It's a sad fact of life in IT nowadays that some form of preparation for dealing with malware is part and parcel of what systems and network administrators must do. This goes above and beyond normal due diligence in warding off malware. It includes a proper appreciation of the work and risks involved in handling malware infections, and acquiring a toolkit of repair and cleanup tools to complement protective measures involved in exercising due diligence. It should also include at least two forms of insurance – one literal, the other metaphorical – that can help avert or cover an organization against costs and liabilities that malware could otherwise force the organization to incur.
Due diligence to defend against malware
When it comes to exercising due diligence to fend off or protect against malware, four elements are necessarily involved:
- Monitoring for threats and vulnerabilities in an IT infrastructure: This involves the consumption and analysis of relevant intelligence about threats and vulnerabilities and acting on warnings, workarounds and other mitigation techniques to reduce related risks.
- Employing anti-malware protection at the network boundary and on servers and clients: This is a critical protection measure to detect and block known and suspected malware as best as technology will allow.
- Using a security information and event management (SIEM) system: A SIEM keeps a close watch on systems and networks for evidence of malware exploits and activity. Security incident policies, procedures and personnel should be in place, ready to respond should a breach occur.
- Investing in education: Organizations need to educate employees and contractors, and anyone else who interacts with networks and systems, to raise security awareness and to instill best practices for safe computing.
Only when all these elements are in place can an organization be relatively sure that they've put the necessary barriers and procedures in place to block and avoid malware as best they can. Nevertheless, it's likely that security breaches will occur. In an August 2016 study, malware prevention and remediation company Malwarebytes reported that nearly 40 percent of enterprises had fallen prey to ransomware in the past year. Given that this is just one form of malware (if a particularly vexing and occasionally costly one), overall exposure in the business sector remains high, due diligence notwithstanding.
What's in an anti-malware toolkit?
Dealing with malware borrows medical terms such as "infection" and "infestation," and a workable coping strategy follows many of the same steps, too — namely, observation and analysis of symptoms, diagnosis of the condition, treatment, and remediation or rehabilitation. The elements of the anti-malware toolkit reflect the specific information-gathering and handling needs of those steps. The next two sections describe these tools and provide links to some of the more useful applications.
Data collection and diagnosis tools
Also known as anti-malware scanners, these tools correspond to observation, analysis and diagnosis; they do not run in real time, nor do they offer any protection against malware. They simply examine a file system and runtime environment for evidence of malware of many kinds.
A great variety of tools in this category are available, most from vendors who also offer anti-malware protection and endpoint protection solutions. Some excellent examples of this type of tool include TrendMicro HouseCall, Malwarebytes Anti-Malware Free (aka MBAM) and VirusTotal (works file-by-file only, but provides reports from 50-plus malware scanning tools).
Special scanning tools, notably for rootkits (a particularly insidious form of malware that persists in the phase of device operation that occurs before an OS boots, which makes it fiendishly difficult to detect and remove), are also available. These tools include Kaspersky's TDSSKiller, GMER, Dr. Web CureIt! and Sophos Anti-Rootkit.
Malware removal tools
These come in two forms: general and specific. For run-of-the-mill malware, general removal tools are usually sufficient. In this category, Malwarebytes also comes highly recommended. (A licensed version must be purchased to perform cleanup, though its free adware removal tool, AdwCleaner, also gets high marks.) Products from Symantec (Norton), Bitdefender, Kaspersky and others also get high ratings from objective third-party testing companies like Virus Bulletin.
Specialized tools are narrower removal systems, such as those targeting ransomware, spyware, adware and rootkits. These are best hunted down on a case-by-case basis, following a definitive diagnosis. In fact, most of the aforementioned general solution vendors also offer specialized removal tools to their customers, so you should check with them first even at this stage of the removal game.
But a search on Google or at specialized anti-malware advice and assistance sites, such as those for HiJackThis at SourceForge, bleepingcomputer.com and forums.cnet.com, is also a good idea. The same goes for rootkits in particular (most of the rootkit scanners mentioned in the preceding section also provide removal capability).
Anti-malware insurance — real and metaphorical
Believe it or not, there's a relatively new class of commercial insurance known as cyber insurance (see this May 2016 CIO.com story for more information) that provides protection against losses resulting from various forms of cyberattack, including malware, phishing and more. Savvy organizations will learn about such offerings and use formal risk analysis techniques to determine whether paying for such coverage is worthwhile in exchange for passing the costs of resulting liabilities, repair and recovery to an insurer.
The metaphorical form of insurance against malware is a set of well-maintained, readily available and malware-free backups for compromised systems. As long as no important data gets lost in the process, it's not only faster to scrub a system clean and restore a malware-free backup, it's also much safer to do so. That's because rolling back the affected system to a point before the infection guarantees that the malware is absent going forward.
No matter how effective and comprehensive a malware clean-up might appear, there's always the chance that some lingering traces of the infection can rear up at some future point in time. Only a system that was never infected to begin with can be truly free of all traces of an infection.
That's what makes maintaining good backups for all systems, with appropriate and well-tested restore mechanisms, an effective form of insurance against malware. It's another reason why backing up frequently is so important, and a particularly effective defense against malware.
This story, "The essential guide to anti-malware tools" was originally published by CIO.