Analecta Cyber Company Blog: Don’t Ignore Antivirus Software Warnings

2018-09-25

Don’t Ignore Antivirus Software Warnings

When it comes to computer viruses, just like the common cold, prevention is always the best cure. Stay vigilant and minimize your company’s risk of infection by understanding how malicious code functions, the most common ways it spreads between systems and how you can detect and stop it.

Despite best practices, which may include software patching, employee anti-spam training and limiting USB-device usage, there is a high probability that a computer virus may land on your network. Perhaps it has happened already - you get a phone call, text message or app notification on your computer: your antivirus (AV) program has detected malicious software, A.K.A. malware. What does this mean for your organization and what are your next steps?

Stay calm and remove the malicious code


Depending on the number of machines infected with the malicious code, this is a relatively straightforward step. Antivirus software, also called anti-malware software, is designed with clean-up in mind, as well as detection. You may be given the choice to clean the file, quarantine the infected file or delete the file outright. These options sound the same, but there are some important differences.

  • Clean: The AV software removes the infection from the file, and the file remains intact in its original location. If you are unsure what the malicious code does, start with trying to clean the file.
  • Quarantine: If your AV can’t clean the file, use the quarantine option. The AV software moves the entire infected file to a safe location that it manages, but it does not delete the file.
  • Delete: The AV software removes the entire file from the computer. If the AV identifies the code as a worm or trojan, deleting the file will be your best option: you cannot clean a worm or trojan, since the entire file is the worm or trojan. If you are sure that the file is completely useless and not a legitimate file, or if the other two options do not work, delete the file.
There is merit in knowing what your AV’s genuine “Virus Detected” warnings look like. Users often click on a bogus warning that offers to remove infected files and end up downloading malware instead.

Scan for additional threats


If it is easy to deduce where the malware entered a machine, such as a socially engineered spam email or a link that led to a download, isolate that machine from the network to be sure the malware has not propagated to other machines. Depending on the number of networked computers that contain the malicious code, you need to weigh whether or not to take the entire network offline.

While independently dealing with the infected computers, which will all need similar care to eradicate the malware, scan the remaining computers with updated virus definitions. New malicious code is discovered daily, so it is important to keep your AV up to date. NIST supplemental guidance points out that your systems should be configured to perform periodic scans of files already on the computer as well as real-time scans of files recently downloaded from external sources.

Recovering damaged files


If you elected to delete or quarantine the infected file, you may have removed a file required for one or more of your applications. It’s even possible that you may have deleted an important system file required to run your OS properly. Your best option is to recover from regularly scheduled backups. If you know when the malicious code was downloaded, pick a restore point prior to that date/time, but still run the AV to verify that the malicious code is gone.

You may need to reinstall a program from scratch if you do not have a clean system restore point. For applications other than the operating system, you might want to do this anyway if you have the install media available.

False Positives


Antivirus software is not perfect, and in the name of security, some will report code as malicious even if it is not. Virus definitions are written based on signatures, or bits of code that identify a piece of software. Since many developers like to reuse code that they know works, they may include code in their software that inadvertently fits an overly broad virus signature.

If you think the AV-flagged file is legitimate, check VirusTotal for additional information. VirusTotal is a free service that aggregates information from over 70 antivirus scanners and domain blacklisting services and will give you a picture of what other AV software thinks about your file. If many AVs recognize that file as malicious, it probably is. If only a few AVs report it as potentially harmful, you may have a false positive. Evaluate the download’s source and consider whether it is trustworthy. Check a malware database for more information about the type of malware the AV claims your file to be. When in doubt, trust the AV and allow it to clean or quarantine the file.
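As an added example (not Analecta’s code), the small Python helper below hashes the flagged file so it can be looked up on VirusTotal by digest rather than uploaded, and applies the article’s rule of thumb to a VirusTotal-style report: many engines agreeing means likely malicious, only a few flagging it means a possible false positive. The report shape follows the VirusTotal v3 file report (`last_analysis_stats` / `last_analysis_results`); the sample report and the thresholds (three engines, 50% consensus) are constructed assumptions, and the network lookup itself is left to the reader.

```python
"""Triage an AV detection against a VirusTotal-style verdict summary (added example)."""
import hashlib
import json

# Constructed sample: the parts of a VirusTotal v3 file report this triage uses.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {
  "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 68,
                          "harmless": 0, "timeout": 1, "type-unsupported": 3},
  "last_analysis_results": {
    "EngineA": {"category": "malicious", "result": "Gen:Heur.Suspicious"},
    "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
    "EngineC": {"category": "undetected", "result": null}}}}}
""")


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of in-memory data; VirusTotal reports can be fetched by this digest."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(report: dict, few: int = 3, consensus: float = 0.5) -> dict:
    """Classify a report: 0 flags -> clean; <= `few` flags and no consensus ->
    possible false positive; >= `consensus` of scanning engines -> likely malicious.
    The thresholds are assumptions, not VirusTotal's or Analecta's."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    # Only engines that produced a verdict count; timeouts and unsupported types do not.
    scanned = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    ratio = flagged / scanned if scanned else 0.0
    if flagged == 0:
        verdict = "clean"
    elif flagged <= few and ratio < consensus:
        verdict = "possible false positive"
    elif ratio >= consensus:
        verdict = "likely malicious"
    else:
        verdict = "suspicious"
    # Detection names help when checking a malware database for the claimed family.
    names = sorted({r["result"] for r in attrs.get("last_analysis_results", {}).values()
                    if r.get("category") in ("malicious", "suspicious") and r.get("result")})
    return {"flagged": flagged, "scanned": scanned, "ratio": round(ratio, 3),
            "verdict": verdict, "names": names}
```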

Analecta is here to help


Having an antivirus scanner and knowing what to do with it are just two pieces in the cybersecurity puzzle. Our team of experts is willing to impart skills and expertise in keeping your business protected from cyber threats. Visit our Cyber Security website or email us at info@analecta-llc.com for more information.

Frequently asked questions about antivirus software


Q: What about files on thumb drives and DVDs?
Always run an antivirus scan against files on a thumb drive or other removable media as soon as it is inserted into the computer. Most operating systems are set up to do this automatically, and the AV will usually ask during installation if you want this as an option. It’s very easy to accidentally copy malicious files from an infected machine to a clean one, so scan away.

Q: My AV software identified a number of files it could not scan. What next?
AV software may be unable to scan certain types of file: password protected files, zip files or other archive formats, and files currently in use by the operating system. The first rule of thumb is to never open a password protected file or zip file from an unknown source. If you trust the source, extract the files from the archive and scan again or upload the file to an online scanner like MetaDefender Cloud or VirusTotal.

Q: Are there any files I wouldn’t want scanned?
Some software developers have problems with antivirus software flagging their projects as a virus when some of their code fits a virus signature. If your employees are developing custom software, have them store their code in a shared central folder and exclude that folder from your scan.

Q: What if I really need the data and do not want to delete the file?
Backups are key. Recover from your backups and set your network to its known good baseline. If you can’t clean the file with the AV, it is still best to delete it. See this Analecta blog article for more information about recovery plans.

Q: Do machines talk to each other on the system and do the IT people receive notification about malware?
In short, yes. The IT department receives notifications whenever any network traffic pattern does not fit the organization’s baseline. They also receive notifications from AV software; as mentioned before, it can be configured to allow the user/admin to choose what action to take with discovered malware.

Have other questions? Place them in the comments section and we will respond.

Further Resources