This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
This post by Andrew Leniart got me thinking. What exactly is my stance when it comes to infected computers? And what, if anything, can make a once-infected computer clean again? The conclusions I came to are true for any form of malware, from simple trojans to current ransomware.
The possible actions one might take range from the least extreme to the most extreme solutions. Some of these make perfect sense and are even logical, while others are on the fringe of insane. Whatever you end up doing, be sure it makes sense to you. This is how I believe they should rate.
Head in the sand options (this author's opinion)
Of the possible solutions, I feel the one that is the least extreme, in terms of how to remediate the problem, is most likely also the most perilous: completely ignoring the infection and hoping for the best. Doing this seems to me to be dangerous at best, and more likely much, much worse. It means doing nothing, even though one knows that doing so is putting everyone, including yourself, in danger. This is dangerous not only because it leaves malware on your computer, but also because it opens up the possibility that this malware can more easily spread to other computers and any network you join.

Another possible solution is to clean the infection and assume that everything is gone. This is almost as bad as the first choice, but it is also a fairly common choice among members of the Experts Exchange community, even among seasoned malware cleaners 1,2. The assumption that everything has been cleaned leaves you open to all kinds of back doors that may have been installed on your computer.
Restoring from Backup
The next possible solution, in the range from least paranoid to most paranoid, is to restore from a trusted backup. I personally recommend this most often when the user has been hit by something like ransomware. Many other experts on this site make similar recommendations. If one does regular backups, and those backups are of a type that does versioning, and those backups are tested (by doing a partial restore) on a regular basis, then this may be one of the easiest and one of the best solutions.
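One way to run the partial-restore test described above and to choose which backup version to trust, as an added example that is not from the original article. It assumes a hash manifest is recorded at backup time and that the infection time is known; the manifest layout, the version records and all function names are hypothetical.

```python
import hashlib, random, shutil, tempfile
from pathlib import Path

# Added example: manifest format and version records are assumptions.

def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source_dir):
    """Record relative path -> SHA-256 at backup time, while the machine is known good."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def pick_trusted_version(versions, infected_at):
    """Return the newest backup version taken strictly before the infection time."""
    clean = [v for v in versions if v["taken"] < infected_at]
    return max(clean, key=lambda v: v["taken"]) if clean else None

def partial_restore_check(backup_dir, manifest, sample_size=3, seed=None):
    """Restore a random sample to a scratch directory; return the files that fail."""
    names = sorted(manifest)
    sample = random.Random(seed).sample(names, min(sample_size, len(names)))
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        for name in sample:
            src, dst = Path(backup_dir) / name, Path(scratch) / name
            if not src.is_file():
                failures.append((name, "missing from backup"))
                continue
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # the "restore" step of the test
            if sha256_file(dst) != manifest[name]:
                failures.append((name, "hash mismatch"))
    return failures
```

A non-empty result means the backup cannot be trusted as it stands; files that ransomware encrypted before the backup ran show up as hash mismatches against a manifest taken earlier.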
Using a cloned drive
Another very easy solution to a malware infection problem is to use a cloned drive. This is by far both the easiest solution to the problem and the most secure, assuming the cloned drive was NOT connected to the computer at the time the computer was infected (this may be hard to determine depending on your cloning routine). So how does one go about cloning a drive? There is a great video tutorial here on Experts Exchange on how to do this with a program called Casper. One can use any cloning software; I use Paragon Software's HDD Suite for this purpose. So what would you do if you have a cloned drive and you get infected? Simply remove the infected drive from your computer and put the cloned drive(s) into the computer instead. Turn on the computer and you are back up and running!
Reimage the computer
Although this solution is usually used in business environments, one can reimage the computer. This is almost the same as using the recovery partition to go back to factory defaults. One ends up with a clean image of the operating system and any other pertinent software on the computer.
Reinstall the Operating System
A similar option, although one that requires more work, is to reinstall the operating system, and any software you may need, from scratch. This also means reinstalling updates. This will most likely get rid of whatever is bothering you, assuming you use something like Darik's Boot and Nuke (DBAN) to wipe the disk before the reinstall. This is also one of the most extreme solutions.
Buy a new computer
If one is truly paranoid, and has money to throw around, just buy a new computer - it will be as clean and as secure as any new computer. This is a little on the extreme side, but it does solve the immediate problem. The only, I repeat ONLY, long term solution is better user education.
Virtual Machine Option
So of all of these, which is the best solution? It is the one I have yet to mention: using a virtual machine (VM). There are more than a few steps to both using and restoring a VM, but once you have it set up, a VM is easier to restore than any of the above suggestions. How one sets up a virtual machine is not only too lengthy to go into here, it is also covered very well in other articles here on Experts Exchange. Once the VM is set up and running, and you have installed the software you are going to use into it, you need to take what is known as a "snapshot" of the working initial setup. If one takes these snapshots on a regular basis, recovering from any malware becomes trivial. Some ransomware will even self-destruct if it detects that it is within a virtual machine.
So why does running in a VM make it so easy to recover from an infection? One can revert to a clean snapshot, or simply delete the VM itself. Since the virtual machine is only a file, if the file gets infected, one can easily delete it, and the malware cannot spread outside of that VM.
If you feel a little worried about setting up a virtual machine, there are plenty of instructions on how to go about doing it and even some preconfigured VMs you can download. The following links are mostly VMs of Linux distributions.
Windows XP Mode is a virtual machine of Windows XP on Windows 7.
Other Windows virtual machines can be found here (note you will need a license to run a Windows VM):
Trust after infection
I have often ventured the opinion that once a computer has been infected with any malware, although it can be cleaned (and there are plenty of experts here who can help one do just that), it will never be a device you can completely trust again. I write this opinion with the understanding that the device has NOT been subjected to one of the more extreme solutions. If one goes the extreme route, such as restoring from an untouched backup, or using a cloned drive, then there is an infinitesimally small chance that you will have to deal with remnants of an infection. Hence the device may be trusted again.
What does this mean for what you should do going forward?
First, you should implement a strategy you are comfortable using before, during and after such an infection. This means, simply, that if you are comfortable enough with virtual machines, then create one, stage it and install your software into it. When you are finished, you can work in the VM and therefore have implemented the VM choice I suggested above.
This also means your daily routine should now include making sure your selected choice is prepared for the worst possible malware. So, for a VM, take snapshots often; for a cloned drive, update it often. For every other option, do whichever task needs to be done to keep your solution up to date.
Which brings me to the first few choices I mentioned: completely ignore the problem (the head in the sand solution); do a basic clean and hope for the best (still kind of head in the sand); do a basic clean and understand that there are traces left (realistic, albeit defeatist). None of these are really good choices. Although the last of these is the one most commonly recommended (whether the recommender realizes it or not), it is not really a choice if you ever want to use the computer for anything useful again. Do you want to take the chance that there is a keylogger recording your banking password (a good reason to use two-factor authentication)?