Can We Rely on the Antivirus’ Ability to Disinfect a System?

Antivirus/antimalware tools play an important role as part of an overall security architecture. One of the many capabilities built into these products is the ability to remove malicious programs discovered on the system during a scan. After all, despite all the technology and caution, malware can find its way onto any system. What happens next?

A Host Infected in the Organization

Let’s say an administrator charged with overseeing corporate antivirus notices an alert indicating that malware was found on a workstation or server. A similar situation arises when an administrator runs an ad hoc scan and encounters a malware warning. The person examines the alert and determines that malware had already executed the on the system prior to being discovered. If the antivirus tool provides the option to automatically disinfect the system, it’s tempting to click “Remove” and move on to fighting other fires.

Antivirus vendors invest significant R&D efforts into creating robust malware removal capabilities, especially for malicious programs most commonly encountered by their users. Yet, in a corporate setting, I am concerned about organizations considering that the security incident has been fully resolved once the antivirus tool removed malware.

The Discovered Specimen Could Be Just a Start

If one malware specimen was encountered on the system, there’s a reasonable chance that there is other malware there that may be still undetected. Moreover, it is possible that an attacker already took advantage of the now-removed malicious program to further compromise the system or other IT resources in the organization. To know for sure, deeper forensic analysis of the incident may be required.

When encountering an infected host in the corporate environment, be weary of relying solely on the antivirus tool’s ability to disinfect the host. If you can, take the time to look for other indicators of compromise to assess the scope and severity of the incident. Investigate further if there are reasons to be concerned. Once you’re ready to eradicate malware, strongly consider reimaging the system or restoring it from backup, instead of automatically disinfecting it and assuming that the situation has been resolved.

Hand-picked related posts:

Lenny Zeltser

Updated August 19, 2011
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more