

ANALYSIS
Malware detection in 9 easy steps
Hey Windows users: Here's how to get the incredible power of 67 antivirus engines with no performance impact on your computer

By Roger A. Grimes
Columnist, CSO
OCT 25, 2017 9:06 AM PT

Hardly a week goes by when I'm not cleaning up someone's computer and detecting and eradicating malware. It's not uncommon for me to find dozens of infections, each doing its best to pester the user into installing multiple bogus antivirus programs or, worse, getting ready to lock up data in a ransomware attack.

All these users justifiably complain that their antivirus (AV) program is inaccurate and misses obvious malware that pops up in front of their eyes. It's especially annoying when this software clobbers performance in exchange for "protecting" the user.


(Note that while "antivirus" isn't exactly a misnomer, it's also not the most precise
term for this type of software since computer viruses make up a very small
percentage of detections these days. "Antimalware" is more accurate and is my
preferred term, but since the world knows it as "antivirus", that's the term I'll be
using here.)

All antivirus software misses a significant percentage of malware. This is because professional malware writers design their malware and botnet ecosystems to self-update whenever they start getting detected. While antivirus engines eventually sniff out millions of malware variants, they're always one generation behind, failing to spot the stuff that has been self-modified to avoid discovery.

Overall accuracy rates go up and down all the time, though some products score
better than others ... for some period of time. But again, no AV product is 100
percent accurate. No product is going to be super-accurate over the course of an
entire year.

Maximum malware detection for all


Here's what you should do: Install an antivirus product that does a decent job, has a long history of stability and decent success, and doesn't slow down your system (unless you don't mind a little sluggishness). Then use Windows Sysinternals Process Explorer or Autoruns to test currently running executables against VirusTotal's 67 antivirus engines, which offers the best accuracy you can ever get (with a small percentage of false positives).

Step by step, do this now for all Windows computers:

1. Make sure your computer has an active connection to the internet.

2. Go to Sysinternals.com. It's a Microsoft site.

3. Download Process Explorer and Autoruns. Both are free, as is everything on the site.

4. Unzip these programs. If using Process Explorer, use procexp.exe. If using Autoruns, use autoruns.exe (autorunsc.exe is the command-line version).

5. Right-click and run the program executable as Administrator, so it's running in the Administrator's security context.

6. Run Process Explorer first (I'll explain Autoruns later). Select the Options menu at the top of the screen.

7. Choose VirusTotal.com, then Check VirusTotal.com.

8. This will submit all running executables to the VirusTotal website, which is run and maintained by Google. You'll get a message to accept the license; answer Yes. You can close the VirusTotal website that comes up and go back to Process Explorer.

9. In Process Explorer, you'll see a column labeled Virus Total. It will either say Hash Submitted (during the first few seconds) or give you a ratio, something like 0/67, 1/67, 14/66, and so on.

[Image: Example of Process Explorer and VirusTotal Ratios. Credit: Roger Grimes/IDG]

As you've probably guessed, the displayed VirusTotal ratio indicates how many antivirus engines at VirusTotal reported the submitted executable (hash) as malicious. Currently, the list of antivirus engines is 67, but it goes up and down all the time. I'm not sure why some executables are inspected by all of the antivirus engines and not others, but regardless of the denominator (lower number), if the numerator (above the line) is greater than zero you could have malware. If it says 1/57 or 2/57, however, it probably isn't malware, but a false positive instead. On the other hand, I've seen at least one real malware program that was detected by only one of the engines, so double-check to see if the name and vendor who created the program looks familiar. If not, it could be malicious. But in general, if the numerator is 1, I usually relax. If it's 2, I investigate a little bit more. But even most of the 2s end up being false-positives. The next screenshot shows examples of two false-positives, both related to the legitimate vendor, Winzip Computing.

[Image: Example of VirusTotal False-Positives. Credit: Roger Grimes/IDG]

If you are not sure, simply click on the reported ratio, and it will take you to the VirusTotal page showing which AV engines did and didn't report it as malware. VirusTotal also displays two symbols at the top of the page, one a red devil and the other a green smiley face wearing a halo. If the arrow is pointing to the green smiley face, which it usually is in these instances, that means VirusTotal's experience leads them to classify the file as non-malicious. In the example screenshot below, even though the one rogue AV program (in this case, eGambit) itself claims to have 99 percent confidence that the file is malicious, none of the other 65 AV programs agree, and VirusTotal itself (as evidenced by the selected green smiley face) doesn't agree.

[Image: Example Screenshot of VirusTotal Detailed Results. Credit: Roger Grimes/IDG]

So why would I recommend a program that often has false-positives? First, it's an inherent problem with VirusTotal and not Process Explorer. Usually the false-positives are cleared up in hours as the AV vendor does its research and clean-up. And if you can overlook the possible minor false-positives that are easy to rule out, there is no single antivirus engine that is anywhere near as accurate as VirusTotal. It may make some minor mistakes erring on the side of caution, but it more than makes up for it in detecting the stuff that many other AV misses. It uses the power of 67 different AV engines against malware writers. Your antivirus product may miss something, but VirusTotal doesn't.

Most malware programs are caught at a ratio with a numerator of 3 or higher (ex. 13/67). In fact, I've never had a false-positive when the numerator is 3 or higher. When I see anything at that numerator or higher, I right-click it in Process Explorer, note the file location path, and kill the process if I don't absolutely recognize and trust the program file.
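The nine-step Process Explorer check and the ratio triage described above, scripted in PowerShell as an added example (this is not code from the article, Sysinternals or VirusTotal). It assumes your own VirusTotal API key in the environment variable VT_API_KEY, the VirusTotal v3 files endpoint, and an elevated session; only SHA-256 hashes are sent, never file contents.

```powershell
# Added example, not from the article: the Process Explorer / VirusTotal check
# done from PowerShell. Only SHA-256 hashes are submitted, never file content.
# Assumptions: your own VirusTotal API key in $env:VT_API_KEY, the v3
# "files/{hash}" endpoint, and an Administrator session so that every process
# image path is readable, as the article recommends.

$apiKey = $env:VT_API_KEY
if (-not $apiKey) { throw 'Set VT_API_KEY to your VirusTotal API key first.' }

function Get-Triage([int]$Malicious) {
    # Bands taken from the article: 0 clean, 1 usually a false positive,
    # 2 worth a closer look, 3 or more treat as malware unless you know the file.
    switch ($Malicious) {
        0       { 'clean' }
        1       { 'likely false positive' }
        2       { 'investigate' }
        default { 'probable malware' }
    }
}

# Unique on-disk images behind running processes; processes whose path is not
# readable (protected system processes) have no Path and are skipped.
$paths = Get-Process -ErrorAction SilentlyContinue |
         Where-Object { $_.Path } |
         Select-Object -ExpandProperty Path -Unique

$results = foreach ($path in $paths) {
    $sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
    # The article's "name and vendor" sanity check: who signed the file, if anyone.
    $signer = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
    try {
        $r = Invoke-RestMethod -Method Get `
                 -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                 -Headers @{ 'x-apikey' = $apiKey }
        $s = $r.data.attributes.last_analysis_stats
        $mal = [int]$s.malicious
        # Denominator approximates the ratio Process Explorer shows (engines that
        # returned a verdict); VirusTotal's own displayed count may differ slightly.
        $total = $mal + [int]$s.suspicious + [int]$s.undetected + [int]$s.harmless
        [pscustomobject]@{ Path = $path; Ratio = "$mal/$total"; Triage = (Get-Triage $mal); Signer = $signer }
    } catch {
        # 404 means VirusTotal has never seen this hash: that is "unknown", not "clean".
        [pscustomobject]@{ Path = $path; Ratio = 'n/a'; Triage = 'never seen by VirusTotal'; Signer = $signer }
    }
    Start-Sleep -Seconds 16   # public API allows 4 lookups per minute
}

$results | Sort-Object Triage | Format-Table -AutoSize
```

A hash VirusTotal has never seen is common for freshly updated or home-built binaries; it gets the article's name-and-vendor check rather than a clean bill.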

Then I manually delete the files associated with the executable, but proceed at your own risk! Be forewarned: There is always a chance you might accidentally delete something you need for some application or driver to run. If you're worried, rename the file instead. That's enough to stop the malware program from re-launching using that same file. I will usually rename it to something with a file extension ending in thisismalware so that I'll remember what I did if I see it again. Usually if I'm not sure if the file I want to delete is malicious, I'll rename the file, wait a week and then delete the file when I'm more sure that I didn't impact anything legitimate.

Occasionally, malware will fight with you and not let you kill the process. If so, repeat the process above, but go with Autoruns instead. Use Autoruns to unselect the program so that it won't load at startup. Reboot and run Process Explorer again. Usually, the malware program will not be running and you can delete it. If using Autoruns doesn't work and the file is still fighting you, you'll have to boot into Safe Mode, find the executable and then delete or rename it. I haven't run into an executable in years that fought me beyond this step, but it's possible. If this happens, use VirusTotal to identify which antivirus products detect the target file as malicious, download one of them, and then run it on your computer to get rid of the file. Heck, you might want this to be your first eradication step if you aren't comfortable with manually killing and deleting files.

Put a shortcut to Process Explorer on your desktop. Always Run as Administrator. I usually right-click the executable (not the desktop shortcut), choose Properties, then the Compatibility tab, select Change Settings for All Users, and then choose Run this program as an administrator. Make sure to run the 64-bit version if you run a 64-bit version of Windows. That is very common these days. I recommend that everyone download and run Process Explorer or Autoruns at least once a week. If that's too much, at least be sure to run it if your computer exhibits suspicious behavior.

Caveat emptor: No malware detection works every time

To be clear, even this detection method is not perfect. Certain malware can escape this sort of detection, although for now, it's rare. Of course, in the future, malware writers could go out of their way to escape the clutches of Process Explorer or Autoruns. That's not true yet, so the above method is one of the best protection methods you can use.

The best long-term advice to avoid infection in the first place will sound familiar if you read my blog regularly: Keep your software fully patched, especially browser and browser add-in software. Most of all, don't be fooled into installing something you shouldn't. Finally, don't share passwords between different sites, or use two-factor authentication, and you'll become a top security defender. Those three pieces of advice trump any antimalware advice that you'll ever get.

If your computer is connected to the internet, no defense is perfect, and you owe it to yourself to apply the best detection regimen available. Feel free to pass my detection recipe along to every friend and co-worker. It's hard to beat 67 antivirus programs for accuracy.

