Chapter 37. Troubleshooting PC Security Issues and Malware Removal

This chapter covers the following A+ 220-1002 exam objectives:

3.3 – Given a scenario, use best practice procedures for malware removal.

3.2 – Given a scenario, troubleshoot and resolve PC security issues.

In Chapter 32, “Wireless Security, Malware, and Social Engineering”, we discussed the types of malicious software you should know for the exam. Now that we’ve covered a lot more security, and some Windows troubleshooting methods, let’s get into how to resolve malware-based security issues and discuss proper malware removal.

For this chapter I’ve combined both objectives because they are closely related. We’ll cover 3.3 first so that we can discuss the malware removal process. Keep one thing in mind while going through this chapter: some organizations don’t want to troubleshoot malware at all. They will simply wipe the system, re-image it, and restore the data afterward. That method has its place in the IT field, but in this chapter, for the most part, we will be concentrating on the resolution of malware issues by way of removal. You might hear the terms “antivirus software”, “anti-malware program”, “endpoint protection platform”, and other similar terms. They are all essentially the same thing, and I will for the most part refer to this as anti-malware.

We’ll also discuss some closely related security issues that may or may not be malware related. Sometimes, a security issue may appear to be malware-related, but really it is something different, or something that was designed to look like malware. So be ready to troubleshoot with an open mind (as always), and look for alternative causes for the problems you will face.

3.3 – Given a scenario, use best practice procedures for malware removal.


ExamAlert

Objective 3.3 concentrates on the steps involved with identifying, quarantining, and remediating malware, including end user education.


3.2 – Given a scenario, troubleshoot and resolve PC security issues.


ExamAlert

Objective 3.2 focuses on common symptoms of malware including: pop-ups, browser redirection, security alerts, slow performance, Internet connectivity issues, PC/OS lockup, application crash, OS updates failures, rogue antivirus, spam, renamed system files, disappearing files, file permission changes, hijacked email, responses from users regarding email, automated replies from unknown sent email, access denied, invalid certificate (trusted root CA), and system/application log errors.


The CompTIA A+ 7-step Malware Removal Procedure

As much as we try to protect computers from malware, it will eventually affect—or infect—one or more systems on your network. At that point, it is important to think logically and methodically. CompTIA offers up some best practices when it comes to malware removal. Now, if you do encounter what you believe to be malware, or an anti-malware platform informs you of an infection, then that system or systems should be taken off the network, and isolated right away.

Here is the CompTIA recommended procedure for the removal of malware:

1. Identify and research malware symptoms.

2. Quarantine the infected systems.

3. Disable System Restore (in Windows).

4. Remediate infected systems.

a. Update the anti-malware software.

b. Scan and use removal techniques (Safe Mode and preinstallation environment).

5. Schedule scans and run updates.

6. Enable System Restore and create a restore point (in Windows).

7. Educate the end user(s).


ExamAlert

Know the CompTIA malware removal procedure.


Malware Removal Scenario

Let’s give an example using the step-by-step process. In this scenario, a user in the marketing department contacts you and says he thinks his computer is infected. You initiate a trouble ticket, and then walk over to the person’s computer to investigate. Now, while you are implementing the best practices for removing malware, remember to also incorporate the 6-step troubleshooting process detailed in Chapter 17, “Computer Troubleshooting 101.” To start, that means gathering information: analyzing the computer and talking to the user. Let’s go through the steps now.

1. Identify and research malware symptoms

When you arrive at the user’s computer, the user tells you that since this morning the system boots, and runs, much more slowly than usual. Also, you witness that he cannot open a couple of important applications that are stored locally. Based on this information, you decide that there is a chance that the computer is infected with a virus, as these are common symptoms of viruses.


Note

Before making any changes, make sure you back up any critical data!


2. Quarantine the infected systems

At this point, the computer should be quarantined—logically, and possibly physically. The system should be taken off the network. If it is wired to the network, disconnect it. If it is wireless, enter airplane mode, or disable the wireless adapter in the Device Manager. In some cases, you will work on the computer where it is located, but if possible, shut it down, and physically isolate it by bringing it to the computer bench, or other lab environment where it can be worked on further.


Note

An organization might have a policy that states the system should be isolated immediately at the slightest mention of a virus or malware. So, depending on the situation, you might have remotely shut down the system, taken it off the network, or otherwise quarantined it, before you even started this malware removal process.


3. Disable System Restore (in Windows)

System Restore can get in the way of proper analysis of a system, so it is recommended that you disable it before doing anything else. Do this by accessing the System Protection tab of the System Properties dialog box (Run > systempropertiesprotection.exe). Highlight any drives that have protection turned on (one at a time) and then click the Configure button. That opens the System Protection dialog box for that particular volume as shown in Figure 37.1. Click the Disable system protection radio button. Do this for each volume that has system protection enabled.

Figure 37.1 System Properties and System Protection dialog boxes

Other systems such as macOS and Linux should have similar restoration programs disabled (if any). The idea is to disable any programs that might interfere with your upcoming scans.

4. Remediate infected systems

First, check and update the anti-malware software. Is it running properly? Can it update? Verify that the update brings it to the latest version. Next, it’s time to scan the system. This is best done from Safe Mode in Windows, or from a pre-installation environment such as WinRE (see Chapter 36, “Troubleshooting Microsoft Windows,” for details on how to access those), or from a bootable USB flash drive with its own OS or repair/recovery environment. These modes and environments reduce the chance that the virus (or other malware) will be able to interfere with your scans and remediation techniques.


Note

At this point, you might encounter problems performing the tasks required. Tougher malware is designed to stop a person from disabling System Restore, or from updating (or even using) the anti-malware program. The toughest malware slows down Safe Mode to a crawl, or makes it difficult otherwise to use the system. If this happens, you should seriously consider re-imaging the system.


Once the anti-malware program has been updated, initiate a full scan of each volume systematically. These can be time consuming, so be prepared to multi-task. (Don’t we always?) You might also opt to scan the system from a separate OS running on a USB flash drive or on another system altogether (you might have removed and isolated the target hard drive). This can be a powerful way to resolve problems, as you are working from an external system, and is a common practice. Either way, scan each volume individually, and log the results.

Chances are that you will find one or more pieces of malware. If that is the case, quarantine, remove, and/or delete them based on the anti-malware program (or programs) that you are using, and according to organizational policy.

Scan the system again to verify that all malware is taken care of. Then boot the system and make sure that it does not have the same symptoms as before. The system should boot at the appropriate speed, and the programs that were mentioned should now run properly. If not, then additional measures will have to be taken, and once again, you should consider re-imaging.


ExamAlert

Remember that the remediate step for removing malware includes using scanning and removal techniques in Safe Mode or from a pre-installation environment such as WinRE.


In less common scenarios you might need to remove registry entries that were added by malware. In the case of a boot sector virus, you’ll have to boot the system to external media, or remove the hard drive and attach it as a secondary drive to your testing computer for full analysis.

5. Schedule scans and run updates

If the system has been given the thumbs up and it is now certified for use, then access the anti-malware program again and schedule periodic scans of the system. Also make sure that scheduled updates are turned on and are defined based on company policy. Many organizations use corporate-level, centrally managed antivirus solutions—known as endpoint protection platforms. These can push out updates to all the computers on the network at once. Create a profile for all the computers within a group that should be affected by these updates.

This is all part of the preventative maintenance stage, and there are lots of other things we can do to make a PC stronger. For example, we can enable Secure Boot in the UEFI/BIOS. We can enable No-eXecute (NX) bit technology in the BIOS (for compliant CPUs), which can help stop viruses from executing injected code. Update the OS, and so on. Be ready to harden the computer system as described elsewhere in this book.

6. Enable System Restore and create a restore point (in Windows)

Turn System Restore back on for all drives that require it. Then, create a restore point. Look at Figure 37.1. In the System Properties dialog box, you would do this by clicking the Create button toward the bottom of the window. This way, if a problem does occur in the future, we can go back in time so to speak to the point where the malware was removed and the system was functioning normally.

7. Educate the end user(s)

At this point, the computer is ready for use. Reconnect the system to the network, and advise the end user as to what you performed and why. Explain what happened to the system. In this particular scenario, there wasn’t much that the user could do to prevent the problem. However, sometimes end users will click unknown links, or attempt to install untrusted software. Explain in an amicable way how this is not good for the computer. Educate the end user on how to safely operate the system.


Note

Educate users to watch out for rogue antivirus programs. These are actually malicious programs that appear to be antivirus programs, using similar names and logos as the real thing. Keep a sharp eye out for programs masquerading as other programs!
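The removal steps above are manual in the book; as an added example (not the book’s procedure, and not CompTIA’s), here is how a technician could drive steps 2 through 6 from an elevated Windows PowerShell 5.1 session on Windows 10, assuming Microsoft Defender is the anti-malware product. The function names, the $Drives list and the $LogDir path are placeholders of my own. Because Defender does not run in Safe Mode, the Safe Mode/pre-installation part of step 4 is handed to Microsoft Defender Offline (Start-MpWDOScan), which reboots into its own environment; the verification scan runs once the system is back.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the book. Assumes Windows PowerShell 5.1, Windows 10 and
# Microsoft Defender. $Drives and $LogDir are placeholders to adjust per system.

$Drives = @('C:\')                 # every volume that has System Protection turned on
$LogDir = 'C:\MalwareRemoval'      # where scan results are kept for the trouble ticket

# Phase 1 (steps 2 and 3): run on the live system before anything else.
function Invoke-QuarantinePhase {
    # Logical isolation: take every connected network adapter down.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    # System Restore can hide or re-introduce infected files, so turn it off per volume.
    foreach ($d in $Drives) { Disable-ComputerRestore -Drive $d }
}

# Phase 2 (step 4a + offline scan): bring signatures current, record the engine state,
# then reboot into Defender Offline, which scans from outside the running OS.
function Invoke-OfflineScanPhase {
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ('scan-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))
    Update-MpSignature                      # needs one adapter re-enabled, or a wired lab connection
    $s = Get-MpComputerStatus
    "Engine $($s.AMEngineVersion), signatures $($s.AntivirusSignatureVersion), " +
    "updated $($s.AntivirusSignatureLastUpdated)" | Out-File -FilePath $log -Append
    Start-MpWDOScan                         # reboots; results appear in Defender's history afterward
}

# Phase 3 (step 4b): after the offline scan, a full scan of every volume should come back
# clean; log every detection either way so the ticket has a record.
function Invoke-VerifyPhase {
    $log = Join-Path $LogDir 'verify.log'
    Start-MpScan -ScanType FullScan
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources, ActionSuccess |
        Format-List | Out-File -FilePath $log -Append
    $remaining = @(Get-MpThreatDetection).Count
    "Detections after verification scan: $remaining" | Out-File -FilePath $log -Append
    # If $remaining is not 0 here, lean toward re-imaging rather than another scan.
    return $remaining
}

# Phase 4 (steps 5 and 6): run only once the system is certified clean.
function Invoke-RestorePhase {
    # Step 5: daily full scan at 02:00 local time and a signature check every 4 hours.
    Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00 -ScanParameters FullScan
    Set-MpPreference -SignatureUpdateInterval 4
    # Step 6: protection back on, then a known-good restore point.
    foreach ($d in $Drives) { Enable-ComputerRestore -Drive $d }
    Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS
    # Reconnect so the system can be handed back for step 7 (user education).
    Get-NetAdapter | Enable-NetAdapter -Confirm:$false
}
```

Run the four functions in order, rebooting between Invoke-OfflineScanPhase and Invoke-VerifyPhase. One caveat for step 6: on Windows 8 and later, Checkpoint-Computer silently skips creating a restore point if one was already created in the previous 24 hours, unless the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0, so check Get-ComputerRestorePoint afterward to confirm the point exists.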


Symptoms of Viruses

The previous scenario gave a couple of typical symptoms of viruses, but there are more. If a computer is infected by a virus, you want to know what to look for so that you can “cure” the computer. Here are some additional typical symptoms of viruses:

• Slow performance: the computer runs slower than usual

• Computer/PC operating system locks up frequently or stops responding altogether

• Computer restarts on its own or crashes frequently

• Hard drives and applications are not accessible or don’t work properly

• Applications crash (this could also be a sign of a Trojan that has exhausted the resources needed to run the application.)

• Windows Update fails

• Permission to specific files and folders is denied (“access denied” errors)

• Blocked Internet access or redirects

• Strange sounds occur

• You receive unusual error messages or security alerts (which are most likely false)

• Display or print distortion occurs

• New icons appear or old icons (and applications) disappear

• There is a “double extension” on a file attached to an e-mail that was opened (for example, .txt.vbs or .txt.exe). These are designed to trick a user into thinking the file attachment is a text file, when in reality it is a potentially dangerous script or executable.

• Antivirus programs will not run, can’t be installed, or can’t be updated

• Files disappear, have been renamed or corrupted, or folders are created automatically
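The “double extension” symptom in the list above relies on Windows Explorer hiding known extensions by default, so invoice.txt.vbs is shown as invoice.txt. As an added example (my own, not from the book), the script below finds such files in a folder and turns the hide-extensions setting off for the current user. The extension lists and sample names are constructed assumptions.

```powershell
# Added example, not from the book. Finds files whose name ends in a harmless-looking
# extension followed by one Windows will execute, and makes Explorer show extensions.

# Extensions Windows runs as programs or scripts (assumed list; extend per policy).
$Executable = 'exe','scr','com','pif','bat','cmd','vbs','vbe','js','jse','wsf','hta','ps1'
# "Decoy" first extensions that the trick relies on to look harmless.
$Decoy      = 'txt','pdf','doc','docx','xls','xlsx','jpg','png','zip'

$Pattern = '\.(' + ($Decoy -join '|') + ')\.(' + ($Executable -join '|') + ')$'

# Test a list of names (for example, attachment names copied out of a mail log).
function Find-DoubleExtension {
    param([string[]]$Name)
    $Name | Where-Object { $_ -imatch $Pattern }
}

# Sweep a folder on disk; Downloads is where browsers and Outlook save attachments.
function Find-DoubleExtensionFile {
    param([string]$Path = "$env:USERPROFILE\Downloads")
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $Pattern } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample names, no real files involved:
$samples = 'invoice.txt.vbs', 'report.pdf.exe', 'notes.txt', 'setup.exe', 'photo.jpg.scr'
Find-DoubleExtension -Name $samples     # invoice.txt.vbs, report.pdf.exe, photo.jpg.scr

# Explorer setting: 0 = show extensions for known file types (applies to new windows).
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name HideFileExt -Value 0
```

Showing extensions is the user-education half of the fix: once the real extension is visible, the user can see that an attachment called “invoice.txt” is actually a script.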

Symptoms of Spyware

Spyware is another bane of computers. It is designed to spy on the user and attempt to gain confidential information. Be on the lookout for it. Here are some common symptoms of spyware:

• The web browser’s default home page has been modified. This is a type of browser redirection.

• A particular website comes up every time you perform a search.

• Excessive pop-up windows appear. Rogue antivirus applications and security alerts seem to appear out of nowhere, supposedly scanning the system.

• The network adapter’s activity LED blinks frequently when the computer shouldn’t be transmitting data.

• The firewall and antivirus programs turn off automatically.

• New programs, icons, and favorites appear.

• Odd problems occur within Windows (the system is slow, applications behave strangely, and so on).

• The Java console appears randomly.

Preventing and Troubleshooting Spam

We’ve all heard of spam. Spam is the abuse of electronic messaging systems such as e-mail, broadcast media, and instant messaging. The key is to block as much spam as possible, report those who do it, and train your users. Here are several ways that spam can be reduced:

Use a strong password: E-mail accounts can be hijacked if they have weak passwords. This is especially common with web-based e-mail accounts, such as Gmail. After obtaining access, the hijacker sends spam to everyone on the user’s contact list. Use a complex password and change it often to prevent e-mail hijacking.

Use a spam filter: This can be purchased for the server side as software or as an appliance. These appliances monitor spam activity and create and update whitelists and blacklists, all of which can be downloaded to the appliances automatically. On the client side, you can configure Outlook and other mail programs to a higher level of security against spam; this is usually in the Junk E-mail Options area. Many popular anti-malware suites have built-in spam filtering. Make sure it is enabled!

Use whitelists and blacklists: Whitelists are lists of e-mail addresses or entire e-mail domains that are trusted, whereas blacklists are not trusted. These can be set up on e-mail servers, e-mail appliances, and within mail client programs such as Outlook.

Train your users: Instruct users to create and use free e-mail addresses whenever they post to forums and newsgroups; they should not use their company e-mail addresses for anything except company-related purposes. Make sure that they screen their e-mail carefully; this is also known as e-mail vetting. E-mail with attachments should be considered volatile unless the user knows exactly who sent the email. Train your users and customers never to make a purchase from an unsolicited e-mail.

Hijacked E-mail

Going beyond spam, sometimes an e-mail account is hijacked. The user might be sharing access with the hijacker or lose access altogether. This could have been caused by a virus, a Trojan, the user clicking on a malicious script, or a malicious insider. One way to tell that this is happening is when other users on the network respond to the hijacked user’s alleged e-mails—which are actually coming from the hijacker. You can also watch for automated replies from unknown sent e-mails and look at the e-mail trail and the e-mail headers. The original hacked e-mails will often look “spammy” or otherwise suspicious.

The headers of the e-mail can be very telling when it comes to the source of the e-mail and the way it was delivered. You can find out the mail servers used and IP addresses, protocols and encryption used and so on. For example, to see the headers of an e-mail within Outlook, you could double-click the e-mail in question so that it opens in its own window. Then, click File > Properties. This brings up a Properties window for the e-mail which supplies a lot of information, but I am most interested in the Internet headers section. Here’s an example snippet of an Internet header:

Envelope-to: webmaster@dpro42.com
Delivery-date: Wed, 13 Mar 2019 06:36:06 -0700
Received: from maile-da.domainname.com ([8.174.6.201]:51959)
by server.domainname.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)

Here we can see who the recipient is (Envelope-to) as well as the server name and IP address of the mail server that the e-mail was received from, plus the outgoing port that was used. (Domain names and IPs were changed to protect the innocent.) If hijacking is going on, this can be key information: we can block those IPs and domains as we see fit. From the header information we also see that TLSv1.2 and AES-256 are being used, in GCM mode, with SHA-384 as the cryptographic hash. There is a lot more we can find out by scrolling down, and there are a variety of other methods for viewing headers on the client and the server side.
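Reading headers by eye works for one message; for a batch of suspected hijacked e-mails it helps to pull out the delivery chain automatically. The following is an added example of mine, not from the book: it unfolds the header lines, parses every Received hop, and returns them in delivery order. The sample header reuses the book’s snippet and adds a constructed second hop (the 10.0.0.25 line) so that the chain has more than one entry; the function name is my own.

```powershell
# Added example, not from the book. Parses raw Internet headers (as copied from
# Outlook's File > Properties > Internet headers box) into the recipient and hop chain.

$RawHeaders = @'
Envelope-to: webmaster@dpro42.com
Delivery-date: Wed, 13 Mar 2019 06:36:06 -0700
Received: from maile-da.domainname.com ([8.174.6.201]:51959)
 by server.domainname.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 for <webmaster@dpro42.com>; Wed, 13 Mar 2019 06:36:06 -0700
Received: from [10.0.0.25] (helo=workstation.example.invalid)
 by maile-da.domainname.com with esmtp; Wed, 13 Mar 2019 06:35:58 -0700
'@
# The second Received line above is constructed for the example.

function ConvertFrom-InternetHeaders {
    param([string]$Headers)
    # RFC 5322 folds long fields onto lines that begin with whitespace; unfold them first.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    $hops = @(foreach ($line in $lines) {
        if ($line -notmatch '^Received:\s*(.+)$') { continue }
        $body = $Matches[1]
        [pscustomobject]@{
            FromHost   = if ($body -match 'from\s+([\w.-]+)')                 { $Matches[1] } else { $null }
            FromIP     = if ($body -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]')    { $Matches[1] } else { $null }
            SourcePort = if ($body -match '\]:(\d+)\)')                        { [int]$Matches[1] } else { $null }
            ByHost     = if ($body -match '\bby\s+([\w.-]+)')                 { $Matches[1] } else { $null }
            Protocol   = if ($body -match '\bwith\s+(\S+)')                   { $Matches[1] } else { $null }
            TLS        = if ($body -match '\((TLS[^)]*)\)')                   { $Matches[1] } else { $null }
        }
    })
    # Each relay prepends its own Received line, so the last one is the origin;
    # reverse the list to read the chain in the order the message actually travelled.
    [array]::Reverse($hops)

    $envelopeTo = if ($unfolded -match '(?m)^Envelope-to:\s*(.+)$')   { $Matches[1].Trim() } else { $null }
    $delivered  = if ($unfolded -match '(?m)^Delivery-date:\s*(.+)$') { $Matches[1].Trim() } else { $null }

    [pscustomobject]@{ EnvelopeTo = $envelopeTo; DeliveryDate = $delivered; Hops = $hops }
}

$parsed = ConvertFrom-InternetHeaders -Headers $RawHeaders
$parsed.Hops | Format-Table FromHost, FromIP, SourcePort, ByHost, Protocol, TLS -AutoSize
# First hop is the constructed internal workstation; the second is the book's hop:
# 8.174.6.201:51959 -> server.domainname.com over esmtps with TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384.
```

The FromIP of the first hop that is outside your own network is the address you would compare against your blocklists, and the TLS field tells you whether the relay accepted the message over an encrypted session, which is the same information the book reads out of the header by hand.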

To resolve a hijacked e-mail account issue, the first thing the admin should do is change the user password, and then make sure that the user’s account is affected by a policy that requires complex and lengthy passwords that are changed periodically. If necessary, back up the e-mail from the account, delete (or disable) the account, and create a new one for the user. Then, reset any other passwords for other accounts on the network that the user might have—chances are that the person uses the same password. Caution the user that his or her password has been compromised, and to never use it again… anywhere… ever. Consider MFA for e-mail, adding a layer of security such as biometrics or a smart card in addition to a password. This is one of those times when SSO with MFA can really be beneficial. When you have separate individual systems, the chance of a weak password is greater than in an SSO scenario. Plus, if an SSO account is compromised, it is only one account that has to be fixed. And the MFA side of things reduces the risk of account compromise in the first place.
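The account-side response described above, as an added example (mine, not the book’s), for the common case where the mail account is an Active Directory domain account. It assumes an elevated Windows PowerShell session with the RSAT ActiveDirectory module installed; the user name is a placeholder.

```powershell
# Added example, not from the book. Assumes an Active Directory domain and the RSAT
# ActiveDirectory module. $User is a placeholder account name.
Import-Module ActiveDirectory

$User = 'jsmith'    # placeholder

# 1. Reset the password immediately and force a change at next logon, so the
#    temporary password the technician typed is never the long-term one.
$Temp = Read-Host -AsSecureString -Prompt "Temporary password for $User"
Set-ADAccountPassword -Identity $User -Reset -NewPassword $Temp
Set-ADUser -Identity $User -ChangePasswordAtLogon $true

# 2. Confirm which password policy actually governs this account. A fine-grained
#    policy (PSO) overrides the domain default when one applies to the user.
$policy = Get-ADUserResultantPasswordPolicy -Identity $User
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
$policy | Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# 3. Record when the password was last set and recent logon activity for the ticket;
#    a PasswordLastSet well before the spam started supports the "reused password" theory.
Get-ADUser -Identity $User -Properties PasswordLastSet, LastLogonDate, LastBadPasswordAttempt |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate, LastBadPasswordAttempt

# 4. If company policy calls for it, disable the account while a replacement is created.
# Disable-ADAccount -Identity $User

# 5. Repeat step 1 for any other accounts the same person holds (service accounts,
#    shared mailboxes), since the book's point is that the password was probably reused.
```

Forcing the change at logon, rather than handing the user a new permanent password, also covers the book’s advice that the compromised password never be used again: the user chooses a fresh one under the policy shown in step 2.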

More Symptoms of PC Security Issues and Potential Solutions

There are some symptoms within objective 3.2 that we have not covered yet. Let’s list those symptoms and some potential solutions to them in Table 37.1.

Table 37.1 PC Security Symptoms and Solutions


ExamAlert

Know the common symptoms of malware and how to troubleshoot and resolve them.


Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

1. Which of the following are symptoms of viruses? (Select the three best answers.)

A. A computer runs slowly.

B. A computer locks up.

C. Excessive pop-up windows appear.

D. A strange website is displayed whenever a search is done.

E. Unusual error messages are displayed.

2. Which of the following is the best mode to use when scanning for viruses?

A. Safe Mode

B. Reset this PC

C. Command Prompt only

D. Boot into Windows normally

3. You have been tasked with repairing a computer that is exhibiting the following symptoms:

• Excessive pop-up windows appear.

• A particular website comes up every time the user searches.

What is the most likely cause?

A. Spam

B. Virus

C. Social Engineering

D. Trojan

E. Spyware

4. A co-worker technician is using certmgr.msc to analyze a problem with a computer. Which of the following issues is the technician most likely troubleshooting?

A. Trusted root CA

B. Hijacked e-mail

C. Spam

D. Browser redirection

5. Several computers were infected with malware because the end users clicked on unknown links embedded in e-mails. You have successfully applied the first six steps of the best practice procedures for malware removal. What should you do next?

A. Schedule scans and run updates

B. Enable System Restore and create restore points

C. Document findings, actions, and outcomes

D. Educate the corporate users

Cram Quiz Answers

1. A, B, and E. Some symptoms of viruses are a computer running slowly, a computer locking up, and unusual errors. Excessive pop-ups and strange websites displaying after searches are symptoms of spyware.

2. A. Safe Mode should be used (if your anti-malware software supports it) when scanning for viruses. Safe Mode is found in the Startup Settings or the Advanced Boot Options menu. Other options found there include: Command Prompt only, which offers command-line access only; and the option to boot into Windows normally. Reset this PC is a WinRE option that will re-install Windows: in Windows 8 it will delete the user data; in Windows 10 it can delete the data or keep it during the re-install.

3. E. The computer is most likely suffering from spyware. Spam is the abuse of e-mail or other messaging system. A virus will infect a system and have symptoms that might include slow performance, application crashes, and computer lock ups. Social engineering is a group of attacks done on a social level, for example shoulder surfing, dumpster diving, tailgating and so on. A Trojan is malware that is often used to gain access to remotely control a system, or acts as a container for the actual malware payload.

4. A. The technician is most likely investigating a certificate issue—that’s why the tech is using the Certificate Manager (certmgr.msc). The Trusted Root CA (Certificate Authority) section within the Certificate Manager contains all of the certificates that were issued to the computer by third-party companies, as well as certificates that were created on the computer itself. When double-clicked, each certificate will display the issuer and the validation dates. Make sure they are still valid! If not, delete them, and notify the appropriate companies or personnel.

5. D. You should educate the corporate users next. This is step 7 (the final step) of the CompTIA best practice procedures for malware removal. In this scenario, the end-users clicked on unknown links. Explain to them why this is a bad idea and what the result was—downtime and loss of productivity. Then consider proposing written policies, security controls, and training programs to prevent the issue from happening again. “Schedule scans and run updates” is step 5. “Enable System Restore and create restore points” is step 6. “Documenting findings, actions, and outcomes” is a great idea! However, that is step 6 (final step) of a separate process—the CompTIA troubleshooting methodology, as detailed in Chapter 17.