Winter Soldier

Level 25
I know that no antimalware solution guarantees 100% protection, so is it realistically impossible to know whether your computer is 100% malware-free?

Also, can a manual analysis, such as checking the running processes, ensure that absolutely no malware is running on your system?

Thank you.
 

WinXPert

Level 24
Verified
Trusted
Malware Hunter
It's not just the running processes, because some may hide inside legit programs, like Ramnit (running under your default browser; I will provide screenshots later). We can use enumerators like FRST, OTL, Runscanner, ESET's SysInspector, etc. for analysis. Even the aged HJT can be used for old-school, low-risk viruses.

Another thing is taking a snapshot of your system, doing a comparison, and noting the following changes:
  • New StartUp items
  • Changes in the registry
  • Changes in policies
  • New files created
(Screenshot: Ramnit asking for a firewall exception)

(Screenshot: Ramnit running under Firefox)
 
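WinXPert's snapshot-and-compare approach, worked through as an added example (Python; this is not code from the thread or from any of the tools named in it). The autorun key list is illustrative and the registry collector only runs on Windows via the standard-library winreg module; the diff logic is platform-independent and is exercised here with a constructed before/after pair in which a new Run value pointing into %APPDATA% appears and the hosts file changes:

```python
"""Snapshot-and-compare for persistence hunting.

Added example; not code from the original thread or from any tool named
in it. The Windows autorun collector uses the standard-library `winreg`
module and returns nothing on other platforms; the diff logic is
platform-independent and is what the constructed sample data exercises.
"""
import hashlib
import json
import os
import sys

# Illustrative autorun locations (Run/RunOnce for machine and user). A real
# baseline would also cover services, scheduled tasks, WMI subscriptions, etc.
AUTORUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def collect_autoruns():
    """Return {'HIVE\\key\\valuename': data} for AUTORUN_KEYS (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = {}
    for hive, path in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key does not exist on this system
        with key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                found[f"{hive}\\{path}\\{name}"] = str(data)
                index += 1
    return found


def collect_file_hashes(root):
    """Return {relative path: sha256 hex} for every readable file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # locked or unreadable: skip, do not abort the snapshot
    return hashes


def take_snapshot(file_roots=()):
    """Build a snapshot: each section maps an item to its current value."""
    files = {}
    for root in file_roots:
        files.update({os.path.join(root, rel): h for rel, h in collect_file_hashes(root).items()})
    return {"autoruns": collect_autoruns(), "files": files}


def save_snapshot(snapshot, path):
    with open(path, "w") as fh:
        json.dump(snapshot, fh, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as fh:
        return json.load(fh)


def diff_snapshots(baseline, current):
    """Compare two snapshots section by section.

    Returns {section: {"added": {...}, "removed": {...}, "changed": {...}}}
    containing only non-empty categories, so {} means nothing changed.
    """
    report = {}
    for section in sorted(set(baseline) | set(current)):
        old, new = baseline.get(section, {}), current.get(section, {})
        added = {k: new[k] for k in new.keys() - old.keys()}
        removed = {k: old[k] for k in old.keys() - new.keys()}
        changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
        entry = {label: d for label, d in (("added", added), ("removed", removed), ("changed", changed)) if d}
        if entry:
            report[section] = entry
    return report


# Constructed sample standing in for a real baseline and a later snapshot.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
BASELINE = {
    "autoruns": {RUN_KEY + r"\OneDrive": r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    "files": {HOSTS: "a" * 64},
}
LATER = {
    "autoruns": {**BASELINE["autoruns"], RUN_KEY + r"\WindowsUpdate": r"C:\Users\me\AppData\Roaming\svchost.exe"},
    "files": {HOSTS: "b" * 64},  # hosts file modified since the baseline
}

if __name__ == "__main__":
    for section, entry in diff_snapshots(BASELINE, LATER).items():
        for label, items in entry.items():
            for item, value in items.items():
                print(f"[{section}] {label}: {item} -> {value}")
```

In practice you take the baseline right after a clean install (save_snapshot), and each later comparison loads it and diffs against take_snapshot(). A new Run value named like a Windows component but living under the user profile, as in the sample, is exactly the kind of discrepancy the comparison is meant to surface.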

SHvFl

Level 35
Verified
Trusted
Content Creator
I know that no antimalware solution guarantees 100% protection, so is it realistically impossible to know whether your computer is 100% malware-free?

Also, can a manual analysis, such as checking the running processes, ensure that absolutely no malware is running on your system?

Thank you.
  1. Clean install your OS of choice
  2. Install everything you need and trust on it
  3. Keep your personal files on the cloud
  4. Take a full system image
  5. Every time you think you messed up reset to that image
  6. Profit?
 

Wave

I know that no antimalware solution guarantees 100% protection, so is it realistically impossible to know whether your computer is 100% malware-free?
There is absolutely nothing you can do to make sure that your system is entirely clean, unless you also have experience with firmware (e.g. flashing the BIOS) and hardware (e.g. changing hardware components). You see, stepping aside from malware infections which can be obtained through your computer usage, malware can be pre-installed on the system... It's been seen in the past and linked to government agencies; Kaspersky identified such things a while back. There are also similar cases where adware has been packaged with systems from manufacturers.

As a user, though, and since I do know you weren't referring to the points above (or I assume so), the best thing you can do is format your system and then reinstall the operating system (and if you use an ISO image, make sure it's a clean one). The reason you'll want to format first, as opposed to just reinstalling the OS through recovery (e.g. on Windows 10 you have that option), is simply that more advanced malware is able to stay at the software level and return after an OS re-installation (without the need for any firmware-infection components). That being said, such an incident is extremely rare and I never experienced it myself, even when I was getting daily infections for several years back at the peak years of rootkits, bootkits, and other similar dangerous threats.

I also recommend using the advice from @SHvFl, since keeping a full system image backup is one of the best safety measures you can take; if you get infected, revert using the backup. Backups are especially useful in the case of a virus or ransomware situation, where the only other ways to retrieve your files would be to disinfect or decrypt them, which is highly unlikely to be a successful procedure (although it does depend on multiple factors).

Also, can a manual analysis, such as checking the running processes, ensure that absolutely no malware is running on your system?
Malware analysis can help identify malicious software installed on the system, but it certainly cannot ensure that no malware is running on the system. Malware can work with a device driver and then terminate its user-mode processes for concealment purposes, or even hide its user-mode processes through the use of API hooking (either kernel-mode or user-mode) or DKOM (Direct Kernel Object Manipulation; x86 OS only due to PatchGuard/Kernel Patch Protection). Alongside this, malicious software can compromise other running processes through the use of code injection (allocate memory in another process, then write to the newly allocated memory and finish things off by creating a remote thread within the address space of that process to get its code executing; even better, it can work with dynamic forking).

Malware is constantly evolving; within the next 4-5 years I expect to see malware in the wild which will use the hypervisor to perform full system-wide virtualization, allowing a rootkit component to literally control everything, even on x64 systems regardless of PatchGuard/Kernel Patch Protection. If we are all learning and security vendor engineers are all learning, nothing is stopping the malware authors from learning as well.

IMO using tools for such things is simply unreliable, just format and re-install the OS.

Stay safe,
Wave. ;)
 
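Wave's point that a process list can be lied to (hooked enumeration APIs, DKOM) is why anti-rootkit tools do not trust a single view. The standard counter is cross-view enumeration: gather the process set two independent ways and report anything alive in one view but missing from the other. The following is an added example in Python (not code from the thread or from any tool named in it), written for Linux where the listing view is the /proc directory and the probe view is a signal-0 kill() against every PID; the Windows analogue would pair CreateToolhelp32Snapshot with an OpenProcess brute force, which is an assumed mapping and not implemented here:

```python
"""Cross-view process enumeration (added example, not from the original thread).

View A: the /proc directory listing, i.e. what a task-manager style tool sees.
View B: probe every PID with kill(pid, 0), which reports a live process
(success, or EPERM for another user's process) without consulting any list.
A process present in B but absent from A is a cross-view discrepancy: either a
race (it started or exited mid-scan) or something hiding from the listing.
Two listings bracket the probe so plain races are filtered out.

Caveat, matching the thread's argument: a kernel-mode rootkit can lie to the
probe path as well, so a clean result raises confidence but proves nothing.
"""
import os


def listed_pids():
    """View A: PIDs visible by enumerating /proc (Linux only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def default_pid_range():
    """1..pid_max inclusive, falling back to the classic 32768 limit."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return range(1, int(fh.read()) + 1)
    except OSError:
        return range(1, 32769)


def probed_pids(pid_range=None):
    """View B: PIDs that answer a signal-0 probe, independent of any listing."""
    alive = set()
    for pid in (pid_range if pid_range is not None else default_pid_range()):
        try:
            os.kill(pid, 0)
        except PermissionError:
            alive.add(pid)      # exists, but owned by another user
        except ProcessLookupError:
            continue            # no such process
        else:
            alive.add(pid)      # exists and we may signal it
    return alive


def find_hidden(listed_before, probed, listed_after):
    """PIDs that answered the probe yet appeared in neither listing.

    A process that merely started or exited during the probe shows up in one
    of the two listings and is therefore not reported.
    """
    return probed - (listed_before | listed_after)


def scan(pid_range=None):
    """Run a full cross-view comparison; returns the set of suspicious PIDs."""
    before = listed_pids()
    probed = probed_pids(pid_range)
    after = listed_pids()
    return find_hidden(before, probed, after)


def self_check():
    """Sanity test of the two views: our own PID must be visible in both.

    Returns None where /proc is unavailable, True/False otherwise.
    """
    if not os.path.isdir("/proc"):
        return None
    me = os.getpid()
    return me in listed_pids() and me in probed_pids(range(me, me + 1))


if __name__ == "__main__":
    hidden = scan()
    print("hidden from /proc listing:", sorted(hidden) if hidden else "none")
```

Run it twice before drawing conclusions: a PID reported on both runs is worth inspecting (e.g. via /proc/<pid>/exe, if the listing hides it but the directory still resolves), while a PID that appears only once was most likely a short-lived process.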

Winter Soldier

Level 25
Disturbing scenario, but I have to agree with you ;)
 

Deleted member 178

I know that no antimalware solution guarantees 100% protection, so is it realistically impossible to know whether your computer is 100% malware-free?
There is the Umbra "jason-bourne-IMF-CSI-cybercrime-unit-SHIELD-Hydra" method, totally inconvenient but 100% safe.

- one computer, running Qubes Linux, for online tasks and USB sharing.
- one Windows computer (if you use MS products), totally offline (with Rollback RX, Shadow Defender, and a VM), with no external device sharing. I guess you won't be targeted by an air-gap attack.

Then, on the offline machine, install a VM, run that VM inside Shadow Defender inside Rollback RX, and do your sensitive work only in that VM; from that VM, upload/download only to one specific cloud account, and use only this machine for that cloud account.

You need to transfer something from the online machine to the offline machine? Scan every file with VT or similar, check the hashes manually, then transfer to a second VM and retest them.

The VM with your work should never allow anything in from outside.

Inconvenient? totally
Safe? surely

:D
 

Wave

Hahahaha you gotta password protect the BIOS and use a different password to protect booting into the VM as well :D :D :D
 

DracusNarcrym

Level 19
Verified
Setting aside firmware infections (e.g. BIOS malware), the "system image" golden rule applies, as other members described above.

If you have a known clean system image, you can use it to restore your system to its exact state, as it was when you created that system image (granted that upon restoring your system, the system partition is wiped, and not "incrementally restored" or similar).
 

Handsome Recluse

Level 20
Verified
- one Windows computer (if you use MS products), totally offline (with Rollback RX, Shadow Defender, and a VM), with no external device sharing. I guess you won't be targeted by an air-gap attack.

Then, on the offline machine, install a VM, run that VM inside Shadow Defender inside Rollback RX, and do your sensitive work only in that VM; from that VM, upload/download only to one specific cloud account, and use only this machine for that cloud account.
:D
Triple virtualization. Heh. Not enough. You also need Comodo Firewall for the firewall and more default-deny. Alternatively, turn off the computer and watch 'til it rots (or whatever computers do during that time) to make sure it's not stolen away. Prepare everything inside your room, like where you pee, as if you're in a zombie apocalypse. You'd also need infrared cameras to detect ghosts, or in case you're experiencing illusions and someone snatches the computer during that time.
 

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
  • New StartUp items
  • Changes in the registry
  • Changes in policies
  • New files created
WinXPert sums it up nicely; this is why I go the extra mile and remove a lot of stuff myself from the registry and system. I want to know what's there and know my system and OS so that it is easier to spot an anomaly.

Scanners work, but it never hurts to know your system, where things are, and what's on it. In the event a scanner misses something, you may be able to spot it.

Learning your system, its registry, and its locations is a daunting task, but over time it's not that hard, and it affords you a leg up in protecting yourself and your family. ;)