How to detect malware infection in 9 easy steps
Hey Windows users: Here's how to get the incredible power of 67 antivirus engines with no performance impact on your computer
Hardly a week goes by when I’m not cleaning up someone’s computer and detecting and eradicating malware. It’s not uncommon for me to find dozens of infections, each doing its best to pester the user into installing multiple bogus antivirus programs or, worse, getting ready to lock up data in a ransomware attack.
All these users justifiably complain that their antivirus (AV) program is inaccurate and misses obvious malware that pops up in front of their eyes. It’s especially annoying when this software clobbers performance in exchange for "protecting" the user.
(Note that while "antivirus" isn't exactly a misnomer, it's also not the most precise term for this type of software since computer viruses make up a very small percentage of detections these days. "Antimalware" is more accurate and is my preferred term, but since the world knows it as "antivirus", that's the term I'll be using here.)
All antivirus software misses a significant percentage of malware. This is because professional malware writers design their malware and botnet ecosystems to self-update whenever they start getting detected. While antivirus engines eventually sniff out millions of malware variants, they're always one generation behind, failing to spot the stuff that has been self-modified to avoid discovery.
Overall accuracy rates go up and down all the time, though some products score better than others ... for some period of time. But again, no AV product is 100 percent accurate. No product is going to be super-accurate over the course of an entire year.
Maximum malware detection for all
Here's what you should do: Install an antivirus product that does a decent job, has a long history of stability and decent success, and doesn’t slow down your system (unless you don't mind a little sluggishness). Then use Windows Sysinternals Process Explorer or Autoruns to test currently running executables against VirusTotal’s 67 antivirus engines, which offers the best accuracy you can ever get (with a small percentage of false positives).
Step by step, do this now for all Windows computers:
- Make sure your computer has an active connection to the internet.
- Go to Sysinternals.com. It’s a Microsoft site.
- Download Process Explorer and Autoruns. Both are free, as is everything on the site.
- Unzip these programs. If using Process Explorer, use procexp.exe. If using Autoruns, use autoruns.exe (autorunsc.exe is the command-line version).
- Right-click and run the program executable as Administrator, so it’s running in the Administrator’s security context.
- Run Process Explorer first (I'll explain Autoruns later). Select the Options menu at the top of the screen.
- Choose VirusTotal.com and then Check VirusTotal.com.
- This will submit the hashes of all running executables to the VirusTotal website, which is run and maintained by Google. You’ll get a message to accept the license; answer Yes. You can close the VirusTotal website that comes up and go back to Process Explorer.
- In Process Explorer, you'll see a column labeled Virus Total. It will either say Hash Submitted (during the first few seconds) or give you a ratio, something like 0/67, 1/67, 14/66, and so on.
Example of Process Explorer and VirusTotal Ratios
As you've probably guessed, the displayed VirusTotal ratio indicates how many antivirus engines at VirusTotal reported the submitted executable (hash) as malicious. Currently, the list of antivirus engines is 67, but it goes up and down all the time. I’m not sure why some executables are inspected by all of the antivirus engines and not others, but regardless of the denominator (lower number), if the numerator (above the line) is greater than zero you could have malware.
If it says 1/57 or 2/57, however, it probably isn’t malware, but a false positive instead. On the other hand, I've seen at least one real malware program that was detected by only one of the engines, so double-check to see if the name and vendor who created the program look familiar. If not, it could be malicious. But in general, if the numerator is 1, I usually relax. If it’s 2, I investigate a little bit more. But even most of the 2s end up being false-positives. The next screenshot shows examples of two false-positives, both related to the legitimate vendor, Winzip Computing.
Example of VirusTotal False-Positives
If you are not sure, simply click on the reported ratio, and it will take you to the VirusTotal page showing which AV engines did and didn’t report it as malware. VirusTotal also displays two symbols at the top of the page, one a red devil and the other a green smiley face wearing a halo. If the arrow is pointing to the green smiley face, which it usually is in these instances, that means VirusTotal’s experience leads them to classify the file as non-malicious. In the example screenshot below, even though the one “rogue” AV program (in this case, eGambit) itself claims to have 99 percent confidence that the file is malicious, none of the other 65 AV programs agree, and VirusTotal itself (as evidenced by the selected green smiley face) doesn’t agree.
Example Screenshot of VirusTotal Detailed Results
So why would I recommend a program that often has false-positives? First, it’s an inherent problem with VirusTotal and not Process Explorer. Usually the false-positives are cleared up in hours as the AV vendor does its research and clean-up. And if you can overlook the possible minor false-positives that are easy to rule out, there is no single antivirus engine that is anywhere near as accurate as VirusTotal. It may make some minor mistakes erring on the side of caution, but it more than makes up for it in detecting the stuff that many other AV products miss. It uses the power of 67 different AV engines against malware writers. Your antivirus product may miss something, but VirusTotal doesn’t.
Most malware programs are caught at a ratio with a numerator of 3 or higher (ex. 13/67). In fact, I’ve never had a false-positive when the numerator is 3 or higher. When I see anything at that numerator or higher, I right-click it in Process Explorer, note the file location path, and kill the process if I don’t absolutely recognize and trust the program file.
Then I manually delete the files associated with the executable — but proceed at your own risk! Be forewarned: There is always a chance you might accidentally delete something you need for some application or driver to run. If you’re worried, rename the file instead. That’s enough to stop the malware program from re-launching using that same file. I will usually rename it to something with a file extension ending in “thisismalware” so that I’ll remember what I did if I see it again. Usually if I’m not sure if the file I want to delete is malicious, I’ll rename the file, wait a week and then delete the file when I’m more sure that I didn’t impact anything legitimate.
Occasionally, malware will “fight” with you and not let you kill the process. If so, repeat the process above, but go with Autoruns instead. Use Autoruns to unselect the program so that it won't load at startup. Reboot and run Process Explorer again. Usually, the malware program will not be running and you can delete it. If using Autoruns doesn’t work and the file is still fighting you, you’ll have to boot into Safe Mode, find the executable and then delete or rename it. I haven’t run into an executable in years that fought me beyond this step, but it’s possible. If this happens, use VirusTotal to identify what antivirus products detect the target file as malicious, download one of them, and then run it on your computer to get rid of the file. Heck, you might want this to be your first eradication step if you aren’t comfortable with manually killing and deleting files.
Put a shortcut to Process Explorer on your desktop. Always “Run as Administrator.” I usually right-click the executable (not the desktop shortcut), choose Properties, then the Compatibility tab, select Change Settings for All Users, and then choose Run this program as an administrator. Make sure to run the 64-bit version if you run a 64-bit version of Windows. That is very common these days. I recommend that everyone download and run Process Explorer or Autoruns at least once a week. If that's too much, at least be sure to run it if your computer exhibits suspicious behavior.
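The numerator thresholds described above (0, 1, 2, and 3 or higher) can be applied to a saved result list so the weekly check always sorts the worst entries first. This is an added example, not part of the original article or of the Sysinternals tools; the CSV column names and every sample row are constructed assumptions, so adjust them to whatever export you actually have.

```python
import csv
import io
import re

# Constructed sample, not real scan output. Column names are an assumed layout.
SAMPLE_CSV = r"""Entry,Company,Image Path,VT detection
OneDrive,Microsoft Corporation,C:\Users\al\AppData\Local\Microsoft\OneDrive\OneDrive.exe,0/67
WinZip Updater,WinZip Computing,C:\Program Files\WinZip\wzupdate.exe,1/57
PDF Helper,,C:\Users\al\AppData\Roaming\pdfhelper.exe,2/66
svch0st,,C:\Users\al\AppData\Local\Temp\svch0st.exe,13/67
NewTool,Example Corp,C:\Tools\newtool.exe,Hash Submitted
Legacy,Example Corp,C:\Tools\legacy.exe,
"""

RATIO = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*$")
ORDER = ["treat-as-malware", "investigate", "likely-false-positive",
         "no-result", "clean"]

def classify(vt_field):
    """Map a VirusTotal ratio string to the article's triage buckets."""
    m = RATIO.match(vt_field or "")
    if not m:
        return "no-result"              # "Hash Submitted", blank, or unknown
    hits, engines = int(m.group(1)), int(m.group(2))
    if engines == 0 or hits > engines:
        return "no-result"              # malformed ratio: do not trust it
    if hits == 0:
        return "clean"
    if hits == 1:
        return "likely-false-positive"  # still check the name and vendor
    if hits == 2:
        return "investigate"
    return "treat-as-malware"           # numerator of 3 or higher

def triage(csv_text):
    """Return (bucket, entry, company, path) tuples, worst bucket first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        company = (rec.get("Company") or "").strip()
        bucket = classify(rec.get("VT detection"))
        # A single hit on a file with no vendor name is not "familiar":
        # move it up one bucket instead of relaxing.
        if bucket == "likely-false-positive" and not company:
            bucket = "investigate"
        rows.append((bucket, rec["Entry"], company, rec["Image Path"]))
    return sorted(rows, key=lambda r: ORDER.index(r[0]))

if __name__ == "__main__":
    for bucket, entry, company, path in triage(SAMPLE_CSV):
        print(f"{bucket:22} {entry:15} {company or '(no vendor)':22} {path}")
```

Entries in the no-result bucket have not been judged at all (the hash was still pending or the field was empty), so rerun the check for them instead of reading them as clean.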
Caveat emptor: No malware detection works every time
To be clear, even this detection method is not perfect. Certain malware can escape this sort of detection, although for now, it's rare. Of course, in the future, malware writers could go out of their way to escape the clutches of Process Explorer or Autoruns. That’s not true yet, so the above method is one of the best protection methods you can use.
The best long-term advice to avoid infection in the first place will sound familiar if you read my blog regularly: Keep your software fully patched — especially browser and browser add-in software. Most of all, don’t be fooled into installing something you shouldn’t. Finally, don’t share passwords between different sites — or use two-factor authentication — and you’ll become a top security defender. Those three pieces of advice trump any antimalware advice that you'll ever get.
If your computer is connected to the internet, no defense is perfect, and you owe it to yourself to apply the best detection regimen available. Feel free to pass my detection recipe along to every friend and co-worker. It’s hard to beat 67 antivirus programs for accuracy.