Thursday, August 3, 2017

How to be certain you don't have a virus when anti-virus scanners find nothing malicious? (Windows 7)


I recently spent many hours troubleshooting a laptop that could not connect to the internet. The laptop exhibited no other unnatural behavior, and so my first thoughts were to try connecting to other networks, try a new NIC, etc... The question I posted can be found here with more detail. One of the first things I did was to check for viruses with MalwareBytes, eSet, and Panda Cloud Antivirus... All 3 scans were run separately and independently of one another, and no virus was found. I then proceeded to spend hour after hour troubleshooting, and in the end I just took the computer to a repair shop where it was discovered to have a virus.


My question is not subjective, I'm not asking what is the best anti-virus software to use. I'm asking: how can I actually be certain I have no viruses when popular and generally effective anti-virus scans detect absolutely nothing?


In the past my routine would be to run through the list of running processes and start-up programs, and use online resources to try and find anything malicious. This routine seemed relatively silly to me in the face of all of these anti-virus programs, and I thought it would be more effective to run scans than to manually look on my own.


Obviously IT firms have some effective method of identifying viruses, and I doubt these companies are just running some virus scanner. Clearly experience would have led me to identify my own problem as a virus, but I feel like there are all kinds of ways an undetected virus can manifest itself, so I don't want to rely solely on experience.


Edit:


I should clarify this a little bit. I'm not necessarily looking for some "ultimate" checklist of things to do to identify viruses, but clearly there are ways to identify them when our normal anti-virus scans fail, and I'm wondering what some of these approaches might be.


Answer



No antivirus package is perfect. I have seen viruses which I submitted to http://virusscan.jotti.org/en where only 2 or 3 of the packages detected them. I have also had a virus which was reported clean by them all.


So, if I need to clean/scan a machine for viruses, these are some of the things I do.


Preliminary Check


Check and possibly delete the files in the temp folder and also the temporary internet files.
If there are tens of thousands of files or more, deleting these can significantly reduce the time it takes to perform a full scan. It is, however, possible for this to delete a virus stored in these locations before it can be identified.


Stage 1


Boot off a clean CD/DVD, for example a Bart CD or a special anti-virus CD.



  • Run scans with several different anti-virus, anti-malware and rootkit programs

  • Configure Explorer to show hidden files and folders and look for files that were recently added to the root folder, Windows, Windows\System32, and Program Files folders. Also look for hidden files and/or folders in those places. The presence of such files does not necessarily mean there is an issue, but I usually try to identify them to make sure they are legitimate.


Stage 2


Boot in the operating system normally



  • Run scans with several different anti-virus, anti-malware and rootkit programs

  • Run programs such as Autoruns and HijackThis, which show everything that is started automatically or that hooks into Windows (e.g. add-ons to Windows). Neither of these programs tries to determine what is good and what is bad; instead they give you information, and it is up to you to decide if the entries are valid.

  • Run Task Manager or Process Explorer to see what processes are running.

  • Look in Add/Remove Programs and see what sort of programs have been installed, and remove any junk. I don't want to mention any names, but there are some toolbars, poker games and some file sharing programs that always seem to cause problems, and quite often the user/owner of the computer did not deliberately install them (for example, toolbars that are bundled with other programs).


Stage 3 (time permitting)



  • Reboot into Windows, connect to the internet, leave it for a while and then repeat Stage 1 to make sure the machine is still clean.


Stage 4



  • Keep fingers crossed and/or pray that the machine is clean.
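The manual Stage 1 and Stage 2 checks above (recently added or hidden files in the system folders, autostart entries, running processes, installed programs) can be pulled together into one triage script. The following is an added example and is not code from the original answer; it assumes Windows 7 with PowerShell 2.0 or later, an elevated (Administrator) prompt, and a 14-day window as the definition of "recent". It only reports, deletes nothing, and does not replace Autoruns, which inspects far more launch points than the handful of registry keys checked here:

```powershell
# Added example (not from the original answer): automates the manual Stage 2
# checks for Windows 7. Assumptions: PowerShell 2.0 or later, run from an
# elevated prompt, and "recent" meaning the last 14 days. Report only; it
# deletes nothing and does not replace Autoruns, which covers far more locations.

$days   = 14
$cutoff = (Get-Date).AddDays(-$days)
$folders = @("$env:SystemDrive\", $env:windir, "$env:windir\System32",
             $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
           Where-Object { $_ -and (Test-Path $_) }   # (x86) is absent on 32-bit

function Get-Sha256([string]$Path) {
    # SHA-256 via .NET so it works without Get-FileHash (PowerShell 4+ only).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

Write-Host "== Files added or changed since $cutoff (top level of system folders) =="
foreach ($f in $folders) {
    Get-ChildItem -Path $f -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, LastWriteTime, Length
}

Write-Host "== Hidden files and folders in the same places =="
foreach ($f in $folders) {
    Get-ChildItem -Path $f -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden } |
        Select-Object FullName, Attributes
}

Write-Host "== Autostart entries (Run/RunOnce keys and Winlogon) =="
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $meta -notcontains $_.Name } |
        ForEach-Object { "{0}  {1} = {2}" -f $k, $_.Name, $_.Value }
}
# Winlogon Shell/Userinit are classic hijack points; these are the stock values.
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:windir\system32\userinit.exe,"
if ($wl.Shell -ne 'explorer.exe') { Write-Warning "Winlogon Shell = '$($wl.Shell)' (expected explorer.exe)" }
if ($wl.Userinit -ne $expectedUserinit) { Write-Warning "Winlogon Userinit = '$($wl.Userinit)' (expected $expectedUserinit)" }

Write-Host "== Running processes: path, Authenticode status, SHA-256 of non-Valid images =="
Get-WmiObject Win32_Process | ForEach-Object {
    $p = $_.ExecutablePath
    $status = 'NoPath'; $hash = ''
    if ($p -and (Test-Path $p)) {
        $status = (Get-AuthenticodeSignature -FilePath $p).Status
        if ($status -ne 'Valid') { $hash = Get-Sha256 $p }   # hash to look up on Jotti/VirusTotal
    }
    New-Object PSObject -Property @{ PID = $_.ProcessId; Name = $_.Name; Path = $p; Signature = $status; SHA256 = $hash }
} | Sort-Object Signature, Name | Format-Table PID, Name, Signature, Path, SHA256 -AutoSize

Write-Host "== Installed programs, newest first (check publisher and date) =="
$uninstall = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*')
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Format-Table DisplayName, Publisher, InstallDate, InstallLocation -AutoSize
```

Save it as a .ps1 and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File triage.ps1`. Two caveats when reading the output: on Windows 7, Get-AuthenticodeSignature does not consult catalog signatures, so many in-box Windows binaries show as NotSigned and that alone means nothing; what matters is an image running from an odd location (a user profile, a temp folder, the root of the drive), a recent timestamp in a system folder, or a hash that an online multi-engine scanner flags. And a rootkit can hide files, registry values and processes from anything you run inside the infected OS, which is exactly why the answer puts the clean-boot scan in Stage 1 before any in-OS check.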

