Partilhar via


Antimalware tools and tricks

Ah, I am back in the office and settling into to my normal day to day work.

I am fairly often asked to remove malware from systems which the anti-malware programs on that particular PC system can’t handle. In fairness, it is often not the AV products fault. Most (more than 75%) of malware is actually installed by the users of the system after some social engineering. I know that none of you out there in blog land would do that sort of thing but it does happen. We have all downloaded drivers from the web, codecs from the web and utilities. It is easy enough to get it wrong and some of the Blackhats can make some very convincing webpages and emails that would fool your brother/mother/dentist. Anyway, that is how a lot of this nasty stuff gets on systems and one of the first things that it normally does is try to break the AV solution. Sometimes it succeeds.

I am yet to find an instance in which this has happened where the machine could not be cleaned up with the SysInternals tools and a little ingenuity. I know that I have mentioned this before but I hadn’t linked to the excellent video presentation by Mark Russinovich video: https://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

I would also like to mention a really good tool called Rootkit Unhooker. This was written by a Russian team who have since joined Microsoft. It is excellent for finding hijacks in the kiservicetable, hidden files and processes and similar rootkit tools. If you work with malware on a regular basis and haven’t tried this tool then you might want to search it out. I have had considerable success with this tool where some others have not been as useful.

Anyway, hopefully I will be back to some more code related posts soon but thought that this tools update could prove useful

Signing off

Mark