Lenovo Staff
Remlab
Posts: 32
Registered: ‎04-01-2011
Location: North Carolina

Lenovo customer who suspects virus. What is the best course of action?

Running virus detection locally, from the cloud, booting a standalone solution... there are several choices available. I'd like to get some feedback on what you think the best way might be, understanding that there are different types of viruses that behave differently, etc.

Thanks.

Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Re: Lenovo customer who suspects virus. What is the best course of action?

Hi, Balmer.

I would suggest that the customer start with an updated full system scan of their onboard antivirus software. I would follow that with a shutdown/restart and then a second scan, which could be either an online or a cloud scan, or both.

In the event of a serious infection, a boot scan is advisable; however, a system with a rootkit or backdoor trojan is best off with a clean install. In such situations, there is no guarantee that the system can be trusted.

Microsoft MVP, Consumer Security
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
Twitter: http://twitter.com/SecurityGarden
Security Information and Malware Removal @LandzDown Forum
Lenovo Technology Partner
PCBruiser
Posts: 12
Registered: ‎11-27-2011
Location: Pennsylvania, US

Re: Lenovo customer who suspects virus. What is the best course of action?


Hi,

I'd like to comment on the current state of cloud-based antivirus solutions. I think they are a very bad idea, or at least one that is ill-conceived at the moment. Why, you ask? Particularly since that form of antivirus can rapidly respond to new threats? My response is simple. What do you do if the malware destroys your ability to connect to the Internet? Or, if it is a DNS redirector which prevents you from reaching the IP of the cloud? Basically, you are out of luck and will have to seek another solution for removing the malware. That may not be very easy in either of those two situations.

Or, another example: the malware redirects you to a cloned, malware-provided duplicate of the cloud that detects everything but cannot detect their specific malware and responds with a false negative? Do you go away happy because you think your, to that point, dependable cloud antivirus solution has protected you and that your system is clean?

No, at this point in time a cloud solution that sounds like wonderful "gee whiz Star Trek" technology, without having an onboard scanner and current definition set, is not a good idea. That's not to say that the future doesn't hold a solution to these situations; but, today, no, it isn't recommended in my book. It's flashy, it's appealing, it uses the current magic word "cloud", but there are too many holes in the logic for my tastes.

Now, as to your original question, seek competent help. Today's generations of malware are not easy to deal with. If your security can't deal with it, you need help to find and remove the malware. Don't try to do it yourself; you will likely fail and simply make the job tougher for one of us who spends full time volunteering at a recognized site removing malware and training new volunteers.

Don't Read? Can't Learn!
Administrator, SpywareHammer.com
Lenovo Technology Partner
PieterV
Posts: 4
Registered: ‎11-23-2011
Location: United States

Re: Lenovo customer who suspects virus. What is the best course of action?

Hi PCBruiser,

Cloud-based scanning is not just a fad; it has become a practical necessity. With the explosive growth of definitions, and the use of file reputation and whitelisting instead of classic blacklisting, it is unfeasible and impractical to have all the definitions required to detect malware on the local machine; it takes too much disk space, uses too much memory, and consumes too much bandwidth.

That said, you are right: an Internet connection is required, and there is the risk of a broken Internet connection, or a man-in-the-middle type attack against the network traffic. The tools you use for cloud scanning must be able to restore network connectivity, and be resilient to network connectivity problems and network traffic interception attacks.

In certain infection cases, specifically with rootkit infections, it is not possible to run the scanning tool on the host OS, and you need to boot from a clean OS such as WinPE. WinPE may give you a clean OS, but it also has drawbacks, as it does not support WiFi, and you may have to add the drivers required for your hardware.

Regards,

Pieter

Lenovo Technology Partner
CyrusR
Posts: 10
Registered: ‎11-29-2011
Location: PH

Re: Lenovo customer who suspects virus. What is the best course of action?


Hello Balmer,

If your customer's antivirus program is not detecting anything but the symptoms of a malware infection are still present on his computer, you can use an online scanner (given that his computer can still access the Internet without problems) so as to get a "second opinion".

There's an available online scanner called Housecall. You can try to use that one first.

Regarding the conversation about what security protection to use (cloud-based, pattern-based, etc.), my suggestion is to install local security software that can do the following (but not limited to):

  • download definitions/updates for the program's pattern files to catch up to the latest threats
  • automatically block connections to malicious sites (website filtering)
  • detect malicious files (pattern-based detection)
  • prevent malicious files from executing based on their behaviors (pattern-less detection)

Traditional antivirus programs are not enough to protect your computers nowadays. You need to have a complete package since threats are becoming more intelligent as well.

Hope these help.

Regards,
Cyrus

Lenovo Staff
Remlab
Posts: 32
Registered: ‎04-01-2011
Location: North Carolina

Re: Lenovo customer who suspects virus. What is the best course of action?

Thanks everyone. I appreciate your insight and discussion.

Cheers.

goretsky
Posts: 1,976
Topics: 19
Kudos: 352
Solutions: 138
Registered: ‎12-01-2007
Location: California, USA

Re: Lenovo customer who suspects virus. What is the best course of action?

Hello,

Just to add to 's excellent reply, these days pretty much all anti-malware programs resort to using some sort of technology hosted in the cloud, whether it's looking up sites to see if they are malicious before allowing a connection, checking the "reputation" of downloaded software by its age and prevalence, and so forth.

Symantec had a great presentation at VB2009 called "Using the wisdom of crowds to address the malware long tail" which explains how a reputation system works, with a follow-up on its effectiveness presented at VB2010. This year at VB2011, there was a very interesting presentation from Trend Micro called "File-fraction reputation based on digest of high granularity" that showed how a cloud-based system could be used to detect recurring segments of malicious code to detect newer malware.

That said, I think it's important to use a mixture of techniques for detection of malicious code, both online and offline. As noted, if your Internet connection is unavailable or, even worse, compromised, then you cannot rely on a service based solely on having a "known good, clean and working" Internet connection.

Regards,

Aryeh Goretsky

 



I am a volunteer and neither a Lenovo nor a Microsoft employee. • Dexter is a good dog • Dexter je dobrý pes
S230u (3347-4HU)X220 (4286-CTO)W510 (4318-CTO)W530 (2441-4R3)X100e (3508-CTO)X120e (0596-CTO)T61p (6459-CTO)T43p (2678-H7U)T42 (2378-R4U)T23 (2648-LU7)
Lenovo Technology Partner
PCBruiser
Posts: 12
Registered: ‎11-27-2011
Location: Pennsylvania, US

Re: Lenovo customer who suspects virus. What is the best course of action?

Just to reiterate my concerns: virtually all malware we see these days includes some type of DNS redirector, and/or blocks access to the most common security solutions and tools; and, from time to time, HIPS-like whitelisting and blacklisting of specific processes. Until such time as cloud security solutions are immune, or at least resistant, to that kind of interference, my concerns for that solution stand. Is it a bad solution? No, not by any means. Is it a vulnerable one? Yes, and that's the issue. As I said earlier in another topic, it is up to the user to become educated to the pluses and minuses of various security solutions, and make their choices whether any particular solution meets their needs or not.

Don't Read? Can't Learn!
Administrator, SpywareHammer.com
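The interference PCBruiser describes (blocking or redirecting the hosts that a local scanner or an online scanner such as Housecall must reach) often shows up in the hosts file, and checking it is a quick triage step before trusting any cloud-based verdict. The following is an added example, not code from the thread or from any vendor; the watched domains other than Housecall and the sample hosts content are constructed for illustration.

```python
"""Audit a hosts file for entries that sinkhole or redirect security-vendor
domains, the interference described in the posts above. Inputs constructed."""
import ipaddress

# Constructed watch list (assumption): domains an AV or online scanner must reach.
WATCHED_DOMAINS = {
    "housecall.trendmicro.com",
    "update.example-av.com",
    "definitions.example-av.com",
}
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Map each hostname to the addresses the file assigns it. Comments and
    blank lines are ignored; a line whose first field is not an IP is skipped."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return sorted (domain, address, verdict) for each watched domain the
    file touches: 'blocked' when sinkholed to loopback/unspecified,
    otherwise 'redirected' (possibly toward a cloned scanning service)."""
    findings = []
    for name, addrs in parse_hosts(text).items():
        if name in watched:
            for addr in addrs:
                verdict = "blocked" if addr in SINKHOLE_ADDRS else "redirected"
                findings.append((name, addr, verdict))
    return sorted(findings)


# Constructed sample hosts file, not captured from a real machine.
SAMPLE_HOSTS = """\
127.0.0.1   localhost                # stock entry
127.0.0.1   update.example-av.com  definitions.example-av.com
203.0.113.9 HouseCall.trendmicro.com # documentation-range address
"""
```

To run it against a live machine, pass the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) to audit_hosts; an empty result means the hosts file is not the mechanism, and DNS settings or the vendor's own connectivity are the next things to check.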
Bugbatter
Posts: 727
Registered: ‎05-01-2010
Location: USA

Re: Lenovo customer who suspects virus. What is the best course of action?


PCBruiser wrote:

As I said earlier in another topic, it is up to the user to become educated to the pluses and minuses of various security solutions, and make their choices whether any particular solution meets their needs or not.

Agreed. There is no one-size-fits-all.

In helping folks understand, I often compare computers to people, and remind them that a medical treatment that may work for one person will not necessarily work in the same way for another. There are many variables to consider, and no two systems are the same. Beginning with a comprehensive diagnosis, just as a doctor does, we can then work from there.


If you find a post helpful and it answers your question, please click the "Accept As Solution" button.

Lenovo Advocate ~ I am not employed by Lenovo or Microsoft. I am a volunteer.

Microsoft MVP - Consumer Security

SpywareHammer