Can We Rely on the Antivirus’ Ability to Disinfect a System?

Antivirus/antimalware tools play an important role as part of an overall security architecture. One of the many capabilities built into these products is the ability to remove malicious programs discovered on the system during a scan. After all, despite all the technology and caution, malware can find its way onto any system. What happens next?

A Host Infected in the Organization

Let’s say an administrator charged with overseeing corporate antivirus notices an alert indicating that malware was found on a workstation or server. A similar situation arises when an administrator runs an ad hoc scan and encounters a malware warning. The person examines the alert and determines that the malware had already executed on the system prior to being discovered. If the antivirus tool provides the option to automatically disinfect the system, it’s tempting to click “Remove” and move on to fighting other fires.

Antivirus vendors invest significant R&D efforts into creating robust malware removal capabilities, especially for malicious programs most commonly encountered by their users. Yet, in a corporate setting, I am concerned about organizations considering that the security incident has been fully resolved once the antivirus tool removed malware.

The Discovered Specimen Could Be Just a Start

If one malware specimen was encountered on the system, there’s a reasonable chance that there is other malware there that may be still undetected. Moreover, it is possible that an attacker already took advantage of the now-removed malicious program to further compromise the system or other IT resources in the organization. To know for sure, deeper forensic analysis of the incident may be required.

When encountering an infected host in the corporate environment, be wary of relying solely on the antivirus tool’s ability to disinfect the host. If you can, take the time to look for other indicators of compromise to assess the scope and severity of the incident. Investigate further if there are reasons to be concerned. Once you’re ready to eradicate malware, strongly consider reimaging the system or restoring it from backup, instead of automatically disinfecting it and assuming that the situation has been resolved.
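The following is an added example, not code from the original post or from the author: a small triage routine that correlates an antivirus alert with other host telemetry (process creation, persistence writes, outbound connections) to answer the question the post raises, namely whether the removed specimen did anything beyond sitting on disk. All of the sample events, hostnames, paths and addresses are constructed for illustration; the event shapes are hypothetical rather than any specific product’s log format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    time: str   # ISO-8601 timestamp of process creation
    pid: int
    ppid: int
    image: str  # full path of the executable


@dataclass(frozen=True)
class PersistEvent:
    time: str
    pid: int        # process that wrote the persistence entry
    location: str   # run key, scheduled task or startup folder path


@dataclass(frozen=True)
class NetEvent:
    time: str
    pid: int
    dest: str       # ip:port of the remote endpoint


# --- constructed sample telemetry for a hypothetical host (not real data) ---
AV_ALERT = {
    "host": "ws-042",
    "path": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
    "detected_at": "2024-05-01T10:15:00",
}

PROC_EVENTS = [
    ProcEvent("2024-05-01T09:58:01", 4120, 2200, r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    ProcEvent("2024-05-01T09:58:03", 4388, 4120, r"C:\Windows\System32\cmd.exe"),
    ProcEvent("2024-05-01T09:58:04", 4400, 4388, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("2024-05-01T10:02:10", 5012, 2200, r"C:\Windows\System32\notepad.exe"),  # unrelated user activity
]

PERSIST_EVENTS = [
    PersistEvent("2024-05-01T09:58:06", 4400, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    PersistEvent("2024-05-01T08:30:00", 1200, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"),  # unrelated
]

NET_EVENTS = [
    NetEvent("2024-05-01T09:58:08", 4400, "203.0.113.7:443"),   # TEST-NET-3 address, constructed
    NetEvent("2024-05-01T10:03:00", 5012, "10.0.0.5:445"),      # unrelated
]


def related_pids(seed_path, proc_events):
    """Return the pid of every process started from the detected file plus all
    of its descendants, by walking parent->child links in the process log.
    Pid reuse is ignored here; a real tool would key on a process GUID."""
    related = {e.pid for e in proc_events if e.image.lower() == seed_path.lower()}
    changed = True
    while changed:
        changed = False
        for e in proc_events:
            if e.ppid in related and e.pid not in related:
                related.add(e.pid)
                changed = True
    return related


def triage(alert, proc_events, persist_events, net_events):
    """Correlate the AV alert with other host telemetry and report whether the
    detected specimen did more than sit on disk before it was removed."""
    pids = related_pids(alert["path"], proc_events)
    seeds = {e.pid for e in proc_events if e.image.lower() == alert["path"].lower()}
    findings = []

    # Anything spawned by the detected file is activity the AV removal did not undo.
    for e in proc_events:
        if e.pid in pids and e.pid not in seeds:
            findings.append(f"child process spawned by detected file: pid {e.pid} {e.image}")
    for p in persist_events:
        if p.pid in pids:
            findings.append(f"persistence written by related process pid {p.pid}: {p.location}")
    for n in net_events:
        if n.pid in pids:
            findings.append(f"outbound connection by related process pid {n.pid}: {n.dest}")

    if findings:
        recommendation = "reimage or restore from known-good backup; scope for follow-on compromise"
    elif pids:
        recommendation = ("detected file ran but no follow-on activity is visible; "
                          "telemetry gaps remain, so reimaging is still the safer choice")
    else:
        recommendation = "no execution observed; removal is likely sufficient, verify the file never ran"
    return {"related_pids": sorted(pids), "findings": findings, "recommendation": recommendation}


if __name__ == "__main__":
    report = triage(AV_ALERT, PROC_EVENTS, PERSIST_EVENTS, NET_EVENTS)
    for line in report["findings"]:
        print("-", line)
    print("recommendation:", report["recommendation"])
```

Run against the constructed events, the routine shows the pattern the post warns about: the alert names one file, but the process tree under it created a run key and reached out to an external address, none of which “Remove” touches. The recommendation only softens when no related activity is visible, and even then it notes that absent telemetry is not evidence of absence.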

Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
