKill, which is a
tool for terminating running processes and running malware on a PC. It's to be
used in conjunction with a regular antivirus package and not as a replacement.
Summary
So let's summarize what we've covered in this module. The Microsoft
Sysinternals Suite contains essential tools for removing malware, namely
AutoRuns and Process Explorer, and we'll look at these in action in the next
module. The Microsoft Diagnostics and Recovery Toolset, DaRT, has very useful
diagnosis and repair tools for a PC. These tools might be useful if malware has
actually caused damage to your operating system. There are many other Microsoft
and third-party tools to aid in the identification and removal of malware, and
there are also specific tools being developed all the time to deal with
ransomware; Kaspersky was one of the first companies to come up with a specific
ransomware tool, and as ransomware is discovered and analyzed, decryption tools
are developed by the security companies. This brings me to the most important
point: always remember to keep an eye out for new tools as they become
available. This really does include ransomware decryption tools, which can
really get you out of a bind.
Removing Malware and Viruses from PCs
Module Introduction
So here it is, the part you've all been waiting for, unless
you just skipped ahead, which is technically cheating, the live demonstration
of how to remove malware from a PC. Now let's have a look at what we're going
to cover in this module. We'll begin by looking at best practices for
quarantining malware and quarantining a PC before you try to remove it. Then
we'll look at how you actually identify and remove the malware files on the PC
before moving on to looking at Rootkits and how you can remove those from a PC because that's much harder. Now, I just want to give a shout-out to the
security researchers at CQURE for providing a test virus, a sample virus that I
can use in this demonstration. So, that said, let's crack on.
Quarantining Malware
So what do I mean when I say you need to quarantine the infected PC? Well,
fairly obviously, this begins with isolating the PC from the network. Now, the
PC might be connected to the network via a physical Ethernet cable. In this
case, you're lucky, because all you need to do is physically unplug and remove
the cable. If it's a laptop, you may find that the device has a physical Wi-Fi
hardware switch; most business laptops have this, but otherwise they're not
common. If there is a physical switch, then you can deactivate it, but there
are additional options. You could, for example, open the Device Manager, open
the Network Adapters panel, find your Wi-Fi adapter, right-click on it, and
select Disable from the options. This is for cases where you think that a virus
is going to try to remake the connection after you disconnect from the Wi-Fi
network. If you have a particularly nasty piece of malware, and you really do
want to be absolutely certain, you can delete the Wi-Fi profile for your local
network, and maybe other networks if you're not completely certain, and you can
do this from a Command Prompt (Admin) window, opened from the Start menu; these
are the two commands that you will need. The first netsh command is netsh wlan
show profiles, which will display a list of all the Wi-Fi profiles that are
stored on the PC. Then we have netsh wlan delete profile, with which you can
delete an individual profile. There's no way to delete all of them in one go,
but you can delete an individual profile. And you can do this to guarantee that
a virus, if it's even programmed to be able to do that, won't be able to
automatically try to connect to the internet itself. Then ask yourself some
important questions. Has anybody used the PC since it became infected? And what
might they have done? For instance, have they opened any files or documents?
Did the PC or the user have access to any network storage, or any removable
media such as USB hard disks or USB flash drives? If they've had access to any
network storage, or indeed any cloud storage, could the malware have been
transferred onto that storage, and will you also need to isolate other machines
as well? And have any emails or files been sent from the PC, which is obviously
a common way for malware to be spread? With these things in place, you should
have the PC appropriately quarantined.
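The two netsh commands above, as an added script that is not part of the course: it parses the output of netsh wlan show profiles and removes each stored profile one at a time (a loop over the single-profile delete command, since there is no delete-all command in the procedure). The output labels it matches are an assumption that holds for English-language Windows; it defaults to a dry run and only deletes when passed --delete.

```python
"""Added example (not course code): list and delete stored Wi-Fi profiles on
Windows by driving netsh, as a scripted form of the quarantine step above.
Run from an elevated Command Prompt; pass --delete to actually remove them."""
import re
import subprocess
import sys
from typing import List

# One line per stored profile, e.g. "    All User Profile     : HomeNet".
# netsh localises this label on non-English Windows, so the pattern is an
# assumption that holds for English systems only.
PROFILE_LINE = re.compile(r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$")

# Constructed sample of English "netsh wlan show profiles" output (test data).
SAMPLE_OUTPUT = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : HomeNet
    All User Profile     : Office Guest
    Current User Profile : Airport Free WiFi
"""


def parse_profiles(netsh_output: str) -> List[str]:
    """Return the profile names found in ``netsh wlan show profiles`` output."""
    names = []
    for line in netsh_output.splitlines():
        match = PROFILE_LINE.match(line)
        if match:
            names.append(match.group(1))
    return names


def delete_command(name: str) -> List[str]:
    """Build the argv for ``netsh wlan delete profile name=<name>``.

    Passing the name as one argv element lets subprocess quote names that
    contain spaces; without an interface= argument netsh removes the profile
    from every wireless interface."""
    return ["netsh", "wlan", "delete", "profile", f"name={name}"]


def run_netsh(argv: List[str]) -> str:
    """Run a netsh command and return its stdout (Windows only)."""
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


def quarantine_wifi(dry_run: bool = True) -> List[str]:
    """Delete every stored Wi-Fi profile, or only list them when dry_run."""
    names = parse_profiles(run_netsh(["netsh", "wlan", "show", "profiles"]))
    for name in names:
        if dry_run:
            print(f"would delete profile: {name}")
        else:
            print(run_netsh(delete_command(name)).strip())
    return names


if __name__ == "__main__":
    quarantine_wifi(dry_run="--delete" not in sys.argv)
```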
Identifying and Removing Malware Files, Part 1
So let's have a look now at how we physically remove malware
files from a PC. Now, I'm going to demo this in Windows 10, but the process in
Windows 7 and Windows 8.1 is identical. Okay, so here we are in our malware-infected Windows installation. And we're going to need the Microsoft
Sysinternals Suite, which I have downloaded on another non-malware-infected PC because I don't want this PC to have access to the internet. I've also
transferred it to this PC on a USB flash drive that I can format afterward to
ensure that I'm not transferring any malware back and forth. Now, the first
utility we're going to need is going to be Process Explorer. You'll see it
listed here, and we'll right-click and run it as an administrator because
we're going to need full admin rights. And we do that, click through the UAC
prompt, and now we're here in Process Explorer. Now we need to find and identify
the malware. Now, this is a list of everything that's running on the PC. Now,
you'll probably find that the malware that you have is going to be more than
one running process because they tend to look for each other to check to see
if you're trying to shut them down so that they can restart each other. So,
you can find out details on a process by double-clicking it, and you can see
here the application path, and the autostart location, which might be a
registry key; that's for Skype here. If we have a look at this host process,
the Device Association Framework Host Provider, we can see it's in the Windows
System32 folder, and so on. Then there's this Antimalware Service Executable.
Now, the malware might be trying to disguise itself as anti-malware to trick
you, or lull you into a false sense of security. So we'll open that, and we'll
see this is Program Files\Windows Defender, we can see it up there, and we can
see the registry key for it, and that looks okay. Now, if we scroll down, we
can see this temp .exe file, ~DL1BD5.tmp.ex. Now, this is actually because it's
a test virus, and it is actually identifying itself in its description as
malware. Trust me, a real virus will not identify itself as a virus or malware,
it just won't. And remember what I said, there'll always be more than one. So
we can double-click on it and we can look at its parameters here. We can see
it's running from the Windows\Temp folder. Now, that is highly unusual and
irregular for even the worst-written piece of software, and so that's
suspicious to begin with. We can also see that it's being autorun from the
registry here. Now, if we click Explore here on the Autostart location, we can
open the Registry Editor and be taken directly to the registry key for this
piece of malware. You'll see it's identified itself as malware, but obviously,
in a real-world scenario, that won't be the case, it'll be called something
else. But we can see the file here that is launching, ~DL1BD5.tmp.ex. Now, we
want to delete this registry
key, so we'll right-click on it, we'll select Delete, and we'll confirm Yes we
definitely want to delete it. Right. Now we can close the Registry Editor, and we
can go back to Process Explorer. Now we want to kill the virus, but we're not
going to click the Kill Process button, not at all. Instead, we're going to
right-click on it here. Now, we've got options for Kill Process, and Kill Process
Tree, the latter of which will also shut down any dependencies. But as I've
already mentioned, you will probably find that there's going to be another
virus process that will automatically restart this as soon as you kill it. So,
instead, we're going to click Suspend, and we're going to suspend this process so that hopefully any other running virus process isn't going to see that we're
trying to kill it. So now we should have removed the malware, so the next job
is to restart the PC and see if it's still there.
Identifying and Removing Malware Files, Part 2
Okay, so here we are back on the PC after having restarted it, and we want to
check that the malware isn't now automatically starting when the PC starts. So
we're going to run Process Explorer again as an administrator, and we'll have a
look down the list, and we'll see, oh, the malware's back, and deleting the
registry key didn't work. Double-click on it and we'll have a look; we'll see,
yep, it's still sitting in the Temp folder, which we hadn't deleted. The
Autostart Location is blank, but it's still running, so what's going on? If we
deleted the registry key, what's recreating it? Okay, so we're going to close
Process Explorer, and now we're going to need another Sysinternals tool called
AutoRuns, and we're going to run that as an administrator. Now here we're going
to look at the Logon tab to see if the malware is listed, and we can see here,
yep, we've got the malware listed, and it's listed as malware. Remember, it
will not be listed as malware on your PC, but anything you uncheck here, if you
uncheck the wrong thing, you can always go back into AutoRuns after a restart
and check it again, and then it should work. But we deleted the registry key,
and it was recreated. So, something else must be going on. I want to see what
happens at logon, so we'll click the Winlogon tab here, and we'll look to see
if anything else is running at sign-on. Now here we have a DLL that looks
perfectly legitimate, SampleCredentialProvider, winlogondll.dll. It looks
perfectly fine, but because it's highlighted in pink in AutoRuns, that tells us
that it's not digitally signed, and it's highly unusual for a DLL, a dynamic
link library, not to be digitally signed. So I'm going to uncheck it, just in
case, because if I've unchecked the wrong thing, then we can always put it back
the way it was afterward anyway. I'm going to uncheck that for now, and then
I'm going to restart the PC again.
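The two AutoRuns warning signs used in this walkthrough and in the AutoRuns section of the previous module, an entry whose image is not digitally signed (pink in the GUI) and an entry whose image runs from a Temp folder, turned into an added triage script that is not part of the course. It assumes the column names of the CSV that autorunsc.exe -c writes (Entry Location, Entry, Enabled, Category, Signer, Image Path, and so on); the rows in SAMPLE_CSV are constructed for illustration and are not real malware.

```python
"""Added example (not course code): rank the enabled autostart entries in an
Autoruns CSV export by the warning signs discussed above."""
import csv
import io
import sys
from typing import Dict, List

# Constructed sample in the autorunsc -c column layout (some columns omitted).
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,Software updater,(Not verified) Example Corp,c:\windows\temp\~tmp1234.tmp.exe,C:\Windows\Temp\~tmp1234.tmp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers,SampleCredentialProvider,enabled,Winlogon,Sample credential provider,(Not verified) ,c:\windows\system32\winlogondll.dll,c:\windows\system32\winlogondll.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,Old updater,(Not verified) ,c:\users\user\appdata\local\temp\oldtool.exe,C:\Users\user\AppData\Local\Temp\oldtool.exe
"""

# Path fragments that mean "runs from a Temp folder" (Windows\Temp, %TEMP%).
TEMP_MARKERS = (r"\temp\\".rstrip("\\") + "\\", r"\tmp\\".rstrip("\\") + "\\")


def is_signed(signer: str) -> bool:
    """Autoruns prefixes a validated Authenticode signer with '(Verified)'."""
    return signer.strip().lower().startswith("(verified)")


def runs_from_temp(image_path: str) -> bool:
    """True when the image lives under any Temp folder."""
    path = image_path.lower().replace("/", "\\")
    return any(marker in path for marker in TEMP_MARKERS)


def triage(csv_text: str) -> List[Dict[str, object]]:
    """Return enabled entries showing at least one warning sign, the ones
    with more warning signs first (ties keep the export's order)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "").strip().lower() != "enabled":
            continue  # a disabled entry is not starting anything
        reasons = []
        if not is_signed(row.get("Signer", "")):
            reasons.append("image is not digitally signed")
        if runs_from_temp(row.get("Image Path", "")):
            reasons.append("image runs from a Temp folder")
        if reasons:
            findings.append({
                "entry": row.get("Entry", ""),
                "category": row.get("Category", ""),
                "location": row.get("Entry Location", ""),
                "image": row.get("Image Path", ""),
                "reasons": reasons,
            })
    findings.sort(key=lambda f: -len(f["reasons"]))  # stable sort
    return findings


def load_autoruns_csv(path: str) -> str:
    """Read an export; autorunsc may write UTF-16 with a byte-order mark, so
    detect that and otherwise assume UTF-8 (assumption, not verified here)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    encoding = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return raw.decode(encoding)


def report(findings: List[Dict[str, object]]) -> str:
    """Render findings as one block per entry with its reasons indented."""
    lines = []
    for f in findings:
        lines.append(f"[{f['category']}] {f['entry']} -> {f['image']}")
        lines.append(f"    location: {f['location']}")
        for reason in f["reasons"]:
            lines.append(f"    - {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = load_autoruns_csv(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CSV
    print(report(triage(text)) or "no suspicious autostart entries found")
```

Run it with the path of an autorunsc -c export to triage a real PC, or with no argument to see the constructed sample ranked.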
Identifying and Removing Malware Files, Part 3
Okay, so here we are, we've restarted, we're back in Process
Explorer, and we can now see that our malware is gone, or at least it's not
starting up with the PC anymore. We can have a good look through the list,
double check, triple check, anything that looks even remotely suspicious, but
we can see the malware is not there anymore. That's good. But we still need to
remove it. So, we're going to open the Registry Editor, and here we can see
that it's been moved to an AutorunsDisabled key, so we're just going to get rid
of it, and in fact, we can get rid of the whole AutorunsDisabled folder, to be
perfectly honest with you. We can see it's not there anymore. We also want to
get rid of the malware file. Now that, remember, was sitting in the
Windows\Temp folder, so let's go and have a look at that. We'll scroll down in
the Windows folder, and there's the Temp folder; yep, we give permission to go
in, and oh, now look at all these files that we've got here. So, these are all
files, or at least some of them are files, associated with the virus, so we're
just going to delete them and get rid of them. We have now cleaned this PC.
That virus is gone, and it won't bother this PC anymore.
But remember what I said, it's never going to be as easy as it has been with
this sample virus. There's always going to be more than one malware executable
that's running, and there's probably going to be several registry keys and
possibly one or two Winlogon entries as well. So it's never going to be quite
that simple, especially when it comes to something like a Rootkit, which we'll
deal with next.
Removing Rootkits, Part 1
When your PC gets infected by a Rootkit, things are really
taken up to the next level, because they don't hide in your Windows
installation as per ordinary malware, they will hide in the Boot file system.
Now, depending on which version of Windows and what type of PC you've got, your
boot system is going to be different. But to get to it, you're going to need a
portable operating system. You're going to have to boot your PC from a CD or a
DVD or a USB flash drive containing a portable operating system. Now, for this,
you can't use Windows, because Windows will prevent you from seeing the boot
partition structure if you start from an installation DVD or from a Windows To
Go drive or similar. What you're going to need is a Linux distribution, and
there are many that you can choose from. There are four here, Ubuntu, Red Hat,
SUSE, and Linux Mint, and you can use any other one you want, as long as you
can download an ISO file that you can then copy to a CD or a DVD and start the
PC from. Now, I mentioned that if you have a different version of Windows or a
different type of PC, you're going to see different things. Now, if you have
BIOS firmware on your PC, or you are using Windows 7, or you are using a 32-bit
version of Windows, then you will just see one System Reserved partition. Here
is a screenshot of a clean System Reserved partition. If, on the other hand,
you have UEFI firmware, and you're not using a 32-bit version of Windows but
Windows 8.1 64-bit or Windows 10 64-bit, then you will see the UEFI layout. I'm
caveating this, and I'll deal with the caveat in a second. The UEFI layout is
different: it's typically three separate partitions, System Reserved, EFI, and
a boot partition, which you'll see here. There's much more in them. But here is
that caveat: it's still possible to install Windows on a UEFI system in BIOS
mode, so you may still only see the System Reserved partition. It can be quite
complicated, but if you only see one partition, that's because there is only
one. If you see more than one, then you will have your boot, System Reserved,
and EFI system partitions.
Removing Rootkits, Part 2
Okay, so here we are in Ubuntu. In this case, what I've done is I've downloaded
an ISO image of a Linux installation, and you can use any, and I've started the
PC from that ISO by burning it to DVD or to a USB flash drive, and I've started
the operating system in its try-Linux mode, which is non-destructive, which
doesn't install anything on the hard disk of the host PC, but does give you
access to the host PC in a way that a Windows To Go drive will not. Now, here
what I want to do is look for the disk utility, and you'll see it here, it's
called Disks. Now, bear in mind that Linux distributions vary, they're
different from one another, so what you see may very well vary from what you
see here, but the process is generally the same across Linux distros. So,
we'll run Disks, and here we can see we've got our 136 GB hard disk listed, and
we can see our System Reserved partition. Now, this is a BIOS system that I've
got Windows installed on, so it's actually Windows 7 that we're looking at here
in this file system. If you're using UEFI, then you'll probably see three,
maybe even four partitions, and you may want to look at all of them, but the
process is the same. So, here what I've got is a Mount button, Mount selected
partition. So if I mount that, you will see here that it's now a drive that we
can access. You'll see 105 MB, with 80 MB free, and now we've got a link. Now
if we click this link, we have the disk presented to us, and we can access it,
we can delete files, we can modify files, we can move things around, and so
on. So we can look in the Boot folder, for example, and we can see everything
that's here, including the Boot Configuration Database, the memory test
application, and more besides. Now, if you've got a Rootkit installed, how do
you know what files it is? Well, there are several things you can do. You can
compare what you have on the infected PC with a clean PC, a PC that you know is
not infected by a Rootkit or a Bootkit. And you could copy files from the
System Reserved partition of a clean PC over to the infected PC; this is much
more likely in a corporate environment, where you have lots of PCs that are all
identical and all set up identically, so you'd be able to do that. Or you can
delete the Rootkit files if you can find them, and then rebuild the boot
system, which I'll show you how to do shortly. But this is how you get access
to the boot system in Windows. As I say, you can't do this from a Windows To Go
drive, and it's best to do it from a Linux installation. And you don't need to
unmount afterward; you can just restart the PC, take your DVD or your USB flash
drive out, and Windows will start as normal.
Repairing the Boot Configuration Database
Once you've removed the files from a Rootkit from the boot partitions on a PC,
you will probably need to effect some manual repairs, and I'm going to show
you the different things that you can do; obviously, which you need to do will
depend entirely on the circumstances in which you find yourself. Now, here
we're going to look at the Boot Configuration Database. The Boot Configuration
Database is accessed through a little utility called BCDEdit, and it's a
binary file that stores all the details of the operating systems and boot
partitions on your PC. And a Rootkit may have modified the Boot Configuration
Database. Now, if you type BCDEdit from within a Command Prompt (Admin) window,
then it will display a list, which you can see here as an example, of the
operating systems on your PC. Each will have an identifier. You'll see the
first one listed here is bootmgr, the boot manager, and the second one is
current; it could be a long hexadecimal code as well. So, it's always a good
idea to have a pen and paper handy in case you need it. Now, some commands are
particularly useful when it comes to repairing this if a Rootkit has infected
it. You can delete entries by typing BCDEdit with the /delete switch and then
the entry's identifier, and you can use the /cleanup switch to make sure all
references to that entry are removed from the Boot Configuration Database. You
can set a new default loader with the /default switch and the identifier of
the boot loader that you want to set as the default, and you'll do this if the
Rootkit has changed the default boot loader. And you can additionally get a
full list of BCDEdit commands, and there are an awful lot of them, from the
Microsoft TechNet library you see here; it'll show you how to add entries and
much more besides, you can edit them, you can do all sorts of things with the
Boot Configuration Database.
Repairing the Windows Boot System, BIOS
You may find that after a Rootkit or a Bootkit infection, you need to repair
the Windows boot system. And you can do this by starting the PC from either
recovery media, such as a system repair disc in Windows 7 or a recovery drive
in Windows 8.1 and Windows 10, and navigating to the Command Prompt. You can
also start the PC from installation media to get here, such as an installation
DVD or USB flash drive, and click the Repair Your Computer link instead of the
Install link. Now, you'll see here on the left Command Prompt listed in the
recovery options, and that's in Windows 7, and on the right, in Windows 8.1 and
Windows 10, we get it in the advanced options in the Recovery panel. Now,
whether you have a BIOS installation or a UEFI installation, the process is
slightly different for repairing the boot system. A BIOS installation has a
single System Reserved partition, and a UEFI installation is a tri-partition
system. So let's have a look at BIOS first. Now, when you're in the Command
Prompt, these are the commands you want to type. The first one, BCDEdit with
the /export switch, creates a backup copy of the Boot Configuration Database.
You will want to do this just in case something goes wrong, and then you can
put it back later with the /import switch if you need to. Then, navigate to the
C drive. Now, remember, you've actually started from removable media here, so
the C drive won't be the Windows installation; it's actually going to be the
System Reserved partition. And once you're in that partition, change the
directory to the Boot folder. Now, the attrib command on BCD will clear the
read-only, system, and hidden attributes of the Boot Configuration Database, so
you can work on it. And then you rename the Boot Configuration Database to
BCD.old, again so that you can rename it back if something goes wrong. The last
command, and this is a command you can actually use on its own if you want to,
Bootrec with the /RebuildBCD switch, will rebuild the Boot Configuration
Database, and as I say, that can be used on its own if you want to.
Repairing the Windows Boot System, UEFI
There are three stages to the UEFI repair. The first is to open Diskpart,
which is the Microsoft disk partitioning command-line utility. If you type the
command list disk, then it will show you all the hard disks that are on the
PC. Now, you'll see in the image here that there's only one disk on the PC, so
we want that one; there's only one physical hard disk, so we'll select disk 0,
which is the disk that is appearing. If you have more than one hard disk, then
the disk number might be different. Now, with that disk selected, type list
volume, and that will display all of the partitions that are on that disk.
What you're actually looking for is a FAT32 partition that's around 99 MB in
size, as you can see in the image here, or a partition that's labeled Boot.
Now, note the number of this partition, either the FAT32 99 MB one or the one
called Boot, and type select volume with the number of that volume; in this
case, it's 3. Then we want to assign a drive letter to that. Now, I've used F
here because F is the next available drive letter. You can see that C, D, and
E are in use, so I've assigned F to it, and then we'll exit. Next up, we can
actually carry out the repair of the boot system. So, we'll change into that F
drive, so make sure you go to the F drive, then we change directory into the
EFI folder, into the Microsoft subfolder, into the Boot subfolder, then we can
rename the BCD database, and then we can use Bootrec to rebuild the Boot
Configuration Database. It's much more straightforward in that regard than it
is with a BIOS system, and you'll probably find that if you try to use Bootrec
/RebuildBCD on its own, it won't work. Then, you need to go back into Diskpart,
and you're going to go through the process again, because you just need to
remove the drive letter. Now, I've listed all the commands here again, but
you'll probably find that the disk is already preselected; I've listed the
commands just in case. And so you can remove the drive letter then.
More Commands for Repairing the Boot System
Additionally, there are a few other commands that you can use to help repair
problems with the Windows boot system. Obviously I've listed Bootrec
/RebuildBCD first. That can be used on its own, but not on every occasion,
which is why I've given you the detailed instructions that I have. There's also
Bootrec with the /FixMBR switch, which writes a new Master Boot Record to the
system disk; that applies to BIOS/MBR disks, not to a UEFI system booting from
a GPT disk. Or you can use the /ScanOS switch: if Bootrec can't find the
operating system, or if you're using BCDEdit and it can't find the operating
system, this will scan the hard disks and list any Windows installations it
finds, without changing anything. If Bootrec doesn't work, if it can't rebuild
the boot system, then you can use the BCDBoot command, which completely
recreates the Windows boot files. I've got two drive letters here, C and F. C
should be where your Windows installation is, because that is where the files
are copied from to recreate the boot system, and F is the drive letter that you
assigned in Diskpart, using the process I explained previously, to the System
Reserved partition or the EFI boot partition on your PC. These commands can
come in very useful if you need to repair the boot system after a rootkit or
bootkit infection.
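The UEFI repair walked through above, plus the BCDBoot fallback from this section, put together as one script for the Windows Recovery Environment command prompt. This is an added example and is not part of the course or of Microsoft's documentation. It assumes that the EFI System Partition shows up as volume 3 in Diskpart's list volume output, that F is a free drive letter, and that Windows is installed in C:\Windows (the same numbers and letters the walkthrough used); the file name fixboot.cmd and the bcdboot argument are my own choices. Check the volume number in Diskpart before running it.

```batch
@echo off
rem Added example (not from the course): repair the UEFI boot files from the
rem Windows Recovery Environment command prompt.
rem   fixboot.cmd          renames the old BCD and runs Bootrec /RebuildBCD
rem   fixboot.cmd bcdboot  recreates the whole boot folder with BCDBoot instead
rem Assumptions: the EFI System Partition is volume 3 in "list volume",
rem F is a free drive letter and Windows lives in C:\Windows. Check these in
rem diskpart first and change the three lines below if they differ.
set ESP_VOLUME=3
set ESP_LETTER=F
set WINSRC=C:\Windows

rem The two Diskpart scripts are written next to this batch file (%~dp0),
rem not onto the ESP, so nothing is left behind on the boot partition.
set ASSIGN=%~dp0assign_esp.txt
set REMOVE=%~dp0remove_esp.txt
(
  echo select volume %ESP_VOLUME%
  echo assign letter=%ESP_LETTER%
) > "%ASSIGN%"
(
  echo select volume %ESP_VOLUME%
  echo remove letter=%ESP_LETTER%
) > "%REMOVE%"

rem 1. Give the EFI System Partition a drive letter.
diskpart /s "%ASSIGN%"

if /i "%~1"=="bcdboot" goto full

rem 2. Change to the ESP, step into \EFI\Microsoft\Boot, move the existing
rem    BCD store aside (ren keeps it as BCD.old), then let Bootrec rebuild the
rem    Boot Configuration Data from the Windows installation it finds.
%ESP_LETTER%:
cd \EFI\Microsoft\Boot
ren BCD BCD.old
bootrec /rebuildbcd
goto cleanup

:full
rem 2b. Fallback when Bootrec cannot rebuild the store: copy a fresh set of
rem     UEFI boot files and a new BCD from %WINSRC% onto the ESP.
bcdboot %WINSRC% /s %ESP_LETTER%: /f UEFI

:cleanup
rem 3. Leave the ESP before taking its drive letter away again.
cd /d "%~dp0"
diskpart /s "%REMOVE%"
```

Before removing the letter you can confirm the new store contains a Windows entry with bcdedit /store F:\EFI\Microsoft\Boot\BCD /enum. Bootrec /RebuildBCD asks interactively whether to add each installation it finds, so run the script from the prompt rather than unattended.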
Summary
So let's summarize the key points from this module. Microsoft's free
Sysinternals Suite contains essential tools for identifying and removing
malware, Process Explorer and Autoruns. They really are invaluable, and there
are many other useful tools in Sysinternals as well, so it's well worth getting
to know the suite. A lot of malware infections consist of multiple files that
will automatically restart or reinstall the malware if they detect that you're
trying to disable it, and if it tries to reinstall, it will download the files
from the internet, so you help yourself by making sure the PC is isolated from
the internet. This is always the very first thing you should do: isolate the PC
from the internet and, crucially, from your network. A portable operating
system such as a bootable Linux DVD is a really good way to get access to the
Windows boot sector. Remember that because of the way Windows is set up, a
Windows To Go drive takes the PC's internal disks offline and so prevents you
from getting access to these boot partitions, but you can do it with Linux.
Now, if you get infected with ransomware, that can be particularly nasty,
particularly galling. So let's have a look at my two top tips for protecting
your documents and files from ransomware. To defend against ransomware, you
need to have a multi-tier backup policy. The first tier is a local network or
cloud backup that takes place daily or every couple of days, however you would
normally set your backup. But also have two more cloud or network backups
taking place on an alternating bi-weekly schedule. Now, why two, and why
alternating bi-weekly? Well, this is my view, this is my advice, my opinion.
But if you have two alternating backups, then one backup takes place one week,
the other backup takes place the next week, and the first backup takes place
again in the third week. Now, if you get infected with ransomware, it may hit
on the day before your backup is due to take place, in which case you may never
be able to defend against it. If you have an alternating bi-weekly schedule,
then you've got a week for that ransomware to do all of its damage and you've
still got a backup that you can restore, where you're only going to lose a
week's worth of work. So having this alternating bi-weekly schedule is, I
believe, a good way to defend your files against ransomware.