Time: 5 hours 33 minutes
Difficulty: Beginner
CEU/CPE: 3

Video Description

Troubleshooting Security Issues Part 2

Other security issues that may develop involve files. There may be new or renamed files noticed on the system, or system files that are noticeably missing; this is the work of malware. There may be files or folders that can no longer be accessed directly, whose permissions have changed or that have a new owner, or directories that you can no longer take ownership of; this is also malware. So we discuss how malware can move around, changing the dynamics of files and folders in an attempt to prevent corrective actions, and we discuss a number of tools, such as antivirus software and Windows resources like the Recovery Console and System Restore, that can be used to correct this.

Video Transcription

00:04
In addition to our previous hints that we may have malware on our system, we may notice renamed system files. We may have some files that are used for our operating system that have been changed and the names are now different. Or we may notice that we have some new and unknown files.
00:20
These may be some files, these may be some system changes, that the malware is implementing.
00:25
If we didn't change that file, if we didn't modify that name, it may be malware that's infecting our system and trying to change our files and folders.
00:33
We may have files that are disappearing. We may have certain system files that are being hidden. It's the malware: it tries to infect those files, change settings and then hide the folders or hide the files so that we can't follow up and then clean them later. We may have deleted or corrupted files as the malware's moving around, trying to make certain changes,
00:51
trying to hide in certain files or folders,
00:54
and thus is causing those files to look as if they're deleted, or may even corrupt those files so that we can't use them as they're supposed to be used.
01:04
File permission changes as well as access denied messages are other good hints that we may have malware issues on our computer. We may notice that we have certain files and folders that we can't open, and it looks like the permissions have been changed all of a sudden. The file may have a new owner. We may have noticed
01:23
that ownership of the file has been taken from our user account, too.
01:26
Maybe the system, or our administrator account. We never changed that ownership. We always run this file as a user. There may be some issues going on there with malware that's infected on the administrator level and has taken ownership of that file or folder to try to make changes.
01:41
We may have, as we said, access denied messages. We may try to access certain files and directories that we
01:49
have our permission denied to, or we may not even be able to take ownership of those files and folders to try to access them, because our malware has written itself in. It's changed the way that our file and folder permissions are. It's changed the way that some of our registry settings are and made those files or folders inaccessible to us,
02:07
so we can't modify them. And we can't fix the problems that it's introduced into our systems.
02:12
Now that we've identified our malware on our system, now that we have a good hunch that there may be a virus or there may be adware or malware infecting our system, what are some of the tools that we can use in order to remove this? Well, one of our first and most obvious tools is going to be our antivirus, anti-malware, anti-spyware.
02:29
This is software that is especially designed in order to help remove these from our system.
02:32
Now our antivirus, anti-malware, anti-spyware may be signature or heuristics based. Signature based means it's going to have a list of files, a list of different
02:44
executables, and a list of different registry settings and changes that may occur on our computer, that this setting, this file, this executable equals bad. It has a special algorithm that it performs on these files, on these folders, so that even if the name has been changed, the
03:02
actual data inside the executable, the data inside the file, will look the same on what's called a hash,
03:09
so these signatures, whether it's a hash based signature or whether it's a signature based on the actual code inside the file, are going to match a signature that the antivirus or the anti-malware says is bad. There's also heuristics based. Heuristics means more rule based, which means our antivirus, anti-malware, anti-spyware
03:29
is going to say
03:30
this program is trying to do this. It's trying to talk to this location. It's trying to perform this change on our computer.
03:38
This doesn't seem right. This program shouldn't be doing this. It shouldn't be trying to access this part of the computer or run as an administrator or run through the firewall on this port. So I'm gonna block it. I'm gonna mark this as a suspicious executable. I'm gonna stop this process, and I'm gonna put it up for review. So that's our difference between
03:57
signature or heuristics.
03:58
Signatures are more cut and dry. Heuristics are rules. They're rules of thumb that this action, this file type, or this way that this file looks seems bad.
04:13
So our antivirus we may have installed on our computer, or we may also have bootable scanners. These are gonna be scanners that we have on USB drives or disks that we can carry around with us. And if we have a very heavily infected system that we can't even get on the system to install an antivirus, or we do have an antivirus and the malware installed on the computer
04:32
has disabled it,
04:33
disabled it from finding it, we can use these bootable scanners as an in-depth way of checking our disk without actually starting the disk. The disk will only spin because our USB or our bootable,
04:47
our bootable DVD that we put in our optical drive, is referencing our hard drive, is searching through all the files and the folders on our hard drive, and is looking for this malware,
04:57
so it makes it easier to find, say, rootkits or other types of malware that may hide themselves and may hide certain files and folders from a scanner that runs as an installed program from our operating system.
05:09
So if we have
05:11
the ability to, we may want to have multiple different brands, multiple different companies of malware and antivirus scanners. We don't just wanna stick with one that we trust for everything. We may wanna have one installed on our computer, but if we have our tool bag, we may wanna have a bootable scanner with multiple different antivirus disks.
05:30
This allows us to have
05:31
coverage that other companies may not have. So we may wanna have a Windows Defender bootable disk, we may wanna have AVG on a disk, we may wanna have Malwarebytes, and using all of these different tools, we can
05:45
have more reliable results. We can more reliably say that a system is clean than if we just use one single tool.
05:54
These tools will be able to search again for viruses or malware, spyware, will be able to search for rootkits. Especially our bootable scanners will search better than our onboard installed programs. And these antiviruses may also offer file, web, executable protection,
06:13
which means that if we have a certain file that we're navigating through, or if we have a website that we're trying to go to, or we have an executable that's trying to run,
06:20
our antivirus or anti-malware may include additional features that not only stop malware after it's infected our system but may provide preventive measures like blocking certain websites or blocking certain executables from running that may try to infect our computer.
06:36
Next, we have the Recovery Console. We talked a little bit about the Recovery Console in our operating system troubleshooting section, and the Recovery Console is a program that allows us to restore some system files back to their original state or restore some registry settings, registry settings that may have become corrupt or changed by malware.
06:54
So we can boot into our Recovery Console, and we may want to restore some system files
06:58
or restore some registry settings back to their defaults because malware may have changed them. We may also be able to use our command prompt using our Recovery Console, so we can navigate through our file directories. We can run some commands and run some applications to try to clean up the malware, to try to remove it off of our system.
07:15
Now we have our System Restore. Now, our System Restore allows us to restore back to a restore point, which contains certain system registry and file settings. Now System Restore does not change all of our files and documents. Now this is good and bad.
07:30
It's good because we can change our system back to certain settings, certain registry, a certain point in our registry
07:38
where we may have not had the malware. This may clean up some of the malware. This may clean up some of the infection, but viruses and malware can also hide in some of the files and folders that System Restore does not affect. It doesn't touch these because these are personal files or personal folders, and it doesn't want to try to harm them. So
07:56
the malware could still be in there, and it could just jump right back into action.
08:00
Our System Restore may also, the restore points may become infected by malware. If a restore point is created while we have the malware infection, that restore point may have settings on it that would reintroduce the malware into our system. We'll talk about how to effectively remove malware in a little bit, but we do want to just go ahead and say that with our System Restore,
08:20
when we notice we have a malware infection, we want to go ahead and disable System Restore.
08:24
This will delete all of the previous system restore points that may have had malware inside of them. And then once we clean up our malware and we're good to go again, then we can re-enable our System Restore.
08:33
Lastly, we have our Preinstallation Environment as well as our Event Viewer. Our Preinstallation Environment is going to be our WinPE environment, that allows us to boot and access files without actually booting our operating system. This will typically be on a disk or a USB that we plug into and boot from our computer, and we can run commands here. We can run Recovery Consoles here,
08:54
and we may actually even be able to run certain antivirus features, such as Windows Defender
08:58
that is installed on our WinPE environment. So we can boot this from a disk, we can run the Windows Defender installation, we could run the Windows Defender program and scan for malware from the disk, rather than having to scan from the operating system. Again, certain viruses and malware can compromise an antivirus.
09:16
It can compromise where an antivirus is allowed to look and how an antivirus works,
09:20
or even disable the antivirus completely. So it's best to have a program, to have antivirus tools, that we can run without having to run them from the operating system, so we have a more comprehensive, in-depth scan.
09:33
And then lastly, we have our Event Viewer. Our Event Viewer allows us to review events that have happened on our computer. Depending on what we have set in our security settings, depending on what we have set to audit, our Event Viewer can check for things like file and permission changes. We can see when certain files have been changed.
09:50
We can see when certain permissions have been changed and see who changed those files and changed those permissions.
09:56
This can help us to narrow down and say, OK,
09:58
this file has new permissions that I never changed. How did they change? It looked like SYSTEM changed them. It looked like this certain user account changed them. And I know this person hasn't been logged in during that time frame, so it may mean that malware has infected that account.
10:15
It can show us authentications. It can show us when users have logged in or when users have attempted to log in from a remote location,
10:22
or can show us different errors, when we've tried to access files and gotten access denied messages, or when we've tried to access files and noticed that there's been corruption. Our Event Viewer can show us a lot of this and even more, so it's a great tool to be able to review events that have happened, and use Event Viewer to try to track down what malware has been doing
10:41
and where it may have spread.
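The transcript's distinction between signature-based and heuristics-based detection, shown as an added Python example. This is not code from the course, the instructor, or any antivirus product: the hash signature is computed over file content so that a renamed copy still matches, while the heuristic rules, their weights, the suspicion threshold, the host allow-list and the sample programs are all constructed for the demonstration.

```python
"""Signature-based vs heuristics-based detection, side by side.

Added example, not code from the course or from any antivirus vendor.
A hash signature identifies a file by its content, so renaming the file
does not help it evade; a heuristic scores what a program does against
rules of thumb.  Every sample file, hash and behaviour record here is
constructed for the demo.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


# --- Signature-based detection -------------------------------------------

def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes (the "hash" the transcript mentions)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a vendor's known-bad list: we hash a made-up
# payload so the example runs offline.  Real lists hold vendor-published hashes.
KNOWN_BAD_CONTENT = b"MZ\x90\x00constructed-sample-payload-v1"
KNOWN_BAD_HASHES = {sha256_of(KNOWN_BAD_CONTENT)}


def signature_match(filename: str, data: bytes) -> bool:
    """True when the file's content hash is on the bad list.

    The file name is deliberately ignored: a renamed copy has the same hash.
    """
    return sha256_of(data) in KNOWN_BAD_HASHES


# --- Heuristics-based detection ------------------------------------------

@dataclass
class ObservedBehaviour:
    """What a running program was seen doing (constructed records)."""
    program: str
    runs_as_admin: bool = False
    opens_firewall_port: bool = False
    modifies_system_files: bool = False
    changes_file_owner: bool = False
    contacts_hosts: List[str] = field(default_factory=list)


# Hosts a program is expected to talk to (constructed allow-list).
KNOWN_GOOD_HOSTS = {"update.example.com"}

# Rules of thumb: (name, predicate, weight).  Weights are illustrative only.
HEURISTIC_RULES: List[Tuple[str, Callable[[ObservedBehaviour], bool], int]] = [
    ("runs as administrator", lambda b: b.runs_as_admin, 1),
    ("opens a firewall port", lambda b: b.opens_firewall_port, 2),
    ("modifies system files", lambda b: b.modifies_system_files, 3),
    ("takes ownership of files", lambda b: b.changes_file_owner, 3),
    ("contacts a host not on the allow-list",
     lambda b: any(h not in KNOWN_GOOD_HOSTS for h in b.contacts_hosts), 2),
]
SUSPICION_THRESHOLD = 5


def heuristic_score(beh: ObservedBehaviour) -> Tuple[int, List[str]]:
    """Return (total weight of triggered rules, names of triggered rules)."""
    hits = [(name, weight) for name, pred, weight in HEURISTIC_RULES if pred(beh)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def classify(filename: str, data: bytes, beh: ObservedBehaviour) -> str:
    """Signature first (cut and dry), then heuristics (rules of thumb)."""
    if signature_match(filename, data):
        return "known-bad (signature match)"
    score, _ = heuristic_score(beh)
    return "suspicious (heuristic)" if score >= SUSPICION_THRESHOLD else "ok"


# Constructed sample programs.
SAMPLE_UPDATER = ObservedBehaviour(
    "updater.exe", runs_as_admin=True, contacts_hosts=["update.example.com"])
SAMPLE_DROPPER = ObservedBehaviour(
    "svchost.exe",  # a system-looking name, as the transcript's renamed files
    runs_as_admin=True, opens_firewall_port=True, changes_file_owner=True,
    contacts_hosts=["c2.constructed.invalid"])

if __name__ == "__main__":
    benign_bytes = b"MZ\x90\x00harmless-constructed-bytes"
    print(classify("updater.exe", benign_bytes, SAMPLE_UPDATER))
    # Renamed known-bad content still matches by hash.
    print(classify("svchost.exe", KNOWN_BAD_CONTENT, SAMPLE_DROPPER))
    # Unknown bytes with bad behaviour: the signature misses, the heuristics catch it.
    print(classify("svchost.exe", benign_bytes, SAMPLE_DROPPER))
```

Running the file prints three verdicts: the updater is "ok", the renamed known-bad payload is caught by its hash regardless of the name, and a file whose bytes are not on any list is still flagged because of what it does (running elevated, opening a firewall port, taking ownership of files, talking to an unlisted host). The design choice mirrors the transcript: a content hash is exact but only knows files already on the list, so products pair it with behavioural rules to cover what the list has not seen yet.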


Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor