Soussan DAS Computer Consultants


Recovering a system infected with malware, spyware, viruses, scareware, and other issues

Which is better and more cost effective for the client: cleaning up a virus / malware infection, or wiping the system and rebuilding it from scratch? If you follow any of the current computer industry news, you've no doubt read about all kinds of nasty software (viruses, Trojans, keyloggers, scareware, PUPs, …) which I'll collectively refer to as "Malware", for Malicious Software. When faced with an infection, people often resort to online cleaning services, their malware protection vendor of choice, a local computer guru, their computer store of choice, … and say 'Fix my PC!' Malware has become so pervasive, alters so many parts of the system, and hides itself in so many places that it is often more cost effective to completely wipe the system and reinstall everything from scratch. Sure, you can run automated programs that try to get rid of all of it. However ...

When cleaning, the biggest problem is never being able to guarantee 100% that there aren't remnants of the malware still present and waiting to re-infect the system. It doesn't matter how good or how up to date your Anti Virus / Anti Spyware / Anti Malware program is, or how fresh the definitions are -- it is obsolete. I've said that before, but now I'm going to PROVE it!


Proof that Antivirus isn't enough defense against malware

Really! Follow this logic for a minute.

To help prove the point, I'm going to create a fictitious anti-malware product, and we're going to say that whatever you use is that good. Soussan's AntiMal 3000 (SAM3K) is its name, and it has sensors planted all over the internet such that no malware in any form can exist for more than 2 minutes without my new product detecting it, categorizing it, and creating signatures for it. These new signatures are distributed to every system that runs SAM3K every hour, so your definitions are never more than an hour old, and on average 30 minutes old.


Malware signatures follow the "Faberge Organics Shampoo" distribution model -- your system gets an update and tells two nearby systems about it, and they each tell two systems, and so on and so on. This spreads the update load and prevents the Soussan Antimalware Servers from bogging down while updating all those nicely protected clients and servers all over the world. These updates are signed and encrypted with such a world class scheme that no malware can possibly forge or tamper with them.

Pretty cool product, isn't it!
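The "tell two nearby systems" model only works if a relay cannot alter what it passes on, and encryption by itself does not give you that: a peer that can decrypt an update can just as well re-encrypt a modified one. What protects a fan-out distribution is a vendor signature that every client checks against a public key it already holds, plus a version check so an old bundle cannot be replayed or relabelled. The Go program below is an added example written for this page, not code from SAM3K or any real product; the key pair, version numbers and definition bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is one definition bundle as it travels from peer to peer. The vendor
// signs version||payload once; relays only forward bytes and cannot re-sign.
type Update struct {
	Version uint64 // release counter, strictly increasing
	Payload []byte // the definitions themselves (constructed sample bytes here)
	Sig     []byte // ed25519 signature over signedBytes(Version, Payload)
}

// signedBytes binds the version into what is signed, so an old bundle cannot be
// relabelled as a newer one without breaking the signature.
func signedBytes(version uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, payload...)
}

// Vendor holds the private key, which exists only on the definition server.
type Vendor struct{ priv ed25519.PrivateKey }

func NewVendor() (*Vendor, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Vendor{priv: priv}, pub, nil
}

// Release signs a new definition bundle.
func (v *Vendor) Release(version uint64, payload []byte) Update {
	return Update{Version: version, Payload: payload, Sig: ed25519.Sign(v.priv, signedBytes(version, payload))}
}

// RogueRelease is the best a compromised relay can do: sign with a key of its
// own. No client holds that key, so the result must fail verification.
func RogueRelease(version uint64, payload []byte) (Update, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Update{}, err
	}
	return Update{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(version, payload))}, nil
}

// Client is any protected machine. It ships with the vendor's public key and
// remembers the newest version it has installed.
type Client struct {
	vendorPub ed25519.PublicKey
	installed uint64
	defs      []byte
}

func NewClient(vendorPub ed25519.PublicKey) *Client { return &Client{vendorPub: vendorPub} }

var (
	ErrBadSignature = errors.New("rejected: signature does not verify under the vendor key")
	ErrNotNewer     = errors.New("rejected: version is not newer than the installed one")
)

// Accept is the only path by which definitions get installed, whoever delivered them.
func (c *Client) Accept(u Update) error {
	if !ed25519.Verify(c.vendorPub, signedBytes(u.Version, u.Payload), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= c.installed { // also blocks replay of a bundle already applied
		return ErrNotNewer
	}
	c.installed = u.Version
	c.defs = append([]byte(nil), u.Payload...)
	return nil
}

// Installed reports the definition version currently in use.
func (c *Client) Installed() uint64 { return c.installed }

// Forward is the "tell two nearby systems" step: a relay passes on a copy.
func Forward(u Update) Update {
	return Update{Version: u.Version, Payload: append([]byte(nil), u.Payload...), Sig: append([]byte(nil), u.Sig...)}
}

func main() {
	vendor, pub, _ := NewVendor()
	me := NewClient(pub)
	v1 := vendor.Release(1, []byte("defs-2009-03-12"))
	fmt.Println("relayed v1:", me.Accept(Forward(v1)))
	bad := Forward(v1)
	bad.Payload = []byte("defs minus the entry for my dropper") // a relay running malware edits its copy
	fmt.Println("tampered copy:", me.Accept(bad))
	fmt.Println("replayed v1:", me.Accept(Forward(v1)))
}
```

The design point is that trust never rests on the relay: a client verifies every bundle the same way whether it came straight from the vendor or from its neighbour, and an attacker who controls a relay can at most withhold updates, not change them.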

As good as this is, in the average 30-minute-old scenario there are about 120 newly created programs that can infect your system and not be detected by SAM3K. In fact, since you started reading this article, 4 new malicious programs have appeared on the net and are infecting computers.

Read that again and think about it for a minute: 4 new malicious programs every minute. At the end I'll go through the math to substantiate that number.

How about some good news?

Yes, it is bad. But the good news is that much of today's malware, once installed, attempts to install other bits of malware as well. So while the initial "grappling hook" that got into your PC might not be detected, chances are that some of the buddies it downloads and installs will be. If you are sitting there doing nothing special and getting alerts from your anti-malware software saying it blocked an infection, chances are pretty good you are already infected with something your anti-malware can't see, and you are watching it catch the other bits of malware that are in its database.

I'm infected - now what?

I'm going to throw a thought out there which I expect will stir up some controversy: it is no longer cost effective to attempt to clean malware off a system. The best path for an infected system that you need to use reliably is to take your data off, wipe the hard drive completely clean, reinstall the operating system and all your programs from known good media, and then put your data back on.

Take your typical ½ terabyte drive. Fill it to 1/3, so 500/3 = 166 GB of data. On a Core2 Duo I've watched scanners take more than an hour to check every file. Let's say the scan found some malware and cleaned it. What are the chances, given the 4 new bits of malware created every minute, that some other malware is still on the system? And even if it was completely and truly cleaned, what about any latent damage that wasn't repaired when the malware was removed? Your end result might very well be a system that is clean but exhibits other issues that you'll never be able to explain or fix. Or worse, you think it is clean but a keystroke logger lurking in the shadows is running and sending your bank login to a bad person.

Remember, no matter how good a cleaning product you have, there is lots of malware that it won't detect, and more of it every minute. Even if you clean your system with multiple cleaning products and they all say your system is fine, are you willing to trust logging into your bank account, PayPal account, or credit card company's on-line account, and feel safe that you haven't just handed your account information over to someone in China, Romania, or some other country?

So after the hour of automated scanning and cleaning, you still can't totally trust your system.

If you think I'm exaggerating, read this article where I walk you through cleaning a system that came into my lab. And while I'm not a full time malware cleaning person, I'll put my capabilities well above average in this area, and the only times I actually try to clean systems anymore are when it is a personal challenge. Even then, cleaning is still often the long way to a usable system.

So what is your best defense?

Teach your users -- family, friends, employees -- how to be safe online: how to tell a fake message from a real one; how to ignore greeting cards, notices from your bank saying you need to log in and change your password, and pop-ups from fake applications saying you are infected and they'll clean you for free; and stay off the porn sites!

What is your best, most cost effective recovery strategy?

Start with a known good system set up the way you like it, then get yourself a good image based backup. External terabyte sized USB drives are $100; store your image and another copy of some important files there. Got malware? Sigh - copy your data off, restore the image, and put your data back on.

That, or be prepared to reinstall everything. An operating system can be a 1/2 hour job if it is a single CD image from the manufacturer, or a multiple-hour thing -- I'm holding a 10 CD restore set of discs for an HP Pavilion a32n that took 2.5 hours to feed in all the disks.

Then you've got all the security packs, patches, and other system updates. Another half hour or more depending on your internet speed.

Then all the driver updates for hardware installed since then.

Then all your application software. Do you even have it all? Do you know where it is? Do you have any install codes you might need? Are you going to have to call the manufacturer to get your license / install count reset on any of these?

Then you have to reconfigure your system -- how do you connect to email? If it's through a mail server and you use Outlook, do you know your settings? Your password? Which server to connect to? What your user name is?

Do you have a Palm, or some other PDA that syncs with your contact information? You'll have to set that up for synchronization as well.

Which is easier -- doing all that, or restoring from an image?

Even with the image based backup you'll have to both save off and then restore your data. Plus, any security updates, patches, drivers, etc. that were applied since the image was taken will need to be downloaded and re-applied. But I'll bet that is a whole lot easier and more straightforward than all the steps listed for when you don't have an image backup.
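One check worth adding to the image strategy, as an added example that is not part of the original article: the external drive holding your image has usually been plugged into the very machine that later got infected, so before you restore, confirm the image is still the one you took. The Go program below hashes every file in an image directory into a manifest at image-creation time, verifies the directory against that manifest later, and stamps the manifest with the creation time so you know which patches and drivers postdate it. The directory, file names and contents are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"time"
)

// Manifest describes one known-good image: when it was taken and the SHA-256 of
// every file in it. CreatedAt tells you which patches and drivers postdate it.
type Manifest struct {
	CreatedAt time.Time         `json:"created_at"`
	Files     map[string]string `json:"files"` // slash-separated relative path -> hex SHA-256
}

// BuildManifest hashes every regular file below root. Run it when the image is
// made, on the clean machine, before the drive ever meets an infected one.
// (os.ReadFile keeps the example short; stream large image files instead.)
func BuildManifest(root string) (*Manifest, error) {
	m := &Manifest{CreatedAt: time.Now().UTC(), Files: map[string]string{}}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m.Files[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	if err != nil {
		return nil, err
	}
	return m, nil
}

// Verify re-hashes root and reports files that differ from the manifest, files
// the manifest lists that are gone, and files the manifest never had. All three
// empty means the image is as taken.
func Verify(root string, m *Manifest) (changed, missing, added []string, err error) {
	now, err := BuildManifest(root)
	if err != nil {
		return nil, nil, nil, err
	}
	for path, want := range m.Files {
		if got, ok := now.Files[path]; !ok {
			missing = append(missing, path)
		} else if got != want {
			changed = append(changed, path)
		}
	}
	for path := range now.Files {
		if _, ok := m.Files[path]; !ok {
			added = append(added, path)
		}
	}
	return changed, missing, added, nil
}

// Digest is the SHA-256 of the serialized manifest. Record it somewhere the
// machine cannot reach: a manifest kept on the same USB drive can be rewritten
// along with the image, and would then happily "verify" the tampered copy.
func Digest(m *Manifest) (string, error) {
	b, err := json.Marshal(m) // map keys are emitted in sorted order, so this is stable
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	root, _ := os.MkdirTemp("", "image") // constructed stand-in for an image directory
	defer os.RemoveAll(root)
	_ = os.WriteFile(filepath.Join(root, "system.dat"), []byte("known good"), 0o644)
	m, _ := BuildManifest(root)
	d, _ := Digest(m)
	fmt.Println("manifest digest, record this offline:", d)
	_ = os.WriteFile(filepath.Join(root, "system.dat"), []byte("altered"), 0o644) // tampering
	changed, missing, added, _ := Verify(root, m)
	fmt.Println("changed:", changed, "missing:", missing, "added:", added)
}
```

Run BuildManifest and Digest once, on the clean machine, and write the digest down on paper or anywhere the PC cannot touch. At restore time, re-run Digest on the manifest and compare before trusting Verify; anything in changed, missing or added means the "known good" image is no longer known good.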



If you found this helpful (or not), please send me a brief email -- one line will more than do. If I see people need, want, and / or use this kind of information that will encourage me to keep creating this kind of content. Whereas if I never hear from anyone, then why bother?

I can be reached at:
das (at-sign) dascomputerconsultants (dot) com


David Soussan

(C) 2009 DAS Computer Consultants, LTD.  All Rights Reserved.


Reference information for the proof of the theory ...

01/02/2009 EMSI Software's AV signature count: 2,522,473; Kaspersky: 1,537,714
03/12/2009 EMSI Software's AV signature count: 2,955,818; Kaspersky: 1,880,889
EMSI signature count delta: 433,345; Kaspersky: 343,175; average pattern count growth over that period: 388,260
Time between samples: 69 days (January 2 to March 12, 2009)

388,260 malware signatures / 69 days = 5,627 new malware signatures per day
5,627 / 24 hours = 234 new malware signatures per hour
234 / 60 minutes = 3.9, rounded up to 4 new malware signatures PER MINUTE.

Signature counts are a proxy: one signature can match many files, and one malware family can earn several signatures, but they are the best public measure of how fast the vendors' databases are growing.

Raw data gathered from: PCSL Total Protection Testing 2009 NO.1 Summary Testing Report (January 8, 2009) and PCSL Total Protection Testing 2009 NO.3 Summary Testing Report (March 31, 2009).

