A recent exchange on the Windows HiEd mailing list made some interesting points about malware and virus removal:
No one likes this answer, but in my opinion the best bet is to reinstall, reimage, restore from known-good backups, or perform a scripted rebuild. For staff machines it’s usually possible to build a process around this. If you support student systems with arbitrary hardware it can get stickier, but no more so than verifying that you’ve cleaned the malware successfully.
For folks who claim to have an effective cleanup process, ask them the following questions about their process:
- How do you validate that the malware you detected was effectively removed? Do you simply assume success if *some* files are found/deleted, or do you have some kind of QA process? It’s not uncommon for the dropper/downloader component to survive cleanup and re-infect the system at a later date.
- Do you confirm that there aren’t secondary infections? The client may have contacted you with a loud and obvious FakeAV infection, but may also have an unrelated and much stealthier banking trojan that isn’t detected by your cleanup procedure. How do you determine whether the cleanup procedure found all malware and not just some of it?
- Do you validate that security settings haven’t been modified by the malware in ways that will make future infections more likely? It’s common for malware to change browser security settings, A/V settings, or firewall settings to make re-infection easier.
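As an added example (not part of the mailing-list thread), one way to turn the third question into a repeatable post-cleanup check on a Windows 8 or later client, assuming the built-in Defender and NetSecurity PowerShell modules and a constructed site baseline (Medium-high IE Internet zone, signatures no older than 3 days):

```powershell
# Added example: post-cleanup QA for tampered security settings (not from the thread).
# Assumes Windows 8+/Server 2012+ with the NetSecurity and Defender modules.
# Baseline values below are constructed; adjust to your standard build.
$Findings = @()

# 1. Firewall: every profile enabled, inbound blocked by default
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $Findings += "Firewall profile '$($p.Name)' is disabled" }
    if ($p.DefaultInboundAction -ne 'Block') { $Findings += "Firewall profile '$($p.Name)' default inbound is $($p.DefaultInboundAction)" }
}

# 2. Anti-malware: real-time protection on, signatures recent, no unexpected exclusions
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $Findings += 'Real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt 3) { $Findings += "AV signatures are $($mp.AntivirusSignatureAge) days old" }
$pref = Get-MpPreference
if ($pref.ExclusionPath) { $Findings += "AV path exclusions present: $($pref.ExclusionPath -join ', ')" }

# 3. Policy values that should not be set on a standard build (value = 1 is the finding)
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($c.Name) -eq 1) { $Findings += "$($c.Path)\$($c.Name) = 1" }
}

# 4. Browser: IE Internet zone (zone 3) lowered below the assumed Medium-high baseline (0x11500)
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zone = Get-ItemProperty -Path $zonePath -Name CurrentLevel -ErrorAction SilentlyContinue
if ($zone -and $zone.CurrentLevel -lt 0x11500) { $Findings += ('IE Internet zone security level lowered to 0x{0:X}' -f $zone.CurrentLevel) }

# 5. Proxy/PAC hijack: an unexpected proxy or AutoConfigURL redirects browsing
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $Findings += "Proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL) { $Findings += "AutoConfigURL set: $($inet.AutoConfigURL)" }

# Summary: any finding means the machine does not match the baseline and the cleanup is not verified
if ($Findings.Count -eq 0) { Write-Output 'PASS: no tampered security settings found' }
else { $Findings | ForEach-Object { Write-Output "FAIL: $_" } }
```

Run it from the same scripted workflow that records the cleanup, so a FAIL line is evidence for the rebuild decision rather than a judgement call.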
What I like most about this response is the emphasis on the process for verifying the removal of malware/viruses.
However, having worked in a university environment where WDS, Active Directory and network storage are all available, I lean strongly towards a re-imaging process.
Is it unreasonable to assume that infected PCs cannot be salvaged? Due to the sophistication of malware and user tendencies, I think that assumption must be made.
Further in the discussion:
However, the same presumably applies to every other OK machine on campus, for which the user has NOT got in touch saying they have a “virus problem”. As the stealthy infection is not detected by the tools, how do we know these (supposedly non-compromised) machines don’t actually have it too?
In most cases, we don’t, and can’t.
So logically it seems a little tenuous to mandate rebuild purely on the basis of something undetectable…
Which leads me to ask: should we as IT professionals assume that a PC will be compromised regularly and develop a re-imaging plan and process to address the problem? Are thin clients the solution? OS as a service?