Antimalware Software
-
blackbird71 last edited by
There are a number of factors influencing what malware can and cannot do on a computer. In general and unless otherwise blocked, malware can insert its own payload files among the various legitimate files collected on drives or within folders - though which drives or folders are more easily accessible for infection is greatly affected by the access compartmenting that occurs when employing the OS's limited user accounts or group-policies for files and folders. In some cases, some legitimate files can even be replaced by similarly-named malicious file versions. However, malware is usually not able to directly and effectively alter the contents of existing complex files without causing corruption that renders the infected file unusable - thus the risk of infection in that manner is considered minimal.
If one is archiving files using an imaging program like TrueImage, Paragon, or similar to create an archive backup file of a drive or a folder of files, malware will only ever appear within that archive if it was already present on the system at the time the archive was created. The malware can't normally infect such an existing archive after it's created. But it can independently infect the drive on which the archive is stored, as noted below. If one is archiving files by directly copying them to a backup drive or flash-stick, then again, the backups should be clean of malware if the original source folders were clean - except in that case where malware independently infects the drive on which the archive is stored.
When one is archiving files to another drive, either via an image file or directly copying the data files over, existing malware on a system can, in principle, infect that other drive the moment it's connected to the computer. In this regard, a lot depends on how the specific malware is designed; not all malware has the capability, but some does. The deeper the malware hooks into the kernel code of the operating system, the more readily it can replicate itself onto other drives or flash-sticks. If one is storing backups (or even an image file) to another drive, some malware has the capability of infecting that drive directly before the archive file(s) are ever copied onto it. If a persisting stub file from the malware is then somehow able to point back to that instance of itself on the backup drive, it can re-infect the main system as soon as that backup drive is accessed. In the case of malware that infects a disk's MBR, unless that infected drive is deep-reformatted, that malware will survive a mere light-formatting process and potentially call out to its stored instance on the backup drive to reinfect the supposedly-cleaned system all over again as soon as that drive is connected.
However, the most common cause of reinfection for most malware victims is that they discover malware on their system, go to great lengths to clean it all up, then later have other problems requiring a system restore or restoration from a backup set, whereupon the earlier-removed malware suddenly reappears from within the file collection of the archive. This is one of the major reasons it's important to try to figure out how and when any infection has occurred, and to delete any archives or system restore points that occurred between the infection time-point and the point of cleanup. Otherwise, reinfection from the backup set(s) will occur. Obviously, the more backups routinely made and the more careful the system observations by the user, the more quickly he will recognize an infection and be able to minimize the look-back period that has to be discarded before restoring.
Most antimalware allows 'whitelisting' of both files and folders, which skips them when scanning. Ordinarily, it's wise to avoid whitelisting a folder unless you really, really have to, since it gives a sanctuary for malware to hide. In cases where a folder has to be whitelisted, one should use access controls to govern very tightly which user accounts can alter the folder's contents.
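One practical way to act on the advice above about backup archives and reinfection, as an added example that is not part of the original post: record a hash manifest of each archive when it is created (kept separately from the backup drive), re-check it before restoring so that an archive nothing should have modified is noticed, and discard any backup created between the infection time-point and the cleanup point. The archive names, dates and byte contents below are constructed sample data.

```python
import hashlib
from datetime import datetime

# Constructed sample backup set: archive name -> (ISO creation time, archive bytes).
# In practice the bytes come from the image/archive files on the backup drive.
SAMPLE_BACKUPS = {
    "image-2023-03-01.tib": ("2023-03-01T00:00:00+00:00", b"clean-image-bytes"),
    "image-2023-03-15.tib": ("2023-03-15T00:00:00+00:00", b"image-made-while-infected"),
    "image-2023-04-02.tib": ("2023-04-02T00:00:00+00:00", b"image-after-cleanup"),
}

def sha256_of(data: bytes, chunk_size: int = 65536) -> str:
    """Hash archive content in chunks so a large image need not be hashed in one call."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), chunk_size):
        h.update(view[i:i + chunk_size])
    return h.hexdigest()

def build_manifest(backups):
    """Record each archive's hash and creation time at backup time.
    Store the manifest away from the backup drive (offline, printed, etc.)."""
    return {name: {"sha256": sha256_of(data), "created": created}
            for name, (created, data) in backups.items()}

def verify_manifest(manifest, backups):
    """Return archives whose current hash differs from the recorded one, i.e.
    archives that changed after creation even though nothing should write to them."""
    return sorted(name for name, (_, data) in backups.items()
                  if name not in manifest or manifest[name]["sha256"] != sha256_of(data))

def classify_backups(manifest, infection_iso, cleanup_iso):
    """Split backups into (safe, discard): anything created from the infection
    time-point up to the cleanup point is suspect and should not be restored."""
    infection = datetime.fromisoformat(infection_iso)
    cleanup = datetime.fromisoformat(cleanup_iso)
    safe, discard = [], []
    for name, entry in sorted(manifest.items()):
        created = datetime.fromisoformat(entry["created"])
        (discard if infection <= created <= cleanup else safe).append(name)
    return safe, discard

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUPS)
    print("changed archives:", verify_manifest(manifest, SAMPLE_BACKUPS))
    print("safe / discard:", classify_backups(manifest, "2023-03-10T00:00:00+00:00",
                                              "2023-03-20T00:00:00+00:00"))
```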
-
A Former User last edited by
I was talking about archived files, Professor - like zips, rars and such. Some such files the system or a program creates itself in its folder(s), some such files may be downloaded by the user, some such files can be created by the user from files already on the system.
The last case is in question - can some malware insert itself into such an existing file? Can it replace such a file seamlessly with a similarly looking one of the same format?
Can malware mess with archived files created by the system and/or other legitimate software on the system?
I'm ruling freshly downloaded such files out - assuming the regular antimalware program manages it prompted by the user.
-
blackbird71 last edited by
It's a bit tricky theorizing what malware can or can't do - as soon as one nails down a limitation, along comes a creative exploit that breaks through that limitation. Nevertheless, malware usually only starts by inserting its files directly into a system's file structures alongside what's already there, though sometimes with names that mimic legitimate file names. The worst problems arise when the malware executes and starts running. At that point, what malware can and cannot do depends on the depth of its infection. Rootkits that deeply hook the OS kernel code can mask all sorts of illicit activities they carry out; they can redirect user inquiries about files and names, hide entire folders, and do all sorts of other things. Conversely, 'mild' adware may only append a few bits of URL code to a browser shortcut command. Arrayed in between those extremes are all the various other kinds of malware.
A complex, sophisticated malware program could likely do many, if not all, the things you describe - think in terms of Stuxnet-grade malware. But generally speaking, most 'normal' malware doesn't mess with altering existing files on a system - or at least, generally doesn't succeed if it tries. While some malware can delete a non-'system' legitimate file and replace it with a same-named version supporting or containing parts of the malware, usually the route taken is to sprinkle reasonable-sounding or randomly-structured filenames in various places on a system and then call up those files as needed from a central, running malware process.
Put another way, worrying about malware altering contents of an existing file is essentially worrying about the 0.1% segment of all the malware that's out there. The one exception is where the malware might take control of an app like a browser and use it to write things of its choosing into the browser files, but those are extremely specialized data files that usually affect nothing else.
-
A Former User last edited by
It's a bit tricky theorizing what malware can or can't do - as soon as one nails down a limitation, along comes a creative exploit that breaks through that limitation.
That's right, I had that in mind.
-
blackbird71 last edited by
It's a bit tricky theorizing what malware can or can't do - as soon as one nails down a limitation, along comes a creative exploit that breaks through that limitation.
That's right, I had that in mind.
This is why 'layered' security is so important - multiple security techniques like using a decent antivirus, keeping a system fully patched from a security standpoint, using limited user accounts (to limit the penetration depth of malware), a good firewall that applies outgoing filtering, and consistency in applying 'safe hex' (extreme care in what is downloaded, not clicking on pop-ups or opening eMailed links, care in what sites are visited, etc). The more layers present, the harder it is for new malware to find or exploit an opening.