Answers to common security questions - Best Practices

Best Practices for Safe Computing - Prevention of Malware Infection

Common sense, good security habits, safe surfing, understanding security and safe computing are essential to protecting yourself from malware infection. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice these principles and stay informed. Knowledge and the ability to use it is the best defensive tool anyone could have. This includes educating yourself as to the most common ways malware is contracted and spread as well as prevention.

• Simple and easy ways to keep your computer safe and secure on the Internet
• Tips to help protect from infection

Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense.

• Importance of Layered Security in Cyber Defense
• The Importance Of Layered Network Security
• Seven Layers of IT security
• The 7 Layers Of Cybersecurity
• What are the 7 Layers of Security? Understanding the Fundamentals

Important Fact: It has been proven time and again that the user is a more substantial factor (weakest link in the security chain) than the architecture of the operating system or installed protection software.

• Are Humans the Weakest Link in Cyber Security?
• Humans and Cybersecurity— The Weakest Link or the Best Defense
• Why Are Humans The Weakest Link In Cybersecurity?
• Studies prove once again that users are the weakest link in the security chain
• Humans are the weakest link in any cyber security strategy

Therefore, security begins with personal responsibility.

Tips to protect yourself against malware infection:

Keep Windows updated with all security updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. When necessary, Microsoft releases security updates on the second Tuesday of each month and publishes Security update bulletins to announce and describe the update. Keep your Web Browser updated as well. Regardless of which browser you use, vendor's routinely release updates which include fixes for exploits and vulnerabilities. Internet Explorer will no longer be supported after June 15th, 2022...it is being retired in favor of Microsoft Edge. Going forward, folks should avoid using Internet Explorer if it is still on your operating system...consider it a security risk.

Avoid keygens, cracked software, warez and any pirated software. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, ransomware, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS.

Avoid peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare). They too are a security risk (unsafe practice) which can make your computer susceptible to malware infections. File sharing networks are thoroughly infested with malware according to security firm Norman ASA and many of them are unsafe to visit or use. Malicious worms, backdoor Trojans, IRCBots, Botnets, and rootkits spread across P2P file sharing networks, gaming, and underground sites. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. If you must use file sharing, scan your downloads with anti-virus software before opening them and ensure Windows is configured to show file known extensions.

Avoid Bundled software. Many toolbars, add-ons/plug-ins, browser extensions, screensavers and useless or junk programs like registry cleaners, optimizers, download managers, etc, come bundled with other software (often without the knowledge or consent of the user) and can be the source of various issues and problems to include Adware, pop-up ads browser hijacking which may change your home page/search engine, and cause user profile corruption. Thus, bundled software may be detected and removed by security scanners as a Potentially Unwanted Program (PUP), a very broad threat category which can encompass any number of different programs to include those which are benign as well as problematic. Since the downloading of bundled software sometimes occurs without your knowledge, folks are often left scratching their heads and asking "how did this get on my computer." Even if advised of a toolbar or Add-on, many folks do not know that it is optional and not necessary to install in order to operate the program. If you install bundled software too fast, you most likely will miss the "opt out" option and end up with software you do not want or need. The best practice is to take your time during installation of any program and read everything before clicking that "Install" or "Next" button. Even then, in some cases, this opting out does not always seem to work as intended.

Beware of Rogue Security software and crypto ransomware as they are some of the most common sources of malware infection. They spread malware via a variety of attack vectors...through social engineering (trickery) and user interaction, opening a malicious or spam email attachment, executing a malicious file, exploits, exploit kits, web exploits, malspam, malvertising campaigns, cryptojacking malware campaigns, fileless malware, non-malware attack, posing as a folder on removable drives, drive-by downloads, downloading software cracks, pirated software, fake Microsoft Teams updates, fake/illegal activators for Windows & Office, targeting managed service providers (MSPs) and RDP bruteforce attacks, a common attack vector for servers particularly by those involved with the development and spread of ransomware since if enabled, it allows connections from the outside as explained here.

• Anatomy of a ransomware attack
• Anatomy of a Linux Ransomware Attack
• Spotlight on Ransomware: Common infection methods
• Spotlight on Ransomware: How ransomware works
• The realities of ransomware: Five signs you’re about to be attacked

For the most effective strategy to protect yourself from malware and ransomware (crypto malware) infection, see my comments in Post #14...it includes a list of prevention tips.

Keeping Autorun enabled on flash drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. One in every eight malware attacks occurs via a USB device. Many security experts recommend you disable Autorun as a method of prevention. Microsoft recommends doing the same.
* Microsoft Security Advisory (967940): Update for Windows Autorun
* Microsoft Article ID: 971029: Update to the AutoPlay functionality in Windows

Note: If using Windows 7 and above, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.

Always update vulnerable software like browsers, Adobe Reader and Java Runtime Environment (JRE) with the latest security patches. Older versions of these and several other popular programs have vulnerabilities that malicious sites can use to exploit and infect your system.

• Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
• Time to Update Your Adobe Reader
• Adobe Security bulletins and advisories
• Microsoft: Unprecedented Wave of Java Exploitation
• eight out of every 10 Web browsers are vulnerable to attack by exploits

Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications...for the purpose of spreading malware.  These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers.

Tools of the Trade: Exploit Kits

To help prevent this, you may want to install and use a Software Updater to detect vulnerable and out-dated programs/plug-ins which expose your computer to malware infection.

Note: The winget command line tool  enables users to discover, install, upgrade, remove and configure applications on Windows 10 1709 (build 16299) or later and Windows 11 computers. Windows Package Manager winget command-line tool is available on Windows 11 and modern versions of Windows 10 as a part of the App Installer. To perform cyclic "update all applications" on your computer, use the following command:
winget upgrade --all --include-unknown --accept-source-agreements

Use strong passwords and change them anytime you encounter a malware infection, especially if the computer was used for online banking, paying bills, has credit card information or other sensitive data on it. This would include any used for taxes, email, eBay, paypal and other online activities. You should consider them to be compromised and change all passwords immediately as a precaution in case an attacker was able to steal your information when the computer was infected. Many of the newer types of malware are designed to steal your private information to include passwords and logins to forums, banks, credit cards and similar sensitive web sites. Always use a different password for each web site you log in to. Never use the same password on different sites. Ransomware disguises .exe files as fake PDF files with a PDF icon inside a .zip file attached to the email. Since Microsoft does not show extensions by default, they look like normal PDF files and people routinely open them. A common tactic of malware writers is to disguise malicious files by hiding the file extension or by adding double file extensions and/or extra space(s) to the existing extension so be sure you look closely at the full file name.

• Password Security 101: All the Steps You Need to Make Them Unbreakable
• How Do I Create a Strong and Unique Password?
• Four Methods to Create a Secure Password You'll Actually Remember
• How to Create a Strong Password (and Remember It)
• Choosing Secure Passwords

Know how to recognize Email scams and do not open unsolicited email attachments as they can be dangerous and result in serious malware infection. For example, Zbot/Z-bot (Zeus) is typically installed through opening disguised malicious email attachments which appear to be legitimate correspondence from reputable companies such as banks and Internet providers or UPS or FedEx with tracking numbers.

• Using Caution with Email Attachments
• How to Avoid Getting a Virus Through Email
• Safety tips for handling email attachments

Beware of Phony Emails, Phone Calls, Tech Support Scams, Ranscams & Extortion/Sextortion Scams (Post #13)

Cybercriminals don't just send fraudulent email messages and set up fake websites. They might also call you on the telephone and claim to be from Microsoft. They might offer to help solve your computer problems or sell you a software license...Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes...Do not trust unsolicited calls. Do not provide any personal information.

For more specific information about these types of scams, please read this topic.

Important !!! Allow Windows to show file extensions. Malware can disguise itself by hiding the file extension or by adding double file extensions and/or extra space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension. In some cases, you may not see the double extension because file extensions are hidden by default in Windows. If you have chosen the option to unhide file extensions, you still may be fooled if the malware writer named the file with extra spaces before the ".exe" extension. The real extension is hidden because the column width is too narrow to reveal the complete name and the tiny dots in between are nearly invisible.

If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.

• 50+ File Extensions That Are Potentially Dangerous on Windows
• How Hackers Can Disguise Malicious Programs With Fake File Extensions
• Why you should set your folder options to “show known file types”

Finally, back up your important data and files on a regular basis. Backing up data and disk imaging  (redundancy) are among the most important prevention tasks users should perform on a regular basis, yet it's one of the most neglected areas.  Some infections may render your computer unbootable during or before the disinfection process. Even if you're computer is not infected, backing up is part of best practices in the event of hardware or system failure related to other causes.

• The smartest way to stay unaffected by ransomware? Backup!
• Encrypted by ransomware...Prevention before the fact is the only guaranteed peace of mind on this one.
• 3-2-1 Backup Strategy
• The Backup Rule of Three

If infected with ransomware, without having backups to restore from, your data most likely is lost forever.

Backing up Data & System Imaging Resources:

• What’s the Best Way to Back Up My Computer?
• How to Protect Your Backups From Ransomware
• Backup and Restore in Windows 10/11
• How to Make System Image Backups on Windows 11
• How to Create a System Image in Windows 11 and Windows 10
• How to Create an image backup in Windows 10

It is a good practice to make a disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.). Disk Imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made.

For the average home user, it is simpler to just buy an external hard drive, copy your critical data to it, disconnect the device and store it in a safe/secure location rather than try to monitor and maintain a complex backup system. Program like SoftByte Labs Comparator make doing backups easy for home users as well as professionals before creating an image.

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; and isolate all backups (offline) to a device that is not always connected to the network or home computer so they are unreachable. If not, you risk not only malware infection but ransomware encrypting your backups and any backups of the backups when it strikes. In addition to encrypting data, many ransomware developers are now routinely searching for and destroying backups or simply deleting your backups.

• Ransomware’s Next Target: Backup Data
• Ransomware Attacks Have Entered the Realm of the Insidious and Vile

As such, some imaging/backup software (such as Macrium Image Guardian, Acronis True Image) automatically restore and/or prevent targeted backup files from being encrypted by ransomware.
.

Other topics discussed in this thread:

• Choosing an Anti-Virus Program
• Why should you use Antivirus software? - Safe Steps for Replacing your Anti-virus
• Do I need antivirus software on my smartphone - Smart Phone Best Practices
• Supplementing your Anti-Virus Program with Anti-Malware Tools
• Choosing a Firewall
• Understanding virus names and Naming Standards - Malware Naming Conventions
• Glossary of Malware Related Terms
• Why you should not use Registry Cleaners and Optimization Tools
• I have been hacked...What should I do? - How Do I Handle Identify Theft, Scams and Internet Fraud
• What is a Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA)?
• About those Toolbars and Add-ons which change your browser settings
• There are no guarantees or shortcuts when it comes to malware removal - When should I reformat?
• Keygens, Cracks, Warez, Pirated Software, Torrents and File Sharing (P2P) are a Security Risk
• What are Cookies and are they dangerous?
• Beware of Phony Emails, Phone Calls, Tech Support Scams, Ranscams & Extortion/Sextortion Scams

Ransomware Related Topics:

• Best Defensive Strategy against ransomware (crypto malware)
• Preventing Ransomware - List of Ransomware Decryptor Tools
• Ransomware Encryption: The math, time and energy required to brute-force an encryption key
• Decryption vs Data Recovery of Ransomware
• Should you pay the ransom? - Reporting Ransomware
• Submitting Ransomware Samples
• Brief History of Ransomware - Types of Operating systems affected

Updated: 02/04/24

Choosing an Anti-Virus Program

Choosing an anti-virus is a matter of personal preference, your needs, your technical ability and experience, features offered, user friendliness, ease of updating (and upgrading to new program release), ease of installation/removal, availability of quality/prompt technical support from the vendor and price. Other factors to consider include detection rates and methods, scanning engine effectiveness, how often virus definitions are updated, the amount of resources the program utilizes, how it may affect system performance and what will work best for your system. A particular anti-virus that works well for one person may not work as well for another. There is no universal "one size fits all" solution that works for everyone and there is no single best anti-virus.

• Consumer Reports: Antivirus Software Buying Guide
• SANS Institute Choosing Your Anti-virus Software

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear and it takes time for them to be reported, samples collected, analyzed, and tested by anti-virus vendors before they can add a new threat to database definitions. Further, if you're dealing with zero-day malware it's unlikely the anti-virus is going to detect anything. Malware writers have the advantage since no matter how hard security vendors attempt to stay on top of new threats, there is always a short time-frame in which a new malicious file goes undetected and can infect a computer without detection. Just because one anti-virus or anti-malware scanner detected threats that another missed, does not mean its more effective.

Every security vendor's lab uses different scanning engines and different detection methods. Each has its own strengths and weaknesses and they often use a mix of technologies to detect and remove malware. Scanning engines may use Heuristic Analysis, Behavior-based Analysis, Sandboxing and Signature file detection (containing the binary patterns of known virus signatures) which can account for discrepancies in scanning outcomes. Depending on how often the anti-virus or anti-malware database is updated can also account for differences in threat detections. Further, each vendor has its own definition (naming standards) of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

Security is all about layers and not depending on any one solution, technology or approach to detect and prevent the latest threats from cyber-criminals. The most important layer is you...the first and last line of defense. Thus, a multi-layered defense using an anti-malware and anti-exploit solution to supplement your anti-virus combined with common sense and following Best Practices for Safe Computing provides the most complete protection.

Keep in mind that most anti-virus vendors who offer free products are bundling toolbars and other software with their products as a cost recoup measure. In fact, all free Anti-virus programs now come with toolbars or other bundled software.

• Beware: Free Antivirus Isn’t Really Free Anymore
• Has the antivirus industry gone mad?!

If pre-checked by default that means you need to uncheck that option during installation if you don't want it. This practice is now the most common revenue generator for free downloads by many legitimate vendors and is typically the reason for the pre-checked option. Also keep in mind that free anti-virus constantly "nag" you with pop-up prompts to upgrade to their paid product.

I no longer recommend avast as a free alternative anti-virus solution...I explain why in this topic.

I no longer recommend AVG as a free alternative anti-virus solution...I explain why in this topic.

.

Microsoft Defender Antivirus (Windows Defender) with free built-in (integrated) anti-virus and anti-malware solution, is just as good as any other antivirus solution (and probably easier to use for the novice) without bundled toolbars or nagging popups. Windows Defender provides a higher level of protection against malware as Microsoft Security Essentials (MSE) provided on older operation systems plus enhanced protection against rootkits and bootkits and protection against potentially unwanted programs if that feature is enabled. Windows 10 Anniversary update introduced Limited Periodic Scanning which allows you to also use a third party anti-virus program as your primary protection.

• Microsoft Defender Antivirus and antimalware software: FAQ

Starting with Windows 10 version 1703 Update, Windows Defender Antivirus was renamed Microsoft Defender Antivirus...it still consists of real-time protection, behavior monitoring and heuristics to identify and block malware based on known suspicious and malicious activity.

Microsoft has incorporated a number of significant improvements which make it competitive with other major anti-virus vendors including many paid for products.

• Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
• Always-on scanning, using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
• Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
• Exploit Guard designed to lock down a system against various attack vectors and block behaviors commonly used in ransomware attacks.
• Controlled Folder Access Anti-Ransomware that allows you to protect files in certain folders to that they cannot be modified.
• A dedicated Ransomware Protection section in Windows Security under the "Virus & threat protection" settings.

Microsoft Defender Exploit Guard has four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any damage can be done. Microsoft Defender Exploit Guard is intended to replace Microsoft’s EMET which was confusing to novice users and allowed hackers to bypass because the mitigations were not durable and often caused operating system and application stability issues as explained here. To further secure Windows against attack, Microsoft added new security features to include Core Isolation and Memory Integrity as part of Microsoft Defender Exploit Guard.

• Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
• How Windows Defenders Exploit Protection Works
• How to Create an Exploit Guard policy
• What Are Core Isolation and Memory Integrity in Windows 10?

"Controlled Folder Access" Anti-Ransomware is a feature that allows you to protect files in certain folders to that they cannot be modified by unknown applications. This protects the files within these folders from being encrypted by a ransomware infection. 

What's new in Windows 10 Spring Creators Update (version 1803)

• The Block at First Sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
• The Virus & threat protection area in the Windows Defender Security Center now includes a section for Ransomware protection. It includes Controlled folder access settings and Ransomware recovery settings.

Starting with Windows 10 Version 1809, Windows Defender Security Center was rebranded as Windows Security and allows management of all security needs including Microsoft Defender Antivirus (Windows Defender) and Windows Firewall.

Is Microsoft Defender Antivirus (Windows Defender) Good Enough?  The results are mixed but more positive than negative.

• What's the Best Antivirus for Windows 10 and 11? (Is Microsoft Defender Good Enough?) - 2023
• Is Windows Defender good enough for my new laptop? - 2023
• Windows Security review: Basic but effective protection built into Windows - 2023
• Is Windows Defender good enough to use in 2023 (yes and no)
• Is Windows Defender Good Enough in 2021?
• Is Microsoft Defender good enough for your PC – or do you need a better free antivirus - 2021
• Is Windows Defender Good Enough to Protect Your PC by Itself? - 2020

Note: I found a few reviews which said Windows Defender was not very good but those sites were pushing Norton and Total AV. In fact, while reading these reviews I encountered several advertising links and popups prompting me to purchase those products.

Since 2019 Microsoft Defender Antivirus has received very good test results for protection on a yearly basis from AV-TEST, an independent IT-Security Institute. Those results were surprising to securty experts who perform reviews and conduct their own testing.

• Still Think Microsoft Defender Is Bad? Think Again, Says AV-TEST
• Windows Defender Gets Perfect Scores in Antivirus Test
• Windows Defender Achieves 'Best Antivirus' Status
• Windows Defender ranked one of the best antivirus solutions according to AV-Test

If you are adamant about using a paid for product, I generally recommend ESET NOD32 Anti-Virus or Emsisoft Anti-Malware as they leave a small footprint...meaning they are not intrusive and do not utilize a lot of system resources. 

ESET Antivirus and Smart Security uses multiple layers of technologies which includes a Host-based Intrusion Prevention System (HIPS) to monitor system activity with a pre-defined set of rules (Advanced Memory Scanner) to recognize suspicious system behavior. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET's enhanced Botnet Protection module blocks communication between ransomware and Command and Control (C&C) servers. ESET's Exploit Blocker is designed to fortify applications that are often exploited (i.e. web browsers, PDF readers, email clients, MS Office components). This feature monitors the behavior of processes, looks for and blocks suspicious activities that are typical for exploits including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java. ESET Antivirus (and Smart Security) also includes [script-based attack protection which protects against javascript in web browsers and Antimalware Scan Interface (AMSI) protection against scripts that try to exploit Windows PowerShell.

• ESET Antivirus Technology and Features
• Advanced Memory Scanner, Exploit Blocker. enhanced Botnet Protection module  to protect against ransomware
• What is HIPS (Host-based Intrusion Prevention System) in ESET Smart Home Products?

Emsisoft Anti-Malware is an antivirus platform that includes anti-malware protection and offers live cloud-verification for superior detection and removal of malware. Emsisoft uses two scanning engines, combining its technology with Bitdefender Anti-Virus and three security levels (or layers) of protection to prevent the installation of malware. These layers consist of surf protection, a dual-engine file guard, and advanced behavior blocking analysis which is extremely difficult to penetrate. Emsisoft’s Behavior Blocker continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. This advanced behavior blocking technology is able to detect unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks. Emsisoft relies on the built-in Windows Firewall and their Firewall Fortification feature which blocks illegitimate manipulations of Windows Firewall rules to ensure its settings can’t be manipulated by malware from the inside. 

• An in-depth look at the Emsisoft scanner technology
• Emsisoft’s dual-engine scanner Behind the scenes
• Why is layered malware protection important? Surf Protection
• Emsisoft’s Behavior Blocker
• Emsisoft Anti-Ransomware Protection Layer
• Emsisoft and Windows Firewall: Your questions, answered

Both ESET Antivirus and Emsisoft Anti-Malware also have the added advantage of warning and detecting the installation of most Potentially Unwanted Programs (PUPs) (such as adware, spyware, unwanted toolbars, browser hijackers) if you enable that feature.

Virus Scanners for Linux

• Security Tools to Check for Viruses and Malware on Linux
• Best Tools to Scan Your Linux Server for Malware and Security Flaws

.
 

IMPORTANT NOTE: Using more than one anti-virus program with real-time protection simultaneously is not advisable. In addition to causing virus threat interception conflicts and false positive virus detection, it can slow down computer performance with excessive strain on system resources and other issues except for Limited Periodic Scanning in Windows 10 Anniversary Update and thereafter, Microsoft Defender Antivirus (Windows Defender) which is intended to offer an additional line of defense to your existing anti-virus program’s real-time protection. This feature allows you to run occasional scans with Windows Defender without conflicting with a third-party anti-virus. When enabled, Windows 10 will use the Windows Defender scanning engine to periodically scan your computer (or allow you to schedule scans) for threats and remove them. The Limited Periodic Scanning feature is intended to offer an additional line of defense to your existing anti-virus program’s real-time protection. Windows 10 will use the Windows Defender scanning engine to periodically scan your computer (or allow you to schedule scans) for threats and remove them.

• Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection
• Windows 10 Limited Periodic Scanning explained

Even if one of the anti-virus programs is disabled for use as a stand-alone on demand scanner, it can still affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating systems core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are initiated, each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "false positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that threat. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anit-virus finds and quarantines the file before the other one does, then you may encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found after it has already been neutralized.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of another and may insist that it be removed prior to installation. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms as described above while trying to use it. In some cases, one of the anti-virus programs may even get disabled by the other.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Microsoft and major Anti-virus vendors recommend that you install and run only one anti-virus program at a time.

You don’t need to install more than one antivirus program. In fact, running more than one antivirus program at the same time can cause conflicts and errors that make your antivirus protection less effective or not effective at all.

Microsoft: Do not install more than one antivirus program

• Kaspersky: Is There a Problem Running More Than One Antivirus?
• Emsisoft: Why it isn’t a good idea to run multiple full antivirus products at the same time
• McAfee: Less Is More: Why One Antivirus Software Is All You Need
• AV Comparatives: Why you should never have multiple antivirus programs on your computer

Edited by quietman7, 23 February 2024 - 12:20 PM.

Why should you use Antivirus software?

Antivirus is crucial, like seat belts or airbags. If you never actually need them, that’s great. But when you do need them, there’s no warning, and they can be the thing that saves you.

Who doesn’t need antivirus?

• Why You Need Antivirus Software
• Do I Really Need Antivirus?
• Do I Need Antivirus Software?
• Antivirus Software and Why I Need It?
• 40 Reasons Why You DON’T Need An Antivirus

Using unprotected computers on the Internet is a security risk to everyone as they are prone to attack from hackers, Botnets, zombie computers and malware infection. Using anti-virus software will help minimize the risk and help to prevent the computer from being used to pass on infections to other machines. When infected and compromised, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, spammers have more platforms from which to send e-mail and more zombies are created to perpetuate the cycle.

How do folks who claim they do not use an anti-virus and never get infected know for certain that their computer is malware free? Many of today's attackers employ advanced techniques which involve sophisticated Botnets, Backdoor Trojans and rootkits to hide their presence on a computer. Without proper security tools including an anti-virus which can detect such malware, you can never be absolutely sure your computer has not been infected.
 

Do I need antivirus software on my smartphone? - Smart Phone Best Practices

Just like with computers, security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense. Humans are still the weakest link in any cyber security strategy. Therefore, using "Smart Phone Best Practices" is your strongest defense.
 
1. Apply Android/iOS security patches and software updates quickly.
2. Lock your phone.
3. Only install necessary Apps - Only use Apps from the Google Play Store for Android & Apple App Store for iOS.
4. Use Two-factor authentication (2FA).
5. Use strong password management.
6. Review & Manage App permissions.
7. Use device encryption.
8. Turn off your Wi-Fi (and Bluetooth) when it's not in use and do not use public networks.
9. Do not jailbreak or root your device
 
Security vendors who sell antivirus products will tell you smartphones need their software for complete protection but if you engage in "Smart Phone Best Practices", then I would say an antivirus is unnecessary. 

Apple iPhones use the iOS operating system which incorporates certain restrictions which limit what the device can do and how much it can be modified by the user. As such, many users engage in the practice of jailbreaking which involves taking away those restrictions. This practice can make using the iPhone a security risk especially if installing dangerous apps which include those not approved by the official Apple App Store for iOS. The lack of security updates for a jailbroken iPhone makes the device more vulnerable to exploits used by hackers. This all means that potential security holes, bugs and unauthorized third-party apps could compromise your iPhone and put your data and identity at risk.

There are similar risks for Android phones when installing apps outside the official Google Play Store for Android and not following Smart Phone Best Practices. To avoid this risk never install apps outside of the Apple App or Google Play Store. 

Mobile malware is more accurately described as "any malicious software deployed against a consumer that has adverse effects on the device. Most of the known Android and iOS malware are usually installed at the back of suspicious and/or third-party applications. Usually when a smartphone is infected with malware there most likely will be obvious indications (signs of infection)  and malware symptoms that something is wrong. "

Smartphone security mostly depends on how you use the device, what kind of data you keep on it and what level of security you want in your device. There is no hard and fast rule that you should or should not use an antivirus on your smartphone.

• Does Your Android Phone Need an Antivirus App?
• Do I need antivirus software on my smartphone?
• Do I need antivirus software on my smartphone?
• Android Antivirus Apps Are Useless -- Here's What to Do Instead

Samsug phones are embedded with Samsung Knox Security (Samsung Knox Platform Whitepaper).

Safe Steps for Replacing your Anti-virus
 

IMPORTANT: Before removing (or reinstalling) your existing anti-virus, you should download and save the setup file for the anti-virus you are going to replace it with. Also download any specialized removal tools available from the vendor for your current anti-virus in case you need them. If is not uncommon for some anti-virus programs to not completely uninstall itself using the usual method of Apps & features in Windows 10/11 or Program Features in Control Panel for older operating systems.

• How to uninstall programs and apps in Windows 11
• Uninstall or remove apps and programs in Windows 11
• How to uninstall programs and apps in Windows 10
• Uninstall or remove apps and programs in Windows 10
• How to uninstall a program in Windows Vista, Windows 7, and Windows 8 using Program Features in Control Panel

Note: Sometimes the uninstall works more effectively if you first stop and disable the program's service (and associated processes in Task Manager) or perform the removal in safe mode so there are less processes which can interfere with the uninstallation.

In rare cases when all else fails, you can try using a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo provides a listing of all installed software by installation date and when removing a program, Revo does a more comprehensive job of searching for and removing related registry entries, files and folders than many other similar tools. However, in most cases such third-party tools are not necessary.

• How To Use Revo Uninstaller Hunter Mode
• How To Trace a Program with Revo Uninstaller Pro

Note: If you already attempted to remove the program and failed, use Revo Uninstaller Pro (free for 30 days) which has an audit feature you can enable in order to track all changes made during the install.

In many cases anti-virus vendors also provide clean-up utilities or removal tools on their web sites to remove remnants left behind after uninstalling or for a failed uninstall so always check there first. It's best to download directly from the vendor's site to ensure you are using the most current version of the uninstall utility as it is not uncommon for third-party hosting sites to have outdated versions which may not work properly.

Comprehensive List of Uninstallers and Removal Tools for Antivirus Software

• Microsoft Wiki: List of anti-malware product removal tools by Stephen Boots, MVP
• ESET: List of Uninstallers (removal tools) for common antivirus software
• Bitdefender: Removal tools (uninstall tools) for common antivirus software
• SingularLabs: Uninstallers – Security Software
• List of Antivirus removal tools
• Antivirus Removal Tool
• Comprehensive List of 26 Uninstallers and Removal Tools for Internet Security and Antivirus Software

Summary of steps to replace an existing anti-virus

• Before removing your old anti-virus, download and save the setup file for the anti-virus you are going to replace it with (unless you plan on activating and using Windows 8 Defender.
• Download any specialized removal tools available from the anti-virus vendor for your current anti-virus in case you need them.
• Disconnect from the Internet.
• Uninstall your current anti-virus following vendor's instructions - sometimes uninstalling in safe mode works better.
• Run the anti-virus vendor's specialized cleanup utility if needed.
• Reboot normally and install the replacement.
• Reboot again if prompted to ensure the anti-virus is working properly before reconnecting to the Internet.
• Connect to the Internet and immediately download the latest definition database updates.

Updated: 03/05/24

Supplementing your Anti-Virus Program with Anti-Malware Tools

An anti-virus program alone does not provide comprehensive protection and cannot prevent, detect and remove all threats at any given time. Anti-virus software is inherently reactive...meaning it usually finds malware after a computer has been infected. Further, if you're dealing with zero-day malware it's unlikely the anti-virus is going to detect anything. Anti-virus and anti-malware programs each perform different tasks as it relates to computer security and threat detection. Essentially, they look for and remove different types of malicious threats.

In simplistic terms, Anti-virus programs use massive databases with different scanning engines and detection methods to scan for infectious malware which includes viruses, worms, Trojans, rootkis and bots.

Anti-malware programs use smaller databases and generally tend to focus more on adware, spyware, unwanted toolbars, add-ons/plug-ins, browser extensions, browser hijackers, potentially unwanted programs and potentially unsafe applications which are classified differently and do not fall into any of those categories...that is the primary reason some anti-virus programs do not detect or remove them.

Anti-virus and Anti-malware solutions with anti-exploitation features protect against zero-day malware, drive-by downloads, exploits, exploit kits and ransomware.

Therefore, you need both an anti-virus and an effective anti-malware solution with real-time protection for maximum protection. However, there can be some overlap in functionality and detection features depending on the program's scanning engine, how the vendor defines a specific threat and what Malware Naming Standards are used.

• The Difference Between Antivirus and Anti-Malware
• Malware Remover vs. Antivirus Software: What's the Difference?
• Antivirus and Antispyware Software: What's The Difference?
• What Is the Difference Between Antivirus & Antispyware?
• Use an Anti-Exploit Program to Help Protect Your PC From Zero-Day Attacks

Since no single product is 100% foolproof, it is recommended to supplement your anti-virus by using trustworthy security tools with real-time protection and performing routine scans.

• Malwarebytes: How to scan and remove malware from your computer
• Emsisoft Anti-Malware: How to scan and remove malware from your computer
• Zemana AntiMalware: How to run a scan with Zemana AntiMalware Free
• SUPERAntiSpyware: How to use to scan and remove malware from your computer

Just like with anti-virus programs...There is no universal "one size fits all" solution that works for everyone and there is no single best anti-malware. Every security vendor's lab uses different scanning engines and different detection methods. Each has its own strengths and weaknesses and they often use a mix of technologies to detect and remove malware. You may need to experiment and find the one most suitable for your needs.

Note: Using Multiple Anti-Malware products:

As a general rule, using more than one anti-malware program like Malwarebytes, SuperAntispyware, Emsisoft Emergency Kit, Zemana AntiMalware, etc. will not conflict with each other or your anti-virus if using only one of them for real-time protection and the others as stand-alone on demand scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. Using different signature databases will aid in detection and removal of more threats when scanning your system for malware.
 

Security vendors use different scanning engines and different detection methods such as Heuristic Analysis, Behavior-based Analysis, Sandboxing and Signature file detection (containing the binary patterns of known virus signatures) which can account for discrepancies in scanning outcomes.

• Behavior-based security vs. signature-based security
• Advanced Malware Detection - Signatures vs. Behavior Analysis
• Analysis of Signature-Based and Behavior-Based Anti-Malware Approaches
• What is Heuristic Analysis?
• What are Heuristics?
• Understanding Heuristic-based Scanning vs. Sandboxing

Further, each vendor uses their own naming conventions to identify various types of ransomware / malware detections so it's sometimes difficult to determine exactly what has been detected or the nature of the threat/infection. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is...all of which can be renamed at any given time. Since there is no universal naming standards, all this leads to confusion by the end user and those attempting to provide assistance. See Understanding virus names {Post #6) for more information.

If using multiple anti-malware real-time resident shields together at the same time, there can be conflicts as a result of the overlap in protection. These conflicts are typical when similar applications try to compete for resources and exclusive rights to perform an action. They may identify the activity of each other as suspicious and produce alerts. Further, your anti-virus may detect suspicious activity while anti-malware programs are scanning (reading) files, especially if it uses a heuristic scanning engine, regardless if they are running in real-time or on demand. The anti-virus may even detect as threats, any malware removed by these programs and placed into quarantined areas. This can lead to a repetitive cycle of endless alerts or false alarms that continually warn a threat has been found if the contents of the quarantine folder are not removed before beginning a new security scan. Generally these conflicts are more of an annoyance rather than the significant conflicts which occur when running two anti-virus programs in real time.

List of Free Scan & Disinfection Tools which can be used to supplement your anti-virus and anti-malware or get a second opinion:

• Emsisoft Emergency Kit
• Emsisoft Anti-Malware Free
• Malwarebytes 3.x Free
• Zemana AntiMalware
• RogueKiller Anti-malware
• SUPERAntiSypware Free - SUPERAntiSypware Portable
• AdwCleaner
• Kaspersky Virus Removal Tool
• Sophos Virus Removal Tool
• Panda Cloud Cleaner - How to disinfect computer with Panda Cloud Cleaner
• Dr.Web CureIt
• ESET Rogue Applications (ERA) Remover - How do I use the ESET Rogue Application Remover (ERAR)
• AVZ Antiviral Toolkit by Kaspersky
• Avira PC Cleaner
• Hitman Pro
• SecureAPlus Freemium
• MicroWorld eScan Anti-virus Toolkit (MWAV)
• Microsoft Safety Scanner (MSS aka MSERT)
• Norman Malware Cleaner
• Windows Defender Offline
• botfrei EU-Cleaner
• ClamWin Free Anti-virus - ClamWin Portable
• McAfee Stinger Tool - How to use Stinger
• Trend Micro Fake Anti-virus (FakeAV) Removal Tool
• Trend Micro System Cleaner
• herdProtect Anti-Malware Scanner
• VIPRE Rescue
• List of Anti-virus vendors that offer free LiveCD/Rescue CD utilities

Many of these tools are stand-alone applications contained within zipped files...meaning they require no installation so after extraction, they can be copied to and run from usb drives.

Emsisoft Free Emergency Kit and Kaspersky Virus Removal Tool are two of the more effective scanners recommended for use on a usb drive.

You can always supplement your anti-virus or get a second opinion by performing an Online Virus Scan.

• ESET Online Scanner <- one of the more effective online scanners
• F-Secure Online Scanner
• Trend Micro HouseCall

.
 

Edited by quietman7, 05 February 2024 - 02:08 PM.

Choosing a Firewall

Choosing a firewall is a matter of personal preference, your needs, your technical ability/experience, features offered, user friendliness, ease of updating, ease of installation/removal, availability of quality/prompt technical support from the vendor and price. Other factors to consider include effectiveness, the amount of resources it utilizes, how it may affect system performance and what will work best for your system. A particular firewall that works well for one person may not work as well for another. There is no universal "one size fits all" solution that works for everyone. You may need to experiment and find the one most suitable for your use and your system. For more specific information to consider, please read:

• Understanding and Using Firewalls
• HTG Explains: What Firewalls Actually Do
• What’s the point of having a firewall?

While some folks believe they need a separate, independent Firewall, there is always the option to just use Windows built-in Firewall. Most concerns you may have heard or read about the Windows Firewall were in the XP operating system so many users were advised to use third-party alternatives. Microsoft significantly improved the firewall to address these concerns in Vista and then added more improvements in Windows 7/8/10/11.

• 5 Reasons Why the Windows Firewall is One of the Best Firewalls
• Is Windows 11 Firewall Good Enough?
• Windows Firewall: Your System’s Best Defense
• Why You Don’t Need to Install a Third-Party Firewall (And When You Do)
• Using Windows Firewall with Advanced Security

Best practices for configuring Windows 10/11 Firewall
How to configure Windows Firewall in Windows 11/10
Adjust (Configure) Windows 10 Firewall Rules & Settings

In Windows 10, the Windows Firewall hasn’t changed very much since Vista. Overall, it’s pretty much the same. Inbound connections to programs are blocked unless they are on the allowed list. Outbound connections are not blocked if they do not match a rule. You also have a Public and Private network profile for the firewall and can control exactly which program can communicate on the private network as opposed to the Internet.

 
Quick History of Windows Firewall
 
Windows Vista Firewall offered two-way filtering for better security than it did in XP but it was still limited. The firewall is combined with IPsec, turned on by default and set to a basic configuration that works in tandem with the Windows Service Hardening feature. If the firewall detects activity that it considers prohibited behavior according to the Service Hardenings preset rules, the firewall will block the suspicious activity. Another feature in the Vista firewall is that it can set rules based on three different types of networks using the Rules Wizard so creating firewall rules is much simpler.

By default, most (not all) outbound filtering is turned off (outbound connections are allowed) and inbound filtering is turned on (inbound connections are blocked/not allowed). Why? This is what Microsoft has to say:

Matt Parretta, a former spokesperson for Microsoft's PR agency, Waggener Edstrom, offered this defense: "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network. After they upgrade to Windows Vista or purchase a new PC with that OS, they will be prompted on the first launch of every application that touches the network: Instant Messaging, IE, e-mail, Windows Media, iTunes, every self-updating app such as Adobe, and so on. Unless they click 'allow', the app will be broken and won't function properly. The out of box experience would be poor, and they would soon be desensitized to the prompts."

Although most outbound filtering is disabled, Vista’s firewall does provide limited outbound filtering which users may not be aware of as it is essentially invisible.

Jason Leznek, Microsoft senior product manager, told Computerworld that outbound filtering rules "are enabled by default for core Windows services as part of Windows Service Hardening, which enables the firewall to understand specific behaviors Windows services should have, and block them if they are doing something unexpected (ie, via an exploited vulnerability). Windows Firewall also protects the computer by blocking certain outgoing messages to help prevent the computer against certain port scanning attacks."

Outbound filtering can be configured to provide an additional layer of security and it does provide corporate and business administrators control over applications (i.e. peer-to-peer file sharing) they may want to restrict. Any such applications that require outbound access must be added to the rules list by using the firewall with the Advanced Security Microsoft Management Console (MMC). Configuration may be confusing for some and there is no practical way to to configure outbound filtering to stop all unwanted outbound connections. Inbound filtering can be turned on or off and through various tabs and configuration settings.

For more specific information about configuration and security, please refer to these articles:

• Windows Vista Security and Data Protection Improvements
• Understanding Windows Firewall settings
• The Windows Vista Firewall explained
• How to Allow a program to communicate through Windows Firewall
• Netsh Commands for Windows Firewall with Advanced Security

Windows 7 Firewall was similar to Vista and also offers two-way filtering for inbound and outbound traffic. However, Windows 7 adds a few new features in the firewall and related network-safety areas such as separate configuration settings for private (Home or Work) and public networks. What's new in the Windows 7 Firewall? 

The Vista firewall was built on a new Windows Filtering Platform (WFP) and added the ability to filter outbound traffic via the Advanced Security MMC snap-in. With Windows 7, Microsoft has tweaked the firewall further and made it much more useable, especially on mobile computers, by adding support for multiple active firewall policies.

The Windows 7 Firewall refines the much-improved firewall that was included in Windows Vista, and brings its "hidden" advanced features out into the open. Many users, including some IT professionals, were unaware that you could filter outbound traffic, monitor and otherwise perform advanced configuration tasks for the Vista firewall, because none of that was apparent from the Firewall applet in Control Panel. With Windows 7, Microsoft has created a built-in host firewall that is much more functional than its predecessors and now poses a viable alternative to third party host firewall products.

As with Vista, the basic settings for the Windows 7 firewall are accessed via the Control Panel applet. Unlike Vista, you can also access the advanced settings (including configuration of filtering for outbound connections) through the Control Panel instead of having to create an empty MMC and add a snap-in...

The Vista firewall allows you to choose whether you are on a public or private network. With Windows 7, you have three choices - public network, home network or work network. The two latter options are treated as private networks...With All-Network types, by default the Windows 7 firewall blocks connections to programs that are not on the list of allowed programs. Windows 7 allows you to configure the settings for each network type separately,...

 
Windows 8/10/11 also comes with a built-in Microsoft Windows Firewall that is similar to the one found in Windows 7 and includes even more advanced features.

• Using Windows Firewall with Advanced Security

Windows Firewall Tools which can be used to extend the default Windows firewall behavior and used for quick access to define rules and configure the most frequently used options.

• Windows Firewall Control for Windows 10, 8, 7, Vista
• Windows Firewall Notifier for Windows 10, 8, 7, Vista
• Windows 10 Firewall Control
• TinyWall for Windows 10, 8, 7
• Firewall 3.0

IMPORTANT NOTE: Using more than one software firewall on a single computer is not advisable. Why? Using two firewalls could cause issues with connectivity to the Internet or other unexpected behavior. Further, running multiple software firewalls can cause conflicts that are hard to identify and troubleshoot. Only one of the firewalls can receive the packets over the network and process them. Sometimes you may even have a conflict that causes neither firewall to protect your connection. However, you can use a hardware-based firewall (a router) and a software firewall (i.e. Kerio, ZoneAlarm, Comodo, etc) in conjunction.

• The Differences and Features of Hardware & Software Firewalls
• Choosing a Firewall: Hardware v. Software
• Are firewalls a waste of time? No. Here’s why

Edited by quietman7, 03 December 2023 - 06:54 PM.

Understanding virus names and Naming Standards - Malware Naming Conventions
 

Each security vendor uses their own naming conventions to identify various types of  ransomware / malware detections so it's sometimes difficult to determine exactly what has been detected or the nature of the threat/infection. Names are created for in-the-wild malware which has been released to infect computers, non-wild ("Zoo" viruses and worms) created by labs and anti-virus vendors to test their ability to detect new threats, proof-of-concept viruses created by ethical groups, generic malware and zero-day malware...all of which can be renamed at any given time. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is. Since there is no universal naming standards, all this leads to confusion by the end user and those attempting to provide assistance.

• Malware Naming Hell Part 1: Taming the mess of AV detection names
• A Virus by Any Other Name: Virus Naming Practices
• Microsoft Malware Names
• How Microsoft names threat actors
• Computer Antivirus Research Organization (CARO) Malware Naming Convention
• Current Status of the CARO Malware Naming Scheme
• List of computer viruses: Naming

Note: Names with Generic or Patched are a very broad category. Generic detections are a type of detection used by anti-virus and anti-malware programs to identify files with malicious characteristics...meaning they have features or behaviors similar to known malware or possible new malware. Thus, a generic detection does not necessarily always mean the file is malicious.

Further, security vendors use different scanning engines and different detection methods such as Heuristic Analysis, Behavior-based Analysis, Sandboxing and Signature file detection (containing the binary patterns of known virus signatures) which can account for discrepancies in scanning outcomes.

• Behavior-based security vs. signature-based security
• Advanced Malware Detection - Signatures vs. Behavior Analysis
• Analysis of Signature-Based and Behavior-Based Anti-Malware Approaches
• What is Heuristic Analysis?
• What are Heuristics?
• Understanding Heuristic-based Scanning vs. Sandboxing

.

Glossary of Malware Related Terms

• What Is the Difference: Viruses, Worms, Trojans, and Bots?
• Common Malware Types: Cybersecurity 101 for beginners
• Dialers, Trojans, Viruses, and Worms Oh My!

What is Malware?
What is Spyware?
What is Adware?
What is Rogue software?

What is a Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA)?
What is a Drive-by download? - Anatomy of a drive-by download web attack
What is an Exploit kit?
What is Ransomware?
What is a Spyware Dialer? - Understanding Spyware, Browser Hijackers, and Dialers
What is a Worm?
What is a Trojan Horse
What is a Backdoor Trojan? - Backdoors explained
What is a Banking Trojan

What is a Botnet?

What is an IRCBot?
What is a Backdoor.IRC.Bot
What is a Zombie Bot?
What is a Botnet (Zombie Army)?
What is a Clickbot
What is a Remote Access Trojan (RAT)?

What is a Virus?
What is a File infecting virus?
What is a Boot sector virus?
What is a Polymorphic virus?
What is a Metamorphic virus?
What is a Script (Macro) virus?

Camouflage in Malware: from Encryption to Metamorphism
The Difference Between a Virus, Worm, Trojan Horse and Blended Threats
What is the difference between viruses, worms, and Trojans?
Trojan FAQs: Common Trojans and how they work

What are Alternate Data Streams (ADS)?
What is Spam?
What is a Spambot?
What is a Web Crawler?
What is Whistler Bootkit
What Is A Rootkit?
What is a TDSS rootkit?
What is a ZeroAccess rootkit

What is Distributed Denial-of-Service Attacks (DDOS)
What is Denial-of-Service Attacks (DOS)
How Distributed Denial of Service Attacks Work
Understanding Denial-of-Service Attacks (DOS)
What everyone needs to know about DDoS
How Zombie Computers Work: Distributed Denial of Service Attacks

For information about malware vectors, please read:

• Malware Infection Vectors: Past, Present, and Future
• How Malware Spreads - How your system gets infected

.
Who Writes Malicious Programs and Why? Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Most malware writers and cyber-criminals today treat it as a business venture for financial gain while "script kiddies" typically do it for the thrill and boosting a reputation as being a hacker among their peers. Below are a few articles which attempt to explain who these individuals are and why they do what they do.

• Who is Making All This Malware — and Why?
• Who creates malware and why?
• Who Writes Malicious Programs and Why
• What goes through the minds of hackers?
• Why do people write viruses?
• Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)
• What Makes Johnny (and Janey) Write Viruses?
• Hidden Backdoors, Trojan Horses and Rootkits...Hacker Tools of the Trade

Updated: 02/05/24

Why you should not use Registry Cleaners and Optimization Tools

There are numerous programs which purport to improve system performance, make repairs and tune up a computer. Many of them include such features as a registry cleaner, registry optimizer, disk optimizer, etc. Some of these programs even incorporate optimization and registry cleaning features alongside anti-malware capabilities. These registry cleaners and optimizers claim to speed up your computer by finding and removing orphaned and corrupt registry entries that are responsible for slowing down system performance. There is no statistical evidence to back such claims. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potential dangerous product. I would not trust any results such programs detect as problematic or needing repair nor recommend using the options to fix them.

Comparatives "Rogueware library" of useless, misleading or fraudulent, malicious software (the link to this quote has been removed).

Some "classic clean-up software" such as "Ccleaner" are classified as "Useless" in this database because the Windows registry does not need any maintenance except if you are victim of a malware infection and because tweaking the windows registery does not speed up a computer at all. It does not mean that Cleaner and similar tools are not good for sweeping your harddrive and help to keep your privacy. Registry cleaners have been become social engineering products (e.g. Iobit Advanced System Care, CCleaner, Wise Registry Cleaner, etc.) and paying for this particular function is just a waste of money.

Further, these types of junk optimization programs are often bundled with other software you download and most are considered Potentially Unwanted Programs (PUPs) so they may be detected or even removed by some security scanners which specifically look for PUPs and adware.

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Further, some vendors who offer registry cleaners use deceptive advertisements and claims which are borderline scams. They may alert you to finding thousands of registry errors which can only be fixed to improve performance if you use or buy their product.

Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Official Microsoft support policy for the use of registry cleaning utilities (KB2563254)

...Windows continually references the registry in the background and it is not designed to be accessed or edited. Some products such as registry cleaning utilities suggest that the registry needs regular maintenance or cleaning. However, serious issues can occur when you modify the registry incorrectly using these types of utilities. These issues might require users to reinstall the operating system due to instability. Microsoft cannot guarantee that these problems can be solved without a reinstallation of the Operating System as the extent of the changes made by registry cleaning utilities varies from application to application. A damaged Windows registry can exhibit a range of symptoms including excessive CPU utilization, longer startup and shutdown times, poor application functionality or random crashes or hangs.  These random crashes and hangs can ultimately lead to data loss due to the systems inability to save data back to the storage location during the occurrence.

• Microsoft does not support the use of registry cleaners...
• Microsoft is not responsible for issues caused by using a registry cleaning utility. We strongly recommend that you only change values in the registry that you understand or have been instructed to change by a source you trust, and that you back up the registry before making any changes.
• Microsoft cannot guarantee that problems resulting from the use of a registry cleaning utility can be solved. Issues caused by these utilities may not be repairable and lost data may not be recoverable.

Unless you have a particular problem that requires a specific registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly is dangerous and could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great. The major source of orphaned registry entries is poorly uninstalled programs so using a good uninstaller program is a much better way to keep the registry clean.

• Ed Bott's Webog: Why I don’t use registry cleaners
• Are Registry Cleaners Safe to Use?
• Registry Cleaners are the Digital equivalent of Snake Oil!
• Registry Cleaners and System Tweaking Tools
• PC Cleaning Apps are a Scam: Here’s Why
• Why Using a Registry Cleaner Won’t Speed Up Your PC or Fix Crashes
• 10 Types of System Tools and Optimization Programs You Don’t Need on Windows

If you want to improve computer performance, please read: Slow Computer/Browser? Check here first; it may not be malware

 
Note: Driver Update utilities are just as bad as registry cleaners. Most are junk programs often bundled with other software you download from the Internet and many are classified/detected as potentially unwanted programs (PUPs) by security scanners.

• Driver Updaters: Digital Snake Oil, Part 2
• Never Download a Driver-Updating Utility; They’re Worse Than Useless
• HTG Explains: When Do You Need to Update Your Drivers?

Updated: 02/16/24

I have been hacked...What should I do? - How Do I Handle Identify Theft, Scams and Internet Fraud

A great deal of hacking is the result of attackers using stolen (compromised) passwords obtained from online data breaches. Potential victims can check if they have an account that has been part of an online data breach at Firefox Monitor and Have I Been Pwned?.

If your system was hacked, you should disconnect the computer from the Internet and from any networked computers until it is checked and cleaned of possible malware.

If you need individual assistance with malware removal or possible hacking, you should follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum for assistance by the Malware Response Team.

After disinfection you should create a new Restore Point and purge the rest to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. Then to remove all but the newly created Restore Point, use Disk Cleanup.

Note: There are no guarantees or shortcuts when it comes to malware removal. In some cases or when dealing with a severe malware infection it may be best to just reformat and reinstall the operating system. See When should I reformat?.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, taxes, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised.

If using a router, you also need to reset it with a strong logon/password before connecting again. Consult these links to find out the default username and password for your router, and write down that information so it is available when doing the reset:

• Router Password
• Default Password List
• Default Username and Password of Router

These are general instructions for how to reset a router:

• Unplug or turn off your DSL/cable modem.
• Locate the router's reset button.
• Press, and hold, the Reset button down for 30 seconds.
• Wait for the Power, WLAN and Internet light to turn on (On the router).
• Plug in or turn on your modem (if it is separate from the router).
• Open your web browser to see if you have an Internet connection.
• If you don't have an Internet connection you may need to restart your computer.

For more specific information on your particular model, check the owner's manual. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference.

Banking and credit card institutions should be notified immediately of the possible security breach. You should file a report with the FBI and your local law enforcement agency which most likely will have a Cyber Unit specializing in tracking down hackers and prosecuting them. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

If you were the victim of Internet/Phone fraud or a scam, you should also file a report.

For more detailed instructions as to what you should do, please read:

• Identity Theft: What to Do if It Happens to You
• Internet Fraud Tips for Victims of ID Theft
• Warning Signs of Identity Theft
• What Should I Do If I've Become A Victim Of Identity Theft?
• Email and web scams: How to help protect yourself

Reporting Fraud, Phishing & Extortion Scams:

• USDOJ Reporting Consumer Fraud and Scams - USFTC How to Report Fraud and Scams
• USA.GOV: Where to Report Frauds and Scams
• ConsumerFraudReporting.org: How to Report a Fraud or Scam
• Report a phishing Page to Google - Avoid and report phishing emails to Google
• Suspicious e-mail can be forwarded to uce@ftc.gov, and complaints should be filed with the state attorney general's office or through the FTC at www.ftc.gov
• Scambook.com: Submit complaint
• Scamguard.com: Submit complaint
• PissedConsumer.com: Submit complaint
• ComplaintsBoard.com: Submit complaint

Reporting Phone and Tech Support Scams:

• Reporting Phone Scams
• FTC ReportFraud Assistant
• WhyCallMe Complaint
• Report a technical support scam to Microsoft
• How to Report the Microsoft phone scam
• Action Fraud: UK’s national reporting centre for fraud and internet crime

Reporting Internet Fraud and Identity Theft:

• FBI Common Fraud Schemes - Internet Crime Complaint Center (IC3): Filing a Complaint
• FTC Identify Theft Site - FTC ReportFraud Assistant
• USFTC Identity Theft.gov: Report identity theft
• Reporting Computer Hacking, Fraud and Other Internet-Related Crime
• Find and file a report with your local FBI Office
• Report Internet Crime around the World
• Fraud.org File a Complaint: Online Incident Report
• USA.gov: Reporting Internet Fraud
• ConsumerFraudReporting.org: How to Report a Fraud or Scam

Note: Below are resources for determining if you have been hacked and how to identify the attacker. While these are suggestions you can try, it is strongly recommended to allow law enforcement authorities to conduct the investigation if the hacking is confirmed and you have been the vicitim of fraudulent financial transactions or stolen funds...they have the resources and expertise to identify hackers and prosecute them.

How to Tell if someone has accessed your computer:

• How to Detect a Remote Access to My Computer
• How to Know when Your Computer Was Last Used
• Has Someone Used Your PC? 3 Ways to Check
• Quickly Find Out Who's Connected To Your Computer

• How do I know if my computer has been hacked?
• How to detect computer & email monitoring or spying software

Investigating Hacking:

• Windows Forensics: Have I been Hacked?
• Tracing a hacker...Using TCPView and other tools
• How To Identify Unknown Network Connections In Windows with TCPView
• How to Track Hackers with netstat and tracert ip
• How to use the Tracert command-line
• Using Tracert - Example: How to Use the Traceroute Command

Always remember...no amount of security software is going to defend against hackers, scammers and malware writers for those who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (weakest link in the security chain) than the architecture of the operating system or installed protection software. Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense.

• 20 ways to keep your internet identity safe from hackers
• 7 practical tips to keep yourself from getting hacked
• 5 Ways to Keep Your Social Media Accounts Safe From Hackers
• Ten tips to help beat the hackers and stay safe online
• 10 Tips To Stay Safe Online

Security begins with personal responsibility, common sense, safe browsing habits and following Best Practices for Safe Computing are all essential to protecting yourself from hackers and scammers.

Updated: 01/03/24

What is a Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA)?

A Potentially Unwanted Program (PUP) is a very broad threat category which can encompass any number of different programs to include those which are benign as well as problematic. Thus, this type of detection does not always necessarily mean the file is malicious or a bad program. PUPs in and of themselves are not always bad...many are generally known, non-malicious but unwanted software usually containing adware or bundled with other free third-party software as a common practice by legitimate vendors to include unwanted toolbars, add-ons/plug-ins, browser extensions, browser helper objects (BHOs), pop-up ads and browser hijackers. PUPs are considered unwanted because they can cause undesirable system performance or other problems and are sometimes bundled and installed without the user's consent since they are often included when downloading legitimate programs. Some, users intentionally install programs with PUP characteristics because they are willing to trade-off the undesirable effects for the benefits provided by using them.

 
When a vendor includes bundled software, they do so as a way to "pay per install" and recoup associated business costs. This practice is now the most common revenue generator for free downloads and is typically the reason for the pre-checked option...see Third-Party Bundling. If pre-checked by default, that means you need to uncheck that option during installation if you don't want it. If you install too fast, you most likely will miss the "opt out" option and end up with software you do not want or need. Even if advised of a toolbar or Add-on, many folks do not know that it is optional and not necessary to install in order to operate the program. Since this sometimes occurs without your knowledge, folks are often left scratching their heads and asking "how did this get on my computer."
 
Some programs falling into the PUP category have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Since PUP detections do not necessarily mean the file is malicious or a bad program, in some cases the detection may be a "false positive". Anti-virus/Anti-Malware scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Usually, if you installed or recognize the program and it is not causing any issues, you can ignore the detection or add to it's exclusion list. If not or you downloaded it from an untrusted site, then you need to investigate further. If a particular program you recognize and want to keep is detected as a PUP by a security scanner, it usually can be restored from quarantine and added to the exclusion or ignore list.
 
PUPs may also be defined somewhat differently by various anti-virus and security vendors, and may or may not be detected/removed based on that definition. That fact adds to confusion and a lot of complaints from folks asking why a detection was made or not made on a particular program. Some anti-virus vendors are much more aggressive than others in their detection methodology in most cases to protect the end user who may not be too security-minded. For example, Malwarebytes has an aggressive PUP Policy and has even taken a tougher stance against PUPs...see here.

• Malwarebytes: What are the 'PUP' detections, are they threats and should they be deleted?
• Sophos: Potentially unwanted applications
• Kapersky: What is a PUP (Potentially Unwanted Program)?
• Bitdefender: What is a PUA (Potentially Unwanted Application) or PUP (Potentially Unwanted Program)?
• Eset: What is a potentially unwanted application or potentially unwanted content?
• Norton: What is a PUA (Potentially Unwanted Application) or PUP (Potentially Unwanted Program)?
• Avira: What are Potentially Unwanted Applications (PUAs)?
• How Microsoft identifies malware and potentially unwanted applications
• Lavasoft: What are Potentially Unwanted Programs (PUPS)?
• McAfee White Paper: Potentially Unwanted Programs
• AVG FAQ 2340: Potentially Unwanted Programs
• Wikipedia: Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA)

A Potentially Unwanted Application (PUA) (like a potentially unwanted program (PUP)) is a broad category of software and many of these programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. PUAs do not fall into the same categories as viruses, Trojans, worms, rootkits and bots. That is the primary reason some anti-virus programs do not detect or remove them. Since PUA detections do not necessarily mean the file is malicious or a bad program, in some cases the detection may be a "false positive". Anti-virus/Anti-Malware scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Usually, if you installed or recognize the program and it is not causing any issues, you can ignore the detection or add to it's exclusion list. If not or you downloaded it from an untrusted site, then you need to investigate further.
 
PUAs may also be defined somewhat differently by various anti-virus and security vendors, and may or may not be detected/removed based on that definition. Again, some anti-virus vendors are much more aggressive than others in their detection methodology in most cases to protect the end user who may not be too security-minded.

• Eset: Potentially Unwanted Applications (PUAs)
• Eset: What is a potentially unwanted application or Potentially Unsafe Application
• Trend Micro: Potentially Unwanted Applications (PUAs)
• Norton: What is a PUA (Potentially Unwanted Application) or PUP (Potentially Unwanted Program)?
• Bitdefender: What is a PUA (Potentially Unwanted Application) or PUP (Potentially Unwanted Program)?
• F-Secure: Potentially Unwanted Application (PUA)
• Avira: Potentially Unwanted Applications (PUAs)
• Microsoft: Potentially Unwanted Applications
• Microsoft: How Microsoft identifies malware and potentially unwanted applications
• Wikipedia: Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA)

A Potentially Unwanted Modifcation (PUM) is a possible unwanted change made to a computer's registry or settings at the system level. PUMs are considered "potentially unwanted" (not necessarily malicious) because the security program making the detection cannot determine if the modification was set by the user, an administrator, a legitimate program or by malware. Potentially Unwanted Modification detections are not false positives or actual infections but rather settings which you may or may not have made. Some anti-virus and security tools will scan and flag certain registry key modifications (i.e. StartMenu, Desktop, SecurityCenter, HomePageControl, NewStartPanel, Internet Explorer HomePage/StartPage, SearchPage (SearchScopes), etc and various other Windows registry policies) but cannot determine if they were made intentionally and who or what made the changes. Since that is the case, the tool may flag these changes to ensure the user is aware of the modification(s). If you did not make the change, then most likely it was made by some type of potentially unwanted program (PUP). In most cases if you made the modification, recognize the PUM, you can ignore the detection. If you don't recognize the detection, then you may need to investigate further as to what or who made the modification(s).

You may also want to read Understanding virus names and Naming Standards - Malware Naming Conventions (Post #6).

Many programs, toolbars, add-ons/plug-ins, and browser extensions come bundled with other free third-party software you download from the Internet (often without the knowledge or consent of the user). In some cases, they may be included in Installers or Downloaders found at hosting sites such as CNET, Download.com, BrotherSoft, Softonic, FreewareFiles and Tucows. These bundled packages, installers and downloaders can often be the source of various issues and problems to include Adware, pop-up ads, browser hijacking which may change your home page and search engine, and cause user profile corruption. As such, they are typically classified as Potentially Unwanted Programs (PUPs).

When a vendor includes bundled software, they do so as a way to "pay per install" and recoup associated business costs. This practice is now the most common revenue generator for free downloads and is typically the reason for the pre-checked option....see Third-Party Bundling. If pre-checked by default, that means you need to uncheck that option during installation if you don't want it. If you install too fast, you most likely will miss the "opt out" option and end up with software you do not want or need. However, in some cases, this opting out does not always seem to work as intended..

Sometimes, PUPs will just naturally be bundled into pseudo-legitimate applications and you won’t even get the option to not install it.

Encountering the Wild PUP

Even if advised of a toolbar or Add-on, many folks do not know that it is optional and not necessary to install in order to operate the program. Since this sometimes occurs without your knowledge, folks are often left scratching their heads and asking "how did this get on my computer."

Regardless of where you go to download software, you always have to be careful with deceptive download links. Clicking on the incorrect link may redirect to another download site which uses heavy and confusing advertising with more download links. On almost every site, including safe software download sites, you may encounter an obtrusive green "Download Now" button as a type of advertisement. These buttons ads come from third party ad networks and work well because many users are capricious by nature. Clicking on one of these "Download Now buttons" (thinking its the one you want) often results in downloading a program the user did not intend to download.

Folks need to take some personal responsibility and educate themselves about the practice of bundling software.

• Safe software download sites – Beware of deceptive download links & PUPs
• Top 10 Ways PUPs Sneak Onto Your Computer. And How To Avoid Them.
• How downloading one program can give you six (!) PUPs
• Here’s What Happens When You Install the Top 10 Download.com Apps
• How-To Geek: Why We Hate Recommending Software Downloads To Our Readers
• Potentially Unwanted Programs and how to avoid installing PUPs
• Even Microsoft bundles software

Toolbars, add-ons and bundled software can install themselves in various areas of your operating system to include your browser and Windows Registry. Since some of their components and behavior are determined to be harmful, some anti-virus and anti-malware tools may detect them as Potentially Unwanted Programs (PUPs) and/or Potentially Unwanted Applications (PUAs) which do not fall in the same category as malicious files such as viruses, Trojans, worms, rootkits and bots.
 

Again keep in mind that not all toolbars and add-ons/plug-ins are bad. Many of them also come bundled with other free software as a common practice by legitimate vendors. Even Anti-virus and security vendors bundle toolbars and other software with their products as a cost recoup measure. In fact, all free Anti-virus programs now come with toolbars or other bundled software except Bitdefender Free...see Has the antivirus industry gone mad?!

Downloading TIPs - Best practices:
Always try to download software directly from the vendor's official home site. Look for and read the End User's License Agreement (EULA) carefully as well as any other related documentation.

Sometimes looking at the name of the setup file before saving it to your hard drive, will give a clue to what you are actually downloading so you can cancel out of it. If the file name does not appear correctly, do not proceed. This is especially important when using third-party hosting sites which are known to use special installers which bundle other software. Some third-party hosting sites like CNET.com publish a Software bundling Policy which you should always read.

Take your time during the installation of any program and read everything on the screen before clicking that "Install" or "Next" button.

Turn on file extensions in windows so that you can see extensions. Ransomware disguises .exe files as fake PDF files with a PDF icon inside a .zip file attached to the email. Since Microsoft does not show extensions by default, they look like normal PDF files and people routinely open them. A common tactic of malware writers is to disguise malicious files by hiding the file extension or by adding double file extensions and/or extra space(s) to the existing extension so be sure you look closely at the full file name.

If you must use CNET or similar sites, check the digital signature of the .exe file you download for validity and who actually signed it. Doing that will let you know if the file has been changed.

TIP: Open your browser, go to View > Toolbars and check the Status Bar box (Internet Explorer) or Add-on bar (Firefox). If you place your cursor over a link, the actual URL address will show up in the Status Bar or Add-on bar at the bottom of the browser window.

TIP: When searching for free software, visit the vendor's website and look for a "slim" or "zipped" version of the product as they generally are stand-alone applications in a zipped version that do not bundle or install anything else.

As more and more legitimate vendors are bundling software to recoup business expenses, folks need to take some personal responsibility and educate themselves about this practice.


TOOLBAR & ADD-ON REMOVAL TIPS:

Many toolbars and Add-ons can be removed from within its program group Uninstall shortcut in Start Menu > All Programs or by using Add/Remove Programs or Programs and Features in Control Panel, so always check there first. With most adware/junkware it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features or Add/Remove Programs in the Control Panel. In most cases, using the uninstaller of the adware not only removes it more effectively, but it also restores any changed configuration.

Alternatively, you can use a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo will do a more thorough job of searching for and removing related registry entries, files and folders.

In some cases you may need to reset or restore all browser settings.

Note: Resetting browser settings is not reversible. After a reset, all previous settings are lost and cannot be recovered. All add-ons and customizations are deleted, and you basically start with a fresh version of your browser.

Uninstalling and reinstalling your browser may not resolve all issues related to toolbars and add-ons. Why? Uninstalling does not completely remove all files and folders. User Profiles are generally not removed during a typical uninstall. Thus, reinstalling does not change the existing User Profile where some browser settings may have been modified so they are automatically restored after the reinstall. That means you may still have some symptoms of browser hijacking afterwards. Another solution is to just create a new user profile and delete the old one. 

After performing the above steps...you can you can run specialized tools like Malwarebytes Anti-Malware, Windows Defender Offline, Emsisoft Emergency Kit, Microsoft Safety Scanner (MSERT) and AdwCleaner to fix any remaining entries they may find. These tools will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants. They also remove related files and folders wherever they hide...to include those within the AppData folder and elsewhere.

Updated: 11/24/23

There are no guarantees or shortcuts when it comes to malware removal - When should I reformat?
 

Stop Trying to Clean Your Infected Computer! Just Nuke it and Reinstall Windows

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans, Botnets, IRCBots and rootkits that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. These types of infections are dangerous because they not only compromise system integrity, they have the ability to download even more malicious files. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They are used by backdoor Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker.

When dealing with Remote Access Trojans (RATS), there is a greater chance the computer has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed. In some cases, such as with a polymorphic file infector, the infection may have caused so much damage, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

The severity of infection will vary from system to system, some causing more damage than others. The longer malware remains on a computer, the more opportunity it has to download additional malicious files which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes. Since infections and severity of damage will vary, it may take several efforts with different, the same or more powerful security scanners/tools to do the job. Even then, with some types of infections, the task can be arduous and still is impossible to be 100% sure that all malware has been removed.

Security vendors that claim to be able to remove file infectors and backdoor Trojans cannot guarantee that all traces of the malware will be removed as they may not find all the remnants or correct all the damage. Wiping your drive, reformatting, reinstalling/ refreshing/resetting Windows or performing a clean install / factory reset removes everything and is the safest action but I cannot make that decision for you.

Many experts in the security community believe that once infected with this type of malware,the best course of action is to wipe the drive clean, reformat and reinstall the OS with your Windows CD/DVD installation disk, restore from a disk image or use the factory restore (system recovery) disks provided by the manufacturer.

• When should I re-format? How should I reinstall?
• Where to draw the line? When to recommend a format and reinstall?

Quote

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

If your computer was compromised also be sure to read: I have been hacked...What should I do?

Keygens, Cracks, Warez, Pirated Software, Torrents and File Sharing (P2P) are a Security Risk
 
The practice of using pirated software, fake/illegal activators for Windows & Office, warez, torrents, keygens and other cracked software is not only considered illegal activity in many countries but it is a serious security risk (unsafe practice) which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, identity theft and ransomware resulting in the encryption of all your most valuable data, in many cases beyond recovery. That means your personal data (documents, pictures, videos) may be lost forever.

Keygens, Cracks, Warez, and Pirated Software

Of six counterfeit Microsoft Office disks tested, they found that five were infected with malware. Of the twelve counterfeit Windows disks tested, they found that six could not install and run, and so could not be tested. They were duds!

Of the six counterfeit Windows disks that could run and be tested successfully:
* Two were infected with malware;
* 100% of the six copies had Windows Update disabled;
* 100% of the six copies had the Windows Firewall rules changed.

In total of the twelve counterfeit software copies that could be installed successfully (six Office and six Windows) and tested:
* Seven copies (58%) were infected with malware
* A total of 20 instances of six different types of malware code found

The Hidden Risks of Using Pirated Software

Recent research shows that websites and programs related to software piracy are likely to be infected with malware due to the way they are distributed...over 50% of all pirated files are infected with malware that are constantly repacked to evade even the most up-to-date anti-virus programs. Software piracy acts as a gateway for cybercriminals to infect computers, leaving individuals and their personal data vulnerable to malware infection.

File Sharing, Piracy, and Malware

...pirated software and cracks — programs designed to generate product keys or serial numbers for popular software and games — are almost always bundled with some kind of malware...downloading pirated software and software cracks is among the fastest and likeliest ways to infect your computer with something that ultimately hands control over of your PC to someone else.

Software Cracks: A Great Way to Infect Your PC

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

TrendMicro Warning

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

* IDC study on The Dangers of Counterfeit Software
* IDC White paper: The Dangersous World of Counterfeit and Pirated Software
* Software Piracy on the Internet: A Threat To Your Securiy
* File Sharing, Piracy, and Malware
* Pirated software carries malware payload that can cost billions

When you use these kind of programs, be forewarned that some of the most aggressive types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Using these types of programs or the websites visited to get them is almost a guaranteed way to get your system infected!!
.
 
 
File Sharing, Torrents, and Peer-to-Peer (P2P) Programs

File sharing networks/torrent sites are thoroughly infested with malware according to security firm Norman ASA and many of them are unsafe to visit or use. The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge.

...It is almost never safe to download executable programs from peer-to-peer file sharing networks because they are a major source of malware infections.

Software Cracks: A Great Way to Infect Your PC
 
Some file sharing programs are bundled with other free software that you may download (sometimes without the knowledge or consent of the user) and can be the source of various issues and problems to include Adware, Potentially Unwanted Programs (PUPs), and browser hijackers as well as dangerous malware. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. Many malicious worms and Trojans, such as the Storm Worm, have targeted and spread across P2P files sharing networks because of their known vulnerabilities.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. Some P2P programs are also configured to allow other P2P users on the same network open access to a shared directory on your computer by default. If your P2P program is not configured correctly, you may be sharing more files than you realize. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat by hiding a file extension or by adding double file extensions and/or extra space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension. The best way to eliminate these risks is to avoid using P2P applications and torrent web sites.

• US-CERT: Risks of File-Sharing Technology
• A Study of Malware in Peer-to-Peer Networks
• SANS Institute Peer-to-Peer File-Sharing Networks: Security Risks
• More malware is traveling on P2P networks these days
• File Sharing, Piracy, and Malware

Many security forums ask members to remove P2P software before assisting them with malware disinfection. The nature of such software and the high incidence of infection or reinfection is counter productive to restoring the computer to a healthy state...see here.

Using P2P programs, file sharing or browsing torrent sites is almost a guaranteed way to get your system infected!!
.

Updated: 01/27/24

What are Cookies and are they dangerous?

Cookies are NOT a "threat" in the typical sense we think of malware infection. As text files, cookies are inherently harmless and cannot be executed to cause any damage. Cookies do not cause any pop ups or install malware and they cannot erase or read information from a computer.

Cookies are text string messages given to a web browser by a web server. Whenever you visit a website or navigate different pages with your browser, the website generates a unique session ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server.

A cookie is essentially a piece of information that is added to a hard disk when a user visits a website...it is used to track and record their preferences as they use that website. The cookie can be retrieved later by websites and web servers to authenticate the user's identity, speed transactions, monitor user behavior, streamline user experiences, track personal information, auto-fill personal information on web forms and more.
 

Microsoft's Description of Cookies

A Cookie is a small text based file given to you by a visited website that helps identify you to that site. Cookies are used to maintain state information as you navigate different pages on a Web site or return to the Web site at a later time...

Cookies cannot be used to run code (run programs) or to deliver viruses to your computer. The purpose of a cookie is to tell the Web server that you have returned to a specific Web page.

Do cookies pose a security risk?

Cookies are short pieces of data used by web servers to help identify web users. The popular concepts and rumors about what a cookie can do has reached almost mystical proportions, frightening users and worrying their managers.

• Fact and Fiction: The Truth About Browser Cookies
• Misconceptions about cookies
• The Unofficial Cookie FAQ
• Web Browser Cookie Forensics

The primary purpose of cookies is to identify users and prepare customized web pages for them. There are two different types of cookies.

• Persistent cookies are used to store information between visits to a site and collect identifying information about the user such as surfing behavior or preferences for a specific web site. Essentially, these cookies help websites remember you and your settings when you visit them again. Persistent cookies have expiration dates set by the Web server when it passes the cookie and are stored on a user's hard drive until they expire or are deleted.
  .
• Session cookies (transient or Non-persistent cookies) are used to temporarily hold information in the form of a session identification stored in memory as you browse web pages. These types of cookies are cached only while a user is visiting the Web server issuing the session cookie and are deleted from the cache when the user closes the session. Session cookies are not saved to the hard drive since they only last one session, do not collect any information and have no set expiration date.

Cookies can be categorized as:

• Trusted cookies are from sites you trust, use often, and want to be able to identify and personalize content for you.
• Nuisance cookies are from those sites you do not recognize or often use but somehow it's put a cookie on your machine.
• Bad cookies (i.e. persistent cookies, long term and third party tracking cookies) are those that can be linked to an ad company or something that tracks your movements across the web.

Beware of Phony Emails, Phone Calls, Tech Support Scams, Ranscams & Extortion/Sextortion Scams

 
Tech Support Scamming through unsolicited phone calls, browser pop-ups and emails from "so-called Support Techs" advising "your computer is locked or infected with malware", “all your files are encrypted", "suspicious ransomware activity" and other fake messages has become an increasing common scam tactic over the past several years. The scams may involve phishing emails or web pages with screenshots of fake Microsoft (Windows) Support messages, fake reports of suspicious activity, fake warnings of malware found on your computer, fake ransomware and fake BSODs many of which include a phone number to call in order to fix the problem. If you call the phone number (or they called you), scammers will talk their victims into allowing them remote control access of the computer so they can install a Remote Access Trojan in order to steal passwords and other sensitive personal information which could then be used to access bank accounts or steal a person's identity.

• Anatomy of a support scam website

More recently, these criminals have diversified their techniques to target customers of ISP (Internet Service Providers), computer manufacturer, and anti-virus software, especially if your personal information was compromised (hacked) from any of those companies.

• Cold-calling Scammers Target Antivirus Customers, Diversify Their Tactics
• Phone Scams Getting More Sophisticated
• Trojan.Tech-Support-Scam Family of Badware

Tech Support scams have become so prolific that the FBI and other government agencies have released warnings to the public.

Ranscam (Fake Ransomware) Scamming is where the criminals use various scare tactics and threats to coerce victims into to paying a bitcoin ransom demand. A common tactic used by these scammers is warning the victim that they will delete or publish all their files if payment is not made usually within a certain time period. The criminals behind Ranscam just delete victim's files...they have no intention (and most likely no capability) of decrypting files after the ransom is paid since they never intended on providing a means to retrieve or recover the victim’s files in the first place. This type of scam is another example of why criminals cannot be trusted even if the victim complies with the ransom extortion demands.

• Ranscam - When Paying Out Doesn't Pay Off
• Malware And Ransomware Scam
• Ranscam Ransomware Deletes Victims’ Files Outright
• Ranscam doesn’t care if you pay the ransom
• Ranscam ransomware and the advent of the cut-rate cybercriminal
• How to tell if you've been hit by fake ransomware
• Scammers Attack Email Inboxes With Fake Ransomware Threats
• Fake Ransomware Attacks Are Tricking Businesses Into Paying

Extortion/Sextortion Scamming is a tactic involving phishing emails / email spoofing sent to unsuspecting victims where the criminals make various threats with demands for money in exchange to keep personal, salacious, derogatory information (photos, videos) or other sensitive  information they allegedly claim to have collected about you from being published or sent to family, friends, coworkers, social media contacts, etc. The scammers may claim they hacked your computer, know your password and have access to all social media accounts, email, chat history and contact lists. They may also claim to have had access to your webcam and have compromising photos or videos of you watching pornography on an adult web site or pleasuring yourself while watching porn. Scammers often indicate they were able to obtain these photos or videos by installing malware with a keylogger and using Remote Desktop Protocol (RDP) to remotely control your computer screen and webcam. In addition to visiting websites with adult content, the personal information collected or captured on video or photographs could relate to any number of accusations such as compromising sexual situations, inappropriate behavior with a child, infidelity, stealing from your employer, etc. There is an example of an Extortion/Sextortion Email noted in this news article.

The next part of the scam is a threat to expose (release) those videos, photos or other sensitive information via email and social media unless you pay them a certain amount of money usually in Bitcoin. The scammers typical claim they have access to your email accounts and all personal contacts and threaten to release what they have to your spouse, family, friends, law enforcement authorities or government related agencies which may be interested. Scammers may even claim they have stolen sensitive business records or financial data from your computer which they intend to release, publish or destroy unless you pay them. This is all a ruse intended to scare a victim into paying the extortion demands.

These are a few examples of Extortion/Sextortion Scam reports and news articles.

• Large email extortion campaign underway, DON'T PANIC!
• Beware of Extortion Scams Stating They Have Video of You on Adult Site
• Sextortion Scam Stating Xvideos Was Hacked to Record You Through Webcam
• Extortion email scam claims to have video of email recipient “self-abusing”
• Sextortion Email Scheme Sent by ChaosCC Hacker Group
• Big change in the plague of Blackmail, Sextortion Scam attempts
• Sextortion Email Variant: With QR Code (Quick Response Code)
• Sextortion Scam Uses Recipient’s Hacked Passwords
• Attempted Blackmail scam watching Porn
• ‘Fake-tortion’ email scam demanding payment in Bitcoin
• The "Your Password" Email extortion scam
• Is the Porn Blackmail Scam Real?
• More tagged articles on Sextortion Scams

Extortion scams have become so prolific that agencies like the FBI, U.S. Department of Justice and others have released Extortion Scam Alerts to warn the public.

• FBI warns of companies exploiting sextortion victims for profit
• Email sextortion scams are on the rise — here’s what to do
• What is a Sextortion phishing scam  — How to protect yourself
• The Basics of Extortion Scams

In the majority of Tech Support Scam and Extortion (Sextortion) Email Scam cases the scammers use social engineering to trick a victim into spending money for unnecessary technical support or to buy an application which claims to remove malware. They typically use bogus error or warning messages (web page redirects & pop-ups) to falsely indicate that your computer is infected or has critical errors. This is done as a scare tactic to goad you into calling a phony tech support phone number shown in the pop-up alert and allowing the scammer remote control access to your computer in order to fix the problem. In some cases you are instructed to download malicious software which will actually infect your system. If the victim agrees, the support usually costs hundreds of dollars and often leaves the victim's computer unchanged or intentionally infected with malware.

Sometimes the scam tactic involves tricking their victims into believing that their computer is infected by having them look at a Windows log that shows dozens of harmless or low-level error entries. The scammer instructs their victim to type "eventvwr" in the RUN box to open Windows Event Viewer and points out all the warnings and error messages listed under the various Event Viewer categories. The scammer then attempts to scare their victims into giving them remote access to the computer in order to fix it and remove malware. More nefarious scammers will install a backdoor Trojan or Remote Access Trojan in order to steal passwords and other sensitive personal information.

• Beware of US-based Tech Support Scams
• FTC cracks down on tech support scams
• Information on Tech Support Scams
• Tech Support Scams – Help & Resource Page
• How to Protect Yourself From Tech Support Scams

The scammer may claim to be an employee affiliated with Microsoft or Windows Support. However, there have been reports of scammers claiming to be affiliated with major computer manufacturers such as Hewlett Packard, Lenovo and Dell, well known security vendors like Symantec, Panda, McAfee, etc. and even popular ISPs.

• Microsoft Help Desk Tech Support Scam
• Fake Windows Defender Prevented Malicious Software Scam
• Fake Microsoft 1-844-879-7840 Suspicious Activity Tech Support Scam
• Scammers target Dell customers after apparent data breach
• Latest tech support scam stokes concerns Dell customer data was breached

“Hello....I am calling you from Windows.....”

Microsoft and others have been warning folks about Tech Support Scams for years.

• Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to provide technical support to fix your computer
• If a pop-up or error message appears with a phone number, don’t call the number. Error and warning messages from Microsoft never include a phone number.

Microsoft does not make unsolicited phone calls, display pop-up alerts in your browser to call a support number or send unsolicited email messages to request personal or financial information or to fix your computer.

• Protect yourself from tech support scams
• How to spot a tech support scam
• The fight against tech support scams
• Is that call from Microsoft a scam?
• Avoid scams that use the Microsoft name fraudulently
• Microsoft Scams: Identify & avoid scams that fraudulently use the Microsoft name
• No, Microsoft Won’t Call You About Your Computer
• Microsoft calling? Mind the tech support scammer!
• Ask Leo: I got a call from Microsoft and allowed them access to my computer. What do I do now?

Not answering any questions and hanging up the telephone is the best way to deal with phone scammers...then report them to the appropriate authorities.

Tech Support Scamming using browser pop-up alerts with telephone numbers from "so-called Support Techs" advising your computer is infected with malware has also become an increasing common and prolific scam tactic. In some cases, the scam may be a web page which looks like a BSOD and includes a tech support phone number to call in order to fix the problem.

In other cases, tech support scammers will use web pages with screenshots of fake anit-virus software displaying warnings of bogus malware infections. Instead of enticing their victims to purchase a license key to remove the fake malware, the scammers scare them into calling a toll-free support number in order to continue the scam, often selling useless high priced support plans. Programs that are part of the Rogue.Tech-Support-Scam use legitimate utilities bundled with Trojans that display fake alerts that try to scare you into calling a remote tech support phone number.

• Avoid this BSoD Tech Support Scam
• Tech Support Scammers Bring Back FakeAV
• “Your PC Is Infected” Round-up…
• Your PC/Device needs to be repaired BSOD Tech Support Scam
• Tech Support Scams – Help & Resource Page

As with phony email and phone scams, the warning alert may claim to be affiliated with Microsoft or Windows Support. Again, Microsoft does not contact users via web page messages, phone or email and instruct them to call tech support to fix your computer.

Closing the web browser and then relaunching it usually eliminates the bogus warning message and is the best way to deal with these scams. If the browser freezes or hangs, you may have to close it with Windows Task Manager by selecting End Task. Afterwards, you should also clear your browser cache.
 
Scammers and cyber-criminals are very innovated...see Tech Support Scams use new Tricks to Hold Browsers Hostage. They are always developing creative and more sophisticated techniques to scare their victims into providing personal information or stealing their money for financial gain. The criminals can target specific browsers like Microsoft Edge, Google Chrome, specific devices like Apple and even your iPhone or iPad.

• Microsoft Edge...Can Be Abused for Tech Support Scams
• Tech support scams and Google Chrome tricks
• Scammers target Apple customers
• Fake iOS Crash Reports hijack your iPhone or iPad

Some scam sites may lock up the browser, load the page in full-screen mode or spawn an infinite loop of repeating fake alert dialog boxes that prevent the victim from closing the web page or navigating away from it. This repeating "dialog loop" essentially is a script that reloads the fake pop-up alert every time victims attempt to close it. Microsoft Edge in Windows 10 includes Dialog Loop Protection that enables Microsoft Edge users to stop repeating dialog loops via a checkbox in order to escape or close the page. Google Chrome has a feature to "Prevent this page from displaying additional dialogs". Some Tech Support scams have similar alerts while others are simply made up and clicking OK can produce the opposite effect. If you are dealing with this type of scam, click the OK button at the bottom of the alert and you should then see a box that says "Do not allow this site to create new pages". Check that box and close the window.
 
If the warning alerts continue to appear after closing and reopening the browser, they could be the result of an ad-supported browser extension, adware or potentially unwanted programs typically bundled with other free software you download and install. In that case, you may need to check for and remove unfamiliar browser extensions and add-ons/plug-ins or reset your browser to its default settings. After that you may want to perform security scans with programs such as as Malwarebytes Anti-Malware, Emsisoft Emergency Kit, Hitman Pro, AdwCleaner and Zemana AntiMalware.

• How to remove Tech Support Scam Popups in your Browser
• How to Remove Adware from a PC
• How to use Emsisoft Anti-Malware to scan and clean malware from your computer
• How to find and clean malware infections with Emsisoft Emergency Kit
• How to use Malwarebytes Anti-Malware to scan and clean malware from your computer

If you need individual assistance from our experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs Forum, NOT here, for assistance by the Malware Response Team.

Email & Attachments: Resources for How to Protect Yourself:

• Common phishing scams and how to prevent them
• Avoiding Social Engineering and Phishing Attacks
• Breaking Down the Anatomy of a Phishing Email
• How to Deal with Phishing Scams - Report phishing emails and texts
• How to Spot a Phishing Email
• 5 Examples To Help You Spot A Fraud Or Fake Email
• How to spot SPOOF (fake) eBay + PayPal phishing emails
• Risks of opening email attachments

Reporting Phone and Tech Support Scams:

• Reporting Phone Scams
• FTC ReportFraud Assistant
• Avoid and report Microsoft technical support scams
• Report a technical support scam to Microsoft
• Action Fraud: UK’s national reporting centre for fraud and internet crime

Reporting Fraud, Phishing & Extortion Scams:

• USDOJ Reporting Consumer Fraud and Scams - FTC ReportFraud
• USA.GOV: Where to Report Frauds and Scams
• ConsumerFraudReporting.org: How to Report a Fraud or Scam
• Report a phishing Page to Google - Avoid and report phishing emails to Google
• Suspicious e-mail can be forwarded to uce@ftc.gov, and complaints should be filed with the state attorney general's office or through the FTC at www.ftc.gov
• Scambook.com: Submit complaint
• Scamguard.com: Submit complaint
• PissedConsumer.com: Submit complaint
• ComplaintsBoard.com: Submit complaint

Updated: 01/04/24

Best Defensive Strategy against ransomware (crypto malware)
 
The most effective strategy to protect yourself from malware and ransomware (crypto malware) is a comprehensive approach to include prevention and backing up data. Make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, disable VSSAdmin, close Remote Desktop Protocol (RDP) if you do not need it. An anti-virus solution alone is not enough protection since many ransomwares will deactivate (disable) it before encrypting data.
 
Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense.

• Importance of Layered Security in Cyber Defense
• The Importance Of Layered Network Security
• Seven Layers of IT security
• The 7 Layers Of Cybersecurity
• What are the 7 Layers of Security? Understanding the Fundamentals

No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (weakest link in the security chain) than the architecture of the operating system or installed protection software.

• Are Humans the Weakest Link in Cyber Security?
• Humans and Cybersecurity— The Weakest Link or the Best Defense
• Why Are Humans The Weakest Link In Cybersecurity?
• Studies prove once again that users are the weakest link in the security chain
• Humans are the weakest link in any cyber security strategy

Your best defense against ransomware infection is backing up data on a regular basis.

• The smartest way to stay unaffected by ransomware? Backup!
• Encrypted by ransomware...Prevention before the fact is the only guaranteed peace of mind on this one.
• 3-2-1 Backup Strategy
• The Backup Rule of Three

The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data every day on a regular basis in order to mitigate the risks of a ransomware attack. The only reliable way to effectively protect your data and limit the loss with this type of infection is to have an effective backup strategy...keeping a separate, isolated (offline) backup to a device that is not always connected to the network or home computer so they are unreachable. Without having backups to restore from, your data most likely is lost forever.
 
Backing up data and disk imaging (redundancy) are among the most important prevention tasks users should perform on a regular basis, yet it's one of the most neglected areas.
 

Backing up Data & System Imaging Resources:

• What’s the Best Way to Back Up My Computer?
• How to Protect Your Backups From Ransomware
• Backup and Restore in Windows 10/11
• How to Make System Image Backups on Windows 11
• How to Create a System Image in Windows 11 and Windows 10
• How to Create an image backup in Windows 10

For the average home user, it is simpler to just buy an external hard drive, copy your critical data to it, disconnect the device and store it in a safe/secure location rather than try to monitor and maintain a complex backup system. Program like SoftByte Labs Comparator make doing backups easy for home users as well as professionals before creating an image.

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; and isolate all backups (offline) to a device that is not always connected to the network or home computer so they are unreachable. If not, you risk not only malware infection but ransomware encrypting your backups and any backups of the backups when it strikes. In addition to encrypting data, many ransomware developers are now routinely searching for and destroying backups or simply deleting your backups.

• Ransomware’s Next Target: Backup Data
• Ransomware Attacks Have Entered the Realm of the Insidious and Vile

As such, some imaging/backup software (i.e. Macrium Image Guardian, Acronis True Image) automatically restore and/or prevent targeted backup files from being encrypted by ransomware. 
 
 
How Ransomware Works - Stages of Encryption Process:
 
The time factor involving the process of crypto malware (ransomware) infection and encryption can vary, however, attacks are typically conducted over time, ranging from a day to a month or longer, starting with the criminals breaching a network. After the attackers gain access to an individual computer or computers on the network, they can steal unencrypted files from backup devices and servers before deploying the ransomware attack as explained here by Lawrence Abrams, site owner of Bleeping Computer. The same principles apply if the infection is the result of a direct attack or downloading a malicious file with ransomware...at some point the malware is going to communicate with the attackers or install a backdoor Trojan giving access to the criminals.
 
In simplistic terms, crypto malware is usually packed by some kind of obfuscator or packer in order to conceal itself and goes through various stages before actual encryption of data and before most victims become aware of it's presence.

1. The first stage of an attack occurs when the criminals access a victim's system, then download and execute a malicious file.
2. The second stage involves the malware connecting to the criminal's Command and Control server (C&C) in order to send information about the targeted computer.
3. During the third stage, the ransomware scans local drives, connected removable media (USBs, external hard drives) and any accessible network locations (mapped drives, network shares) searching for files to encrypt.
4. The encryption stage begins with encrypting all identified data (file formats) using some form of an encryption algorithm. Many encryption schemes are optimized on the CPU (computer's specifications) allowing the malware to encrypt blocks of data very fast...in a matter of a few seconds, a few minutes to several hours depending on a variety of factors to include the amount and size of data files as well as the intentions of the malware developers.
5. The last stage is usually the appearance of the ransom demand in the form of a screen message or ransoms notes dropped in every folder where files were encrypted.
 
With the latest generation of ransomware there is also the possibility of encountering an infection with a time-bomb feature designed to delay the execution of an attack. This involves a gestation period where the ransomware does not immediately encrypt data by design to maximize revenues and overcome any backup defense. Following this stage the ransomware will lie dormant and not delete or encrypt backup files. The ransomware may lie dormant for one, two or several months before finally beginning the encryption stage. However, when encryption begins, that process can start and finish very quickly.

• Ransomware Can Destroy Backups In Four Ways...Plant a ransomware “time bomb.”
• Ransomware Attacks Have Entered the Realm of the Insidious and Vile
• Ransomware operators lurk on your network after their attack

Between 2017-2019, FireEye researchers have found that most ransomware gets executed three days after initial infiltration. This is a deliberate tactic which allows the attackers to delay encryption so they can use the extra time to harvest victims' data and use it as leverage to make victims pay the ransoms under the threat of leaking the stolen information.

• Ransomware: How an attack works
• Anatomy of a Ransomware Attack...Five Stages of Crypto-Ransomware
• Anatomy of a Linux Ransomware Attack
• Spotlight on Ransomware: How ransomware works
• How Ransomware Works
• The realities of ransomware: Five signs you’re about to be attacked

Some ransomware (STOP Djvu, LockFile, BlackCat (ALPHV), Qyick, Agenda, Black Basta, LockBit 2.0, DarkSide, BlackMatter, Ryuk, Nemty, Play) only partially encrypt a file (first so many KB's at the beginning and/or end especially if it is very large). This is deliberate in order to avoid detection and encrypt the data as quickly as possible (before anyone notices) so it does not actually read/write/encrypt the entirety of data. 

• Ransomware Developers Turn to Intermittent (Partial) Encryption to Evade Detection
• Intermittent Encryption Analysis
• Ransomware gangs switching to new intermittent encryption tactic

Unfortunately, partial (intermittent) encryption often results in file corruption and renders the encrypted data useless since the encryption is usually irreversible for these files...the encryption code overwrites part of the file with the encrypted data of another part and there is no way to restore the overwritten data.

• Partial Encryption can corrupt large files
• Ransomware can partially encrypt files and cause corruption

Further, many encryption algorithms are optimized on the CPU (computer's specifications) allowing the malware to encrypt blocks of data very fast...in a matter of a few seconds, a few minutes to several hours depending on a variety of factors to include the amount and size of data files as well as the intentions of the malware developers.

 
US-CERT Alert (TA13-309A) has previously advised that many ransomware families have the ability to find and encrypt files located within network drives, shared (mapped network paths), USB drives, external hard drives (if connected) and even some cloud storage drives if they have a drive letter. Some ransomware will scan all of the drive letters that match certain file extensions and when it finds a match, it encrypts them. Other ransomware will use a white list of excluded folders and extensions that it will not encrypt. By using a white list, the ransomware will encrypt almost all non-system and non-executable related files that it finds.

Most crypto malware (ransomware) typically will run under the same privileges as the infected user account and encrypt any files that are accessible to that user. Ransomware needs write-access to files it encrypts so it will not be able to encrypt files owned by another account without write-access while running as a non-admin account. If the user account is member of the Administrator group then the ransomware can install itself to run for all users. Executables can run as the user who started it or can ask for elevated privileges to run as Administrator.

Ransomware will encrypt any directory or file it can read/write to regardless if previously encrypted by disk encryption software or another ransomware variant. In simplistic terms, encryption converts (scrambles) readable information (plain text) into unreadable information (cipher text). Encrypted files are not locked or immune to secondary or ransomware encryption so encrypting your files before an infection will not help. Ransomware does not care about the contents of the data or whether your files are already encrypted...it will just re-encrypt) them again and again if it has access.

• Why Encrypting Your Data Won’t Protect You From Ransomware
• How Can Ransomware Encrypt Encrypted Files?
• Can ransomware affect already encrypted devices and files
• Can Ransomware Encrypt Already Encrypted Files?
• Can Ransomware Encrypt Files That Are Already Encrypted?
• Can Bitlocker encryption be attacked/disabled by ransomware?
• Can ransomware encrypt files in a drive locked by BitLocker?
• What happens if infected with ransomware and files is already fully encrypted with TrueCrypt?

As such, ransomware can be responsible for double (multiple) encryptions since it will encrypt any directory or file it can read/write to regardless if previously encrypted by another ransomware variant. Again, ransomware does not care about the contents of the data or whether your files are already encrypted...it will just re-encrypt them again and again if it has access. Even the same ransomware can encrypt data multiple times with different strains and that means the files may get corrupted multiple times. Any file corruption complicates possible decryption solutions.

• Double encryption ransomware: What to be afraid of...
• Double Encryption: When Ransomware Recovery Gets Complicated
• Double-Encrypting Ransomware
• Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data)
• Dual ransomware attack victims now get hit within 48 hours
• Fake ransomware decryptor double-encrypts desperate victims' files

Double (multiple) infections also means having to deal with all ransom demand payments and different decryptors created by the criminals in order to decrypt data if the encryption was caused by different ransomware families. Unfortunately there is not much you can do in scenarios like this especially if any of the ransomwares are not decryptable. 
 
Decreasing your chances for recovering data with multiple infections is possible corruption caused by the victim if they tried to use another victim's decryption key, removed the extension or attempted to fix the files by renaming them first. Further, using a faulty or incorrect decryptor (one intended for another specific type of ransomware) usually causes additional damage which corrupts the encrypted files even more.

 
Types of Ransomware & How it Spreads:
 

There are several different classifications and types of ransomware.
1. File encrypting ransomware which incorporates advanced encryption algorithms that is designed to encrypt data files and demand a ransom payment from the victim in order to decrypt their data. 
2. Wiping ransomware which destroys (overwrites data)...meaning the affected data is not recoverable...it is destroyed beyond repair. 
3. Locker ransomware which locks the victim out of the operating system so they cannot access their computer or it's contents to include all files, personal data, photos, etc. Although the files are not actually encrypted, the cyber-criminals still demand a ransom to unlock the computer. Master Boot Record ransomware is a variation of Locker ransomware which denies access to the full system by attacking low-level structures on the disk essentially stopping the computer's boot process and displaying a ransom demand. Some variants will actually encrypt portions of the hard drive itself.
4. Ransomware as a Service (RaaS) involves criminals renting access to a ransomware strain hosted anonymously by the ransomware author who offers it as a pay-for-use service. The author may handle all aspects of the attack (from distributing ransomware to collecting payments and restoring access) in return for a percentage of the ransom demand collected.
 
Ransomware can be further classified as:

• Polymorphic Ransomware
• Wiping Ransomware
• Publishing Ransomware (Doxware)
• Time-Bomb

Ransomware spreads via a variety of attack vectors...through social engineering (trickery) and user interaction, opening a malicious or spam email attachment, executing a malicious file, exploits, exploit kits, web exploits, malspam, malvertising campaigns, cryptojacking malware campaigns, fileless malware, non-malware attack, posing as a folder on removable drives, drive-by downloads, downloading software cracks, pirated software, fake Microsoft Teams updates, fake/illegal activators for Windows & Office, targeting managed service providers (MSPs) and RDP bruteforce attacks, a common attack vector for servers particularly by those involved with the development and spread of ransomware since if enabled, it allows connections from the outside as explained here.

• Spotlight on Ransomware: Common infection methods
• Cryptojacking Overtakes Ransomware, Malware-as-a-Service on the Rise
• Attack tools and techniques used by major ransomware families
• How ransomware spreads: 9 most common infection methods
• How ransomware attackers evade your organization’s security solutions

Threat Bulletin: Ransomware 2020 - State of Play

During the latter half of 2019 and early 2020, the BlackBerry Research and Intelligence Team observed cyber-criminal gangs utilizing advanced tactics to infiltrate and ultimately extort money from victims using several prominent ransomware families (E.G.: Ryuk, Sodinokbi1 and Zeppelin2), with a distinct shift from widespread, indiscriminate distribution to highly targeted campaigns often deployed via compromised Managed Security Service Providers (MSSPs).

2023 State of Ransomware report

If more groups start adopting CL0P’s zero-day exploitation techniques, the ransomware landscape could tilt from service-oriented attacks to a more aggressive, vulnerability-focused model—a move that could skyrocket the number of victims.

Note: For victims who are dealing with an NAS (Network Attached Storage) Linux-based device, the malware most likely infected a Windows-based machine and encrypted the NAS over the network. The criminals could also connect via Samba/SMB (Server Message Block) and run the malware from their system to encrypt files over the Internet which essentially is the same as encrypting files over a network-mapped drive. Attackers have been known to exploit the SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On and Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync to execute the ransomware on vulnerable devices. Hacking passwords, OpenSSH vulnerabilities, exploiting security vulnerabilities and software are common attack vectors.

• Vulnerabilities And Exploits On Synology & QNAP NAS
• Synology: Security Vulnerabilities
• Ransomware uses brute-force SSH attacks to infect Linux-based NAS servers

For more detailed information, please refer to How Malware Spreads - How your system gets infected.
 
 
What to do when you discover your computer is infected with ransomware:
 
When you discover that your computer or network (if applicable) is being infected with ransomware you should immediately shut it down to prevent it from encrypting any more files. Shutting down the computer should stop any encryption to other drives that were connected at the time of infection as explained here by Lawrence Abrams, site owner of Bleeping Computer.

After detecting a ransomware attack, the first step a company should do is shut down their network and the computers running on it. These actions prevent the continued encryption of data and deny access to the system for the attackers. Once this is done, a third-party cybersecurity company should be brought in to perform a full investigation of the attack and audit of all internal and public-facing devices. This audit includes analyzing the corporate devices for persistent infections, vulnerabilities, weak passwords, and malicious tools left behind by the ransomware operators.

Disconnecting the infected computer from the Internet does not stop the encryption process locally.
 
The infected computer should be isolated from other devices and if possible you should create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed in the event that a free decryption solution is ever discovered in the future. The encrypted files and ransom note text files do not contain malicious code so they are safe. Alternatively, you can remove the hard drive, store it away and replace it with a new hard drive and a fresh install of Windows.
 
Even if a decryption tool is available, there is no guarantee it will work properly (it may be fake, defective, or malfunction) or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files (or the original infected hard drive) and related information is a good practice.

• How To Safely Store Ransomware Encrypted Files
• I’ve been infected with ransomware! What should I do?
• What to Do If You're Infected by Ransomware

IMPORTANT!!! The window for finding attackers on your network before ransomware is deployed is getting much smaller.
 

Removing Ransomware From An Infected Computer:

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed but there are some exceptions. The malware developers usually do this to make it more difficult for security researchers to find and analyze their malicious payload. That also explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, many victims don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware which could still be present on the infected computer.

Some crypto malware (i.e. STOP/Djvu Ransomware) are known to leave behind malicious components that will encrypt any new files saved and re-encrypt any files victims previously managed to decrypt. Other ransomware (i.e. Phobos Ransomware) are very aggressive and do not end on a single run...they will run multiple times ensuring repeated infection. There are a few ransomwares that will store a victim's master key in the registry and if removed, the next time the computer is restarted, the ransomware could create a new master key and begin encrypting files again. That means encrypted data by two different keys.

Therefore it is recommended to isolate the infected computer from other devices and thoroughly check the system to ensure no such malicious components have been left behind. IT folks and advanced users who are ransomware victims can use Farbar Recovery Scan Tool (FRST), an advanced specialized tool designed to investigate for the presence of malicious and suspicious files. FRST logs provide detailed information about your system, registry loading points, services, driver services, Netsvcs entries, known DLLs, drives, partition specifications and will also list system files that could be patched by malware.

There are a few ransomware variants that will add an entry to Run and RunOnce Registry Keys so the malicious executable or ransom screen always displays itself on each restart of the computer. In such cases, victims should look for a related entry under the Startup tab in Windows System Configuration Utility (msconfig) or use a tool such as Autoruns to search for and remove any malicious entries.
 
When dealing with ransomware removal it is best to quarantine malicious files rather than delete them until you know or confirm what infection you're dealing with. In some cases, samples of the malware itself are needed for further analysis in order to identify it properly or investigate for flaws which could lead to the creation of a decryption tool so your data can be recovered. Quarantine is just an added safety measure which allows one to view and investigate the files while keeping them from harming your computer. If using security scanning disinfection tools, system optimization and/or cleanup software on some ransomware before backing up, there is a chance they could remove related registry keys and malicious files which may be required to recover your data.
 
Important Note: Some ransomware have been known to install password stealing Trojans on victim's computer to steal account credentials, cryptocurrency wallets, desktop files, and more. It is imperative that you change all passwords for your computer to include those used for banking, taxes, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer as a precaution, not the infected one.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Emsisoft Anti-Malware, Emsisoft Emergency Kit, Malwarebytes, Zemana AntiMalware or RogueKiller Anti-malware.

• How to Perform Manual Ransomware Removal
• How to remove ransomware the right way: A step-by-step guide
• The Basics of Manual Malware Identification and Removal
• Emsisoft: How do I remove the ransomware?
• How To Safely Store Ransomware Encrypted Files

If the computer was shut down to prevent it from encrypting any more files as explained here, then you can use Kaspersky RescueDisk or similar LiveCD/Rescue utilities to assist with malware removal without having to boot into Windows. Offline scanning is a method to disinfect malware from outside an infected Windows system environment by using an anti-malware program that runs outside of the traditional operating system. Offline scanners are usually self-contained, do not require a network or Internet connection and are typically loaded onto a flash drive or CD/DVD and set to boot prior to the operating system. The advantage of offline scanning tools is that they can be used when the malware is not running and interfering with the clean-up process.

• Why And When You Might Need an Offline Malware Scanner

Note: Disinfection will not help with decryption of any files affected by the ransomware.
 
Before doing anything, if possible it is recommended to backup or create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a decryption solution is ever discovered. The encrypted files and ransom note text files do not contain malicious code so they are safe. Alternatively, you can remove the hard drive, store it away and replace it with a new hard drive.

Of course you can always choose to reinstall/refresh/reset Windows, perform a factory reset or reformat instead which will remove ransomware related malicious files...it also will erase all the data on your computer to include your encrypted files, ransom notes, any programs you installed and the settings on your computer so backup your important data first even if it is encrypted. Reinstalling will essentially return the computer to the same state it was when you first purchased and set it up to include any preinstalled and trial software provided by the vendor. However, there are boot sector viruses (bootkits) which can alter the Master Boot Record (MBR) as explained here and in those cases, you should also rewrite the MBR to ensure all malicious code has been removed.
 
If you have an older operating system you may need to reformat the hard drive.

• What Does Format Mean?
• What does it mean to reformat a hard drive?
• How to Erase and Format a Hard Drive

It never hurts to try a manual clean-up first with trustworthy security scanning tools if that is something you want to consider. However, it is still recommended to create a copy or image of the entire hard drive before doing anything for the same reasons noted above.
 
If you need individual assistance only with removing the malware infection, there are advanced tools which can be used to investigate and clean your system. Please follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum for assistance by the Malware Response Team.
 

Ransomware victims should ignore all Internet web searches which provide numerous links to bogus and untrustworthy ransomware removal guides, including Facebook and YouTube videos, many of which falsely claim to have decryption solutions. After expert researchers write about new ransomware variants, junk articles with misinformation are quickly written in order to scare, goad or trick desperate victims into using or purchasing mostly sham removal and decryption software. Victims may be directed to download a multitude of unnecessary and useless tools. In some cases, unsuspecting victims may actually be downloading a malicous file or fake decryptor resulting in double (multiple) encryptions that makes the situation even worst. Further, your personal and financial information are also at risk when dealing with scammers. Only use trusted sources when searching for information.

• Report inappropriate videos, channels, and other content on YouTube

 
Updated: 02/04/24

Preventing Ransomware

Most security experts agree that the best way to protect from ransomware is to prevent it from happening in the first place.

...there’s just no good way to decrypt files encrypted by ransomware Prevention before the fact is the only guaranteed peace of mind on this one.

• How do I decrypt files encrypted by ransomware?
• How to beat ransomware: prevent, don’t react
• Want to Survive Ransomware? Here’s How to Protect Your PC

Kaspersky labs reports RDP Bruteforce attacks are on the rise. Everyone should be aware that Remote Desktop Protocol is a very common brute force attack vector for servers particularly by those involved with the development and spread of ransomware since if enabled, it allows connections from the outside. Attackers will use remote port scanning tools to scan enterprise computer systems, searching for RDP-enabled endpoints commonly used to login from outside the workplace. When the attacker finds a vulnerable RDP-enabled endpoint they use a barrage of login attempts by guessing or brute force attacking the password. Attackers can also use phishing of a company employee to gain access and control of their machine, then use that access to brute-force RDP access from inside the network.

Once the attacker gains administrative access remotely to a target computer they can create new user accounts or use a user not logged in to do just about anything. The attacker can use remote access tools to introduce and execute crypto malware, generate the encryption keys, encrypt data files and upload files back to the them via the terminal services client. The attacker can also steal unencrypted files from backup devices and servers before deploying the ransomware attack as explained here.

• Ransomware spreads through weak remote desktop credentials

In addition to searching for devices with exposed RDP or weak passwords that can be exploited by brute-force attacks, criminals are also using that access to routinely search for and destroy backups or simply delete your backups.

IT admins and other folks should close RDP if they don't use it. If they must use RDP, the best way to secure it is to only allow RDP from local traffic, whitelist IP's on a firewall or not expose it to the Internet. Put RDP behind a firewall, setup a VPN to the firewall, use an RDP gateway, change the default RDP port (TCP 3389) and enforce strong password policies, especially on any admin accounts or those with RDP privileges. Those using a server may even want to consider using a host-based intrusion prevention system (HIPS) like RdpGuard for Windows Server to protect from brute-force attacks.

• Experience an RDP attack? Its your fault, not Microsofts
• Ransomwares Favorite Access Point - Remote Desktop Protocol (RDP)
• Brute force RDP attacks depend on your mistakes
• RDP Attacks: What You Need to Know and How to Protect Yourself
• RDP brute force attacks: 5 tips to keep your business safe
• Securing Remote Desktop (RDP) for System Administrator

Malware can disguise itself by hiding the file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension so be sure you look closely at the full file name as well as the extension. In some cases, you may not see the double extension because file extensions are hidden by default in Windows. If you have chosen the option to unhide file extensions, you still may be fooled if the malware writer named the file with extra spaces before the ".exe" extension. The real extension is hidden because the column width is too narrow to reveal the complete name and the tiny dots in between are nearly invisible.

If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.

• 50+ File Extensions That Are Potentially Dangerous on Windows
• How Hackers Can Disguise Malicious Programs With Fake File Extensions
• Why you should set your folder options to show known file types

Ransomware Prevention Tips:

• US-CERT: How to protect your network from ransomware
• How to Protect and Harden a Computer against Ransomware
• How To Lock Down So Ransomware Doesn't Lock You Out
• SANS Enterprise Survival Guide for Ransomware Attacks
• Ransomware: Best Practices for Prevention and Response
• Ransomware: 7 Defensive Strategies
• How to Strengthen Enterprise Defenses against Ransomware
• Best practices for securing your environment against ransomware
• Ransomware Do's and Dont's: Protecting Critical Data
• How Businesses Can Best Defend Against Ransomware Attacks
• 11 things home users can do to protect against ransomware
• 22 Ransomware Prevention Tips for the home user
• Why Everyone Should disable (rename) VSSAdmin.exe Now!

You should use an Anti-Exploit program to help protect your computer from zero-day attacks and rely on behavior detection programs rather then standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself which in most cases is not immediately detected by anti-virus software. Some anti-virus and anti-malware programs include built-in anti-exploitation protection.
 

Note: Microsoft Defender Exploit Guard (introduced in Windows 10 Fall Creators Update) includes four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any damage can be done. Exploit protection consists of exploit mitigations which can be configured to protect the system and applications whenever suspicious or malicious exploit-like behavior is detected. Controlled folder access protects common system folders and personal data from ransomware by blocking untrusted processes from accessing and tampering (encrypting) sensitive files contained in these protected folders. Attack Surface Reduction (ASR) is comprised of a set of rules which helps prevent exploit-seeking malware by blocking Office, script and email-based threats. Network protection protects against web-based threats by blocking any outbound process attempting to connect with untrusted hosts/IP/domains with low-reputation utilizing Windows Defender SmartScreen. Windows Defender EG is intended to replace Microsofts EMET which was confusing to novice users and allowed hackers to bypass because the mitigations were not durable and often caused operating system and application stability issues as explained here.

Ransomware Prevention Tools:

• AppCheck Anti-Ransomware
• Check Point ZoneAlarm Anti-Ransomware
• Acronis Cyber Protect
• Malwarebytes with Anti-Exploit & Anti-Ransomware
• Malwarebytes Anti-Exploit standalone
• Kaspersky Anti-Ransomware Tool for Business (Free) - How Kaspersky Anti-Ransomware works
• RdpGuard HIPS for Windows Server to protect from brute-force attacks
• CryptoPrevent - CryptoPrevent FAQs
• NoVirusThanks OSArmor
• Cybereason Ransomfree <- discontinued 12/08/18, see [i]here
• CyberSight RansomStopper
• McAfee Ransomware Interceptor - How to Use Interceptor, FAQs
• TEMASOFT Ranstop - Ranstop FAQs, Support, System Requirements
• CryptoDrop
• GS Anti-Ransomware
• CryptoLocker Tripwire for file servers
• HitmanPro.Alert with CryptoGuard
• Ransomware Simulator
• MBRFilter - Using MBRFilter against Ransomware that modifiy the Master Boot Record
• Bitdefender Anti-Ransomware
• Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
• Symantec's NoScript or AnalogX Script Defender
• List of Anti-Ransomware Software & Comparison

Other Malware Prevention Tools:

Updated: 01/20/24