# Lab SEC-6: Malware Removal Process Tabletop

Domain:
- 2.0 Security

Works on:
- Windows
- Tabletop/scenario practice

## Goal

Practice the malware removal order without working on live malware.

## Safe Windows Inspection

Run or open:

```powershell
windowsdefender:            # Windows Security app (Defender status)
taskmgr                     # Task Manager (per-process CPU use)
resmon                      # Resource Monitor
SystemPropertiesProtection  # System Properties > System Protection tab
```

Optional reboot command to know, but do not run it unless you are ready to restart:

```powershell
shutdown /r /o /t 0   # restart into the Advanced Startup menu immediately
```

Record:
- Defender status:
- Highest CPU process:
- System Protection enabled:
- Where you would find Advanced Startup:

## Process Drill

Write the 10 steps from memory:

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

## Next-Step Scenarios

Identify the next correct step.

1. User reports browser redirects and fake security alerts.
2. You verify symptoms and identify likely malware.
3. The infected system is still on the network.
4. The system is quarantined.
5. System Restore is disabled.
6. Remediation is complete.
7. Anti-malware is updated.
8. Scan/removal fails and system trust is low.
9. Known-good image is restored.
10. Scheduled scans and updates are enabled.
11. System Protection is re-enabled.

## What You Should Learn

- Quarantine comes early.
- Disable System Restore before remediation.
- Update anti-malware before scanning/removal.
- Reimage/reinstall when cleanup cannot be trusted.
- Re-enable System Protection only after cleanup.
- User education is part of the process.
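The Safe Windows Inspection record above can be captured with a script instead of by hand, so each item is timestamped and can be compared across drill runs. This PowerShell snapshot is an added example, not part of the lab; it assumes an elevated session on Windows 10/11 with the Defender cmdlets available, and reads System Protection state from the SystemRestore registry value RPSessionInterval.

```powershell
# Added triage snapshot for the lab's inspection checklist (not part of the lab itself).
# Assumptions: elevated session, Defender module present, RPSessionInterval registry value present.
$report = [ordered]@{ CollectedAt = (Get-Date).ToString('s'); Host = $env:COMPUTERNAME }

# 1. Defender status: engine on, real-time protection on, and how stale the signatures are.
#    Signature age matters because the removal order updates anti-malware before scanning.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report.DefenderEnabled      = $mp.AntivirusEnabled
    $report.RealTimeProtection   = $mp.RealTimeProtectionEnabled
    $report.SignatureAgeDays     = $mp.AntivirusSignatureAge
    $report.SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
} catch {
    $report.DefenderEnabled = 'unknown (Get-MpComputerStatus failed: ' + $_.Exception.Message + ')'
}

# 2. Highest CPU process. Get-Process reports cumulative CPU seconds, not the instantaneous
#    percentage Task Manager shows, so cross-check with taskmgr before drawing conclusions.
$top = Get-Process | Sort-Object -Property CPU -Descending | Select-Object -First 1
$report.TopCpuProcess = '{0} (PID {1}, {2:N1} CPU-seconds, {3})' -f $top.ProcessName, $top.Id, $top.CPU, $top.Path

# 3. System Protection (System Restore). RPSessionInterval = 1 means enabled; DisableSR = 1 means
#    it is blocked by policy. The lab records this because the removal order disables it before
#    remediation and re-enables it only after cleanup.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$sr = Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue
$report.SystemProtectionEnabled = if ($null -eq $sr -or $null -eq $sr.RPSessionInterval) { 'unknown' }
                                  elseif ($sr.DisableSR -eq 1) { $false }
                                  else { $sr.RPSessionInterval -eq 1 }

# 4. Advanced Startup is reached from Settings > Recovery > Advanced startup (or shutdown /r /o).
#    It is not queried here because reaching it requires a restart; record the path by hand.
$report.AdvancedStartupPath = 'Settings > Recovery > Advanced startup (or: shutdown /r /o /t 0)'

# 5. Write the record so it can be diffed after each scenario step you simulate.
$out = Join-Path $env:TEMP ('sec6-snapshot-{0:yyyyMMdd-HHmmss}.json' -f (Get-Date))
[pscustomobject]$report | ConvertTo-Json -Depth 3 | Set-Content -Path $out
[pscustomobject]$report | Format-List
"Saved to $out"
```

Run it once before the Process Drill and again after each scenario you walk through, then compare the JSON files to confirm the expected state change (for example, System Protection off during remediation and back on after cleanup).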