My computer has a virus - what now?
By Pcunix
If you run a Windows operating system, you are almost always also running some sort of anti-virus and anti-malware software to protect your system.
What do you do when that protection fails? That is, something got past your defenses and your anti-virus software is unable to remove it?
What most people do is go looking for another anti-virus tool. If that doesn't work, they hire some professional to root out the problem manually.
If you are a roll-up-your-sleeves kind of person, you might even learn how to do that manual malware removal yourself.
All is then well and you can return to your happy computing.
Or can you?
"Microsoft Says Recovery from Malware Becoming Impossible". That article is six years old, so you might think that more recent anti-virus software has gotten better at removing threats. It certainly has, but the bad guys have improved their skills too.
It's a war
This is a war between very smart computer programmers, and the battleground is your computer. The bad guys try to infect your system; the good guys try to stop them. Your computer could be spending a good part of its day running their programs rather than yours.
As I was coming down the stair, I met a man who wasn't there.
He wasn't there again today. I wish that man would go away!
A virus can be the "man who wasn't there". That's what Microsoft's warning is about: an infection so well hidden that neither you nor any anti-virus tools you own have any knowledge of it. The software that does the hiding is called a "rootkit".
That name comes from the Unix world, where "root" is the user who has total control of the system: a rootkit was originally the kit of tools an intruder installed after gaining root, to keep that access and hide it. By extension, a "rooted" system is one where some piece of cleverly hidden software has taken control.
A recent study had fairly good news for those who have upgraded their operating system: out of 630,000 rootkits studied, only 12% came from Windows 7 machines. Windows 7 is much harder to attack than its predecessors, but a share of samples is not an infection rate, and 12% of 630,000 is still some 75,000 rooted Windows 7 machines, so "harder" is a long way from "impossible".
These rootkits are incredibly sneaky. They intercept the operating system calls that enumerate files and processes: ask for a directory listing and none of the files they installed appear; ask for a list of running processes and none of theirs show up. Every tool you run on that machine is asking the compromised system to report on itself.
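The classic counter to that trick is a cross-view comparison: take the listing the system hands you, take a second listing by a route the rootkit is less likely to have hooked, and report whatever appears in the second but not the first. The following is an added worked example, not code from this article or from any Windows tool; it does the comparison for processes on Linux, where readdir on /proc is the "normal" view and kill(pid, 0) plus /proc/<pid>/status is the brute-force view. Windows rootkit detectors apply the same idea to the Windows API view versus raw reads of the disk and registry.

```python
import os

# Added example: cross-view detection of hidden processes on Linux.
# A rootkit that hides a process usually hooks the directory-listing path
# (readdir on /proc) but not the per-pid paths (kill(2), /proc/<pid>/status),
# so asking the kernel about every pid directly exposes the hidden one.

PROC_AVAILABLE = os.path.isdir("/proc")


def listed_pids():
    """The 'normal' view: whatever readdir on /proc admits to."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if the pid vanished meanwhile."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def probed_pids(max_pid):
    """The brute-force view: probe every pid in 1..max_pid with kill(pid, 0)."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check, nothing is delivered
        except ProcessLookupError:
            continue                 # no such pid
        except PermissionError:
            pass                     # exists but belongs to someone else: still counts
        # Thread ids also answer kill(2) and exist under /proc but never show up
        # in readdir; skip them or every multithreaded program looks 'hidden'.
        if thread_group_id(pid) == pid:
            found.add(pid)
    return found


def cross_view_diff(listed_before, probed, listed_after):
    """Pids the kernel admits to that neither directory listing showed.

    Two listings bracket the probe so a process that was merely born or
    died during the scan is not reported as hidden. A process that lived
    only inside the probe window can still slip through: rerun to confirm."""
    return sorted(probed - (listed_before | listed_after))


def find_hidden_pids(max_pid=None):
    """Full scan up to the kernel's pid_max (or a caller-supplied ceiling)."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as limit:
            max_pid = int(limit.read())
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return cross_view_diff(before, probed, after)


if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden pids:", hidden or "none")
```

Probing all the way to pid_max (commonly 32768, up to 4194304 on 64-bit kernels) takes anywhere from seconds to about a minute in Python, so run it once rather than in a loop. The limitation is the one the article keeps coming back to: a rootkit that also hooks kill(2) or the per-pid reads in /proc defeats this view too, which is why the next step is to inspect the disk with the suspect system not running at all.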
You might suspect an infection because your machine is sluggish or crashes suspiciously. You might also learn that something is wrong by watching network traffic from outside that computer, at the router or firewall or on a mirrored switch port, where the infected machine cannot edit what you see. If it is making connections to places it should not be, something is amiss, whether or not your anti-virus tools know about it.
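One thing worth looking for in that outside view is a beacon: malware checking in with its controller on a timer, which produces connections at nearly constant intervals that no human browsing pattern matches. The following is an added example, not part of the original article; the one-record-per-line layout "timestamp src dst dport", the sample records, and the thresholds (at least five connections, at most 20% jitter) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Added example: finding a beacon in connection records captured outside the
# suspect machine. The record layout "timestamp src dst dport", one per line,
# is an assumption for this example; real captures (firewall logs, NetFlow)
# need their own parser, but the analysis is the same.

# Constructed sample: 192.168.1.20 browses normally to 198.51.100.x and also
# checks in with 203.0.113.7 every ten minutes, give or take a few seconds.
SAMPLE_LOG = """\
2012-01-15T10:00:00 192.168.1.20 203.0.113.7 443
2012-01-15T10:03:11 192.168.1.20 198.51.100.5 80
2012-01-15T10:10:02 192.168.1.20 203.0.113.7 443
2012-01-15T10:12:47 192.168.1.20 198.51.100.9 443
2012-01-15T10:19:58 192.168.1.20 203.0.113.7 443
2012-01-15T10:20:05 192.168.1.20 198.51.100.5 80
2012-01-15T10:30:01 192.168.1.20 203.0.113.7 443
2012-01-15T10:34:30 192.168.1.20 198.51.100.5 80
2012-01-15T10:39:59 192.168.1.20 203.0.113.7 443
2012-01-15T10:50:03 192.168.1.20 203.0.113.7 443
2012-01-15T11:41:12 192.168.1.20 198.51.100.5 80
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean interval, jitter) for a flow, or None if too few samples.

    Jitter is the coefficient of variation of the gaps between connections:
    a timer-driven check-in has a small one, a human clicking around does not."""
    times = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    period = mean(gaps)
    if period <= 0:
        return None
    return period, pstdev(gaps) / period


def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Flows with enough connections and nearly constant spacing."""
    hits = []
    for flow, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        period, jitter = score
        if jitter <= max_jitter:
            hits.append((flow, round(period), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for (src, dst, dport), period, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} every ~{period}s (jitter {jitter})")
```

Legitimate software beacons too (time sync, update checks, mail polling), so the output is a short list to compare against what the machine is supposed to be talking to, not a verdict. The strength of the method is that it does not depend on the infected machine telling the truth, and it does not need to have seen the malware before.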
One way to look for that kind of "man who isn't there" is to boot from a CD that scans the disk without the possibly infected operating system running, so its hooks never get loaded. Microsoft has such a CD you can download. Even then, the software running from the CD has to know what it is looking for. If the infection is not something it has seen before, or at least very similar to something it already knows about, it cannot necessarily fix the problem. It might know something is wrong, but not what to do about it.
Suppose it does know what to do? Suppose further that the folks who infected the system deliberately left false clues for tools like that to find? When their code starts up again, it sees that the bait has been cleaned up, and it lies low for a few weeks or cuts back on its usual activity so that you are less likely to notice anything wrong.
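To see why "seen before or very similar" is the limit of what such a scanner can do, here is an added example of the two kinds of signature a scanner carries. It is not Microsoft's scanner and not a real signature database: the three "files", the signature names and the byte pattern are all constructed for the example.

```python
import hashlib
import re

# Added example (not Microsoft's scanner, nor any real signature database):
# why a scanner, even one booted from clean media, only finds what it has
# been taught. An exact-hash signature fails on a one-byte change; a byte
# pattern with wildcards survives small variants but still only catches
# what it was written for.

# Constructed stand-ins for files on the scanned disk. The push/call bytes
# are just bytes chosen for this example, not a real dropper.
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
                + b"\x68\x00\x30\x40\x00\xe8\x0d\x00\x00\x00" + b"example-payload")
VARIANT = (b"MZ\x90\x00" + b"\x00" * 20                      # repacked: padding changed...
           + b"\x68\x10\x30\x40\x00\xe8\x0d\x00\x00\x00"     # ...and one operand byte
           + b"example-payload")
BENIGN = b"MZ\x90\x00" + b"hello world, nothing to see here"


def compile_pattern(spec):
    """Turn "68 ?? 30 40" style hex with ?? wildcards into a bytes regex."""
    parts = []
    for token in spec.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append((r"\x%02x" % int(token, 16)).encode())
    return re.compile(b"".join(parts), re.DOTALL)


# Hypothetical signature names for the example.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Example.Dropper.A"}
PATTERN_SIGNATURES = {"Example.Dropper": compile_pattern("68 ?? 30 40 00 e8 ?? 00 00 00")}


def scan_by_hash(data):
    """Exact match: catches the sample we hashed and nothing else."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data):
    """Fuzzy match: tolerates the operand bytes an author changes between builds."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(data):
    """Most specific verdict available, or None for 'nothing I recognise'."""
    return scan_by_hash(data) or scan_by_pattern(data)


if __name__ == "__main__":
    for label, blob in (("known sample", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:13s} hash={scan_by_hash(blob)} pattern={scan_by_pattern(blob)}")
```

The hash catches only the exact file that was analysed; the pattern also catches the repacked variant, but nothing the pattern's author never saw. Even a pattern hit only tells the scanner which family it is looking at, not which files, registry entries or boot components this particular build touched, which is the "knows something is wrong but not what to do" situation the text describes.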
As I said, it's a war.
Virtualization
Virtual machines may be a palliative solution: for example, right now you can download a secure VMware browser. Anything that happens in that virtual machine should not be able to affect the rest of your system. You could do the same for email, and effectively isolate the at-risk activities from the rest of your system. One caveat: it is common to configure VMs with network connectivity to the host OS, along with shared folders and a shared clipboard, and each of those conveniences is a path that malware in the guest could use to reach the host as well.
One other advantage of virtual machines is that reinstallation is easy: you keep a known-clean image tucked away and copy it back. That only works if the image was made before the infection and has been kept read-only since, so don't let the running guest overwrite it.
Sandboxing
Sandboxing is another way to approach the problem. It requires each application to declare to the operating system, up front, what resources it needs and which directories it will access. If the application is compromised, any attempt to stray beyond those declared limits is refused.
Starting in March 2012, Apple will require applications in its Mac App Store to be sandboxed, and Microsoft seems to be going in the same direction with Windows 8.
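What that declaration looks like in practice, as an added illustration rather than anything from this article, from Apple's documentation or from a real application: an App Sandbox entitlements file for a hypothetical document viewer. The three keys are real entitlement names; which ones to grant is an assumption about what this imaginary application needs, and everything not listed is denied.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Turn the sandbox on; with nothing else, the app gets only its own container -->
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- Outbound connections only; no listening sockets -->
    <key>com.apple.security.network.client</key>
    <true/>
    <!-- Read files the user explicitly picks in an open panel, nothing else -->
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>
```

The point of the exercise is that the list is short and written down before the application ever runs: a compromised viewer that tries to write into the user's home directory or open a listening port is stopped by the operating system, whether or not any anti-virus tool recognises what is running inside it.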
Reinstall?
One way to be sure you've gotten rid of malware is to reinstall.
Realistically, the advice to "rebuild from scratch" has always been valid unless you are absolutely confident that you precisely know what has been affected and how.
If you lack perfect knowledge of what a given piece of malware does, anything you do to "fix it" leaves you with a suspect and potentially dangerous system. Frankly, with the amount of malware today and its growing sophistication, I'm not sure you can really trust any automated removal/repair tool. Did its authors really dissect the code completely, and are they certain they know what it does under all conditions? Maybe.
Reinstallation is drastic, though, and even that may be suspect. You'll have to bring back all your files: could they be the source of the infection? Restore documents and data rather than programs, and scan them from the freshly installed system before opening them, but the nagging questions remain.
Why so many problems?
One of the reasons malware has become so intractable is that both operating systems and applications are large, complicated and confusing. Nobody understands how these things work as a whole. It has all become far too complicated.
To combat this, we may envision a return to simple, single-purpose applications designed to run in virtual machines. For example, an operating system that is going to run a browser for me doesn't necessarily need to be multitasking: if I want more than one instance of the browser, I'll start up another virtual machine. Wasteful? Sure, but it could be much more secure.
That applies to the host operating system too. VMware's ESX server is exactly that: a stripped-down, very small system configured to securely run other operating systems as virtual machines. Why have a general-purpose operating system for that function? Keep it lean and mean, and carry the same concept forward to the guests. Sure, it's wasteful of disk space, but so what? Disk space and even memory are cheap enough today. The upside is increased security through simplification, and a greater trend toward modularization.
Windows Vista had some 50 million lines of code and Windows 7 is probably about the same. VMware's ESX server is said to be around 65 thousand lines. Which is easier to understand, debug and maintain?
Eventually, multipurpose operating systems like Windows, Mac OS X and even Linux as we now know it may be quaint relics of the "bad old days". Until then (and perhaps even after), the war continues.
Comments
Same advice.
Windows Security Essentials can sometimes find things others miss: http://windows.microsoft.com/en-US/windows/product
I've been surprised by the comments about Microsoft Security Essentials. I think of Internet Explorer when I think of Microsoft - everyone knows it's the best browser to use to download.....a better browser.
You're now the second person I've seen that definitely knew what they were talking about to endorse MSE. It makes me wonder if it would be worthwhile to replace my AVG 2012 with MSE.
I think MSE will generally outperform AVG, but of course the game is constantly changing. A new threat created today might be noticed first by AVG, Trend, Microsoft or anyone else. Microsoft could silently cut its research budget here tomorrow... the game goes on.
Well, it's a daunting task to scan for and remove malware or a virus after a machine gets infected. Most of the time when I am working, I do not use USB drives or CDs directly on my working PC. I have set up a VMware VM and installed antivirus and malware tools there. After I am satisfied with that, I finally put it on my PC.
It can be a lot of work to stay safe.
Sophia Angelique 6 months ago
I think my computer has a Trojan. What now?