Malware removal - beyond content and context scanning

Tom Brosch, Maik Morgenstern (AV-Test.org)

Detecting threats is only one of the things anti-malware software needs to be capable of today. Removing malware, often several hundred linked registry keys and files, has now become an equally important task. And this is where the trouble begins, because content and context scanning is just not enough to cope with it.

In this paper we briefly discuss the problems of the usual approaches to removing malware, adware and spyware, and why and where the programs fail. They may miss files, registry keys and values, or delete, alter and reset settings made by the user to an unwanted default state. Or, even worse, they may ignore everything but the detected EXE file, simply because the vendor has not yet analysed the sample, so no dedicated removal routine is known, let alone a generic one. To support these points, extensive test results for different technologies will be presented, and nearly all of them face serious problems. We then look at other approaches that might help solve the problem. Supervising the system and prompting the user 100 times per hour is only one of the possible 'solutions'. A sandbox analysis of the malware might be another interesting approach, giving an idea of what the malware did and therefore what should be removed or restored. A comparison of the different techniques closes the paper.
