How to detect malware infection in 9 easy steps


Hey Windows users: Here's how to get the incredible power of 57 antimalware engines with no performance impact on your computer

Hardly a week goes by when I’m not cleaning up someone’s computer and detecting and eradicating malware. It’s not uncommon for me to find dozens of infections, each doing its best to pester the user into installing multiple bogus antivirus programs -- or worse, getting ready to lock up data in a ransomware attack.

All these users justifiably complain that their antimalware program is inaccurate and misses obvious malware that pops up in front of their eyes. It’s especially annoying when antimalware software clobbers performance in exchange for "protecting" the user.

All antimalware software misses a significant percentage of malware. This is because professional malware writers design their malware and botnet ecosystems to self-update whenever they start getting detected. While antimalware engines eventually sniff out millions of malware variants, they're always one generation behind, failing to spot the stuff that has been self-modified to avoid discovery.

Overall accuracy rates go up and down all the time, though some products score better than others ... for some period of time. But again, no AV product is 100 percent accurate. No product is going to be superaccurate over the course of an entire year.

Maximum malware detection for all

Here's what you should do: Install an antimalware product that does a decent job, has a long history of stability and decent success, and doesn’t slow down your system (unless you don't mind a little sluggishness). Then use Windows Sysinternals Process Explorer or Autoruns to test currently running executables against VirusTotal’s 57 antivirus engines, which offer the best accuracy you can ever get (with a small percentage of false positives).

Step by step, do this now for all Windows computers:

  1. Make sure your computer has an active connection to the Internet.
  2. Go to Sysinternals.com. It’s a Microsoft site.
  3. Download Process Explorer and Autoruns. Both are free, as is everything on the site.
  4. Unzip these programs. If using Process Explorer, use procexp.exe. If using Autoruns, use autoruns.exe (autorunsc.exe is the command-line version).
  5. Right-click and run the program executable as Administrator, so it’s running in the Administrator’s security context.
  6. Run Process Explorer first (I'll explain Autoruns later). Select the Options menu at the top of the screen.
  7. Choose VirusTotal.com and Check VirusTotal.com.
  8. This will submit all running executables to the VirusTotal website, which is run and maintained by Google. You’ll get a message to accept the license; answer Yes. You can close the VirusTotal website that comes up and go back to Process Explorer.
  9. In Process Explorer, you'll see a column labeled VirusTotal. It will either say Hash Submitted (during the first few seconds) or give you a ratio, something like 0/57, 1/57, 14/54, and so on.

As you've guessed, the ratio indicates how many antivirus engines at VirusTotal flagged the submitted executable (hash) as malicious. Currently, the list of antivirus engines is 57, but it goes up and down all the time. I’m not sure why some executables are inspected by all of the antivirus engines and not others, but if the ratio is greater than 0/57, you could have malware.

If it says 1/57 or 2/57, however, it probably isn’t malware, but a false positive instead. On the other hand, I've seen at least one real malware program that was detected by only one of the engines, so double-check to see if the name and vendor who created the program looks familiar. If not, it could be malicious.

Most malware programs are caught at a ratio of 3/57 or higher. When I see anything at that ratio or higher, I right-click it in Process Explorer, note the file location path, and kill the process if I don’t absolutely recognize and trust the program file.

Then I manually delete the files associated with the executable -- but proceed at your own risk! Be forewarned: You might accidentally delete something you need for some application or driver to run.

Occasionally, malware will “fight” with you and not let you kill the process. If so, repeat the process above, but go with Autoruns instead. Use Autoruns to unselect the program so that it won't load at startup. Reboot and run Process Explorer again. Usually, the malware program will not be running and you can delete it.
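The ratio thresholds above (0 is clean, 1 or 2 is probably a false positive unless the vendor looks unfamiliar, 3 or more is almost always malware) are easy to apply by hand to a handful of processes, but the Autoruns step produces dozens or hundreds of entries. As an added example (not code from the article or from Sysinternals), here is a small Python script that applies those same thresholds to the CSV that autorunsc.exe writes when run with its VirusTotal query switches, and sorts the worst entries to the top so you know where to look first. The column names, the `autorunsc -a * -c -h -s -v -vt` invocation and the UTF-16 encoding are my assumptions about autorunsc's output; every row, path, signer and hash in the sample is constructed for illustration and is not a real indicator.

```python
import csv
import io
from dataclasses import dataclass

# The article's rule of thumb: this many VirusTotal hits or more is a real detection.
MALWARE_THRESHOLD = 3

# Constructed sample in the shape of autorunsc CSV output (assumed invocation:
# "autorunsc -a * -c -h -s -v -vt"). Column names follow autorunsc's CSV header as I
# know it (an assumption); every entry, path, signer and hash below is made up.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,VT detection,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,0/57,0000000000000000000000000000000000000000000000000000000000000001
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,UpdaterSvc,enabled,Logon,,(Not verified),,c:\users\alice\appdata\roaming\updatersvc\updater.exe,14/54,0000000000000000000000000000000000000000000000000000000000000002
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,AcmeSync,enabled,Logon,Acme Sync Agent,(Verified) Acme Software Inc,Acme Software Inc,c:\program files\acme\acmesync.exe,1/57,0000000000000000000000000000000000000000000000000000000000000003
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Helper,enabled,Logon,,(Not verified),,c:\users\alice\appdata\local\temp\helper.exe,2/57,0000000000000000000000000000000000000000000000000000000000000004
Task Scheduler,\NewTool,enabled,Tasks,,(Not verified),,c:\users\alice\downloads\newtool.exe,Unknown,0000000000000000000000000000000000000000000000000000000000000005
"""


@dataclass
class Finding:
    entry: str
    image_path: str
    detection: str   # raw "VT detection" text, e.g. "14/54"
    verdict: str     # malware | suspicious | verify | unknown | clean
    note: str        # what to do about it, per the article


def parse_ratio(text: str):
    """Turn '14/54' into (14, 54); return None for 'Unknown', blank or anything unparsable."""
    parts = text.strip().split("/")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1])


def classify(row: dict) -> Finding:
    """Apply the article's thresholds to one autostart entry."""
    ratio = parse_ratio(row.get("VT detection", ""))
    signer = row.get("Signer", "").strip()
    verified = signer.startswith("(Verified)")   # autorunsc -s marks verified signatures this way
    if ratio is None:
        verdict, note = "unknown", "no VirusTotal result for this hash; inspect it manually"
    elif ratio[0] == 0:
        verdict, note = "clean", "no engine flagged it"
    elif ratio[0] >= MALWARE_THRESHOLD:
        verdict, note = "malware", "note the path, kill the process, uncheck it in Autoruns, reboot"
    elif verified:
        verdict, note = "verify", "low hit count from a verified signer; confirm you recognize the publisher"
    else:
        verdict, note = "suspicious", "low hit count but unsigned or unverified; treat as malicious until proven otherwise"
    return Finding(row.get("Entry", ""), row.get("Image Path", ""),
                   row.get("VT detection", ""), verdict, note)


# Lower rank sorts first, so the entries that need action come to the top of the report.
SEVERITY = {"malware": 0, "suspicious": 1, "verify": 2, "unknown": 3, "clean": 4}


def triage(csv_text: str) -> list:
    """Parse autorunsc-style CSV text and return one Finding per entry, worst first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [classify(r) for r in rows]
    return sorted(findings, key=lambda f: SEVERITY[f.verdict])


def triage_file(path: str, encoding: str = "utf-16") -> list:
    """Triage a saved autorunsc capture. autorunsc's redirected output was UTF-16 text on
    the versions I have used (an assumption); override the encoding if your file differs."""
    with open(path, encoding=encoding) as fh:
        return triage(fh.read())


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f.verdict:10} {f.detection:>7}  {f.image_path}")
        print(f"{'':19} {f.note}")
```

Run it against a real capture with `triage_file(r"C:\path\to\autoruns.csv")` and read the report top down: anything marked malware or suspicious is what you would right-click in Process Explorer or uncheck in Autoruns, while verify entries only need a glance at the signer and company columns to confirm the program is one you installed.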

Put a shortcut to Process Explorer on your desktop. I recommend that everyone download and run Process Explorer or Autoruns at least once a week. If that's too much, at least be sure to run it if your computer exhibits suspicious behavior.

Caveat emptor: No malware detection works every time

To be clear, even this detection method is not perfect. Certain malware can escape this sort of detection, although for now, it's rare. Of course, in the future, malware writers could go out of their way to escape the clutches of Process Explorer or Autoruns. That’s not true yet, so the above method is one of the best protection methods you can use.

The best long-term advice to avoid infection in the first place will sound familiar if you read my blog regularly: Keep your software fully patched -- especially Java, which you should uninstall if not needed -- as well as any third-party browser products (I'm looking at you, Adobe). Most of all, don’t be fooled into installing something you shouldn’t. Finally, don’t share passwords between different sites -- or use two-factor authentication -- and you’ll become a top security defender. Those three pieces of advice trump any antimalware advice that you'll ever get. 

If your computer is connected to the Internet, no defense is perfect, and you owe it to yourself to apply the best detection regimen available. Feel free to pass my detection recipe along to every friend and co-worker. It’s hard to beat 57 antivirus programs for accuracy.
