{"id":1606,"date":"2021-12-07T03:16:44","date_gmt":"2021-12-07T03:16:44","guid":{"rendered":"https:\/\/people.utm.my\/azhari\/?p=1606"},"modified":"2021-12-07T03:16:48","modified_gmt":"2021-12-07T03:16:48","slug":"malware-detection-in-9-easy-steps","status":"publish","type":"post","link":"https:\/\/people.utm.my\/azhari\/2021\/12\/07\/malware-detection-in-9-easy-steps\/","title":{"rendered":"Malware detection in 9 easy steps"},"content":{"rendered":"\n<p>All antivirus software misses a significant percentage of malware. This is because professional malware writers design their malware and botnet ecosystems to self-update whenever they start getting detected. While antivirus engines eventually sniff out millions of malware variants, they&#8217;re always one generation behind, failing to spot the stuff that has been self-modified to avoid discovery.<\/p>\n\n\n\n<p>Overall accuracy rates go up and down all the time, though some products score better than others &#8230; for some period of time. But again, no AV product is 100 percent accurate. No product is going to be super-accurate over the course of an entire year.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Maximum malware detection for all<\/h2>\n\n\n\n<p>Here&#8217;s what you should do: Install an antivirus product that does a decent job, has a long history of stability and&nbsp;decent success, and doesn\u2019t slow down your system (unless you don&#8217;t mind a little sluggishness). 
Then use&nbsp;<a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb896653\">Windows Sysinternals Process Explorer<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902\">Autoruns<\/a>&nbsp;to test currently running executables against&nbsp;<a href=\"https:\/\/www.virustotal.com\/\">VirusTotal<\/a>\u2019s 67 antivirus engines, which gives you the best accuracy you can ever get (with a small percentage of false positives).<\/p>\n\n\n\n<p>Step by step, do this now for all Windows computers:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Make sure your computer has an active connection to the internet.<\/li><li>Go to&nbsp;<a href=\"http:\/\/www.sysinternals.com\/\">Sysinternals.com<\/a>. It\u2019s a Microsoft site.<\/li><li>Download&nbsp;<a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb896653\">Process Explorer<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902\">Autoruns<\/a>. Both are free, as is everything on the site.<\/li><li>Unzip these programs. If using Process Explorer, use procexp.exe. If using Autoruns, use autoruns.exe (autorunsc.exe is the command-line version).<\/li><li>Right-click and run the program executable as Administrator, so it\u2019s running in the Administrator\u2019s security context.<\/li><li>Run Process Explorer first (I&#8217;ll explain Autoruns later). Select the Options menu at the top of the screen.<\/li><li>Choose VirusTotal.com and then Check VirusTotal.com.<\/li><li>This will submit all running executables to the&nbsp;<a href=\"https:\/\/www.virustotal.com\/\">VirusTotal<\/a>&nbsp;website, which is run and maintained by Google. You\u2019ll get a message to accept the license; answer Yes. You can close the&nbsp;VirusTotal&nbsp;website&nbsp;that comes up and go back to Process Explorer.<\/li><li>In Process Explorer, you&#8217;ll see a column labeled Virus Total. 
It will either say Hash Submitted (during the first few seconds) or give you a ratio, something like 0\/67, 1\/67, 14\/66, and so on.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/images.idgesg.net\/images\/article\/2017\/10\/process-explorer-100739950-orig.jpg?auto=webp&amp;quality=85,70\"><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/10\/process-explorer-100739950-medium.jpg?auto=webp&amp;quality=85,70\" alt=\"Process Explorer\" \/><\/a><figcaption>Example of Process Explorer and VirusTotal Ratios<\/figcaption><\/figure>\n\n\n\n<p>As you&#8217;ve probably guessed, the displayed VirusTotal ratio indicates how many antivirus engines at VirusTotal reported the submitted executable (hash) as malicious. Currently, the list of antivirus engines is 67, but it goes up and down all the time. I\u2019m not sure why some executables are inspected by all of the antivirus engines and not others, but regardless of the denominator (the number below the line), if the numerator (the number above the line) is greater than zero you&nbsp;<em>could<\/em>&nbsp;have malware.<\/p>\n\n\n\n<p>If it says 1\/57 or 2\/57, however, it probably isn\u2019t malware, but a&nbsp;<a href=\"http:\/\/blog.virustotal.com\/2015\/02\/a-first-shot-at-false-positives.html\">false positive<\/a>&nbsp;instead. On the other hand, I&#8217;ve seen at least one real malware program that was detected by only one of the engines, so double-check whether the program name and the vendor who created it look familiar. If not, it could be malicious. But in general, if the numerator is 1, I usually relax. If it\u2019s 2, I investigate a little bit more. But even most of the 2s end up being false-positives. 
The next screenshot shows examples of two false-positives, both related to the legitimate vendor, Winzip Computing.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/images.idgesg.net\/images\/article\/2017\/10\/virustotal-false-positives-100739951-orig.jpg?auto=webp&amp;quality=85,70\"><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/10\/virustotal-false-positives-100739951-medium.jpg?auto=webp&amp;quality=85,70\" alt=\"virustotal false positives\" \/><\/a><figcaption>Example of VirusTotal False-Positives<\/figcaption><\/figure>\n\n\n\n<p>If you are not sure, simply click on the reported ratio, and it will take you to the VirusTotal page showing which AV engines did and didn\u2019t report it as malware. VirusTotal also displays two symbols at the top of the page, one a red devil and the other a green smiley face wearing a halo. If the arrow is pointing to the green smiley face, which it usually is in these instances, that means VirusTotal\u2019s experience leads them to classify the file as non-malicious. In the example screenshot below, even though the one \u201crogue\u201d AV program (in this case, eGambit) itself claims to have 99 percent confidence that the file is malicious, none of the other 65 AV programs agree, and VirusTotal itself (as evidenced by the selected green smiley face) doesn\u2019t agree.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/images.idgesg.net\/images\/article\/2017\/10\/virustotal-results-100739952-orig.jpg?auto=webp&amp;quality=85,70\"><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/10\/virustotal-results-100739952-medium.jpg?auto=webp&amp;quality=85,70\" alt=\"virustotal results\" \/><\/a><figcaption>Example Screenshot of VirusTotal Detailed Results<\/figcaption><\/figure>\n\n\n\n<p>So why would I recommend a program that often has false-positives? First, it\u2019s an inherent problem with VirusTotal and not Process Explorer. 
Usually the false-positives are cleared up in hours as the AV vendor does its research and clean-up. And if you can overlook the possible minor false-positives that are easy to rule out, there is no single antivirus engine that is anywhere near as accurate as VirusTotal. It may make some minor mistakes erring on the side of caution, but it more than makes up for it in detecting the stuff that many other AV products miss. It uses the power of 67 different AV engines against malware writers. Your antivirus product may miss something, but VirusTotal doesn\u2019t.<\/p>\n\n\n\n<p>Most malware programs are caught at a ratio with a numerator of 3 or higher (e.g., 13\/67). In fact, I\u2019ve never had a false-positive when the numerator is 3 or higher. When I see anything at that numerator or higher, I right-click it in Process Explorer, note the file location path, and kill the process if I don\u2019t absolutely recognize and trust the program file.<\/p>\n\n\n\n<p>Then I manually delete the files associated with the executable \u2014 but proceed at your own risk! Be forewarned: There is always a chance you might accidentally delete something you need for some application or driver to run. If you\u2019re worried, rename the file instead. That\u2019s enough to stop the malware program from re-launching using that same file. I will usually rename it to something with a file extension ending in \u201cthisismalware\u201d so that I\u2019ll remember what I did if I see it again. Usually if I\u2019m not sure if the file I want to delete is malicious, I\u2019ll rename the file, wait a week and then delete the file when I\u2019m more sure that I didn\u2019t impact anything legitimate.<\/p>\n\n\n\n<p>Occasionally, malware will \u201cfight\u201d with you and not let you kill the process. If so, repeat the process above, but go with Autoruns instead. Use Autoruns to unselect the program so that it won&#8217;t load at startup. Reboot and run Process Explorer again. 
Usually, the malware program will not be running and you can delete it. If using Autoruns doesn\u2019t work and the file is still fighting you, you\u2019ll have to boot into Safe Mode, find the executable and then delete or rename it. I haven\u2019t run into an executable in years that fought me beyond this step, but it\u2019s possible. If this happens, use VirusTotal to identify which antivirus products detect the target file as malicious, download one of them, and then run it on your computer to get rid of the file. Heck, you might want this to be your first eradication step if you aren\u2019t comfortable with manually killing and deleting files.<\/p>\n\n\n\n<p>Put a shortcut to Process Explorer&nbsp;on your desktop. Always \u201cRun as Administrator.\u201d I usually right-click the executable (not the desktop shortcut), choose Properties, then the Compatibility tab, select Change Settings for All Users, and then choose Run this program as an administrator. Make sure to run the 64-bit version if you run a 64-bit version of Windows. That is very common these days.&nbsp;I recommend that everyone download and run Process Explorer or Autoruns at least once a week. If that&#8217;s too much, at least be sure to run it if your computer exhibits&nbsp;<a href=\"http:\/\/www.infoworld.com\/article\/2612634\/security\/11-sure-signs-you-ve-been-hacked.html\">suspicious behavior<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Caveat emptor: No malware detection works every time<\/h2>\n\n\n\n<p>To be clear, even this detection method is not perfect. Certain malware can escape this sort of detection, although for now, it&#8217;s rare. Of course,&nbsp;in the future, malware writers could go out of their way to escape the clutches of Process Explorer or Autoruns. 
That\u2019s not true yet, so the above method is one of the best protection methods you can use.<\/p>\n\n\n\n<p>The best long-term advice to avoid infection in the first place will sound familiar if you read my blog regularly: Keep your software fully patched \u2014 especially browser and browser add-in software. Most of all, don\u2019t be fooled into installing something you shouldn\u2019t. Finally, don\u2019t share passwords between different sites \u2014 or use two-factor authentication \u2014 and you\u2019ll become a top security defender. Those three pieces of advice trump any antimalware advice that you&#8217;ll ever get.&nbsp;<\/p>\n\n\n\n<p>If your computer is connected to the internet, no defense is perfect, and you owe it to yourself to apply the best detection regimen available. Feel free to pass my detection recipe along to every friend and co-worker. It\u2019s hard to beat 67 antivirus programs for accuracy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>All antivirus software misses a significant percentage of malware. This is because professional malware writers design their malware and botnet ecosystems to self-update whenever they start getting detected. While antivirus engines eventually sniff out millions of malware variants, they&#8217;re always one generation behind, failing to spot the stuff that has been self-modified to avoid discovery. 
[&hellip;]<\/p>\n","protected":false},"author":14428,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[10,3],"tags":[],"class_list":["post-1606","post","type-post","status-publish","format-standard","hentry","category-gallery","category-news"],"_links":{"self":[{"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/posts\/1606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/users\/14428"}],"replies":[{"embeddable":true,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/comments?post=1606"}],"version-history":[{"count":1,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/posts\/1606\/revisions"}],"predecessor-version":[{"id":1608,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/posts\/1606\/revisions\/1608"}],"wp:attachment":[{"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/media?parent=1606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/categories?post=1606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/tags?post=1606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}