- slide 1 of 2
Roger Grimes caused a bit of a stir when he said, "Starting from scratch is the only malware cure. If you discover malware on your system, don't mess around. Back up your data, format your hard drive, and begin again." One reader replied, "This is the worst article I've ever read. Malware and viruses might be very bad these days, but it doesn't mean you have to format and reinstall. This guy is a joke! I don't recommend only doing a virus scan, but as I do this for a living, there ARE ways to clean a computer 100% without the need to format. It's called 2 hours in a repair shop." Another said, "I hereby award Roger A. Grimes the tinfoil anti-radiation hat award for outstanding excess while trying to crack a nut with a sledgehammer."
So, is Roger right or is he a nitwit in a tinfoil hat? Should you wipe your computer as soon as you suspect it's been hit by spyware? Or as soon as your anti-virus product pops up with a warning that your system has been compromised? In my opinion (and we all know what opinions are like, right?) the answer depends on a number of factors.
Let's start by saying that a malware infection should be considered to be an extremely serious matter. Yesteryear, viruses were the work of attention-seeking, pimple-faced script kiddies working from bedrooms in their parents homes and their malicious programs were intended to simply cause inconvenience and disruption. But that's all changed. Today's malware is created by IT pros in the employ of organized criminals and it's created with a single, very specific objective: to enable the criminals to steal your money. Accordingly, the stakes are now much higher and it would be a mistake to take unnecessary risks.
When a system has been compromised, it can be exceptionally difficult to ascertain the extent to which it has been compromised. You cannot rely on an anti-malware scanner to detect and remove everything that may have been installed. Security products are not perfect. They rely on updates (definitions) and so may not be able to detect new forms of malware for which an update has yet to be released. Furthermore, scanners rely on information provided to them by the operating system and some malware has the ability to modify that information in order to conceal its presence. Should your system have been compromised due to a vulnerability, you really have no way of knowing what else may have been installed via that vulnerability. You cannot trust your event logs as they may have been modified, and you cannot trust your backups/images unless you can pinpoint the exact time that the computer was compromised.
So, yup, Roger is basically right. The best way to deal with a compromised system is to wipe it and reload the operating system and applications. But there are a couple of possible exceptions to this. It's probably OK to trust your anti-malware product to clean your system or to use a manual removal method if either:
- You know that the computer became infected because of user action (an oh-no moment when opening an email attachment, say) rather than because of a vulnerability and you know that whatever has infected the computer does not open a backdoor (some research will tell you this). In such cases, you can be reasonably sure that the only malware on the system is that which your antivirus scanner has detected.
- The computer is not used to store or transmit either personal or financial information - a PC that the kids use only to play games and IM, for example. In such cases, reloading everything may be considered to be an unnecessarily onerous process given that no sensitive data is at risk.
The real moral of the story is that prevention is better than cure. In fact, it's much, much better. Keep your security products updated, stay current with patches, surf sensibly and you should be able to avoid having to deal with problematic malware infections in the first place.
- slide 2 of 2
What's Your Opinion?
Do you think a clean install is overkill? Is automatic cleaning or a trip to the repaid shop a better option? Feel free to discuss and debate in the Security Forum!