Virus/Malware Removal Best Practices
There are 7 common steps to removing and remediating malware/virus infections in a system.
1. – Quarantine the infection
Time to disconnect from the internet. You’ll need to prevent bad actors from accessing it from the WAN(Wide Area Network, internet) side and prevent lateral movement in your local LAN(Local Area Network) side.
2. Disable system restore (in Windows)
Viruses and malware are good at infecting restore points so that when you run a system restore they persist to previous points. The industry recommendation is to turn off System Restore. This will erase all previous restore points.
3. Remove the infection
You can update antivirus software via USB on a disconnected system.
I use Windows Defender so for my system so I would go to https://www.microsoft.com/en-us/wdsi/defenderupdates and download the appropriate .exe file.
Transfer it to USB and run that on the quarantined system. There are many antivirus options out there and each one may have a somewhat different procedure.
Once updated you can run the scan and appropriate removal, best practice would be to reboot into safe mode or allow the scan to restart your system and run in a Windows PE environment. This will limit the services and process running helping to prevent the virus or malware from attempting to prevent the removal.
There are people that recommend a reinstallation because at this point you simply do not know if the malware that you found was standalone. It’s not uncommon for malware to reach out and pull code to execute. This can mean that you may find and stop the source of the infection but fail to catch a secondary infection that may be undetected by antivirus software.
So because of this, some individuals prefer to wipe the system reinstall from a good image or from iso to ensure that the system is clean.
- Schedule scans and updates After removal of the malware, setup scan and updates to happen automatically. If possible, set the antivirus to continuously scan and catch malware before the infection get executed.
5. Reenable system restore
Now that the infection has been removed its time to reenable system restore.
6. Create a restore point
Create a known good restore point so if future configuration problems arise you can revert back.
7. Educate the user
Try to discover not only how the malware infected the system by why was it there in the first place and educate the end-user on identifying the signs of malware, risky clicks, and symptoms of malware.