# SEC-6: Malware Removal Process

Status: not started

Domain:
- 2.0 Security

Objective alignment:
- 2.6 Malware removal process

## What You Need To Know

The exam expects the malware removal process in order. Do not just know the steps individually; know what comes next.

Important ideas:
- Full wipe/reimage from known-good media is the cleanest answer for severe malware.
- Remediation is sometimes done to recover data or restore enough function to continue business.

## Memory Trick

Use **I-Q-D-R-U-S-R-S-E-E**:

1. **I**nvestigate and verify symptoms
2. **Q**uarantine infected systems
3. **D**isable System Restore/System Protection
4. **R**emediate infected systems
5. **U**pdate anti-virus/anti-malware
6. **S**can and remove
7. **R**eimage/reinstall if needed
8. **S**chedule scans and run updates
9. **E**nable System Protection and create a restore point
10. **E**ducate the end user

Short phrase:
- **Investigate, Quarantine, Disable, Remediate, Update, Scan, Reimage, Schedule, Enable, Educate.**

## Step 1: Investigate and Verify Symptoms

Look for:
- Odd error messages
- Fake security alerts
- Application failures
- Slow boot
- Slow applications
- Browser redirects
- Files encrypted/renamed/missing
- Unknown processes

Goal:
- Confirm there is a real problem before changing anything.

## Step 2: Quarantine Infected Systems

Actions:
- Disconnect from the network.
- Disable Wi-Fi/Bluetooth if needed.
- Isolate removable media.
- Prevent file transfer from the infected system.

Goal:
- Stop the spread.

## Step 3: Disable System Restore/System Protection

Why:
- Malware can hide in restore points.
- Restoring later could bring the infection back.

Exam clue:
- Disable before remediation, re-enable after cleanup.

## Step 4: Remediate Infected Systems

Actions:
- Remove/quarantine malicious files.
- Remove malicious startup entries.
- Remove suspicious apps/extensions.
- Repair changed settings.

Goal:
- Remove the infection or reduce damage.
## Step 5: Update Anti-Virus/Anti-Malware

Actions:
- Update signatures/definitions.
- Update the scanning engine.
- If malware blocks updates, use a trusted clean system or offline media.

Goal:
- Make sure tools recognize current threats.

## Step 6: Scan and Remove

Techniques:
- Normal scan
- Safe Mode scan
- Offline/preinstallation environment scan
- Bootable rescue media

Goal:
- Detect and remove malware using updated tools.

## Step 7: Reimage/Reinstall If Needed

When:
- Rootkit/persistent infection.
- Cleanup fails.
- System integrity is not trusted.
- Time-sensitive business recovery needs a known-good image.

Goal:
- Return to a clean, known-good state.

## Step 8: Schedule Scans and Run Updates

Actions:
- Enable scheduled scans.
- Enable automatic definition updates.
- Run OS updates.
- Run application updates.

Goal:
- Reduce reinfection risk.

## Step 9: Enable System Protection

Actions:
- Re-enable System Protection/System Restore.
- Create a clean restore point.

Goal:
- Restore recovery capability after the system is clean.

## Step 10: Educate The End User

Topics:
- Avoid suspicious links.
- Avoid unknown downloads.
- Report symptoms early.
- Validate pop-ups and security alerts.
- Use approved software sources.

Goal:
- Reduce repeat infection.

## Commands To Enter

Windows inspection commands:

```powershell
windowsdefender:
```

What it does:
- Opens Windows Security.
- Works as typed in the Run dialog (Win+R); from a PowerShell prompt use `Start-Process windowsdefender:`.

```powershell
taskmgr
```

What it does:
- Opens Task Manager for process/resource review.

```powershell
resmon
```

What it does:
- Opens Resource Monitor for detailed activity.

```powershell
rstrui.exe
```

What it does:
- Opens System Restore.
- For this lab, view only. Do not restore.

```powershell
SystemPropertiesProtection
```

What it does:
- Opens System Protection settings.
- For this lab, view only. Do not disable protection unless working a real guided incident.

```powershell
shutdown /r /o /t 0
```

What it does:
- Restarts into Advanced Startup options.
- This is how you can reach recovery tools.
- Do not run unless you are ready to reboot.

Linux/macOS comparison:

```bash
top
ps aux
```

What it does:
- Shows running processes and resource usage.

## Mini Lab

Goal:
- Practice the process order and safe inspection.

Windows:

1. Open Windows Security with `windowsdefender:`.
2. Open Task Manager with `taskmgr`.
3. Open Resource Monitor with `resmon`.
4. Open System Protection with `SystemPropertiesProtection`.
5. Do not disable System Protection during practice.
6. Record:
   - Defender status:
   - Highest CPU process:
   - System Protection state:
   - Where Advanced Startup is located:

Tabletop:

For each scenario, write the next step:

1. User reports fake antivirus pop-ups and slow performance.
2. You confirm malware symptoms.
3. The system is disconnected from the network.
4. System Restore is disabled.
5. Malicious files are removed.
6. Anti-malware signatures are updated.
7. Scan fails to remove a suspected rootkit.
8. Clean image is restored.
9. Updates and scheduled scans are configured.
10. Clean restore point is created.

## Quick Check Before Quiz

You are ready for the SEC-6 quiz when you can answer these without looking:

- What is step 1?
- What comes after verifying symptoms?
- When do you disable System Restore?
- When do you re-enable System Protection?
- Why educate the user?
- When should you reimage/reinstall?
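## Added Example: Read-Only Lab Record Script

The Mini Lab asks you to record Defender status, the highest CPU process and the System Protection state, and Step 8 asks you to confirm scheduled scans and definition updates. The script below is an added example, not part of the original SEC-6 notes; it collects those items read-only so nothing on the lab machine changes. It assumes Windows 10/11 with Microsoft Defender, an elevated Windows PowerShell 5.1 session (`Get-ComputerRestorePoint` is not available in PowerShell 7), and that the built-in `Get-MpComputerStatus`, `Get-MpPreference` and `Win32_StartupCommand` are present; the function name `Get-Sec6LabRecord` is made up for this example.

```powershell
# Added example for the SEC-6 Mini Lab (not from the original notes).
# Read-only: it inspects, it does not scan, restore, disable or remove anything.
# Assumes elevated Windows PowerShell 5.1 on Windows 10/11 with Microsoft Defender.

function Get-Sec6LabRecord {
    # Step 1 / lab item "Defender status"
    $mp = Get-MpComputerStatus
    $defender = [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = $mp.AntivirusSignatureAge   # high value = Step 5 not done
        LastQuickScanEnd   = $mp.QuickScanEndTime
    }

    # Lab item "Highest CPU process"; CPU is total processor seconds consumed
    $topCpu = Get-Process |
        Sort-Object CPU -Descending |
        Select-Object -First 5 Name, Id, CPU, Path

    # Step 4 review: startup entries, a common persistence location to inspect
    $startup = Get-CimInstance Win32_StartupCommand |
        Select-Object Name, Command, Location, User

    # Step 3 / Step 9 / lab item "System Protection state": existing restore points.
    # An empty list with no error usually means protection is off or no point exists yet.
    $restorePoints = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, CreationTime, Description

    # Step 8 check: scheduled scan and definition update settings.
    # ScanScheduleDay 0 = every day; SignatureUpdateInterval is in hours (0 = default).
    $schedule = Get-MpPreference |
        Select-Object ScanScheduleDay, ScanScheduleTime,
                      SignatureUpdateInterval, DisableRealtimeMonitoring

    [pscustomobject]@{
        Defender         = $defender
        TopCpuProcesses  = $topCpu
        StartupEntries   = $startup
        RestorePoints    = $restorePoints
        Schedule         = $schedule
        # Lab item "Where Advanced Startup is located": documented, not executed,
        # because 'shutdown /r /o /t 0' reboots immediately.
        AdvancedStartup  = 'Settings > System > Recovery > Advanced startup, or shutdown /r /o /t 0'
    }
}

# Usage: capture once, then inspect each section.
$record = Get-Sec6LabRecord
$record.Defender
$record.TopCpuProcesses | Format-Table -AutoSize
$record.RestorePoints   | Format-Table -AutoSize
$record.Schedule
```

Fill the lab "Record" list from `$record`: `RealTimeProtection` and `SignatureAgeDays` give the Defender status, the first row of `TopCpuProcesses` is the highest CPU process, and an empty `RestorePoints` list is your cue to open `SystemPropertiesProtection` and confirm whether protection is on before deciding what Step 9 needs.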