3.3 Given a scenario, use best practice procedures for malware removal.

  1. Investigate and verify malware symptoms.
  2. Quarantine infected systems.
  3. Disable System Restore in Windows.
  4. Remediate the infected systems.
    1. Update the anti-malware software.
    2. Scanning and removal techniques (safe mode, pre-installation environment).
  5. Schedule scans and run updates.
  6. Enable System Restore and create a restore point in Windows.
  7. Educate the end user.

Malware Removal

How do we remove malware?  We should follow the procedure below, step by step.

Identify Symptoms

How do you know that this is malware vs. a legitimate program?

What kind of malware is it?  A trojan, a virus, spyware, etc.?

You need to figure out exactly what your computer is infected with so that you can fix it.

You also need to understand the larger implications (is the company a target of some hackers?  Has any user data been compromised?).

Quarantine the Systems

Isolate the systems from the network so that the malware does not spread.

That might require you to physically disconnect the computer.

Disable System Restore

Disable System Restore.  You do not want System Restore to save the virus.

Remediate the Infected System

Remove the malware.

The more deeply embedded the malware, the more difficult it is to remove.

Some types of malware (such as adware) can be removed by deleting the file and/or uninstalling the program from the Control Panel.  This would apply to adware that the user voluntarily installed.

A good antivirus program will detect and remove most forms of malware automatically.

If the malware has infected critical system files or the boot sector, you may try to remove it by booting from a recovery USB/DVD and running a malware removal application, or by reimaging the computer.

A very rare type of malware can infect device firmware (including the BIOS).  This type of malware can’t be removed without replacing the hardware.

Schedule Scans/Updates

Make sure that the antivirus program you installed is up to date, and schedule regular scans.

Enable System Restore/Create a Restore Point

Enable System Restore and create a restore point.

This ensures that you have a restore point where the system is clean.  It also ensures that System Restore is functioning (we disabled it in a previous step).

Educate the End User

It is easier and more cost-effective to educate the end user than to come back and remove more malware.

Show the end user how to detect malware (suspicious e-mail attachments, adware programs, etc.) so that they don’t install them in the future.
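The scriptable parts of the procedure above, as an added Windows PowerShell example that is not part of these notes.  It uses the built-in Microsoft Defender and System Restore cmdlets; the adapter name "Ethernet", the definition share path and the 02:00 scan time are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original notes. Needs Windows PowerShell 5.1
# (the System Restore cmdlets are absent from PowerShell 7); placeholder
# values are marked "assumed".

# Step 1: Investigate and verify. Pull what Defender has already logged so the
# malware family and touched files are known before anything is changed.
function Get-VerifiedDetections {
    Get-MpThreatDetection |
        Select-Object ProcessName, Resources, InitialDetectionTime, DomainUser
}

# Step 2: Quarantine. Take the host off the network (the notes say this may
# instead require physically pulling the cable).
function Invoke-Quarantine([string]$AdapterName = "Ethernet") {  # assumed name
    Disable-NetAdapter -Name $AdapterName -Confirm:$false
}

# Step 3: Disable System Restore so the infected state is not preserved.
function Disable-RestoreForCleanup { Disable-ComputerRestore -Drive "C:\" }

# Step 4: Remediate. The host is isolated, so signatures must come from an
# offline share (or be updated before disconnecting); then run a full scan.
# Boot-sector or firmware infections still need WinPE, reimaging or hardware.
function Invoke-Remediation([string]$DefinitionShare = "\\fileserver\defs") {  # assumed
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $DefinitionShare
    Update-MpSignature -UpdateSource FileShares
    Start-MpScan -ScanType FullScan
    Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive
}

# Step 5: Schedule scans so coverage continues after cleanup.
function Set-ScanSchedule {
    Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00 `
                     -ScanParameters FullScan  # 02:00 is an assumed time
}

# Step 6: Re-enable System Restore and capture a known-clean restore point.
# Windows creates at most one restore point per 24 hours by default.
function Enable-RestoreAndCheckpoint {
    Enable-ComputerRestore -Drive "C:\"
    Checkpoint-Computer -Description "Clean after malware removal" `
                        -RestorePointType MODIFY_SETTINGS
}

# Run the steps in the order the notes give; reconnect with Enable-NetAdapter
# only once Get-MpThreat shows nothing active.
Get-VerifiedDetections; Invoke-Quarantine; Disable-RestoreForCleanup
Invoke-Remediation; Set-ScanSchedule; Enable-RestoreAndCheckpoint
```

Step 7 (educating the user) has no command; it is the conversation you have once the machine is handed back.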

I have seen a single piece of ransomware spread across a network and infect 30,000+ computers in a matter of days, bringing a multi-billion-dollar corporation to a halt.  The company did not take security seriously until after this incident.