Antivirus

Introduction

We use three main antivirus programs on our campus: Malwarebytes Antimalware Enterprise (MBAM), System Center Endpoint Protection (SCEP) or Windows Defender, and Sophos Antivirus (SAV). The first two are installed on all Windows computers, and the third on Mac computers.

Malware Definitions

Malware

A general term combining the words “malicious” and “software” to refer to any kind of program designed to cause damage to a computer. Below are a few of the more commonly named types.

Adware

A program designed to display ads in various forms on a computer. It can present itself as a popup when hovering over text in a web browser, randomly pop up a window on the computer screen while working in another program, display in the system tray, change the default search engine in a web browser, or display as a toolbar. Adware can automatically download while browsing any website.

Ransomware

A program that prevents or limits users from accessing their system. It forces the user to pay a ransom in order to regain access to their system, or to get their data back. Some ransomware (Cryptolocker, for example) encrypts files, sometimes even files on network shares that the user has mapped.

Scareware

Programs designed to trick a user into buying and downloading unnecessary and potentially dangerous software, such as fake antivirus protection.

Spyware

A program designed to collect information about users and their computer or browsing habits, including keystrokes (like usernames, passwords, credit card information, etc.), and send it to a remote user. It can also download other malicious programs and install them on the computer. Spyware works like adware but is usually a separate program that is unknowingly installed alongside another freeware program or application.

Tracking cookies

A cookie is a plain text file stored on your computer that contains data about your browsing session. Cookies are used by many websites to track visitor information or maintain a logged-in session. A tracking cookie is a cookie which gathers all browsing information (like bank account details, credit card information, user accounts, etc.), and is often used or sold by a remote user.

Trojan

A program that looks like a genuine application. It does not replicate itself. It can open a backdoor entry to a computer which gives malicious users or programs access to the system and any confidential or personal information.

Virus

A program written to damage or alter files or data. The program can replicate itself. Viruses can enter a computer as email attachments (images, greetings, or audio/video files); through internet downloads; or hidden in free or trial software.

Worm

A malicious program that makes copies of itself again and again on the local drive, network shares, etc. It does not need to attach itself to an existing program. Worms spread by exploiting vulnerabilities in operating systems.

Initial Troubleshooting

  1. Have the person leave the suspicious message or window open. Take a screenshot.
  2. Determine whether it is a browser popup or an actual infection.
    • Sometimes a legitimate website is hacked, and their web server is used to house malicious popups.
    • Is there a URL? Does it look like the warning message was open in a web browser (but missing an address bar)?
    • If the user has already closed the popup and you suspect it was a popup, you can review the recent browser history.
  3. Is the browser “hijacked”?
    • Change the homepage back to “www.pugetsound.edu”.
    • Change the default search engine back to Google.
    • Uninstall/reinstall the browser. When uninstalling, select the option, if available, to delete all profile settings. (Be sure to export bookmarks, too!)
    • Delete the browser profile (see TICK:44136 for how to do this in Chrome).
  4. Check to make sure that the antivirus software is running and has run a scan recently.
  5. Review quarantined items to determine how long the computer has been infected, then clear out the quarantined items.
  6. Review installed programs.
    • If there are several suspicious programs that were installed on the same date, this is likely when the infection occurred.
    • Uninstall all of the suspicious software.
  7. Run a scan and remove the detected items.
  8. If you can determine an infection date, do a System Restore to a date previous to it.
    • Be sure to run antivirus scans again after restoring to a previous restore point.
  9. Check all installed browsers to see if the default search engine and/or home page have been altered.
  10. Check Startup to see if any suspicious software is listed there.
    • Sometimes a program is not installed, but instead set to launch at system startup. These are not always caught by antivirus scans. Oftentimes the “Command” column will indicate the location of that executable file and other related files that should be permanently deleted. Reviewing the value of the registry item listed can also point to the file’s location or any additional files that should be removed.
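
The PowerShell script below is an added example, not part of this page and not a tool from any of the antivirus vendors named above. It gathers, in one read-only pass, the evidence that steps 4, 5, 6, 8 and 10 ask a technician to collect: antivirus status and last scan times, detections oldest-first (to estimate the infection date), installed programs clustered by install date, restore points that predate the earliest detection, and startup entries with their command line. It assumes a Windows 8.1/10 machine with the built-in Defender module (the Get-Mp* cmdlets), Windows PowerShell 5.1 (Get-ComputerRestorePoint is not available in PowerShell 7), and an elevated prompt; the "three or more programs on one day" threshold is an assumption chosen for this example. Sophos and MBAM have no equivalent cmdlets here. The script removes nothing; removal remains a manual decision after review.

```powershell
# Added triage example, not from the original page or from any vendor named on it.
# Read-only: collects evidence for steps 4, 5, 6, 8 and 10 and removes nothing.
# Assumptions: Windows 8.1/10 with the built-in Defender module (Get-Mp* cmdlets),
# Windows PowerShell 5.1 (Get-ComputerRestorePoint is absent in PowerShell 7),
# and an elevated prompt.

# Step 4: is real-time protection on, and when did the last scans finish?
$status = Get-MpComputerStatus
[PSCustomObject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge
    LastQuickScan      = $status.QuickScanEndTime
    LastFullScan       = $status.FullScanEndTime
} | Format-List | Out-Host

# Step 5: detections (including quarantined items), oldest first. The earliest
# detection is a reasonable estimate of when the infection started.
$detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Sort-Object InitialDetectionTime
$detections |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize | Out-Host
$infectionDate = ($detections | Select-Object -First 1).InitialDetectionTime

# Step 6: installed programs grouped by install date. Three or more programs
# installed on the same day is the "same date" cluster the checklist describes
# (the threshold of 3 is an assumption; adjust as needed).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    ForEach-Object {
        try {
            # InstallDate is stored as a yyyyMMdd string
            $d = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            [PSCustomObject]@{
                InstallDate = $d.ToShortDateString()
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
            }
        } catch { }   # skip entries with a malformed InstallDate
    }
$programs | Group-Object InstallDate | Where-Object Count -ge 3 | ForEach-Object {
    Write-Host "`n$($_.Count) programs installed on $($_.Name):" -ForegroundColor Yellow
    $_.Group | Format-Table Name, Publisher -AutoSize | Out-Host
}

# Step 8: restore points that predate the earliest detection, as candidates
# for System Restore (remember to rescan after restoring).
if ($infectionDate) {
    Write-Host "`nEarliest detection: $infectionDate. Restore points before it:"
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.ConvertToDateTime($_.CreationTime) -lt $infectionDate } |
        Format-Table SequenceNumber, Description,
                     @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize |
        Out-Host
}

# Step 10: startup entries with their command line, which gives the executable's
# location (the "Command" column the checklist refers to). Win32_StartupCommand
# covers the Run/RunOnce registry keys and the Startup folders for all users.
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, User, Location, Command |
    Format-Table -Wrap -AutoSize | Out-Host
```

Save it as a .ps1 file and run it from an elevated PowerShell window (for example, `powershell -ExecutionPolicy Bypass -File .\Triage-Malware.ps1` if the campus execution policy blocks local scripts); the output is meant to be pasted into the ticket alongside the screenshot from step 1.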

On Site Troubleshooting