Malware Protection Facts

Malicious code (sometimes called malware) is a type of software designed to take over or damage a computer, without the user's knowledge or approval.

Malware includes:

• Viruses that attach to legitimate files and spread when the files are opened.
• Worms that infect systems and spread automatically through the network.
• Trojan horse programs that appear to be useful programs but which perform secret or malicious acts.
• Spyware that tracks your computer or browser activity.
• Adware that displays pop-up advertisements based on your browser activity.
• Spam that is unwanted, unsolicited e-mail, often carrying viruses or advertisements for questionable or illegal products.

You should protect all systems with malware protection software to help prevent and control malware on your system.

Be aware of the following when protecting against malware:

• Most vendors have products that protect against a wide range of malware including spyware, adware, and even spam. Installing a software suite is often less expensive and easier to manage than installing separate programs for different types of threats.
• You can install anti-malware software on an individual host system or on a network server to scan attachments and files before they reach the end computer.
• Most anti-malware software that protects a single host uses a signature-based scanning system.
  • The malware engine is the program that provides the user interface and executes the logic on the system.
  • Signature files (also called definition files) identify specific known threats. During a system scan, the engine runs and compares files on your computer against the signature files looking for malware.
  • Software that uses signatures can only detect threats that have been identified by an associated signature file. Malicious software that does not have a matching signature file will not be detected (and you are not protected against these files).
  • It is important to keep the signature files up to date. If possible download new signature files daily (most software will check for updates automatically on a schedule).
  • Keep the scanning engine software updated to add new features and fix bugs in the scanning software.
• Some scanning software integrates with your browser or e-mail client, and automatically scans downloaded files or incoming e-mails for threats. Many e-mail services include virus scanning before messages are forwarded to your computer or before the files are downloaded.
• In addition to using scanning software, keep your operating system and browser up to date. Make sure to apply security-related hotfixes as they are released.
• Disable scripts when previewing or viewing e-mail.
• Implement software policies that prevent downloading software from the Internet.
• Scan all files before copying them to your computer or running them.
• In highly-secured areas, remove removable drives (such as recordable optical drives and USB drives) to prevent unauthorized software from entering a system.
• Show full file extensions on all files. Viruses, worms, and Trojans often make use of double file extensions to change the qualities of files that are normally deemed harmless. For example, adding the extension .TXT.EXE to a file will make the file appear as a text file in an attachment, when in reality it is an executable.
• Use the Security Center in Windows Vista/7 to check the current security status of your computer. The Security Center shows you whether you have antivirus, firewall, and automatic updates running.
• Train users about the dangers of downloading software and the importance of anti-malware protections. Teach users to scan files before running them, and make sure they keep the virus protection definition files up to date.
• Network Access Control (NAC) is a network-based solution that prevents unprotected computers from connecting to the network. With NAC:
  • Computers must meet certain health requirements before they are allowed to connect to the network. These requirements might include having the latest security patches installed, having antivirus software, or having completed a recent antivirus scan.
  • Computers that meet the health requirements are given access to the network; computers that do not pass the health checks are denied full access.
  • Remediation for unhealthy computers provides resources to fix the problem. For example, the computer might be given limited network access in order to download and install the required antivirus software.
  • Network Access Protection (NAP) is Microsoft's implementation of NAC.

If you suspect that your system is infected with malware, keep the following in mind:

• Common symptoms of malware on your system include:
  • The browser home page or default search page has changed.
  • Excessive pop-ups or strange messages being displayed.
  • Firewall alerts about programs trying to access the Internet.
  • System errors about corrupt or missing files.
  • File extension associations have changed to open files with a different program.
  • Files that disappear, are renamed, or are corrupt.
  • New icons appear on the desktop or taskbar, or new toolbars show in the browser.
  • The firewall or antivirus software is turned off, or you can't run antivirus scans.
  • The system won't boot.
• Some malicious software can hide itself such that there might not be any obvious signs of its presence. Other symptoms of an infection include:
  • Slow Internet access.
  • Excessive network traffic, or traffic during times when no activity should be occurring.
  • Excessive CPU or disk activity.
  • Low system memory.
  • An unusually high volume of outgoing e-mail, or e-mail sent during off hours.
• Conducting regular system scans can detect and fix many problems.
  • Most software lets you schedule complete system scans, such as daily or weekly.
  • If you suspect a problem, initiate a full system scan immediately.
• Remediation is the process of correcting any problems that are found. Most antivirus software remediates problems automatically or semi-automatically (i.e. you are prompted to identify the action to take). Possible actions in response to problems are:
  • Repair the infection. Repair is possible for true viruses that have attached themselves to valid files. During the repair, the virus is removed and the file is placed back in its original state (if possible).
  • Quarantine the file. Quarantine moves the infected file to a secure folder where it cannot be opened or run normally. You might quarantine an infected file that cannot be repaired to see if another tool or utility might be able to recover the file at another time.
  • Delete the file. You should delete files that are malicious files such as worms, Trojan horse programs, or spyware or adware programs. In addition, you should periodically review the quarantine folder and delete any files you do not want to recover.
• If a scan reports a serious problem, disconnect your computer from the network. This prevents your computer from infecting other computers until the problem is corrected.
• Some malicious software warnings, such as those seen in pop-ups or received through e-mail, are hoax viruses. A hoax virus instructs you to take an action to protect your system, when in fact that action will cause harm. Two common hoaxes are:
  • Instructing you to delete a file that is reported as a virus. The file is actually an important system file that will lead to instability or the inability to boot your computer.
  • Instructing you to download and run a program to see if your system is compromised or to add protection to your system. The file you download is the malicious software.
  Before taking any actions based on notices or e-mails, search the Internet for a list of virus hoaxes and compare your notice to know hoaxes.

Recovery from malware could include the following actions:

• If scans detect malware, then repair, quarantine, or delete the malicious software.
• Some malware cannot be removed because it is running.
  • If possible, stop the program from running, then try to remove it.
  • If you are unable to stop the malware, try booting into Safe Mode, then run the scanning software to locate and remove the malware.
• If malware has caused damage to the system, it may be permanent and could require that you reinstall applications, features, restore files from a backup, or even restore the entire operating system from scratch. 
• If malware has damaged or corrupted system files, you might be able to repair the infected files using Sfc.exe.
  • Before running Sfc, be sure to remove the program that caused the damage (or it might re-introduce the problem after the fix).
  • You might need to boot into the Recovery Console to check system file integrity and repair any problems found.
• Some malware can corrupt the boot block on the hard disk preventing the system from starting. To repair the problem, try using the Recovery Console in Windows XP, or perform an automatic repair in Windows Vista/7. Use fixmbr or fixboot in the Recovery Console to try to repair the damage.
• If the organization uses imaging solutions, you can quickly reimage a machine if it is infected with malware. Reimaging or installing from scratch is often faster and more effective than malware removal and cleanup.