Answers to common security questions - Best Practices


22 replies to this topic

#1 quietman7


Posted 01 July 2011 - 01:46 PM

Answers to common security questions - Best Practices

by Russ Stamm (quietman7)

 

Best Practices for Safe Computing - Prevention of Malware Infection

 

Common sense, good security habits, safe surfing, understanding security and safe computing are essential to protecting yourself from malware infection. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice these principles and stay informed. Knowledge and the ability to use it is the best defensive tool anyone could have. This includes educating yourself as to the most common ways malware is contracted and spread as well as prevention.

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. This means an anti-virus solution alone is not adequate protection since many types of malware and ransomware will evade, circumvent and deactivate (disable) your anti-virus and security measures by design. Modern ransomware often involves targeted attacks which makes it less detectable to antivirus and other security software since these threats avoid the usual detection methods. Ransomware developers can evade an antivirus by changing the code, encrypting it or modifying the signature string. Cybercriminals can also use other (multiple) techniques which an antivirus may not protect against.

  • For more details about the limits of an anti-virus, see my comments in this topic (Post #4).

Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense.

For example...Mitigating Ransomware attacks requires a multi-layered approach.

Since there's no way to completely protect your organization against malware infection, you should adopt a 'defense-in-depth' approach. This means using layers of defense with several mitigations at each layer...

Mitigating LOLBin-based (Living Off the Land Binaries) attacks requires a multi-layered approach.

LOLBins are native system executables found within operating systems (Windows, macOS, Linux) that can be leveraged for malicious purposes...they typically are used for administrative tasks, system diagnostics, or software installations...Since they are already present on the system and trusted by the operating system, they can often bypass traditional security measures such as antivirus software.

Fact: It has been proven time and again that the user is a more substantial factor (weakest link in the security chain) than the architecture of the operating system or installed protection software.

Therefore, security begins with personal responsibility which means you need to stay informed of mitigation tactics to protect yourself and/or your organization and keep vigilant of Indicators of Compromise (IOC)...pieces of forensic data, clues or evidence of a compromise and data breach. Since YOU are the first and last line of defense that also means following "best practices" for safe computing.

 

Tips to protect yourself against malware infection:

:step1: Keep Windows updated with all security updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. When necessary, Microsoft releases security updates on the second Tuesday of each month and publishes Security update bulletins to announce and describe the update. Using an outdated and unsupported Windows Operating System poses a significant security risk not only for you but for everyone if you still intend on being connected to the Internet.

 

Unpatched and outdated computers are prone to attack from hackers, botnets, zombie computers and malware infection which can spread to other computers. The majority of computers with outdated operating systems are infected as a result of exploits of one or multiple software vulnerabilities. Cyber-criminals use ransomware, web exploits and exploit kits to spread malware and/or facilitate criminal activity for monetary gain through ransom demands.

"One of the most concerning aspects of running an unsupported operating system is the rise of no-click, drive-by attacks. In these attacks, you don’t even need to interact with anything on a website or in an email to become infected."

Keep your Web Browser updated as well. Regardless of which browser you use, vendors routinely release updates which include fixes for exploits and vulnerabilities. Internet Explorer will no longer be supported after June 15th, 2022...it is being retired in favor of Microsoft Edge. Going forward, folks should avoid using Internet Explorer if it is still on your operating system...consider it a security risk.

 

:step2: Avoid keygens, cracked software, warez and any pirated software. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections: ransomware, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not always possible and the only option is to wipe your drive, reformat and reinstall the OS.

:step3: Avoid peer-to-peer (P2P) file sharing programs (e.g. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare). They too are a security risk (unsafe practice) which can make your computer susceptible to malware infections. File sharing networks are thoroughly infested with malware according to security firm Norman ASA and many are unsafe to visit or use. Malicious worms, backdoor Trojans, IRCBots, Botnets, and rootkits spread across P2P file sharing networks, gaming, and underground sites. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads (malvertising) that install viruses, Trojans, and other malware.

 

Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. If you must use file sharing, scan your downloads with anti-virus software before opening them and ensure Windows is configured to show known file extensions.

:step4: Avoid Bundled software and the use of Registry Cleaners. Many toolbars, add-ons/plug-ins, browser extensions, screensavers and useless or junk programs like registry cleaners, optimizers, download managers come bundled with other software (often without the knowledge or consent of the user). Bundled software, toolbars and browser extensions can be the source of various issues to include Adware, pop-up ads and browser hijacking which may change your home page/search engine, and cause user profile corruption. As such, bundled software may be detected and removed by security scanners as a Potentially Unwanted Program (PUP), a very broad threat category which can encompass any number of different programs to include those which are benign as well as problematic.

 

Since the downloading of bundled software sometimes occurs without your knowledge, folks are often left asking themselves "how did this get on my computer." Even if advised of a toolbar or Add-on, many folks do not know that it may be optional and not necessary to install in order to operate the program. If you install bundled software too fast, you most likely will miss the "opt out" option and end up with software you do not want or need. The best practice is to take your time during installation of any program and read everything before clicking that "Install" or "Next" button. Even then, in some cases, this opting out does not always work as intended.

:step5: Beware of Rogue Security software and Crypto malware (ransomware) as they are some of the most common sources of malware infection. They spread malware via a variety of attack vectors...through social engineering (trickery) and user interaction, opening a malicious or spam email attachment, executing a malicious file, exploits, exploit kits, web exploits, malspam, malvertising campaigns, cryptojacking malware campaigns, fileless malware, non-malware attack, posing as a folder on removable drives, drive-by downloads, downloading software cracks, pirated software, fake Microsoft Teams updates, fake/illegal activators for Windows & Office, targeting managed service providers (MSPs) and RDP bruteforce attacks, a common attack vector for servers particularly by those involved with the development and spread of ransomware since if enabled, it allows connections from the outside as explained here.

For more detailed information about ransomware and the most effective strategy to protect yourself from ransomware (crypto malware) infection, see my comments in Post #14 and Post #15 which also includes links to the Latest Ransomware Threat Updates.

:step6: Keeping Autorun enabled on flash drives is a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. One in every eight malware attacks occurs via a USB device. Many security experts recommend you disable Autorun as a method of prevention.

:step7: Always update vulnerable software like browsers, Adobe Reader and Java Runtime Environment (JRE) with the latest security patches. Older versions of these and several other popular programs have vulnerabilities that malicious sites can use to exploit and infect your system.

To help prevent this, you may want to install and use a Software Updater to detect vulnerable and out-dated programs/plug-ins which expose your computer to malware infection.

 

:step8: Use strong secure passwords and change them anytime you encounter a malware infection or have been hacked, especially if the computer was used for online banking, paying bills, has credit card information or other sensitive data on it. This would include any used for taxes, email, eBay, PayPal and other online activities. You should consider them to be compromised and change all passwords immediately as a precaution in case an attacker was able to steal your information. According to Schneier on Security:

The efficiency of password cracking depends on two largely independent things: power and efficiency.
- Power is simply computing power. As computers have become faster, they’re able to test more passwords per second; one program advertises eight million per second. These crackers might run for days, on many machines simultaneously. For a high-profile police case, they might run for months.
- Efficiency is the ability to guess passwords cleverly. It doesn’t make sense to run through every eight-letter combination from “aaaaaaaa” to “zzzzzzzz” in order. That’s 200 billion possible passwords, most of them very unlikely. Password crackers try the most common passwords first.

Most security experts would say that a mixture of random uppercase letters, lowercase letters, numbers and special characters...combined with length (a password's resilience increases exponentially with its length) is the most secure against a hacker's attempt to crack. If that's too much effort, just use a Random Password Generator which is mathematically more secure anyway. If a web site or APP offers Multi-factor authentication (MFA) or two-factor authentication (2FA) you should seriously consider using it as an extra layer of security.

Many of the newer types of malware are designed to steal passwords and logins to banks, credit cards, board forums and other similar sensitive web sites before encrypting data. Attackers can use ransomware to download a password-stealer component to harvest all usable usernames and passwords from an infected system and send that information to its Command and Control (C&C) server. The Qilin ransomware group uses a tactic that deploys a custom stealer to steal account credentials stored in the Google Chrome browser. FTCODE Ransomware has the ability to steal passwords from popular browsers such as Firefox, Chrome, Explorer and Microsoft Outlook.

 

Once the attacker gains administrative access remotely to a target computer they can create new user accounts or use a user not logged in to do just about anything including the ability to reset the passwords of other administrators.

Always use a different password for each web site you log in to. Never use the same password on different sites and change your password if you think it may have been compromised.

You should not allow your browsers to remember passwords. Why?...they are tied to browser security and not as secure as dedicated password managers.

If you're going to use your browser's password vault, the best practice is to use a master password on it.

 

Passkeys are a replacement for passwords which allow you to sign into your Microsoft personal account or work/school account much faster using your face, fingerprint or PIN. Since passkeys are unique to each website or application you don't have to worry about someone else using your passkey to access them. Passkeys are also resistant to and help protect against phishing attacks, making them a much more secure option. Microsoft has been a proponent of passwordless authentication (passkeys) for years and other industries are moving in that direction too.

Strong passwords, passkeys, multi-factor authentication (MFA) and two-factor authentication (2FA) are the new norm in today's world due to the number of data breaches where large amounts of personal information (including usernames and passwords) are stolen by criminals and published for sale on the Internet. We as users of this technology must take steps to minimize the risk of all sorts of threats (account compromise, identity theft), not just Microsoft sign-in attempts. You can also create a new alias (nickname or moniker) to disguise yourself with a new identity while using your primary account which can further minimize the risk against hackers.

 

:step10: Know how to recognize Phony Email/Phishing Scams and do not open unsolicited email attachments as they can be dangerous and result in serious malware infection. For example, Zbot/Z-bot (Zeus) is typically installed through opening disguised malicious email attachments which appear to be legitimate correspondence from reputable companies such as banks and Internet providers or UPS or FedEx with tracking numbers.

Learn about Tech Support Scamming through unsolicited phone calls, browser pop-ups and emails from "so-called Support Techs" advising "your computer is locked or infected with malware". Learn about Ranscam (fake ransomware scamming) where criminals use various scare tactics and threats to coerce victims into paying a ransom demand. Learn how to recognize Extortion/Sextortion Scamming, a tactic involving phishing emails / email spoofing sent to unsuspecting victims where criminals make various threats with demands for money in exchange to keep sensitive information they allegedly claim to have collected about you from being published or sent to family, friends, coworkers, social media contacts.

  • For more specific information about these types of scams, please read this topic (Post #13)

:step11: Allow Windows to show file extensions. Malware can disguise itself by hiding the file extension or by adding double file extensions and/or extra space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension. In some cases, you may not see the double extension because file extensions are hidden by default in Windows so they appear normal.

 

If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.

Even if you have chosen the option to unhide file extensions, you still may be fooled if the malware writer named the file with extra spaces before the ".exe" extension. The real extension is hidden because the column width is too narrow to reveal the complete name and the tiny dots in between are nearly invisible.

 

:step12: One Final Very Important Tip !!! Always back up your important data and files on a regular basis...keeping a separate, offline (isolated) backup to a device that is not always connected to the network or home computer. Backing up data is an essential part of building a strong cybersecurity strategy with layered protection against malware infection. If your system becomes compromised or infected, some malware may render your computer unbootable during or before the disinfection process. Ransomware can encrypt or destroy all your important data, especially when dealing with Wiper/Eraser Ransomware...see Section 4 in Post #14 for more information about Wipers.

 

The only reliable way to effectively protect your data and limit the loss with this type of infection is to have an effective backup plan.

Even if your computer is not infected, backing up is also part of best practices in the event of hardware or system failure related to other causes. Backing up data and disk imaging are among the most important prevention tasks users should perform on a regular basis, yet it's one of the most neglected areas.

 

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; and isolate all backups (offline) to a device that is not always connected to the network or home computer so they are unreachable. If not, you risk not only malware infection but ransomware encrypting your backups and any backups of the backups when it strikes. In addition to encrypting data, many ransomware developers are now routinely searching for and destroying backups or simply deleting your backups.

For the average home user, it is simpler to just buy an external hard drive, copy your critical data to it, disconnect the device and store it in a safe/secure location rather than try to monitor and maintain a complex backup system. Programs like SoftByte Labs Comparator make doing backups easy for home users as well as professionals before creating an image.

 

It is a good practice to make a disk image with an imaging tool (e.g. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.). Disk Imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made.

 

Some imaging/backup software (e.g. Macrium Image Guardian, Acronis Active Protection/Acronis True Image) automatically restores and/or prevents targeted backup files from being encrypted by ransomware but you must pay for this protection.

 

Backing up Data & System Imaging Resources:

How to use File History in Windows:

 

 

Other topics discussed in this thread:

Ransomware Related Topics:

Section 2 in How Malware & Ransomware Spreads explains the most common methods malware and ransomware is typically delivered and spread.

 

Another topic to read if you are having problems with computer slowness, unresponsiveness, unwanted software, startup and browser or extension issues is Slow Computer/Browser? Check here first; it may not be malware.

 

In case you are asking for assistance, please read Who is helping me with Ransomware/Malware Infection? (Post #3).

Scammers have become so prolific that the site owner of Bleeping Computer has had to make this public announcement.

Author's Note: Some of the information in these topics is redundant but folks just viewing a single topic or two may not have read any of the others so I don't want them to miss out. The redundancy also reinforces the importance of the information provided in certain topics. I take advantage of using hyperlinks whenever possible as it allows me to keep what I have written more concise since the hyperlink in most cases provides much more detailed information. The hyperlinks also serve as source materials since the information they contain is written by other experts in the field of security.

 
My thanks to Grinler (Lawrence Abrams), the site owner of Bleeping Computer who has been like a mentor since I joined BC. I also want to thank the forum staff, and the many malware removal/security experts I have learned from and worked with over the years...too many to name individually but many I now consider colleagues and friends. Without all of them I could not have written these topics to share with others.

 

Updated: 12/15/25


Edited by quietman7, 15 December 2025 - 05:09 PM.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE (Unified Network of Instructors and Trusted Eliminators)
Retired Police Officer, Federal Agent and Coast Guard Chief
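As an added illustration of the double-extension and padded-space filename tricks described in step 11 of the post above (example code written for this page, not taken from the post or from Microsoft), the following Python script flags names that display one extension but would actually run as another. The sets of executable and "decoy" document extensions are assumptions and not exhaustive.

```python
import os
import re
from typing import Dict, List

# Extensions Windows will execute when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1"}

# Document/media extensions an attacker places before the real one so the
# name *looks* harmless when the final extension is hidden (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg",
              ".png", ".txt", ".zip", ".mp3", ".mp4"}


def real_extension(name: str) -> str:
    """The extension Windows honours: text after the LAST dot, lowercased."""
    _, ext = os.path.splitext(name)
    return ext.lower()


def suspicious_filename(name: str) -> List[str]:
    """Return human-readable reasons a filename looks deceptive (empty = fine)."""
    reasons: List[str] = []
    base = os.path.basename(name)
    true_ext = real_extension(base)
    if true_ext not in EXECUTABLE_EXTS:
        return reasons            # only executable files can masquerade this way

    stem = base[: len(base) - len(true_ext)]          # everything before the real extension

    # Trick 1: double extension, e.g. "invoice.pdf.exe" - with extensions hidden the
    # user sees "invoice.pdf"; with them shown, a narrow column still hides ".exe".
    inner = real_extension(stem.rstrip())
    if inner in DECOY_EXTS:
        reasons.append(f"double extension: displays as {inner} but runs as {true_ext}")

    # Trick 2: a run of spaces before the real extension pushes ".exe" out of view
    # in Explorer's name column. Two or more spaces is treated as deliberate padding.
    padding = len(stem) - len(stem.rstrip(" "))
    if padding >= 2:
        reasons.append(f"{padding} spaces pad the name before the real {true_ext} extension")

    return reasons


def scan_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged filename to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := suspicious_filename(n))}


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Same check over the files in a real folder (e.g. a Downloads directory)."""
    with os.scandir(path) as entries:
        return scan_names([e.name for e in entries if e.is_file()])


# Constructed sample names illustrating the post's examples plus harmless controls.
SAMPLE_NAMES = [
    "Invoice_2024.pdf.exe",                 # double extension
    "Holiday photo.jpg" + " " * 28 + ".scr",  # padded spaces, real extension .scr
    "setup.exe",                            # ordinary executable, not flagged
    "notes.txt",                            # ordinary document, not flagged
    "quarterly report.docx",                # space in a normal name, not flagged
]

if __name__ == "__main__":
    for name, reasons in scan_names(SAMPLE_NAMES).items():
        print(repr(name))
        for reason in reasons:
            print("   -", reason)
```

The regex-free checks deliberately look only at the final extension, which is the one Windows uses to decide what to run, regardless of what the name appears to be.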



 


#2 quietman7


Posted 01 July 2011 - 01:52 PM

Choosing an Anti-Virus Program

Choosing an anti-virus is a matter of personal preference, your needs, your technical ability and experience, features offered, user friendliness, ease of updating (and upgrading to new program release), ease of installation/removal, availability of quality/prompt technical support from the vendor and price. Other factors to consider include detection rates and methods, scanning engine effectiveness, how often virus definitions are updated, the amount of resources the program utilizes, how it may affect system performance and what will work best for your system. A particular anti-virus that works well for one person may not work as well for another. There is no universal "one size fits all" solution that works for everyone and there is no single best anti-virus.

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear and it takes time for them to be reported, samples collected, analyzed, and tested by anti-virus vendors before they can add a new threat to database definitions. Further, if you're dealing with zero-day malware it's unlikely the anti-virus is going to detect anything. Malware writers have the advantage since no matter how hard security vendors attempt to stay on top of new threats, there is always a short time-frame in which a new malicious file goes undetected and can infect a computer without detection. Just because one anti-virus or anti-malware scanner detected threats that another missed, does not mean it's more effective.

Every security vendor's lab uses different scanning engines and different detection methods. Each has its own strengths and weaknesses and they often use a mix of technologies to detect and remove malware. Scanning engines may use Heuristic Analysis, Behavior-based Analysis, Sandboxing and Signature file detection (containing the binary patterns of known virus signatures) which can account for discrepancies in scanning outcomes.

How often the anti-virus or anti-malware database is updated can also account for differences in threat detections. Further, each vendor has its own definition (naming standards) of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

Security is all about layers and not depending on any one solution, technology or approach to detect and prevent the latest threats from cyber-criminals. The most important layer is you...the first and last line of defense.

Thus, a multi-layered defense using an anti-malware and anti-exploit solution to supplement your anti-virus combined with common sense and following Best Practices for Safe Computing provides the most complete protection.

  • In regards to using multiple anti-exploit applications, see the IMPORTANT NOTE in this topic (Post #4).

Keep in mind that most anti-virus vendors who offer free products are bundling toolbars and other software with their products as a cost recoup measure. In fact, all free Anti-virus programs now come with toolbars or other bundled software.

If pre-checked by default that means you need to uncheck that option during installation if you don't want it. This practice is now the most common revenue generator for free downloads by many legitimate vendors and is typically the reason for the pre-checked option. Also keep in mind that free anti-virus programs constantly "nag" you with pop-up prompts to upgrade to their paid product.

 

I no longer recommend avast as a free alternative anti-virus solution...I explain why in this topic.

I no longer recommend AVG as a free alternative anti-virus solution...I explain why in this topic.

 

:step1: Microsoft Defender Antivirus (formerly Windows Defender) is included with Windows as its free built-in (integrated) anti-virus and anti-malware solution which is just as good as any other antivirus and probably easier to use for most folks. Microsoft Defender Antivirus provides the same level of protection against malware as its predecessor provided on older operating systems plus enhanced protection against rootkits and bootkits and protection against potentially unwanted programs if that feature is enabled.

Windows 10 Anniversary update introduced Limited Periodic Scanning which allows you to also use a third party anti-virus program as your primary protection.

Starting with the Windows 10 version 1703 Update, Windows Defender Antivirus was renamed Microsoft Defender Antivirus...it still consists of real-time protection, behavior monitoring and heuristics to identify and block malware based on known suspicious and malicious activity.

 

Microsoft has incorporated a number of significant improvements which make it competitive with other major anti-virus vendors including many paid for products.

  • Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
  • Always-on scanning, using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
  • Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.

Microsoft Defender Antivirus offers some protection against ransomware.

What's new in Windows 10 Spring Creators Update (version 1803)

  • The Virus & threat protection area in the Windows Defender Security Center now includes a section for Ransomware protection. It includes Controlled folder access settings and Ransomware recovery settings.
  • The Block at First Sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.

Microsoft Defender Exploit Guard has four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any damage can be done. Exploit protection consists of exploit mitigations which can be configured to protect the system and applications whenever suspicious or malicious exploit-like behavior is detected. Controlled folder access protects common system folders and personal data from ransomware by blocking untrusted processes from accessing and tampering (encrypting) sensitive files contained in these protected folders. Attack Surface Reduction (ASR) is comprised of a set of rules which helps prevent exploit-seeking malware by blocking Office, script and email-based threats. Network protection protects against web-based threats by blocking any outbound process attempting to connect with untrusted hosts/IP/domains with low reputation, utilizing Windows Defender SmartScreen.

 

Microsoft Defender Exploit Guard is intended to replace Microsoft’s EMET which was confusing to novice users and allowed hackers to bypass because the mitigations were not durable and often caused operating system and application stability issues as explained here. To further secure Windows against attack, Microsoft added new security features to include Core Isolation and Memory Integrity as part of Microsoft Defender Exploit Guard.

Starting with Windows 10 Version 1809, Windows Defender Security Center was rebranded as Windows Security which allows management of all security needs including Microsoft Defender Antivirus (Windows Defender) and Windows Firewall.

There are many advanced hidden features that allow you to customize how Microsoft Defender Antivirus works. To view and configure the complete list of these settings, users need to use the Get-MpPreference and Set-MpPreference PowerShell Commands as explained here by Lawrence Abrams.

 

To strengthen Microsoft Defender Antivirus you can use ConfigureDefender...a small utility that allows users to access a graphical user interface and easily configure (strengthen) all hidden Defender Anti-Virus settings. Once started, ConfigureDefender will list your current configuration and allow you to change various settings. ConfigureDefender includes three predefined protection level templates..."Default", "High" and "Max" that will automatically increase or lower the protection offered by Microsoft Defender Antivirus after rebooting. Setting the Protection Levels to "High" is a good baseline and recommended for most users.

Microsoft Defender Offline lets you boot and run a scan from outside the normal operating system (Windows kernel) so it can target malware that attempts to bypass the Windows shell. An offline scan can be run automatically or you can manually ask to perform an offline scan directly from the Microsoft Defender Antivirus interface. When Microsoft Defender Offline runs it automatically performs a Quick Scan by default which typically takes about 15 minutes and then the computer will restart normally.

Is Microsoft Defender Antivirus Good Enough? The results are mixed but more positive than negative.

Note: I found a few reviews which said Microsoft Defender Antivirus was not very good but those sites were pushing Norton and Total AV. In fact, while reading these reviews I encountered several advertising links and popups prompting me to purchase those products.

 

Since 2019 Microsoft Defender Antivirus has received very good test results for protection on a yearly basis from AV-TEST, an independent IT-Security Institute. Those results were surprising to securty experts who perform reviews and conduct their own testing.

 

:step2: If you are adamant about using a paid for product, I generally recommend ESET NOD32 Anti-Virus or Emsisoft Anti-Malware as they leave a small footprint...meaning they are not intrusive and do not utilize a lot of system resources. Malwarebytes Premium is an alternative which can be used as an antivirus replacement or as a supplement used alongside an existing anti-virus.

 

ESET Antivirus and Smart Security use multiple layers of technologies which include a Host-based Intrusion Prevention System (HIPS) to monitor system activity with a pre-defined set of rules (Advanced Memory Scanner) to recognize suspicious system behavior. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET's enhanced Botnet Protection module blocks communication between ransomware and Command and Control (C&C) servers. ESET's Exploit Blocker is designed to fortify applications that are often exploited (e.g. web browsers, PDF readers, email clients, MS Office components). This feature monitors the behavior of processes, looks for and blocks suspicious activities that are typical for exploits including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java. ESET Antivirus (and Smart Security) also includes script-based attack protection which protects against JavaScript in web browsers and Antimalware Scan Interface (AMSI) protection against scripts that try to exploit Windows PowerShell.

Emsisoft Anti-Malware is an antivirus platform that includes anti-malware protection and offers live cloud-verification for superior detection and removal of malware. Emsisoft uses two scanning engines, combining its technology with Bitdefender Anti-Virus and three security levels (or layers) of protection to prevent the installation of malware. These layers consist of surf protection, a dual-engine file guard, and advanced behavior blocking analysis which is extremely difficult to penetrate. Emsisoft's Behavior Blocker continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. This advanced behavior blocking technology is able to detect unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks. Emsisoft relies on the built-in Windows Firewall and their Firewall Fortification feature which blocks illegitimate manipulations of Windows Firewall rules to ensure its settings can't be manipulated by malware from the inside.

Both ESET Antivirus and Emsisoft Anti-Malware also have the added advantage of warning and detecting the installation of most Potentially Unwanted Programs (PUPs) (such as adware, spyware, unwanted toolbars, browser hijackers) if you enable that feature.

Malwarebytes Premium can be used as a replacement for an existing anti-virus, however, it is not an anti-virus and lacks some constructs that a traditional anti-virus application employs...see here. As such, it is still better served as an adjunct anti-malware solution to complement and strengthen your protection when utilizing a traditional anti-virus solution. The Development Team continues to provide support for those who choose to use a traditional third-party anti-virus solution together with Malwarebytes. The free version of Malwarebytes does not include real-time protection in its freeware mode...it is only an advanced on-demand scanner that detects and removes malware when you run a scan, therefore it cannot be used to block or prevent malware infection.

There is no difference between the Free, Trial and Premium download files. The installer/setup for all three is the same. If you are installing for the first time, it installs with the 14-day trial. After the trial you can choose to continue using Free or upgrade to paid Premium. If you only want the Free version, you have to go to the Account tab and choose End the Trial.

Virus Scanners for Linux


IMPORTANT NOTE: Using more than one anti-virus program with real-time protection simultaneously is not advisable. In addition to causing virus threat interception conflicts and false positive virus detection, it can slow down computer performance with excessive strain on system resources and cause other issues. The exception is Limited Periodic Scanning in Windows 10 Anniversary Update and thereafter, a feature of Microsoft Defender Antivirus which is intended to offer an additional line of defense to your existing anti-virus program's real-time protection. This feature allows you to run occasional scans with Microsoft Defender Antivirus without conflicting with a third-party anti-virus. When enabled, Windows 10 will use the Microsoft Defender Antivirus scanning engine to periodically scan your computer (or allow you to schedule scans) for threats and remove them.

Even if one of the anti-virus programs is disabled for use as a stand-alone on demand scanner, it can still affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating systems core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are initiated, each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "false positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that threat. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you may encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found after it has already been neutralized.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of another and may insist that it be removed prior to installation. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms as described above while trying to use it. In some cases, one of the anti-virus programs may even get disabled by the other.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

 

Microsoft and major Anti-virus vendors recommend that you install and run only one anti-virus program at a time.

This is what Microsoft has stated.

You don’t need to install more than one antivirus program. In fact, running more than one antivirus program at the same time can cause conflicts and errors that make your antivirus protection less effective or not effective at all.

Updated: 06/22/25


Edited by quietman7, 22 June 2025 - 10:13 AM.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
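The post above recommends running only one real-time anti-virus and tuning Microsoft Defender Antivirus through Get-MpPreference / Set-MpPreference. The script below is an added example (it is not part of quietman7's post and not a Microsoft or ConfigureDefender tool): it lists every product registered with Windows Security Center, warns if more than one claims real-time protection, shows Defender's own running mode, and applies a conservative Set-MpPreference baseline when Defender is the active scanner. The productState decoding is an assumption based on the commonly used (undocumented) layout of that field; run it from an elevated PowerShell prompt on Windows 10/11.

```powershell
# Added example, not from the original post. Run elevated on Windows 10/11.
# Assumption: productState is read as 6 hex digits TTSSUU, where SS = 10/11 means
# real-time protection is on and UU = 00 means signatures are current.

function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Name         = $_.displayName
                RealTimeOn   = ($hex.Substring(2, 2) -in @('10', '11'))
                SignaturesOK = ($hex.Substring(4, 2) -eq '00')
                ProductState = $hex
            }
        }
}

$products = @(Get-RegisteredAntivirus)
$products | Format-Table -AutoSize

# The post's rule: exactly one product should own real-time protection.
$active = @($products | Where-Object RealTimeOn)
if ($active.Count -gt 1) {
    Write-Warning ("More than one product reports real-time protection: " + ($active.Name -join ', '))
}

# Defender's own view of its mode: 'Normal' when it is the primary AV,
# 'SxS Passive Mode' when Limited Periodic Scanning runs beside a third-party AV.
$status = Get-MpComputerStatus
"Defender mode: $($status.AMRunningMode); real-time protection: $($status.RealTimeProtectionEnabled)"

# Hardening baseline, only meaningful when Defender is the active scanner.
if ($status.AMRunningMode -eq 'Normal') {
    Set-MpPreference -PUAProtection Enabled                 # flag adware/PUPs, not just malware
    Set-MpPreference -MAPSReporting Advanced                # cloud-delivered protection
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples  # let the cloud analyse unknown files
    Set-MpPreference -CloudBlockLevel High                  # more aggressive cloud verdicts
    Set-MpPreference -EnableNetworkProtection Enabled       # block known-bad destinations
    Set-MpPreference -DisableRealtimeMonitoring $false      # make sure real-time stays on
}

# Review the resulting configuration.
Get-MpPreference | Select-Object PUAProtection, MAPSReporting, SubmitSamplesConsent,
    CloudBlockLevel, EnableNetworkProtection, DisableRealtimeMonitoring
```

The Security Center listing is the quickest way to spot the situation the post warns about (a leftover product still registered with real-time protection on); the Set-MpPreference lines correspond to settings that ConfigureDefender's "High" template also turns on, but check the current values first, since each call overwrites whatever was there.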


#3 quietman7

Posted 01 July 2011 - 01:58 PM

Why should you use Antivirus software?

Antivirus is crucial, like seat belts or airbags. If you never actually need them, that’s great. But when you do need them, there’s no warning, and they can be the thing that saves you.

Who doesn’t need antivirus?

Using unprotected computers on the Internet is a security risk to everyone as they are prone to attack from hackers, Botnets, zombie computers and malware infection. Using anti-virus software will help minimize the risk and help to prevent the computer from being used to pass on infections to other machines. When infected and compromised, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, spammers have more platforms from which to send e-mail and more zombies are created to perpetuate the cycle.

How do folks who claim they do not use an anti-virus and never get infected know for certain that their computer is malware free? Many of today's attackers employ advanced techniques which involve sophisticated Botnets, backdoor Trojans, rootkits and ransomware to hide their presence on a computer. Without proper security tools including an anti-virus which can detect such malware, you can never be absolutely sure your computer has not been infected.

 

 

 

Do I need antivirus software on my smartphone? - Smart Phone Best Practices

 

Just like with computers, security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense. Humans are still the weakest link in any cyber security strategy. Therefore, using "Smart Phone Best Practices" is your strongest defense.

1. Apply Android/iOS security patches and software updates quickly.
2. Lock your phone.
3. Only install necessary Apps - Only use Apps from the Google Play Store for Android & Apple App Store for iOS.
4. Use Two-factor authentication (2FA).
5. Use strong password management.
6. Review & Manage App permissions.
7. Use device encryption.
8. Turn off your Wi-Fi (and Bluetooth) when it's not in use and do not use public networks.
9. Do not jailbreak or root your device.

Security vendors who sell antivirus products will tell you smartphones need their software for complete protection but if you engage in "Smart Phone Best Practices", then I would say an antivirus is unnecessary. By design, mobile phone operating systems are to some extent more secure than laptops and desktops due to the architecture differences...they have a different built-in security model which means they have different vulnerabilities and risks.

 

Apple iPhones use the iOS operating system which incorporates certain restrictions which limit what the device can do and how much it can be modified by the user. As such, many users engage in the practice of jailbreaking which involves taking away those restrictions. This practice can make using the iPhone a security risk especially if installing dangerous apps which include those not approved by the official Apple App Store for iOS. The lack of security updates for a jailbroken iPhone makes the device more vulnerable to exploits used by hackers. This all means that potential security holes, bugs and unauthorized third-party apps could compromise your iPhone and put your data and identity at risk.

 

There are similar risks for Android phones when installing apps outside the official Google Play Store for Android and not following Smart Phone Best Practices. To avoid this risk never install apps outside of the Apple App or Google Play Store. 

 

Mobile malware is more accurately described as "any malicious software deployed against a consumer that has adverse effects on the device." Most of the known Android and iOS malware are usually installed at the back of suspicious and/or third-party applications. Usually when a smartphone is infected with malware there most likely will be obvious indications (signs of infection) and malware symptoms that something is wrong.

Smartphone security mostly depends on how you use the device, what kind of data you keep on it and what level of security you want in your device. There is no hard and fast rule that you should or should not use an antivirus on your smartphone.

Samsung phones are embedded with Samsung Knox Security (Samsung Knox Platform Whitepaper).

 

 

 

Safe Steps for Replacing your Anti-virus

IMPORTANT: Before removing (or reinstalling) your existing anti-virus, you should download and save the setup file for the anti-virus you are going to replace it with. Also download any specialized removal tools available from the vendor for your current anti-virus in case you need them. It is not uncommon for some anti-virus programs to not completely uninstall themselves using the usual method of Apps & features in Windows 10/11 or Program Features in Control Panel for older operating systems.

Note: Sometimes the uninstall works more effectively if you first stop and disable the program's service (and associated processes in Task Manager) or perform the removal in safe mode so there are fewer processes which can interfere with the uninstallation.

 

In rare cases when all else fails, you can try using a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo provides a listing of all installed software by installation date and when removing a program, Revo does a more comprehensive job of searching for and removing related registry entries, files and folders than many other similar tools. However, in most cases such third-party tools are not necessary.

Note: If you already attempted to remove the program and failed, use Revo Uninstaller Pro (free for 30 days) which has an audit feature you can enable in order to track all changes made during the install.

In many cases anti-virus vendors also provide clean-up utilities or removal tools on their web sites to remove remnants left behind after uninstalling or for a failed uninstall so always check there first. It's best to download directly from the vendor's site to ensure you are using the most current version of the uninstall utility as it is not uncommon for third-party hosting sites to have outdated versions which may not work properly.
 

Comprehensive List of Uninstallers and Removal Tools for Antivirus Software

Summary of steps to replace an existing anti-virus

  • Before removing your old anti-virus, download and save the setup file for the anti-virus you are going to replace it with (unless you plan on activating and using Windows 8 Defender).
  • Download any specialized removal tools available from the anti-virus vendor for your current anti-virus in case you need them.
  • Disconnect from the Internet.
  • Uninstall your current anti-virus following the vendor's instructions - sometimes uninstalling in safe mode works better.
  • Run the anti-virus vendor's specialized cleanup utility if needed.
  • Reboot normally and install the replacement.
  • Reboot again if prompted to ensure the anti-virus is working properly before reconnecting to the Internet.
  • Connect to the Internet and immediately download the latest definition database updates.

 

Updated: 08/14/25


Edited by quietman7, 14 August 2025 - 05:35 PM.

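The replacement steps above hinge on the old anti-virus being completely gone before the new one goes in, since leftover services and kernel-mode drivers still load at boot. The script below is an added example (not from quietman7's post and not a vendor removal tool) that audits a Windows 10/11 machine for remnants after the uninstall: Security Center registrations, Apps & features uninstall entries, services, kernel drivers and program folders. $VendorPattern is a placeholder you set to a distinctive part of the removed product's name; run it from an elevated prompt before installing the replacement.

```powershell
# Added example, not from the original post. Run elevated after uninstalling the old AV.
# $VendorPattern is a placeholder: set it to a distinctive part of the old product's
# name (typically the vendor name) as it appears in its services, drivers and folders.
param([string]$VendorPattern = 'OLD_AV_VENDOR_PLACEHOLDER')

function Find-AntivirusRemnants {
    param([Parameter(Mandatory)][string]$Pattern)
    $found = [System.Collections.Generic.List[string]]::new()

    # 1. Still registered with Windows Security Center (causes "two AVs" conflicts)?
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        Where-Object displayName -match $Pattern |
        ForEach-Object { $found.Add("SecurityCenter registration: $($_.displayName)") }

    # 2. Uninstall entries (this is what Apps & features / Programs and Features reads)
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        ForEach-Object { $found.Add("Uninstall entry: $($_.DisplayName) -> $($_.UninstallString)") }

    # 3. Services (even a stopped service with StartMode Auto will come back at boot)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object { $found.Add("Service: $($_.Name) [$($_.State)/$($_.StartMode)] $($_.PathName)") }

    # 4. Kernel-mode drivers: these load regardless of whether real-time protection was off
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object { $found.Add("Driver: $($_.Name) [$($_.State)/$($_.StartMode)] $($_.PathName)") }

    # 5. Program folders left behind
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)) {
        if ($root) {
            Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
                Where-Object Name -match $Pattern |
                ForEach-Object { $found.Add("Folder: $($_.FullName)") }
        }
    }
    return $found
}

$remnants = Find-AntivirusRemnants -Pattern $VendorPattern
if ($remnants.Count -eq 0) {
    "No remnants matching '$VendorPattern' found; install the replacement, then reconnect."
} else {
    "Remnants found. Run the vendor's own removal tool (or Revo) before installing the replacement:"
    $remnants
}
```

The script only reports; it deliberately does not delete anything, because the vendor's cleanup utility knows which registry keys and driver entries belong to the product and removes them in the right order. A driver that still shows State "Running" after a reboot is the clearest sign the uninstall did not finish.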


#4 quietman7

Posted 19 September 2011 - 01:19 PM

Supplementing your Anti-Virus Program with Anti-Malware Tools

An anti-virus program alone does not provide comprehensive protection and cannot prevent, detect and remove all threats at any given time. Anti-virus software is inherently reactive...meaning it usually finds malware after a computer has been infected. Further, if you're dealing with zero-day malware it's unlikely the anti-virus is going to detect anything. Anti-virus and anti-malware programs each perform different tasks as it relates to computer security and threat detection. Essentially, they look for and remove different types of malicious threats.

 

In simplistic terms, Anti-virus programs use massive databases with different scanning engines and detection methods to scan for infectious malware which includes viruses, worms, Trojans, rootkits and bots.

 

Anti-malware programs use smaller databases and generally tend to focus more on adware, spyware, unwanted toolbars, add-ons/plug-ins, browser extensions, browser hijackers, potentially unwanted programs and potentially unsafe applications which are classified differently and do not fall into any of those categories...that is the primary reason some anti-virus programs do not detect or remove them.

 

Anti-virus and Anti-malware solutions with anti-exploit features protect against zero-day malware, drive-by downloads, exploits, exploit kits and ransomware.

 

An anti-virus solution alone is not adequate protection since many types of malware and ransomwares will evade, circumvent, and deactivate (disable) your anti-virus and security measures by design before encrypting data. Malware developers are very innovative. Modern ransomware often involves targeted attacks which makes it less detectable to antivirus and other security software since these threats avoid the usual detection methods. Ransomware developers can evade an antivirus by changing the code, encrypting it or modifying the signature string. Cybercriminals can also use other (multiple) techniques which an antivirus may not protect against such as phishing scams, fileless malware, obfuscated malware, polymorphic malware, malicious PowerShell scripts, DLL injection and even using a webcam to circumvent Endpoint Detection and Response (EDR). Once infected by ransomware, an antivirus will not restore your encrypted files.

Some ransomware use partial (intermittent) encryption of large files, but will run the full process on smaller files...in normal encryption mode, the ransomware enumerates files and folders, encrypts the file contents and renames them or just appends an extension to the end of the file name. In stealth encryption mode, the ransomware decouples encryption from file renaming, which is less likely to trigger alarms because file I/O patterns mimic normal system behavior. Even if security software reacts at the start of the first phase, on the second pass, the entire targeted dataset will have been already encrypted as explained here.

Therefore, you need both an anti-virus and an effective anti-malware solution with real-time protection for maximum protection. However, there can be some overlap in functionality and detection features depending on the program's scanning engine, how the vendor defines a specific threat and what Malware Naming Standards are used.

Since no single product is 100% foolproof, it is recommended to supplement your anti-virus by using other trustworthy security tools to perform second opinion scans.

 

Just like with anti-virus programs...There is no universal "one size fits all" solution that works for everyone and there is no single best anti-malware. Every security vendor's lab uses different scanning engines and different detection methods. Each has its own strengths and weaknesses and they often use a mix of technologies to detect and remove malware. You may need to experiment and find the one most suitable for your needs.

 

Many security experts recommend Malwarebytes which can serve as an adjunct anti-malware solution to complement and strengthen your protection when utilizing a traditional anti-virus solution. Instructions for running a scan are listed near the bottom of this topic.

 

When scanning for malware, keep in mind that security vendors use different scanning engines and different detection methods such as Heuristic Analysis, Behavior-based Analysis, Sandboxing and Signature file detection (containing the binary patterns of known virus signatures) which can account for discrepancies in scanning outcomes.

Discrepancies in scanning outcomes can also lead to false positive detections.

The consensus among most experts is that if 90%+ of the results of an online file analysis (e.g. VirusTotal, Jotti's virusscan, MetaDefender, Hybrid-Analysis) indicate a file submission is clean, then you can disregard the other detection(s) as a false positive...especially if the detection is more generic, suspicious, potentially unwanted (PUPs) and/or was made by any of the lesser known security vendors. This is typically due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware.

Further, each vendor uses their own naming conventions to identify various types of ransomware / malware detections so it's sometimes difficult to determine exactly what has been detected or the nature of the threat/infection. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is...all of which can be renamed at any given time. Since there is no universal naming standard, all this leads to confusion by the end user and those attempting to provide assistance.

NOTE: Using Multiple Anti-Malware products:

As a general rule, using more than one anti-malware program like Malwarebytes, SuperAntispyware, Emsisoft Emergency Kit, Zemana AntiMalware, etc. will not conflict with each other or your anti-virus if using only one of them for real-time protection and the others as stand-alone on demand scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. Using different signature databases will aid in detection and removal of more threats when scanning your system for malware.
 

If using multiple anti-malware real-time resident shields together at the same time, there can be conflicts as a result of the overlap in protection. These conflicts are typical when similar applications try to compete for resources and exclusive rights to perform an action. They may identify the activity of each other as suspicious and produce alerts. Further, your anti-virus may detect suspicious activity while anti-malware programs are scanning (reading) files, especially if it uses a heuristic scanning engine, regardless if they are running in real-time or on demand. The anti-virus may even detect as threats, any malware removed by these programs and placed into quarantined areas. This can lead to a repetitive cycle of endless alerts or false alarms that continually warn a threat has been found if the contents of the quarantine folder are not removed before beginning a new security scan. Generally these conflicts are more of an annoyance rather than the significant conflicts which occur when running two anti-virus programs in real time.

 

 

 

IMPORTANT NOTE: Keep in mind that some security researchers have advised not to use multiple anti-exploit applications because using more than one of them at the same time can hamper the effectiveness of Return-oriented programming (ROP) and other exploit checks. This in turn can result in the system becoming even more vulnerable than if only one anti-exploit application is running. In some cases multiple tools can cause interference with each other and program crashes.

While you should use an antivirus (even just the Windows Defender tool built into Windows 10, 8.1, and 8) as well as an anti-exploit program, you shouldn't use multiple anti-exploit programs...These types of tools could potentially interfere with each other in ways that cause applications to crash or just be unprotected, too.

How-To Geek on Anti-exploit programs

ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing. It is an effective code reuse attack since it is among the most popular exploitation techniques used by attackers and there are few practical defenses that are able to stop such attacks without access to source code. Address Space Layout Randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. These security technologies are intended to mitigate (reduce) the effectiveness of exploit attempts.

 

Many advanced exploits rely on ROP and ASLR as attack vectors used to defeat security defenses and execute malicious code on the system. For example, they can be used to bypass DEP (data execution prevention) which is used to stop buffer overflows and memory corruption exploits. Tools with ROP and ASLR protection such as Microsoft's Enhanced Mitigation Experience Toolkit (EMET) use technology that checks each critical function call to determine if it's legitimate (if those features are enabled).

As such, users need to know and understand the protection features of any anti-exploit/anti-ransomware program they are considering using.

 

 

 

List of Free Scan & Disinfection Tools which can be used to supplement your anti-virus and anti-malware or get a second opinion:

Some of these tools are stand-alone applications contained within zipped files...meaning they require no installation so after extraction, they can be copied to and run from usb drives.

Microsoft Defender Offline is an option for those using Microsoft Defender Antivirus since it lets you run a scan from outside the normal operating system (Windows kernel) so it can target malware that attempts to bypass the Windows shell. Microsoft Defender Offline can be run automatically or you can manually ask to perform an offline scan with one click directly from Microsoft Defender Antivirus. This feature works identically to previous versions of Windows Defender Offline without having to download the stand-alone version.

You can always supplement your anti-virus or get a second opinion by performing an Online Virus Scan.

List of Anti-virus vendors that offer free LiveCD/Rescue CD utilities

 

Updated: 07/06/25


Edited by quietman7, 06 July 2025 - 03:22 PM.

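The post above covers two things a user can check for themselves on Windows 10/11 without installing a second anti-exploit tool: the built-in DEP/ASLR/CFG mitigations that EMET's successor (Exploit Protection) applies per application, and Defender's own detection history before deciding whether a second-opinion or offline scan is warranted. The script below is an added example (not from quietman7's post and not a Microsoft sample); the executable names are illustrative and should be adjusted to what is installed. Run it from an elevated prompt; the Defender Offline line is left commented because it reboots the machine.

```powershell
# Added example, not from the original post. Windows 10 1709+ / Windows 11, elevated.
# The executable names below are examples of commonly targeted applications
# (browsers, PDF reader, Office); edit the list to match what is installed.
$targets = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'AcroRd32.exe',
           'WINWORD.EXE', 'EXCEL.EXE', 'OUTLOOK.EXE'

# 1. System-wide defaults for DEP, ASLR and Control Flow Guard.
'== System-wide exploit mitigations =='
Get-ProcessMitigation -System

# 2. Per-application view, then conservative enforcement.
#    BottomUp/HighEntropy/ForceRelocateImages are the ASLR pieces that keep ROP
#    gadget addresses unpredictable; DEP stops injected data from executing; CFG
#    validates indirect calls. Overrides are stored per executable name.
foreach ($exe in $targets) {
    "== $exe (before) =="
    Get-ProcessMitigation -Name $exe
    Set-ProcessMitigation -Name $exe -Enable DEP, BottomUp, HighEntropy, ForceRelocateImages, CFG
    "== $exe (after) =="
    Get-ProcessMitigation -Name $exe
}

# 3. What Defender has already detected and whether its action succeeded.
'== Recent Defender detections =='
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ProcessName, ThreatID, ActionSuccess, Resources |
    Format-List

# Anything still flagged active is the case for a second opinion / offline scan.
'== Threats Defender still considers active =='
Get-MpThreat | Where-Object IsActive | Select-Object ThreatName, SeverityID, IsActive

# 4. Second opinion from outside the running OS (Microsoft Defender Offline).
#    Uncomment to use: it saves state and reboots into the offline scanner.
# Start-MpWDOScan
```

If an application misbehaves after enforcement (some older PDF readers and plug-in hosts do not tolerate ForceRelocateImages), revert just that mitigation for that executable with Set-ProcessMitigation -Name <exe> -Disable ForceRelocateImages rather than turning off exploit protection system-wide.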


#5 quietman7

Posted 15 November 2011 - 08:19 AM

Choosing a Firewall: Is Windows Built-in Good Enough?

Choosing a firewall is a matter of personal preference, your needs, your technical ability/experience, features offered, user friendliness, ease of updating, ease of installation/removal, availability of quality/prompt technical support from the vendor and price. Other factors to consider include effectiveness, the amount of resources it utilizes, how it may affect system performance and what will work best for your system. A particular firewall that works well for one person may not work as well for another. There is no universal "one size fits all" solution that works for everyone. You may need to experiment and find the one most suitable for your use and your system. For more specific information to consider, please read:

While some folks believe they need a separate, independent Firewall, there is always the option to just use Windows built-in Firewall. Most concerns you may have heard or read about the Windows Firewall were in the XP operating system so many users were advised to use third-party alternatives. Microsoft significantly improved the firewall to address these concerns in Vista and then added more improvements in Windows 7/8/10/11.

Best practices for configuring Windows 10/11 Firewall
How to configure Windows Firewall in Windows 11/10
Adjust (Configure) Windows 10 Firewall Rules & Settings

In Windows 10, the Windows Firewall hasn’t changed very much since Vista. Overall, it’s pretty much the same. Inbound connections to programs are blocked unless they are on the allowed list. Outbound connections are not blocked if they do not match a rule. You also have a Public and Private network profile for the firewall and can control exactly which program can communicate on the private network as opposed to the Internet.

 
Quick History of Windows Firewall
 
Windows Vista Firewall offered two-way filtering for better security than it did in XP but it was still limited. The firewall is combined with IPsec, turned on by default and set to a basic configuration that works in tandem with the Windows Service Hardening feature. If the firewall detects activity that it considers prohibited behavior according to Service Hardening's preset rules, the firewall will block the suspicious activity. Another feature in the Vista firewall is that it can set rules based on three different types of networks using the Rules Wizard so creating firewall rules is much simpler.

By default, most (not all) outbound filtering is turned off (outbound connections are allowed) and inbound filtering is turned on (inbound connections are blocked/not allowed). Why? This is what Microsoft has to say:

Matt Parretta, a former spokesperson for Microsoft's PR agency, Waggener Edstrom, offered this defense: "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network. After they upgrade to Windows Vista or purchase a new PC with that OS, they will be prompted on the first launch of every application that touches the network: Instant Messaging, IE, e-mail, Windows Media, iTunes, every self-updating app such as Adobe, and so on. Unless they click 'allow', the app will be broken and won't function properly. The out of box experience would be poor, and they would soon be desensitized to the prompts."

Although most outbound filtering is disabled, Vista’s firewall does provide limited outbound filtering which users may not be aware of as it is essentially invisible.

Jason Leznek, Microsoft senior product manager, told Computerworld that outbound filtering rules "are enabled by default for core Windows services as part of Windows Service Hardening, which enables the firewall to understand specific behaviors Windows services should have, and block them if they are doing something unexpected (ie, via an exploited vulnerability). Windows Firewall also protects the computer by blocking certain outgoing messages to help prevent the computer against certain port scanning attacks."

Outbound filtering can be configured to provide an additional layer of security and it does provide corporate and business administrators control over applications (e.g. peer-to-peer file sharing) they may want to restrict. Any such applications that require outbound access must be added to the rules list by using the firewall with the Advanced Security Microsoft Management Console (MMC). Configuration may be confusing for some and there is no practical way to configure outbound filtering to stop all unwanted outbound connections. Inbound filtering can be turned on or off through various tabs and configuration settings.

For more specific information about configuration and security, please refer to these articles:

Windows 7 Firewall was similar to Vista and also offers two-way filtering for inbound and outbound traffic. However, Windows 7 adds a few new features in the firewall and related network-safety areas such as separate configuration settings for private (Home or Work) and public networks. What's new in the Windows 7 Firewall? 

The Vista firewall was built on a new Windows Filtering Platform (WFP) and added the ability to filter outbound traffic via the Advanced Security MMC snap-in. With Windows 7, Microsoft has tweaked the firewall further and made it much more useable, especially on mobile computers, by adding support for multiple active firewall policies.

The Windows 7 Firewall refines the much-improved firewall that was included in Windows Vista, and brings its "hidden" advanced features out into the open. Many users, including some IT professionals, were unaware that you could filter outbound traffic, monitor and otherwise perform advanced configuration tasks for the Vista firewall, because none of that was apparent from the Firewall applet in Control Panel. With Windows 7, Microsoft has created a built-in host firewall that is much more functional than its predecessors and now poses a viable alternative to third party host firewall products.

As with Vista, the basic settings for the Windows 7 firewall are accessed via the Control Panel applet. Unlike Vista, you can also access the advanced settings (including configuration of filtering for outbound connections) through the Control Panel instead of having to create an empty MMC and add a snap-in...

The Vista firewall allows you to choose whether you are on a public or private network. With Windows 7, you have three choices - public network, home network or work network. The two latter options are treated as private networks...With All-Network types, by default the Windows 7 firewall blocks connections to programs that are not on the list of allowed programs. Windows 7 allows you to configure the settings for each network type separately,...

 
Windows 8/10/11 also comes with a built-in Microsoft Windows Firewall that is similar to the one found in Windows 7 and includes even more advanced features.

Windows Firewall Tools which can be used to extend the default Windows firewall behavior and used for quick access to define rules and configure the most frequently used options.

IMPORTANT NOTE: Using more than one software firewall on a single computer is not advisable. Why? Using two firewalls could cause issues with connectivity to the Internet or other unexpected behavior. Further, running multiple software firewalls can cause conflicts that are hard to identify and troubleshoot. Only one of the firewalls can receive the packets over the network and process them. Sometimes you may even have a conflict that causes neither firewall to protect your connection. However, you can use a hardware-based firewall (a router) and a software firewall (e.g. Kerio, ZoneAlarm, Comodo, etc) in conjunction.

 

Updated: 03/01/25


Edited by quietman7, 01 March 2025 - 03:53 PM.

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITEUnified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
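As an added illustration (not part of quietman7's post), the following PowerShell session shows the profile defaults described above (inbound blocked, outbound allowed, separate Domain/Private/Public profiles) and adds one narrowly scoped outbound block rule for a single program. It assumes Windows 8 or later with the built-in NetSecurity module and an elevated prompt; the program path and rule name are made-up placeholders.

```powershell
# Added example, not from the original post. Requires an elevated prompt.
# Assumptions: NetSecurity module present (Windows 8+ / Server 2012+);
# 'C:\Tools\p2pclient.exe' and the rule name are hypothetical placeholders.
#Requires -RunAsAdministrator
Import-Module NetSecurity

# 1. Show the per-profile defaults. Each profile (Domain, Private, Public)
#    carries its own Enabled / DefaultInboundAction / DefaultOutboundAction.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Make sure all three profiles are on and keep the documented defaults:
#    unsolicited inbound connections blocked, outbound allowed unless a rule says otherwise.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Restrict one program's outbound traffic on the Public profile only
#    (the kind of per-application control the post mentions for peer-to-peer tools).
$ruleName = 'Block outbound - p2pclient (Public)'   # placeholder name
$program  = 'C:\Tools\p2pclient.exe'                # placeholder path

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Profile Public `
        -Program $program -Enabled True | Out-Null
}

# 4. Verify the rule's direction, action and profile before relying on it.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile

# 5. Audit every enabled outbound Block rule. This is the "limited outbound
#    filtering" that exists even though the outbound default is Allow.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName
```

Step 5 is the useful habit: because outbound traffic is allowed by default, the only outbound restrictions in force are the explicit Block rules, so listing them is the quickest way to see what the host firewall actually stops on the way out.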


#6 quietman7
Global Moderator

Posted 18 February 2012 - 08:41 AM

Understanding virus names and Naming Standards - Malware Naming Conventions
 

In 1991 the Computer Antivirus Research Organization (CARO) Malware Naming Convention made an attempt to streamline malware naming but it quickly became outdated as the threat landscape changed. The antivirus and security industry modified CARO's naming convention to their own needs but the purpose of naming shifted from identification to detection.

 

As such, each security vendor uses their own naming conventions to identify various types of ransomware / malware detections so it's sometimes difficult to determine exactly what has been detected or the nature of the threat/infection. Names are created for in-the-wild malware which has been released to infect computers, non-wild ("Zoo" viruses and worms) created by labs and anti-virus vendors to test their ability to detect new threats, proof-of-concept viruses created by ethical groups, generic malware and zero-day malware...all of which can be renamed at any given time. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is. Since there are no universal naming standards, all this leads to confusion by the end user and those attempting to provide assistance.

The term "malware" itself has become a general catch-all category (umbrella term) which encompasses many different types of malicious programs. Since there is no universal naming standard you will get a wide array of answers for the definition. Names with Generic or Patched are also a very broad category. For example, a Generic detection is a type of detection used by anti-virus and anti-malware programs to identify files with malicious characteristics...meaning they have features or behaviors similar to known malware or possible new malware. Thus, a generic detection does not necessarily always mean the file is malicious.

 

Further, security vendors use different scanning engines and different detection methods such as Heuristic Analysis, Behavior-based Analysis, Sandboxing and Signature file detection (containing the binary patterns of known virus signatures) which can account for discrepancies in scanning outcomes.


 

Glossary of Malware Related Terms

What is Malware?
What is Spyware?
What is Adware?
What is a Virus?
What is a File infecting virus?
What is a Boot sector virus?
What is a Polymorphic virus?
What is a Script (Macro) virus?
What is a Worm?
What is a Trojan Horse?
What is a Backdoor Trojan?
What is a Remote Access Trojan (RAT)?
What is a Banking Trojan?
What Is A Rootkit?
What is Ransomware?
What is Rogue software?
What is a Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA)?
What is a Drive-by download?
What is an Exploit kit?
What is a Spyware Dialer?
What is a Botnet?
What is an IRCBot?
What is a Clickbot?

For information about malware attack vectors, please read:

 

 


Who Writes Malicious Programs and Why?

Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Most malware writers and cyber-criminals today treat it as a business venture for financial gain while "script kiddies" typically do it for the thrill and boosting a reputation as being a hacker among their peers. Below are a few articles which attempt to explain who these individuals are and why they do what they do.

Updated: 12/15/25


Edited by quietman7, 15 December 2025 - 05:10 PM.

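Because every vendor lays detection names out differently, it helps to know what the parts of a name mean when triaging an alert. The PowerShell function below is an added example, not part of quietman7's post, and it assumes one specific convention: Microsoft's documented Type:Platform/Family.Variant!Suffix layout (for example Trojan:Win32/Family.A!ml). Names from other vendors that do not fit that layout are simply reported as unparsed, which is the point the post makes about the lack of a universal standard. The sample names at the bottom are constructed for illustration and do not refer to real families.

```powershell
# Added example, not from the original post.
# Assumes the Microsoft Defender naming layout Type:Platform/Family.Variant!Suffix.
# Other vendors use other layouts; those names come back as Type = 'unparsed'.
function ConvertFrom-DetectionName {
    param([Parameter(Mandatory)][string]$Name)

    $pattern = '^(?<Type>[^:/]+):(?<Platform>[^/]+)/(?<Family>[^.!]+)' +
               '(?:\.(?<Variant>[^!]+))?(?:!(?<Suffix>.+))?$'

    if ($Name -match $pattern) {
        [pscustomobject]@{
            Name     = $Name
            Type     = $Matches.Type        # Trojan, Worm, PUA, Ransom, ...
            Platform = $Matches.Platform    # Win32, Win64, Script, MSIL, ...
            Family   = $Matches.Family
            Variant  = $Matches.Variant     # $null when the name has no variant
            Suffix   = $Matches.Suffix      # e.g. 'ml' (machine-learning verdict)
            # Generic / Patched names describe characteristics, not a specific
            # family, so they deserve extra scrutiny rather than a firm verdict.
            Generic  = [bool]($Matches.Family -match '^(Generic|Patched)')
        }
    }
    else {
        [pscustomobject]@{
            Name = $Name; Type = 'unparsed'; Platform = $null; Family = $null
            Variant = $null; Suffix = $null; Generic = $null
        }
    }
}

# Constructed sample names (not real detections) showing the three outcomes:
# fully qualified, generic, and a layout this parser does not understand.
$samples = @(
    'Trojan:Win32/ExampleFam.A!ml',
    'PUA:Win32/ExampleBundler',
    'Trojan:Win32/Generic.B',
    'Gen:Variant.Example.1234'       # different vendor layout -> unparsed
)
$samples | ForEach-Object { ConvertFrom-DetectionName $_ } | Format-Table -AutoSize
```

When a name comes back as unparsed, the vendor's own encyclopedia is the right place to look it up; the same file will often carry a different name, and sometimes a different category, at each vendor.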


#7 quietman7
Global Moderator

Posted 27 September 2012 - 09:38 AM

Why you should not use Registry Cleaners and Optimization Tools

There are numerous programs which purport to improve system performance, make repairs and tune up a computer. Many of them include such features as a registry cleaner, registry optimizer, disk optimizer, etc. Some of these programs even incorporate optimization and registry cleaning features alongside anti-malware capabilities. These registry cleaners and optimizers claim to speed up your computer by finding and removing orphaned and corrupt registry entries that are responsible for slowing down system performance. There is no statistical evidence to back such claims. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potentially dangerous product. I would not trust any results such programs detect as problematic or needing repair nor recommend using the options to fix them.

 

Comparatives "Rogueware library" of useless, misleading or fraudulent, malicious software (the link to this quote has been removed).

Some "classic clean-up software" such as "Ccleaner" are classified as "Useless" in this database because the Windows registry does not need any maintenance except if you are victim of a malware infection and because tweaking the Windows registry does not speed up a computer at all. It does not mean that Cleaner and similar tools are not good for sweeping your harddrive and help to keep your privacy. Registry cleaners have become social engineering products (e.g. Iobit Advanced System Care, CCleaner, Wise Registry Cleaner, etc.) and paying for this particular function is just a waste of money.

Further, these types of junk optimization programs are often bundled with other software you download and most are considered Potentially Unwanted Programs (PUPs) so they may be detected or even removed by some security scanners which specifically look for PUPs and adware.

 

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

 

1. Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

2. Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Further, some vendors who offer registry cleaners use deceptive advertisements and claims which are borderline scams. They may alert you to finding thousands of registry errors which can only be fixed to improve performance if you use or buy their product.

3. Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

4. Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

5. The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Official Microsoft support policy for the use of registry cleaning utilities (KB2563254)

...Windows continually references the registry in the background and it is not designed to be accessed or edited. Some products such as registry cleaning utilities suggest that the registry needs regular maintenance or cleaning. However, serious issues can occur when you modify the registry incorrectly using these types of utilities. These issues might require users to reinstall the operating system due to instability. Microsoft cannot guarantee that these problems can be solved without a reinstallation of the Operating System as the extent of the changes made by registry cleaning utilities varies from application to application. A damaged Windows registry can exhibit a range of symptoms including excessive CPU utilization, longer startup and shutdown times, poor application functionality or random crashes or hangs. These random crashes and hangs can ultimately lead to data loss due to the system's inability to save data back to the storage location during the occurrence.

  • Microsoft does not support the use of registry cleaners...
  • Microsoft is not responsible for issues caused by using a registry cleaning utility. We strongly recommend that you only change values in the registry that you understand or have been instructed to change by a source you trust, and that you back up the registry before making any changes.
  • Microsoft cannot guarantee that problems resulting from the use of a registry cleaning utility can be solved. Issues caused by these utilities may not be repairable and lost data may not be recoverable.

Unless you have a particular problem that requires a specific registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly is dangerous and could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great. The major source of orphaned registry entries is poorly uninstalled programs so using a good uninstaller program is a much better way to keep the registry clean.

If you want to improve computer performance, please read: Slow Computer/Browser? Check here first; it may not be malware

Note: Driver Update utilities are just as bad as registry cleaners. Most are junk programs often bundled with other software you download from the Internet and many are classified/detected as potentially unwanted programs (PUPs) by security scanners.

 

Updated: 02/22/25


Edited by quietman7, 22 February 2025 - 08:10 AM.

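The post's one firm rule for anyone who does have to edit the registry is to back up first. The PowerShell function below is an added example, not part of quietman7's post or any Microsoft tool: it exports a single key to a timestamped .reg file using the built-in reg.exe and checks that the export is genuinely usable before you proceed. The backup folder name is a constructed placeholder; the Explorer key in the usage line is just an example of a key a user might be about to change.

```powershell
# Added example, not from the original post.
# Assumes reg.exe (built into Windows). Export a key to a timestamped .reg
# file and verify it, so a change can be rolled back with "reg import".
function Backup-RegistryKey {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # e.g. 'HKCU\Software\Example'
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'RegistryBackups')  # placeholder
    )

    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }

    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safeName = $KeyPath -replace '[\\:]', '_'          # make the key path file-name safe
    $file     = Join-Path $BackupDir "$safeName-$stamp.reg"

    # reg.exe export writes a UTF-16 .reg file; /y overwrites without prompting.
    & reg.exe export $KeyPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg export failed for $KeyPath (exit code $LASTEXITCODE)"
    }

    # Sanity check: a valid export begins with the Registry Editor header line.
    $header = Get-Content -LiteralPath $file -TotalCount 1
    if ($header -notmatch '^Windows Registry Editor') {
        throw "Unexpected contents in $file; do not rely on this backup"
    }

    Get-Item -LiteralPath $file
}

# Usage: snapshot the Explorer "Advanced" settings key before changing anything in it.
$backup = Backup-RegistryKey -KeyPath 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
"Backup written: $($backup.FullName) ($($backup.Length) bytes)"
# Roll back later with:  reg import "<path to the .reg file>"
```

For changes under HKLM, exporting the key is still worthwhile, but a System Restore point (Checkpoint-Computer from an elevated prompt) gives you a way back even if the machine no longer boots normally, which a .reg file alone does not.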


#8 quietman7
Global Moderator

Posted 07 June 2013 - 01:18 PM

I have been hacked...What should I do? - How Do I Handle Identity Theft, Scams and Internet Fraud

 

Since your account was compromised and if hackers have your email and/or password, you could become a victim of identity theft and fraud. As such, you should read the following in order to take precautions to protect yourself.

A great deal of hacking is the result of attackers using stolen (compromised) passwords obtained from online data breaches. Potential victims can check if they have an account that has been part of an online data breach by using these websites:

If your system was hacked, you should disconnect the computer from the Internet and from any networked computers until it is checked and cleaned of possible malware. There are various secondary opinion scanners which can be used to supplement your existing antivirus.

If you need individual assistance with malware removal or possible hacking, you should follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum for assistance by the Malware Response Team.

 

Note: There are no guarantees or shortcuts when it comes to malware removal. In some cases or when dealing with a severe malware infection it may be best to just reformat and reinstall the operating system. See When should I reformat?

 

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, taxes, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised.

If using a router, you also need to reset it with a strong logon/password before connecting again. Consult these links to find out the default username and password for your router, and write down that information so it is available when doing the reset:

These are general instructions for how to reset a router:

  • Unplug or turn off your DSL/cable modem.
  • Locate the router's reset button.
  • Press, and hold, the Reset button down for 30 seconds.
  • Wait for the Power, WLAN and Internet light to turn on (On the router).
  • Plug in or turn on your modem (if it is separate from the router).
  • Open your web browser to see if you have an Internet connection.
  • If you don't have an Internet connection you may need to restart your computer.

For more specific information on your particular model, check the owner's manual. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference.

Banking and credit card institutions should be notified immediately of the possible security breach. You should file a report with the FBI and your local law enforcement agency which most likely will have a Cyber Unit specializing in tracking down hackers and prosecuting them. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

If you were the victim of Internet/Phone fraud or a scam, you should also file a report.

For more detailed instructions as to what you should do, please read:

Reporting Fraud, Phishing & Extortion Scams:

Reporting Phone and Tech Support Scams:

Reporting Internet Fraud and Identity Theft:

Note: Below are resources for determining if you have been hacked and how to identify the attacker. While these are suggestions you can try, it is strongly recommended to allow law enforcement authorities to conduct the investigation if the hacking is confirmed and you have been the victim of fraudulent financial transactions or stolen funds...they have the resources and expertise to identify hackers and prosecute them.

How to Tell if someone has accessed your computer:

Investigating Hacking:

Note: If your computer was compromised also be sure to read: There are no guarantees or shortcuts when it comes to malware removal - When should I reformat? (Post #21)

 

Updated: 05/28/25




#9 quietman7
Global Moderator

Posted 22 October 2013 - 10:13 AM

What is a Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA)?

 

Potentially Unwanted Program (PUP) and Potentially Unwanted Applications (PUA) are very broad threat categories which can encompass any number of different programs to include those which are benign as well as problematic. Thus, this type of detection does not always necessarily mean the file is malicious or a bad program. PUPs in and of themselves are not always bad...many are generally known, non-malicious but unwanted software usually containing adware or bundled with other free third-party software as a common practice by legitimate vendors to include unwanted toolbars, add-ons/plug-ins, browser extensions, browser helper objects (BHOs), pop-up ads and browser hijackers. The term PUA can also refer to an application that has a poor reputation as assessed by Microsoft Defender Antivirus PUA protection due to certain kinds of undesirable behavior.

 

PUPs are considered unwanted because they can cause undesirable system performance or other problems. PUPs are sometimes bundled and installed without the user's consent since they are often included when downloading legitimate programs. Some users intentionally install programs with PUP characteristics because they are willing to trade off the undesirable effects for the benefits provided by using them.

 
When a vendor includes bundled software, they do so as a way to "pay per install" and recoup associated business costs. This practice is now the most common revenue generator for free downloads and is typically the reason for the pre-checked option. If pre-checked by default, that means you need to uncheck that option during installation if you don't want it. If you install too fast, you most likely will miss the "opt out" option and end up with software you do not want or need. Even if advised of a toolbar or Add-on, many folks do not know that it is optional and not necessary to install in order to operate the program. Since this sometimes occurs without your knowledge, folks are often left scratching their heads and asking "how did this get on my computer."
 
Some programs falling into the PUP category have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Since PUP detections do not necessarily mean the file is malicious or a bad program, in some cases the detection may be a "false positive". Anti-virus/Anti-Malware scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Usually, if you installed or recognize the program and it is not causing any issues, you can ignore the detection or add it to its exclusion list. If not or you downloaded it from an untrusted site, then you need to investigate further. If a particular program you recognize and want to keep is detected as a PUP by a security scanner, it usually can be restored from quarantine and added to the exclusion or ignore list.
 
PUPs may also be defined somewhat differently by various anti-virus and security vendors, and may or may not be detected/removed based on that definition. That fact adds to confusion and a lot of complaints from folks asking why a detection was made or not made on a particular program. Some anti-virus vendors are much more aggressive than others in their detection methodology in most cases to protect the end user who may not be too security-minded. For example, Malwarebytes has an aggressive PUP Policy and has even taken a tougher stance against PUPs...see here.

Potentially Unwanted Application (PUA) (like a potentially unwanted program (PUP)) is a broad category of software and many of these programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. PUAs do not fall into the same categories as viruses, Trojans, worms, rootkits and bots. That is the primary reason some anti-virus programs do not detect or remove them. Since PUA detections do not necessarily mean the file is malicious or a bad program, in some cases the detection may be a "false positive". Anti-virus/Anti-Malware scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Usually, if you installed or recognize the program and it is not causing any issues, you can ignore the detection or add it to its exclusion list. If not or you downloaded it from an untrusted site, then you need to investigate further.
 
PUAs may also be defined somewhat differently by various anti-virus and security vendors, and may or may not be detected/removed based on that definition. Again, some anti-virus vendors are much more aggressive than others in their detection methodology in most cases to protect the end user who may not be too security-minded.

 

Potentially Unwanted Modification (PUM) is a possible unwanted change made to a computer's registry or settings at the system level. PUMs are considered "potentially unwanted" (not necessarily malicious) because the security program making the detection cannot determine if the modification was set by the user, an administrator, a legitimate program or by malware. Potentially Unwanted Modification detections are not false positives or actual infections but rather settings which you may or may not have made. Some anti-virus and security tools will scan and flag certain registry key modifications (i.e. StartMenu, Desktop, SecurityCenter, HomePageControl, NewStartPanel, Internet Explorer HomePage/StartPage, SearchPage (SearchScopes), etc. and various other Windows registry policies) but cannot determine if they were made intentionally and who or what made the changes. Since that is the case, the tool may flag these changes to ensure the user is aware of the modification(s). If you did not make the change, then most likely it was made by some type of potentially unwanted program. In most cases if you made the modification and recognize the PUM, you can ignore the detection. If you don't recognize the detection, then you may need to investigate further as to what or who made the modification(s).

 

You may also want to read Understanding virus names and Naming Standards - Malware Naming Conventions (Post #6).

 

 
 
About those Toolbars and Add-ons which change your browser settings

 

Many programs, toolbars, add-ons/plug-ins, and browser extensions come bundled with other free third-party software you download from the Internet (often without the knowledge or consent of the user). In some cases, they may be included in Installers or Downloaders found at hosting sites such as CNET, Download.com, BrotherSoft, Softonic, FreewareFiles and Tucows. These bundled packages, installers and downloaders can often be the source of various issues and problems to include Adware, pop-up ads, browser hijacking which may change your home page and search engine, and cause user profile corruption. As such, they are typically classified as Potentially Unwanted Programs (PUPs).

 

When a vendor includes bundled software, they do so as a way to "pay per install" and recoup associated business costs. This practice is now the most common revenue generator for free downloads and is typically the reason for the pre-checked option. If pre-checked by default, that means you need to uncheck that option during installation if you don't want it. If you install too fast, you most likely will miss the "opt out" option and end up with software you do not want or need. However, in some cases, this opting out does not always seem to work as intended.

 

Encountering the Wild PUP

Sometimes, PUPs will just naturally be bundled into pseudo-legitimate applications and you won’t even get the option to not install it.

Even if advised of a toolbar or Add-on, many folks do not know that it is optional and not necessary to install in order to operate the program. Since this sometimes occurs without your knowledge, folks are often left scratching their heads and asking "how did this get on my computer."

Regardless of where you go to download software, you always have to be careful with deceptive download links. Clicking on the incorrect link may redirect to another download site which uses heavy and confusing advertising with more download links. On almost every site, including safe software download sites, you may encounter an obtrusive green "Download Now" button as a type of advertisement. These button ads come from third party ad networks and work well because many users are capricious by nature. Clicking on one of these "Download Now" buttons (thinking it's the one you want) often results in downloading a program the user did not intend to download.
 

Folks need to take some personal responsibility and educate themselves about the practice of bundling software.

Toolbars, add-ons and bundled software can install themselves in various areas of your operating system to include your browser and Windows Registry. Since some of their components and behavior are determined to be harmful, some anti-virus and anti-malware tools may detect them as Potentially Unwanted Programs (PUPs) and/or Potentially Unwanted Applications (PUAs) which do not fall in the same category as malicious files such as viruses, Trojans, worms, rootkits and bots.
 

Again keep in mind that not all toolbars and add-ons/plug-ins are bad. Many of them also come bundled with other free software as a common practice by legitimate vendors. Even Anti-virus and security vendors bundle toolbars and other software with their products as a cost recoup measure. In fact, all free Anti-virus programs now come with toolbars or other bundled software except Bitdefender Free...see Has the antivirus industry gone mad?!

Downloading TIPs - Best practices:
1. Always try to download software directly from the vendor's official home site. Look for and read the End User's License Agreement (EULA) carefully as well as any other related documentation.

2. Sometimes looking at the name of the setup file before saving it to your hard drive will give a clue to what you are actually downloading so you can cancel out of it. If the file name does not appear correctly, do not proceed. This is especially important when using third-party hosting sites which are known to use special installers which bundle other software. Some third-party hosting sites like CNET.com publish a Software bundling Policy which you should always read.

:step3: Take your time during the installation of any program and read everything on the screen before clicking that "Install" or "Next" button.

:step4: Turn on file extensions in Windows so that you can see extensions. Ransomware disguises .exe files as fake PDF files with a PDF icon inside a .zip file attached to the email. Since Microsoft does not show extensions by default, they look like normal PDF files and people routinely open them. A common tactic of malware writers is to disguise malicious files by hiding the file extension or by adding double file extensions and/or extra space(s) to the existing extension, so be sure you look closely at the full file name.

 

:step5: If you must use CNET or similar sites, check the digital signature of the .exe file you download for validity and who actually signed it. Doing that will let you know if the file has been changed.

:step6: TIP: Open your browser, go to View > Toolbars and check the Status Bar box (Internet Explorer) or Add-on bar (Firefox). If you place your cursor over a link, the actual URL address will show up in the Status Bar or Add-on bar at the bottom of the browser window.

:step7: TIP: When searching for free software, visit the vendor's website and look for a "slim" or "zipped" version of the product as they generally are stand-alone applications in a zipped version that do not bundle or install anything else.

As more and more legitimate vendors are bundling software to recoup business expenses, folks need to take some personal responsibility and educate themselves about this practice.


TOOLBAR & ADD-ON REMOVAL TIPS:

Many toolbars and Add-ons can be removed from within their program group Uninstall shortcut in Start Menu > All Programs or by using Apps & features in Windows 10/11 or Programs and Features in Control Panel, so always check there first. With most adware/junkware it is strongly recommended to deal with it like a legitimate program and uninstall from Apps & features, Programs and Features or Add/Remove Programs in the Control Panel. In most cases, using the uninstaller of the adware not only removes it more effectively, but it also restores any changed configuration.

Alternatively, you can use a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo will do a more thorough job of searching for and removing related registry entries, files and folders.

In some cases you may need to reset or restore all browser settings.

Note: Resetting browser settings is not reversible. After a reset, all previous settings are lost and cannot be recovered. All add-ons and customizations are deleted, and you basically start with a fresh version of your browser.

Uninstalling and reinstalling your browser may not resolve all issues related to toolbars and add-ons. Why? Uninstalling does not completely remove all files and folders. User Profiles are generally not removed during a typical uninstall. Thus, reinstalling does not change the existing User Profile where some browser settings may have been modified so they are automatically restored after the reinstall. That means you may still have some symptoms of browser hijacking afterwards. Another solution is to just create a new user profile and delete the old one. 

 

After performing the above steps...you can run additional scans with programs like Malwarebytes Anti-Malware, Microsoft Defender Offline, Emsisoft Emergency Kit, Microsoft Safety Scanner (MSERT) and AdwCleaner to fix any remaining entries they may find. These tools will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants. They also remove related files and folders wherever they hide...to include those within the AppData folder and elsewhere.

 

Updated: 05/15/25


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE (Unified Network of Instructors and Trusted Eliminators)
Retired Police Officer, Federal Agent and Coast Guard Chief


#10 quietman7

Posted 19 February 2014 - 05:26 PM

Push Notifications: A Growing Threat to Browsers & Mobile Devices
 
Web Push Notification is an optional feature that allows websites to send messages (notifications) to users even when the site is not loaded via a web browser. Mobile push notifications are sent to smartphone users via a mobile app. These Push Notifications serve as a communication channel enabling companies to send messages, offers or other information to their customers (subscribers) without their request. Subscribers can be anywhere on the browser and still receive these messages as long as they are online or have their browsers open on their devices. The notifications are displayed outside the web page...allowing web apps to send information to a user even if the application is idle or in the background. Push Notifications are not the same as a pop-up, which is a new browser window or tab, but folks complain they are annoying and aggressive.

 

These articles provide a history of how Push Notifications evolved and how they work. The second link was shared with me by Rob Koch, a Volunteer Moderator Colleague at Microsoft Community.

Dubious websites are exploiting push notification functionality to serve ads, malware, or phish users' credentials. Criminals and other threat actors are increasingly abusing push notifications to impersonate legitimate alerts. Push notifications often employ social engineering tactics as a way to instill fear into users by warning about virus infections or problematic issues with their devices. Some threat actors are increasingly abusing push notifications meant to trick users into installing malicious Apps. There are reports that even government agencies are using push notifications to spy on their citizens. As such, folks should be selective about which websites they visit and the notifications they allow.

In some cases, the alerts and warnings indicating your computer has been infected by a virus are related to Spam Push Notifications that pretend to be from fake or well known antivirus companies such as McAfee, Norton, Trend Micro, Microsoft Defender, Avast, Avira and Panda.

 

The alerts may say "Warning! Virus Detected", "Call virus removal tech support", "Critical virus alert!!!", "Windows Defender has temporarily disabled your Internet connection and computer for suspicious activity", "System Error...To Remove Virus, Click Here" or similarly worded warnings. Although the alerts look like and act like malware, they aren't, but they do try to trick you into thinking that an antivirus scan has detected viruses on your device, as explained in these examples.

“Warning! Virus Detected” pop-up push notification
"WARNING!
Virus Detected
Protect your personal and financial information
Call virus removal tech support
Critical virus alert ! ! !
Enable virus protection"


“Viruses Detected (5)” pop-up push notification
"Viruses Detected (5)!
Drive (C:) is infected with
TROJAN
Click here to resolve issue.
McAfee : system files damaged
TROJAN detected. Click here to remove"


Fake Antivirus Pop-Ups vs. Real Security Alerts: How to Tell the Difference

Fighting notification spam in Microsoft Edge

 

Note: Use of Ad Blockers will not stop push notifications. In fact they just refer you to instructions on how to disable them in various browsers.

How to Disable Push Notifications

How to Enable or Disable Push Notifications on a Mobile Device


Edited by quietman7, 27 July 2025 - 05:12 PM.



#11 quietman7

Posted 23 February 2014 - 08:20 PM

Keygens, Cracks, Warez, Pirated Software, Torrents and File Sharing (P2P) are a Security Risk
 
The practice of using pirated software, fake/illegal activators for Windows & Office, warez, torrents, keygens and other cracked software is not only considered illegal activity in many countries but it is a serious security risk (unsafe practice) which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, identity theft and ransomware resulting in the encryption of all your most valuable data, in many cases beyond recovery. That means your personal data (documents, pictures, videos) may be lost forever.

:step1: Keygens, Cracks, Warez, and Pirated Software

Of six counterfeit Microsoft Office disks tested, they found that five were infected with malware. Of the twelve counterfeit Windows disks tested, they found that six could not install and run, and so could not be tested. They were duds!

Of the six counterfeit Windows disks that could run and be tested successfully:
* Two were infected with malware;
* 100% of the six copies had Windows Update disabled;
* 100% of the six copies had the Windows Firewall rules changed.

In total, of the twelve counterfeit software copies that could be installed successfully (six Office and six Windows) and tested:
* Seven copies (58%) were infected with malware
* A total of 20 instances of six different types of malware code found

The Hidden Risks of Using Pirated Software

Recent research shows that websites and programs related to software piracy are likely to be infected with malware due to the way they are distributed...over 50% of all pirated files are infected with malware that are constantly repacked to evade even the most up-to-date anti-virus programs. Software piracy acts as a gateway for cybercriminals to infect computers, leaving individuals and their personal data vulnerable to malware infection.

File Sharing, Piracy, and Malware

...pirated software and cracks — programs designed to generate product keys or serial numbers for popular software and games — are almost always bundled with some kind of malware...downloading pirated software and software cracks is among the fastest and likeliest ways to infect your computer with something that ultimately hands control over of your PC to someone else.

Software Cracks: A Great Way to Infect Your PC

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

TrendMicro Warning

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

* IDC study on The Dangers of Counterfeit Software
* IDC White paper: The Dangerous World of Counterfeit and Pirated Software
* Software Piracy on the Internet: A Threat To Your Security
* File Sharing, Piracy, and Malware
* Pirated software carries malware payload that can cost billions

When you use these kinds of programs, be forewarned that some of the most aggressive types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not always possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Using these types of programs or the websites visited to get them is almost a guaranteed way to get your system infected!!
:step2: File Sharing, Torrents, and Peer-to-Peer (P2P) Programs

File sharing networks/torrent sites are thoroughly infested with malware according to security firm Norman ASA and many of them are unsafe to visit or use. The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge.

...It is almost never safe to download executable programs from peer-to-peer file sharing networks because they are a major source of malware infections.

Software Cracks: A Great Way to Infect Your PC
 
Some file sharing programs are bundled with other free software that you may download (sometimes without the knowledge or consent of the user) and can be the source of various issues and problems to include Adware, Potentially Unwanted Programs (PUPs), and browser hijackers as well as dangerous malware. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. Many malicious worms and Trojans, such as the Storm Worm, have targeted and spread across P2P file sharing networks because of their known vulnerabilities.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. Some P2P programs are also configured to allow other P2P users on the same network open access to a shared directory on your computer by default. If your P2P program is not configured correctly, you may be sharing more files than you realize. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat by hiding a file extension or by adding double file extensions and/or extra space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension. The best way to eliminate these risks is to avoid using P2P applications and torrent web sites.

Many security forums ask members to remove P2P software before assisting them with malware disinfection. The nature of such software and the high incidence of infection or reinfection is counterproductive to restoring the computer to a healthy state...see here.

Using P2P programs, file sharing or browsing torrent sites is almost a guaranteed way to get your system infected!!

Updated: 05/15/25


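Step 4 of the downloading tips and the P2P section above both describe the same disguise: a decoy extension such as .pdf or .jpg placed in front of the real one, and padding spaces used to push the real extension out of view. The script below (an added example, not code from the original post) recovers what the operating system will actually use versus what a user sees with extensions hidden; the extension lists and sample names are constructed, and the right-to-left override check goes slightly beyond the post.

```python
"""Reveal the real extension of a downloaded file or e-mail attachment whose
name is disguised with a double extension or padding spaces.
Added example, not code from the original post; the extension lists and the
sample names below are constructed for illustration."""

# Extensions Windows runs directly when the file is opened (constructed, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "msi", "hta", "lnk", "ps1",
}
# Harmless-looking extensions commonly placed in front of the real one as a decoy.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip"}

RLO = "\u202e"  # Unicode right-to-left override: reverses how the rest of the name is drawn


def analyze_filename(name: str) -> dict:
    """Return what the user sees, what the OS actually uses, and why it looks disguised."""
    reasons = []
    # The OS decides the file type from the text after the LAST dot (trailing
    # whitespace ignored), so that is the "real" extension.
    stripped = name.rstrip()
    dot = stripped.rfind(".")
    real_ext = stripped[dot + 1:].strip().lower() if dot != -1 else ""
    stem = stripped[:dot] if dot != -1 else stripped

    # With "hide extensions for known file types" on, Explorer shows only the stem,
    # so a user sees "Invoice.pdf" for "Invoice.pdf.exe".
    shown_as = stem.rstrip()
    padded = stem != shown_as              # spaces inserted to push the real extension out of view
    vdot = shown_as.rfind(".")
    decoy_ext = shown_as[vdot + 1:].strip().lower() if vdot != -1 else ""

    is_exec = real_ext in EXECUTABLE_EXTENSIONS
    if is_exec and decoy_ext in DECOY_EXTENSIONS:
        reasons.append(f"double extension: '.{decoy_ext}' decoy in front of executable '.{real_ext}'")
    if is_exec and padded:
        reasons.append("padding spaces hide the real extension")
    if RLO in name:
        # Beyond the post: the override character makes the name display reversed.
        reasons.append("right-to-left override character alters how the name is displayed")

    return {
        "name": name,
        "shown_as": shown_as,
        "real_extension": real_ext,
        "is_executable": is_exec,
        "disguised": bool(reasons),
        "reasons": reasons,
    }


def find_disguised(names) -> list:
    """Names from a list (e.g. a zip listing or mail attachments) that look disguised."""
    return [n for n in names if analyze_filename(n)["disguised"]]


if __name__ == "__main__":
    # Constructed sample attachment names.
    SAMPLES = [
        "Invoice_2024.pdf",                        # genuine document
        "setup.exe",                               # executable, but not hiding it
        "Invoice_2024.pdf.exe",                    # double extension
        "Holiday_photo.jpg                 .scr",  # padding spaces plus decoy
        "report" + RLO + "fdp.exe",                # displays roughly as "report exe.pdf"
    ]
    for n in SAMPLES:
        r = analyze_filename(n)
        print(f"{r['shown_as']!r:40} real=.{r['real_extension'] or '-':4} "
              f"disguised={r['disguised']} {'; '.join(r['reasons'])}")
```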


#12 quietman7

Posted 20 December 2014 - 12:40 PM

What are Cookies and are they dangerous?

 

Cookies are NOT a "threat" in the typical sense we think of malware infection. As text files, cookies are inherently harmless and cannot be executed to cause any damage. Cookies do not cause any pop ups or install malware and they cannot erase or read information from a computer.

 

Cookies are text string messages given to a web browser by a web server. Whenever you visit a website or navigate different pages with your browser, the website generates a unique session ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server.

A cookie is essentially a piece of information that is added to a hard disk when a user visits a website...it is used to track and record their preferences as they use that website. The cookie can be retrieved later by websites and web servers to authenticate the user's identity, speed transactions, monitor user behavior, streamline user experiences, track personal information, auto-fill personal information on web forms and more.
 

Microsoft's Description of Cookies

A Cookie is a small text based file given to you by a visited website that helps identify you to that site. Cookies are used to maintain state information as you navigate different pages on a Web site or return to the Web site at a later time...

Cookies cannot be used to run code (run programs) or to deliver viruses to your computer. The purpose of a cookie is to tell the Web server that you have returned to a specific Web page.

Do cookies pose a security risk?

Cookies are short pieces of data used by web servers to help identify web users. The popular concepts and rumors about what a cookie can do have reached almost mystical proportions, frightening users and worrying their managers.

The primary purpose of cookies is to identify users and prepare customized web pages for them. There are two different types of cookies.

  • Persistent cookies are used to store information between visits to a site and collect identifying information about the user such as surfing behavior or preferences for a specific web site. Essentially, these cookies help websites remember you and your settings when you visit them again. Persistent cookies have expiration dates set by the Web server when it passes the cookie and are stored on a user's hard drive until they expire or are deleted.

  • Session cookies (transient or Non-persistent cookies) are used to temporarily hold information in the form of a session identification stored in memory as you browse web pages. These types of cookies are cached only while a user is visiting the Web server issuing the session cookie and are deleted from the cache when the user closes the session. Session cookies are not saved to the hard drive since they only last one session, do not collect any information and have no set expiration date.

Cookies can be categorized as:

  • Trusted cookies are from sites you trust, use often, and want to be able to identify and personalize content for you.
  • Nuisance cookies are from those sites you do not recognize or often use but somehow it's put a cookie on your machine.
  • Bad cookies (e.g. persistent cookies, long term and third party tracking cookies) are those that can be linked to an ad company or something that tracks your movements across the web.
The type of persistent cookie that is a cause for some concern are "tracking cookies" because they can be considered a privacy risk. These types of cookies are used to track your Web browsing habits...your movement from site to site. Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads that you have clicked on.
Because cookies are always sent back to the site that originated them, an advertiser's cookie will be sent back to them from every web site you visit that is also using that same advertiser. This allows the advertiser to track the sites you visit, and send targeted advertising based on the types of sites that you visit.
The Many Ways Websites Track You Online

 

Tracking is generally used by advertising networks to build up detailed profiles for pinpoint ad-targeting.
Fact: Cookies are Used by Advertisers to Track Sites You Visit
 
Cookies are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banner ads by saving (downloading) the cookie to your computer. Further, it is not uncommon for web pages to draw content from many different sources so it is not unusual for a single web page you visit to obtain content and cookies from many others even if you do not visit the actual site.
 

Flash cookies (or Local Shared Objects) are cookie-like data stored on a computer and used by all versions of Adobe Flash Player and similar applications. They can store much more information than traditional browser cookies and they are typically stored within each user’s Application Data directory with a ".SOL" extension. Unlike traditional cookies, Flash cookies cannot be managed through browser controls so they are more difficult to find and remove. However, they can be viewed, managed and deleted using the Website Storage Settings panel at Macromedia's Support Site. From this panel, you can change storage settings for a website, delete a specific website or delete all sites which erases any information that may have been stored on the computer. To prevent any Flash Cookies from being stored on your computer, go to the Global Storage Settings panel and uncheck the option “Allow third-party Flash content to store data on your computer".

Supercookies are not actual cookies but they are similar to tracking cookies in that they are used for tracking technologies (tracking online behavior) that do not rely on HTTP cookies. Supercookies are harder to detect and remove because the browser was never designed to store them...meaning supercookies are not stored in normal browser cookie storage locations. Instead supercookies can be hidden in the browser cache (temporary data storage) saved locally on your computer so it does not need to be re-downloaded every time you visit the same sites.


Zombie cookies (type of Super Cookie) are any HTTP cookies recreated after deletion from backups stored anywhere outside the web browser's dedicated cookie storage. Zombie cookies remain intact as they hide outside of the browser's regular cookie storage and are very difficult to delete since they are persistently recreated.

Evercookies are JavaScript-based applications which create zombie cookies in a web browser and are intentionally difficult to delete. Evercookies can be used to identify a user even after they have removed standard and Flash cookies. This is accomplished by creating a new cookie and storing the data in as many storage locations (currently eight) as it can find on the local browser. Storage mechanisms range from Standard HTTP and Flash cookies to HTML5's new storage methods. When evercookie finds that other types of cookies have been removed, it recreates them so they can be reused over and over.

 
 

IMPORTANT!!! With all that said above, research has disclosed that cookies can be used to allow remote attackers to bypass a secure protocol (HTTPS) and reveal private session information. Again, it's not the cookie itself that is bad but how the cookie is misused by an attacker.

 

Cookie Poisoning is a general term for various attacks used to manipulate (forge, alter, restore, hijack) valid HTTP/session cookies. Cookie Poisoning is a technique used by attackers in a continuous manner to manipulate cookies which can lead to the compromise of a victim and website's sensitive data due to the poor security infrastructure of the website. Cookie Poisoning allows the attacker to gain unauthorized access to a victim's account and steal or misuse their information.

 

Cookie Injection Attack can be mounted by man-in-the-middle (MITM) attackers who set cookies throughout their invasive session allowing them to facilitate the disclosure of any private data being transmitted in the session. Man-in-the-middle cookie poisoning attacks include:

• SSL stripping – the attacker tricks the web application into dropping an HTTPS connection and using the insecure HTTP protocol instead, making packet sniffing possible.
• SSL hijacking – the attacker generates a fake SSL certificate for the web application and the victim connects to a cloned or proxy application controlled by the attacker without any certificate warnings.
• DNS cache poisoning – the attacker tricks the victim’s DNS cache into storing manipulated domain information and the victim’s browser is directed to a cloned or proxy application controlled by the attacker.

Cross-Site Scripting (XSS) is a way to access and manipulate cookie data. After an attacker finds a trusted website that is vulnerable to XSS injection, they insert (inject) a malicious JavaScript into that website. The malicious script can access any cookies, session tokens or other sensitive information retained by the browser and used with that website...giving the attacker access to the session cookies of everyone who views that page. Types of XSS attacks include:

• Reflected XSS occurs when the malicious script comes from the current HTTP request. The application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
• Stored XSS occurs when the malicious script comes from the website's database. The application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
• DOM-based XSS occurs when the vulnerability exists in client-side code rather than server-side code. The application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way. 

Session Hijacking (Cookie Hijacking) is more of a concern in recent years because of how many sites we login to each day. When you log into a website, your browser recognizes you are logged in because the server sets a temporary session cookie which allows you to stay authenticated to a website.

• Session hijacking occurs when a hacker steals a victim's unique session ID number and mimics that person's cookie over the same network when the victim is logged in on the system.

• Session Spoofing is similar but occurs when the attacker actually logs in to the victim’s account with the stolen credentials when the victim is not logged in.

• Session fixation occurs when the attacker supplies a pre-set session identifier (typically in a phishing email) and tricks the victim into clicking a malicious link which logs into a vulnerable site using this identifier. If the site allows the logon, the attacker can hijack the user session using the known identifier. By stealing the victim's session while they are logged into a financial institution, store or other secure website, the attacker is able to take any actions that the victim would be able to take while logged in.

• Session prediction exploits weaknesses in the way session IDs are generated for a particular site. If the process is not sufficiently random and the attacker figures out the algorithm, they can generate valid session IDs. If session identifiers are short, attackers could even use brute force attacks to guess valid identifiers for authentication.

According to Sophos Threat Research...

Cookies associated with authentication to web services can be used by attackers in “pass the cookie” attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to web services without a login challenge.

To mitigate Session/Cookie hijacking avoid logging onto free public Wi-Fi connections (especially those without password protection) and be sure to use automatic log-off when sessions are not in use. Mitigations against Cookie Injection Attacks include full HSTS protection, a public suffix list of top-level and shared domains, defensive cookie practices such as frequently invalidating them, and anomaly detection to ensure the state-management settings are valid.

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. Anti-malware scanners have more important things to look for, so I would recommend disabling the option to search for cookies which will also decrease the amount of time it takes to perform a scan. You can minimize the number of cookies which are stored on your computer by using third-party Disk Cleanup Tools (not optimizers), a Cookie Manager and routinely removing cookies from your browser.

 

More resources in these articles...

Updated: 03/01/25


Edited by quietman7, 01 March 2025 - 03:55 PM.

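The post above describes session prediction, session fixation, session/cookie hijacking and the mitigations of unpredictable identifiers, frequent invalidation and automatic log-off. The following is an added example, not code from the original post, showing those defences in a minimal server-side session store; the store itself, the 15-minute idle limit, the cookie name and the sample flow are constructed assumptions.

```python
"""Minimal server-side session handling showing the defences the post above
describes against session prediction, session fixation, cookie hijacking and
idle sessions. Added example, not code from the original post; the store,
the 15-minute idle limit and the sample flow are constructed for illustration."""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"
IDLE_TIMEOUT = 15 * 60      # assumed policy: automatic log-off after 15 idle minutes
ID_BYTES = 32               # 256 bits of randomness: not guessable, not brute-forceable


def new_session_id() -> str:
    # secrets (not random, time or a counter) so the next ID cannot be predicted
    return secrets.token_urlsafe(ID_BYTES)


class SessionStore:
    """In-memory store; a real deployment would back this with a database."""

    def __init__(self, clock=time.time):
        self._sessions = {}     # sid -> {"user": str | None, "last_seen": float}
        self._clock = clock     # injectable so idle expiry can be exercised

    def new_session(self) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, presented_sid, user: str) -> str:
        """Authenticate and ROTATE the identifier.

        The ID the client presented may have been planted by an attacker
        (session fixation), so it is discarded and a fresh one issued."""
        self._sessions.pop(presented_sid, None)
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def current_user(self, sid):
        """User bound to sid, or None if unknown, logged out or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]     # automatic log-off; a stolen cookie dies with it
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def logout(self, sid):
        # Invalidate server-side; clearing only the browser cookie would leave a
        # copied cookie usable in a "pass the cookie" attack.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value carrying the attributes that limit cookie hijacking:
    Secure: never sent over plain HTTP, so SSL stripping cannot capture it;
    HttpOnly: not readable by page scripts, so injected XSS cannot read it;
    SameSite=Strict: not attached to cross-site requests."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["samesite"] = "Strict"
    c[SESSION_COOKIE]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    anon = store.new_session()          # pre-login session (could be attacker-chosen)
    sid = store.login(anon, "alice")    # new ID issued, the old one is dead
    print("rotated on login:", sid != anon,
          "| old id still valid:", store.current_user(anon) is not None)
    print("Set-Cookie:", set_cookie_header(sid))
    store.logout(sid)
    print("user after logout:", store.current_user(sid))
```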


#13 quietman7

Posted 29 December 2015 - 08:09 PM

Beware of Phony Emails, Phone Calls, Tech Support Scams, Ranscams & Extortion/Sextortion Scams

 
:step1: Email Phishing Scams and Tech Support Scamming through unsolicited phone calls, browser pop-ups and emails from "so-called Support Techs" advising "your computer is locked or infected with malware", "All Your Files Are Encrypted", "suspicious ransomware activity" and other fake "alert messages" has become an increasingly common scam tactic. The scams may involve phishing emails or web pages with screenshots of fake Microsoft (Windows) Support messages, fake reports of suspicious activity, fake warnings of malware found on your computer and fake BSODs, many of which include a phone number to call in order to fix the problem. If you call the phone number (or they called you), scammers will talk their victims into allowing them remote control access of the computer so they can install a Remote Access Trojan in order to steal passwords and other sensitive personal information which could then be used to access bank accounts or steal a person's identity.

These criminals have even diversified their techniques to target customers of ISP (Internet Service Providers), computer manufacturers, anti-virus software and family members. This targeting is more likely to occur if your personal information was compromised or hacked from a computer, a company or website.

Tech Support scams have become so prolific that the FBI and other government agencies have released warnings to the public.

In the majority of scams, the criminals use social engineering to trick a victim into spending money for unnecessary technical support or to buy an application which claims to remove malware. They typically use bogus error or warning messages (web page redirects & pop-ups) to falsely indicate that your computer is infected or has critical errors. This is done as a scare tactic to goad you into calling a phony tech support phone number shown in the pop-up alert and allowing the scammer remote control access to your computer in order to fix the problem. In some cases you are instructed to download malicious software which will actually infect your system. If the victim agrees, the support usually costs hundreds of dollars and often leaves the victim's computer unchanged or intentionally infected with malware.

 

Sometimes the scam tactic involves tricking their victims into believing that their computer is infected by having them look at a Windows log that shows dozens of harmless or low-level error entries. The scammer instructs their victim to type "eventvwr" in the RUN box to open Windows Event Viewer and points out all the warnings and error messages listed under the various Event Viewer categories. The scammer then attempts to scare their victims into giving them remote access to the computer in order to fix it and remove malware. More nefarious scammers will install a backdoor Trojan or Remote Access Trojan in order to steal passwords and other sensitive personal information.

Scammers may claim to be an employee affiliated with Microsoft or Windows Support. However, there have been reports of scammers claiming to be affiliated with major computer manufacturers such as Hewlett Packard, Lenovo and Dell, well known security vendors like Symantec, Panda, McAfee, etc. and even popular ISPs.

“Hello....I am calling you from Windows.....”

 

Microsoft does not make unsolicited phone calls, display pop-up alerts in your browser to call a support number or send unsolicited email messages. This includes any messages using the Microsoft, Microsoft Office, Windows Defender or Windows Security name to call them at a toll-free support number to "fix or unlock your computer", warn about "virus infections", prompts to renew/activate subscriptions, prompts to confirm or verify orders for purchases, request personal/financial information, or ask that you pay for support. 

 

Any emails, phone calls and computer pop-up alerts from someone claiming to be an employee affiliated with Microsoft or Windows Support are scams.

 

Microsoft: Protect yourself from tech support scams clearly states ...

  • Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to provide technical support to fix your computer
  • If a pop-up or error message appears with a phone number, don’t call the number. Error and warning messages from Microsoft never include a phone number.

Microsoft and others have been warning folks about Email Phishing Scams and Tech Support Scams for years.

Similar fake messages and emails using the names of other well known security companies like McAfee, Norton, Trend Micro, Microsoft Defender, Avast, Avira and Panda are also scams.

 

- Not responding to or clicking on any link in an email or browser or calling any number listed on the page is the best way to deal with email and browser scams...then report them to the appropriate authorities.

- Not answering any questions and hanging up the telephone is the best way to deal with phone scammers...then report them to the appropriate authorities.

Tech Support Scamming using browser pop-up alerts with telephone numbers from "so-called Support Techs" advising your computer is infected with malware has also become an increasingly common and prolific scam tactic. In some cases, the scam may be a web page which looks like a BSOD and includes a tech support phone number to call in order to fix the problem.

 

Programs that are part of the Rogue.Tech-Support-Scam use legitimate or fake utilities bundled with Trojans that display fake alerts that try to scare victims into calling a remote tech support phone number for help and trick them into purchasing a license key or junk software to remove the fake malware.

Scammers and cyber-criminals are very innovative...see Tech Support Scams use new Tricks to Hold Browsers Hostage. They are always developing creative and more sophisticated techniques to scare their victims into providing personal information or stealing their money for financial gain. The criminals can target specific browsers like Microsoft Edge, Google Chrome, specific devices like Apple and even your iPhone or iPad.

What should you do to get rid of the warning message or if your computer locks up?

 

Closing the web browser and then relaunching it usually eliminates the bogus warning message and is the best way to deal with these scams. If the browser freezes or hangs, you may have to close it with Windows Task Manager (Force Quit a Tab in Google Chrome) by selecting End Task. Afterwards, you should also clear your browser cache.

 

Some scam sites may lock up the browser, load the page in full-screen mode or spawn an infinite loop of repeating fake alert dialog boxes that prevent the victim from closing the web page or navigating away from it. This repeating "dialog loop" essentially is a script that reloads the fake pop-up alert every time victims attempt to close it. Microsoft Edge includes Dialog Loop Protection that enables Microsoft Edge users to stop repeating dialog loops via a checkbox in order to escape or close the page. Google Chrome has a feature to "Prevent this page from displaying additional dialogs". Some Tech Support scams have similar alerts while others are simply made up and clicking OK can produce the opposite effect.

 

If you are dealing with this type of scam, click the OK button at the bottom of the alert and you should then see a box that says "Do not allow this site to create new pages". Check that box and close the window.

 

If using Task Manager does not resolve the problem, perform a force-restart using the Power button (press and hold down the power button for at least 10 seconds until the screen goes off, release the button, then press it again) or perform a hard shutdown to forcibly turn off the computer completely by cutting the power for 10-20 seconds and then restart the computer. After restarting the computer and opening your web browser again, click "No" if you see the prompt to "Restore Previously Open Pages".

 

If the warning alerts continue to appear after closing and reopening the browser or a forced restart of the computer, they could be the result of an ad-supported browser extension, change in browser settings, adware or a potentially unwanted program that was bundled with other software you downloaded and installed. In that case, you may need to check for and remove unfamiliar browser extensions and add-ons/plug-ins or reset your browser to its default settings. After that you may want to perform security scans with programs such as AdwCleaner, Malwarebytes Anti-Malware and Emsisoft Emergency Kit.

If you need individual assistance from our experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs Forum, NOT here, for assistance by the Malware Response Team.

 

FAKE ANTIVIRUS WARNING SCAMS:

 

Scammers will use pop-ups or web pages with screenshots of fake Microsoft Defender Antivirus or other fake anti-virus software with well known names (e.g. Norton, Trend Micro, Panda, McAfee, Avast, Avira) displaying bogus warnings of malware infections to scare victims into calling a toll-free support number in order to remove the malware or unlock your computer. These criminals may even trick an unsuspecting victim into purchasing a useless and high priced support plan.


 

PUSH NOTIFICATIONS SCAMS:

 

In some cases, the alerts and warnings indicating your computer has been infected by a virus are related to Spam Push Notifications that pretend to be from fake or well known antivirus companies such as McAfee, Norton, Trend Micro, Microsoft Defender, Avast, Avira and Panda.

 

The alerts may say "Warning! Virus Detected", "Call virus removal tech support", "Critical virus alert!!!", "Windows Defender has temporarily disabled your Internet connection and computer for suspicious activity", "System Error...To Remove Virus, Click Here" or similarly worded warnings. Although the alerts look like and act like malware, they aren't, but they do try to trick you into thinking that an antivirus scan has detected viruses on your device.

“Warning! Virus Detected” pop-up push notification
"WARNING!
Virus Detected
Protect your personal and financial information
Call virus removal tech support
Critical virus alert ! ! !
Enable virus protection"


“Viruses Detected (5)” pop-up push notification
"Viruses Detected (5)!
Drive (C:) is infected with
TROJAN
Click here to resolve issue.
McAfee : system files damaged
TROJAN detected. Click here to remove"


 

Fake Antivirus Pop-Ups vs. Real Security Alerts: How to Tell the Difference

Fighting notification spam in Microsoft Edge

 

As with phony email and phone scams, the warning alert may claim to be affiliated with Microsoft or Windows Support. Again, Microsoft does not contact users via web page messages, phone or email and instruct them to call tech support to fix your computer.

Note: Use of Ad Blockers will not stop push notifications. In fact they just refer you to instructions on how to disable them in various browsers.

 

:step2: Ranscam (fake ransomware scamming) is where the criminals use various scare tactics and threats to coerce victims into paying a ransom demand. These scams typically involve web browser pop-ups (and sometimes audio messages) with false warnings about fake ransomware, usually involving prompts to click suspicious links for help or to call a phone number for assistance. Fake ransomware such as Browlock provides bogus warnings that indicate "Your browser has been blocked..." and "All your files are encrypted..."

 

A common tactic used by these scammers is warning the victim that they will delete or publish all their files if payment is not made, usually within a certain time period. Some criminals behind Ranscam just delete victims' files since they had no intention of decrypting files after the ransom is paid, regardless of whether they were actually encrypted in the first place. This type of scam is another example of why criminals cannot be trusted even if the victim complies with the ransom/extortion demands.

 

:step3: Extortion/Sextortion Scamming is a tactic involving phishing emails / email spoofing sent to unsuspecting victims where the criminals make various threats with demands for money in exchange to keep sensitive, personal, salacious, derogatory information (photos, videos) they allegedly claim to have collected about you from being published or sent to family, friends, coworkers, social media contacts. The scammers may claim they hacked your computer, know your password and have access to all social media accounts, email, chat history and contact lists. They may also claim to have had access to your webcam and have compromising photos or videos of you watching pornography on an adult web site or pleasuring yourself while watching porn.

 

These scammers often indicate they were able to obtain photos or videos by installing malware with a keylogger and using Remote Desktop Protocol (RDP) to remotely control your computer screen and webcam. In addition to visiting websites with adult content, the personal information collected or captured on video or photographs could relate to any number of accusations such as compromising sexual situations, inappropriate behavior with a child, infidelity, stealing from your employer, etc. There is an example of an Extortion/Sextortion Email noted in this news article.

 

The next part of the scam is a threat to expose (release) those videos, photos or other sensitive information via email and social media unless you pay them a certain amount of money, usually in Bitcoin. The scammers typically claim they have access to your email accounts and all personal contacts and threaten to release what they have to your spouse, family, friends, law enforcement authorities or government related agencies which may be interested. Scammers may even claim they have stolen sensitive business records or financial data from your computer which they intend to release, publish or destroy unless you pay them. This is all a ruse intended to scare a victim into paying the extortion demands.

 

These are a few examples of Extortion/Sextortion Scam reports and news articles.

Extortion scams have become so prolific that agencies like the FBI, U.S. Department of Justice and others have released Extortion Scam Alerts to warn the public.

Avoid Phishing & Email Scams: Resources to Protect Yourself:

 


Reporting Fraud, Phishing, Extortion, Phone, Tech Support Scams & other Cyber Crimes

 

1. Reporting Phone and Tech Support Scams:

2. Reporting phishing, suspicious email, junk email to Microsoft:

3. Reporting Fraud, Phishing & Extortion Scams:

4. Reporting Ransomware, Distribution of Malware & Cyber Crimes:

 
FBI says: Victims Aren't Reporting Ransomware Attacks

Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report, released yesterday by the FBI’s Internet Crime Complaint Center (IC3)...FBI urges victims to file official complaints.

 
According to US Government CISA, victims of ransomware should report it immediately to the FBI, CISA or Secret Service.

 

Victims may also want to file a report with NoMoreRansom (NMR) Project Report a Crime (includes links to other countries).
 
For victims residing outside the United States, contact the INTERPOL Cybercrime Unit or Action Fraud: UK’s national reporting centre for fraud and internet crime.

 

Updated: 08/17/25


Edited by quietman7, 17 August 2025 - 07:45 PM.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#14 quietman7


Posted 26 October 2018 - 10:04 PM

Most Effective Strategy Against Ransomware - Prevention (Mitigation)

 

Most security experts agree that the best way to protect from ransomware is to prevent it from happening in the first place and the best solution for dealing with encrypted data after an infection is to restore from backups.

 

The most effective strategy to protect yourself from ransomware is a comprehensive approach with layered security that incorporates multiple layers of defense to include prevention and backing up data on a regular basis...keeping a separate, offline (isolated) backup to a device that is not always connected to the network or home computer so they are unreachable.

 

Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense.

Mitigating Ransomware attacks requires a multi-layered approach.

Since there's no way to completely protect your organization against malware infection, you should adopt a 'defense-in-depth' approach. This means using layers of defense with several mitigations at each layer.

:step1: Make sure you are running an updated anti-virus and anti-ransomware or anti-malware product, update all vulnerable software, use supplemental security tools with anti-exploit features capable of stopping (preventing) infection before it can cause any damage, disable VSSAdmin, close Remote Desktop Protocol (RDP) if you do not need it.

:step2: An anti-virus solution alone is not adequate protection since many types of malware and ransomwares will evade, circumvent and deactivate (disable) your anti-virus and security measures by design before encrypting data. Malware developers are very innovative. Modern ransomware often involves targeted attacks which makes it less detectable to antivirus and other security software since these threats avoid the usual detection methods. Ransomware developers can evade an antivirus by changing the code, encrypting it or modifying the signature string. Cybercriminals can also use other (multiple) techniques which an antivirus may not protect against such as phishing scams, fileless malware, obfuscated malware, polymorphic malware, malicious PowerShell scripts, DLL injection and even using a webcam to circumvent Endpoint Detection and Response (EDR). Once infected by ransomware, an antivirus will not restore your encrypted files.

:step3: No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (weakest link in the security chain) than the architecture of the operating system or installed protection software.

Ensure you are using strong secure passwords. Human weakness starts with weak passwords. Many of the newer types of malware are designed to steal passwords and logins to banks, credit cards, board forums and similar other sensitive web sites before encrypting data as I explain in Section 8 Answers to common security questions - Best Practices (Post #1).

 

:step4: Your best defense against ransomware infection is prevention and backing up data on a regular basis and the best solution for dealing with encrypted data after an infection is to restore from backups.

If infected by ransomware, without having safely stored backups to restore from, your data most likely will be lost forever. According to Doctor Web’s statistics:

...the probability of restoring corrupted files is roughly 1%...That means that most of user data has been lost for good!

The only reliable way to effectively protect your data and limit the loss with this type of infection is to have an effective backup plan.

Backing up data and disk imaging are among the most important prevention tasks users should perform on a regular basis to protect themselves from ransomware, yet it's still one of the most neglected areas. Folks should focus on prevention and resilience beginning with addressing vulnerabilities, security awareness, data backup redundancy and building a strong cybersecurity strategy with layered protection.

 

The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data on a regular basis in order to mitigate the risks of a ransomware attack. Ransomware can not only encrypt and/or delete data (including backups) but in the case of Wiper/Eraser Ransomware, it can completely destroy it.

Note: Backing up infected files can be a source of infection (or reinfection) if not performed properly. The safest practice is not to back up any high-risk executable files (.exe extension), screensavers (.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they could be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the executable files within them. Some types of malware may disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.

 

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; and isolate all backups (offline) to a device that is not always connected to the network or home computer so they are unreachable. If not, you risk not only malware infection but ransomware encrypting your backups and any backups of the backups when it strikes. In addition to encrypting data, many ransomware developers are now routinely searching for and destroying backups or simply deleting your backups.

For the average home user, it is simpler to just buy an external hard drive, copy your critical data to it, disconnect the device and store it in a safe/secure location rather than try to monitor and maintain a complex backup system. Programs like SoftByte Labs Comparator make doing backups easy for home users as well as professionals before creating an image.

 

Some imaging/backup software (e.g. Macrium Image Guardian, Acronis Active Protection/Acronis True Image) automatically restore and/or prevent targeted backup files from being encrypted by ransomware but you must pay for this protection.

  • For a list of Backing up Data & Imaging Resources, see Post #1.

:step5: Security begins with personal responsibility. Since YOU are the first and last line of defense, you need to stay informed of mitigation tactics to protect yourself and/or your organization and keep vigilant of Indicators of Compromise (IOC)...pieces of forensic data, clues or evidence of a compromise and data breach.

You should also stay informed of the Latest Ransomware Threat Updates.

Latest Real-Time Malware Threat Meters & Maps

 

 

Mitigation Against Ransomware:

 

Mitigation includes creating a ransomware mitigation checklist, patch management, network traffic analysis, application control, whitelisting, performing routine security assessments, preparing for a ransomware incident with recent offline backups of important files and data, preventing malware from being delivered and spreading to other devices, detection with rapid response and recovery.

 

Since there's no way to completely protect your organization against malware infection, you should adopt a 'defense-in-depth' approach. This means using layers of defense with several mitigations at each layer.

There is no stopping ransomware attacks. However, businesses can use tried-and-true ransomware mitigation technologies and techniques to address these attacks before they get out of hand...The term "ransomware mitigation" refers to the measures put in place to prevent a ransomware attack.

Kaspersky Labs reports RDP Bruteforce attacks are on the rise. Everyone should be aware that Remote Desktop Protocol is a very common brute force attack vector for servers, particularly by those involved with the development and spread of ransomware, since if enabled, it allows connections from the outside. Attackers will use remote port scanning tools to scan enterprise computer systems, searching for RDP-enabled endpoints commonly used to login from outside the workplace. When the attacker finds a vulnerable RDP-enabled endpoint they use a barrage of login attempts by guessing or brute force attacking the password. Attackers can also use phishing of a company employee to gain access and control of their machine, then use that access to brute-force RDP access from inside the network.

 

EclecticIQ researcher Arda Büyükkaya has reported ransomware gangs creating tools to automate firewalls and VPN brute-force attacks.

The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs. The framework has enabled BlackBasta to streamline initial network access and scale ransomware attacks on vulnerable internet-exposed endpoints...the framework was specifically designed to brute-force credentials on....VPN and remote-access products.

Once the attacker gains administrative access remotely to a target computer they can create new user accounts or use a user not logged in to do just about anything, including the ability to reset the passwords of other administrators. The attacker can use remote access tools to introduce and execute crypto malware, generate the encryption keys, encrypt data files and upload files back to them via the terminal services client. The attacker can also steal unencrypted files from backup devices and servers before deploying the ransomware attack as explained here.

IT admins and home users should close RDP if they don't use it. If they must use RDP, the best way to secure it is to only allow RDP from local traffic, whitelist IPs on a firewall or not expose it to the Internet. Put RDP behind a firewall, set up a VPN to the firewall, use an RDP gateway, change the default RDP port (TCP 3389) and enforce strong password policies, especially on any admin accounts or those with RDP privileges. Those using a server may even want to consider using a host-based intrusion prevention system (HIPS). Brute force RDP attacks depend on your mistakes.

Security Managers and home users should use an Anti-Exploit program to help protect your computer from zero-day attacks and rely on behavior detection programs rather than standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself, which in most cases is not immediately detected by anti-virus software. Some anti-virus and anti-malware programs include built-in anti-exploitation protection.

 

For example, Microsoft Defender Exploit Guard (introduced in Windows 10 Fall Creators Update) includes four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any damage can be done. 

To further secure Windows against attack, Microsoft added new security features to include "Core Isolation" and “Memory Integrity” as part of Microsoft Defender Exploit Guard.

 

Malware can disguise itself by hiding the file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension. In some cases, you may not see the double extension because file extensions are hidden by default in Windows so they appear normal. It is uncommon for ransomware to disguise .exe files as fake PDF files with a PDF icon inside a .zip file attached to the email.

 

If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.

Keep in mind that even if you have chosen the option to unhide file extensions, you still may be fooled if the malware writer named the file with extra spaces before the ".exe" extension. The real extension is hidden because the column width is too narrow to reveal the complete name and the tiny dots in between are nearly invisible.

 

More Ransomware Prevention Tips:

 

 

IMPORTANT NOTE: Keep in mind that some security researchers have advised not to use multiple anti-exploit applications because using more than one of them at the same time can hamper the effectiveness of Return-oriented programming (ROP) and other exploit checks. This in turn can result in the system becoming even more vulnerable than if only one anti-exploit application is running. In some cases multiple tools can cause interference with each other and program crashes.

While you should use an antivirus (even just the Windows Defender tool built into Windows 10, 8.1, and 8) as well as an anti-exploit program, you shouldn't use multiple anti-exploit programs...These types of tools could potentially interfere with each other in ways that cause applications to crash or just be unprotected, too.

How-To Geek on Anti-exploit programs
 

ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing. It is an effective code reuse attack since it is among the most popular exploitation techniques used by attackers and there are few practical defenses that are able to stop such attacks without access to source code. Address Space Layout Randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. These security technologies are intended to mitigate (reduce) the effectiveness of exploit attempts.

 

Many advanced exploits rely on ROP and ASLR as attack vectors used to defeat security defenses and execute malicious code on the system. For example, they can be used to bypass DEP (data execution prevention) which is used to stop buffer overflows and memory corruption exploits. Tools with ROP and ASLR protection such as Microsoft's Enhanced Mitigation Experience Toolkit (EMET) use technology that checks each critical function call to determine if it's legitimate (if those features are enabled).

As such, users need to know and understand the protection features of any anti-exploit/anti-ransomware program they are considering using.

 

 

 

Ransomware Prevention Tools:

Other Malware Prevention Tools:

Updated: 03/21/25


Edited by quietman7, 21 March 2025 - 08:22 PM.

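The RDP brute-force pattern the post above describes (a barrage of failed logons against an exposed endpoint, followed by a successful one), turned into detection logic as an added example; this is not code from the original post or from any product it names. It assumes Windows Security events rendered one per line in a constructed text format that carries the real event fields (Event ID 4625 failed logon, 4624 successful logon, logon type 10 RemoteInteractive or 3, source IP), a constructed allowlist of addresses expected to use RDP, and a threshold of 5 failures within 5 minutes.

```python
"""Added example (not from the original post): flag RDP brute-force activity,
a later successful logon from the same source, and RDP logons from addresses
that are not on the allowlist (the post's advice: only allow RDP from known IPs).

Assumption: each event is one line with the fields matched by EVENT_RE. This
is a constructed rendering; real events are EVTX/XML but carry the same fields.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"LogonType=(?P<lt>\d+) User=(?P<user>\S+) IP=(?P<ip>\S+)"
)
# Logon type 10 is RemoteInteractive (RDP); with Network Level Authentication
# failed attempts are commonly recorded as type 3 (network) instead.
RDP_LOGON_TYPES = {10, 3}


@dataclass
class Alert:
    kind: str      # brute_force | possible_compromise | unexpected_source
    ip: str
    detail: str


def parse_event(line: str) -> dict | None:
    """Parse one constructed event line; None for lines in another format."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_attacks(lines, allowlist, threshold=5, window=timedelta(minutes=5)):
    """Walk events in time order and raise:
    - brute_force: `threshold` or more failed RDP logons from one IP inside `window`
    - possible_compromise: a successful RDP logon from an IP already flagged above
    - unexpected_source: a successful RDP logon from an IP not on the allowlist"""
    failures: dict[str, deque[datetime]] = defaultdict(deque)
    flagged: set[str] = set()
    alerts: list[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["lt"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        if ev["eid"] == 4625:
            recent = failures[ip]
            recent.append(ev["ts"])
            # Sliding window: forget failures older than `window`.
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(Alert("brute_force", ip,
                                    f"{len(recent)} failed RDP logons within {window}"))
        elif ev["eid"] == 4624:
            if ip in flagged:
                alerts.append(Alert("possible_compromise", ip,
                                    f"logon as {ev['user']} after a brute-force burst"))
            elif ip not in allowlist:
                alerts.append(Alert("unexpected_source", ip,
                                    f"RDP logon as {ev['user']} from non-allowlisted address"))
    return alerts


# Constructed sample log: a password-guessing burst that finally succeeds, a normal
# logon from the allowlisted workstation, and a logon from an unknown host.
SAMPLE_LOG = """\
2025-03-01 02:00:01 EventID=4625 LogonType=10 User=administrator IP=203.0.113.45
2025-03-01 02:00:02 EventID=4625 LogonType=10 User=admin IP=203.0.113.45
2025-03-01 02:00:03 EventID=4625 LogonType=10 User=administrator IP=203.0.113.45
2025-03-01 02:00:05 EventID=4625 LogonType=10 User=backup IP=203.0.113.45
2025-03-01 02:00:06 EventID=4625 LogonType=10 User=administrator IP=203.0.113.45
2025-03-01 02:00:09 EventID=4624 LogonType=10 User=administrator IP=203.0.113.45
2025-03-01 08:15:00 EventID=4624 LogonType=10 User=alice IP=192.168.1.20
2025-03-01 08:20:00 EventID=4625 LogonType=10 User=alice IP=192.168.1.20
2025-03-01 09:00:00 EventID=4624 LogonType=10 User=bob IP=198.51.100.7
"""
ALLOWLIST = {"192.168.1.20"}  # constructed: the one workstation expected to use RDP

if __name__ == "__main__":
    for a in detect_rdp_attacks(SAMPLE_LOG.splitlines(), ALLOWLIST):
        print(f"[{a.kind}] {a.ip}: {a.detail}")
```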

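The file-name disguises and backup exclusions the post above describes (double extensions, spaces padded in before the real extension, executables and scripts that should not be backed up, archives carrying executables), as an added example that is not the post's code or any product's; the extension sets beyond those the post lists, the constructed file names and the in-memory zip are assumptions of the example.

```python
"""Added example (not from the original post): spot disguised file names and
apply the post's backup exclusions. All names and archive contents are constructed."""
from __future__ import annotations

import io
import zipfile

# Extensions the post says not to back up.
HIGH_RISK_EXTS = {".exe", ".scr", ".ini", ".php", ".asp", ".htm", ".html", ".xml"}
# Archive types the post warns may carry executables inside.
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
# Extensions that execute on Windows (assumption: a broader set than the post lists).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Harmless-looking extensions attackers place in front of the real one (assumption).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def real_extension(name: str) -> str:
    """The extension Windows actually uses: text after the last dot, lower-cased."""
    base = name.rstrip()
    dot = base.rfind(".")
    if dot == -1 or "/" in base[dot:] or "\\" in base[dot:]:
        return ""
    return base[dot:].lower()


def analyze_filename(name: str) -> list[str]:
    """Return the disguise tricks found in `name` (empty list if it looks honest)."""
    findings: list[str] = []
    ext = real_extension(name)
    if not ext:
        return findings
    base = name.rstrip()
    stem = base[: base.rfind(".")]          # everything before the real extension
    # Spaces before ".exe" push the real extension out of a narrow Explorer column.
    if stem != stem.rstrip():
        findings.append("padding before extension")
    # "invoice.pdf.exe": the visible part ends in a document/image extension.
    visible = stem.rstrip().lower()
    dot = visible.rfind(".")
    if ext in EXECUTABLE_EXTS and dot != -1 and visible[dot:] in DECOY_EXTS:
        findings.append("double extension")
    return findings


def backup_decision(name: str, data: bytes | None = None) -> tuple[bool, list[str]]:
    """(allowed, reasons): should this file go to the offline backup?
    `data` is the file content, used to look inside .zip archives; .cab/.rar cannot
    be opened with the standard library, so they are excluded (assumption)."""
    reasons = analyze_filename(name)
    ext = real_extension(name)
    if ext in HIGH_RISK_EXTS or ext in EXECUTABLE_EXTS:
        reasons.append(f"high-risk extension {ext}")
    if ext in ARCHIVE_EXTS:
        if ext == ".zip" and data is not None:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    bad = [m for m in zf.namelist()
                           if real_extension(m) in EXECUTABLE_EXTS or analyze_filename(m)]
            except zipfile.BadZipFile:
                bad = ["<unreadable archive>"]
            if bad:
                reasons.append("archive contains executables: " + ", ".join(bad))
        else:
            reasons.append(f"archive type {ext} cannot be inspected")
    return (not reasons, reasons)


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory .zip from constructed member names and contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    for n in ["budget.xlsx", "invoice.pdf.exe", "photo.jpg          .scr", "setup.v2.exe"]:
        print(f"{n!r:32} -> {backup_decision(n)}")
    archive = build_sample_zip({"readme.txt": b"constructed", "report.pdf.exe": b"MZ"})
    print("bundle.zip ->", backup_decision("bundle.zip", archive))
```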

#15 quietman7


Posted 17 October 2019 - 07:32 PM

Ransomware: How it Works - Stages of Encryption

 

This topic covers the following subjects:

1. Defining ransomware, exploring its history and evolution, signs of ransomware activity and infection.

2. How ransomware works; Time factor for process of crypto malware; stages of ransomware encryption.

3. The different types of ransomware and how it spreads.
4. What to do when you discover your computer is infected with ransomware.
5. Removing Ransomware from an infected computer.

6. How to get help from the Bleeping Computer Malware Response Team (MRT) if you need individual assistance only with removing the malware infection.

 

 

 

:step1: What Is Ransomware:
 
Ransomware is a sophisticated type of malware (form of extortion) designed to encrypt files/sensitive data and hold it hostage until the victim agrees to pay a specified ransom demand to the attackers in exchange for a decryption key. In many cases the criminals also threaten to release (publish) all sensitive data if the victim refuses to pay the ransom. Some forms of ransomware act like Rogue security programs, generating bogus infection alerts and warnings to scare their victims.

Usually when a computer is infected with ransomware there most likely will be obvious indications (signs of infection or signs of ransomware activity) that something is wrong.....it typically targets and encrypts data files so you cannot open them locally (and on any connected drives at the time of infection), in most cases it appends an obvious extension (may be random or with an id and/or email address) to the end or beginning of encrypted filenames, demands a ransom payment by dropping ransom notes in every directory or affected folder where data has been encrypted and sometimes changes Windows wallpaper. In rare cases the criminals will send victims an email with the ransom demands as reported here.

The first known ransomware attack was in 1989. Ransomware began to go more widespread from 2009-2013 with the emergence of cryptocurrencies such as Bitcoin. Although ransomware has been around for many years, the financial success of CryptoLocker (Crilock), which appeared in the beginning of September 2013, gave it widespread media attention because it demonstrated how these infections could generate a large profit for criminals. This in turn led to a significant increase in various other families of ransomwares to include CryptoWall in July 2014, CTB-Locker (Critroni) in July 2014, TeslaCrypt in February 2015 and Cerber in March 2016. Between 2013 and 2016 ransomware became more widespread and numerous variants appeared across the globe.

 

See my comments in a Brief History of Ransomware - Types of Operating systems affected (Post #19) for detailed information on how ransomware has evolved.

 

:step2: How Ransomware Works - Stages of Encryption Process:
 
The timeline of a crypto malware (ransomware) infection and encryption varies; however, attacks are typically conducted over time, ranging from a day to a month or longer, starting with the criminals breaching a network. After the attackers gain access to one or more computers on the network, they can steal unencrypted files from backup devices and servers before deploying the ransomware, as explained here by Lawrence Abrams, site owner of Bleeping Computer. The same principles apply whether the infection is the result of a direct attack or of downloading a malicious file containing ransomware: at some point the malware is going to communicate with the attackers or install a backdoor Trojan giving the criminals access.

In simplistic terms, crypto malware is usually packed with some kind of obfuscator or packer in order to conceal itself, and it goes through several stages before it actually encrypts data and before most victims become aware of its presence.

 

1. The first stage of an attack (Network Penetration) occurs when the criminals gain access to a victim's system.

2. The second stage (Network Propagation) involves downloading and executing a malicious file which spreads and connects to the criminals' Command and Control (C&C) server in order to send information about the targeted computer.

3. The third stage (Pre-Encryption) is the phase where the attackers take steps before encryption to maximize damage and evade detection: they delete shadow copies and backups to prevent recovery, then inject the malware into trusted processes.

4. During the fourth stage (File Discovery) the ransomware scans local drives, connected removable media (external hard drives) and any accessible network locations (mapped drives, network shares) searching for files to encrypt.

5. The Encryption stage encrypts all identified data (file formats) using an encryption algorithm.

  • Many encryption routines are optimized for the CPU, allowing the malware to encrypt blocks of data very fast: in a matter of seconds, minutes or several hours depending on factors such as the number and size of data files and the intentions of the malware developers.

6. The Data Exfiltration stage involves the exfiltration (theft) of sensitive data (personal or financial information, intellectual property) before or during the encryption process.

7. The last stage is the creation and appearance of the ransom demand, in the form of a screen message or ransom notes dropped in every folder where files were encrypted.

8. Some attackers include a Persistence Mechanism stage where the ransomware sets up a continuance mechanism, such as a registry entry or scheduled task, to ensure that it will run again automatically each time the system is rebooted.
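The pre-encryption step in stage 3 is one of the few moments where ransomware is loud: across most families, shadow copies and backup catalogs are destroyed and startup recovery is switched off with the same handful of built-in Windows commands (vssadmin, wmic, wbadmin, bcdedit, or the equivalent WMI call from PowerShell). The detection logic below is an added example, not code from this guide. It runs those rules over constructed process-creation events shaped like Sysmon/EDR telemetry (the field names ts, host, image, cmd, parent and the sample records are assumptions) and raises one burst alert per host when several different techniques fire within a few minutes.

```python
"""Hunt for the pre-encryption stage (shadow copies and backups destroyed,
recovery disabled) in process-creation telemetry.

Added example, not code from the guide. The event records below are
constructed to resemble Sysmon/EDR process-creation events (fields ts, host,
image, cmd, parent); real telemetry needs the same fields mapped in."""
import re

# name -> regex over the normalised (lower-case, single-spaced) command line
PRE_ENCRYPTION_RULES = [
    ("shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete shadows\b")),
    ("shadow storage shrunk (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize shadowstorage\b")),
    ("shadow copies deleted (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadow copies deleted (powershell wmi)",
     re.compile(r"win32_shadowcopy\b.*(remove-wmiobject|delete\(\))")),
    ("backup catalog deleted (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete (catalog|systemstatebackup)\b")),
    ("startup recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled no|bootstatuspolicy ignoreallfailures)\b")),
]


def normalise(cmd):
    """Collapse whitespace and case so spacing and casing tricks do not dodge the rules."""
    return re.sub(r"\s+", " ", cmd.strip().lower())


def match_rules(cmd):
    n = normalise(cmd)
    return [name for name, rx in PRE_ENCRYPTION_RULES if rx.search(n)]


def hunt(events, window_s=300, min_distinct=2):
    """Return (hits, bursts).

    hits   : every event whose command line matches a rule, with the rule names.
    bursts : one alert per host where >= min_distinct different rules fire within
             window_s seconds. A lone 'vssadmin delete shadows' may be admin
             housekeeping; several different techniques inside a few minutes
             is the ransomware pre-encryption pattern."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        rules = match_rules(ev["cmd"])
        if rules:
            hits.append({**ev, "rules": rules})
    bursts, by_host = [], {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    for host, hs in by_host.items():
        for i, first in enumerate(hs):
            window = [h for h in hs[i:] if h["ts"] - first["ts"] <= window_s]
            distinct = sorted({r for h in window for r in h["rules"]})
            if len(distinct) >= min_distinct:
                bursts.append({"host": host, "start": first["ts"], "end": window[-1]["ts"],
                               "parent": first["parent"], "techniques": distinct})
                break  # one burst alert per host is enough for triage
    return hits, bursts


# Constructed sample telemetry: WS01 shows the burst, WS02 shows benign noise.
TEMP_PARENT = r"C:\Users\bob\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS01", "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
    {"ts": 1705, "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe  Delete Shadows /All /Quiet", "parent": TEMP_PARENT},
    {"ts": 1706, "host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete", "parent": TEMP_PARENT},
    {"ts": 1707, "host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No", "parent": TEMP_PARENT},
    {"ts": 1708, "host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "parent": TEMP_PARENT},
    {"ts": 1709, "host": "WS01", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmd": "wbadmin delete catalog -quiet", "parent": TEMP_PARENT},
    {"ts": 2000, "host": "WS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": 5000, "host": "WS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /for=C: /oldest", "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    hits, bursts = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h["host"], h["ts"], h["cmd"], "->", h["rules"])
    for b in bursts:
        print("BURST", b)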

The latest generation of ransomware may also include a time bomb feature designed to delay execution of the attack. This introduces a gestation period in which the ransomware deliberately does not encrypt data, in order to maximize revenue and defeat backup defenses: it lies dormant and does not delete or encrypt backup files, so that clean backups age out of the retention window while later backups carry the dormant malware. The ransomware may lie dormant for one, two or several months before finally beginning the encryption stage. Once encryption begins, however, it can start and finish very quickly.

Some ransomware (STOP Djvu, LockFile, BlackCat (ALPHV), Qyick, Agenda, Black Basta, LockBit 2.0, DarkSide, BlackMatter, Ryuk, Nemty, Play) only partially encrypt a file (the first N KB at the beginning and/or end, especially if the file is very large). This is deliberate: it avoids detection and encrypts the data as quickly as possible (before anyone notices) because the malware does not read, encrypt and write the entire file.

Some ransomware use partial (intermittent) encryption for large files but run the full process on smaller ones. In normal encryption mode, the ransomware enumerates files and folders, encrypts each file's contents and renames it, or just appends an extension to the file name. In stealth encryption mode, the ransomware decouples encryption from file renaming, which is less likely to trigger alarms because the file I/O pattern mimics normal system behavior. Even if security software reacts at the start of the first phase, by the second pass the entire targeted dataset will already have been encrypted, as explained here.

 

Unfortunately, partial (intermittent) encryption often results in file corruption and renders the encrypted data useless, because in those cases the encryption is irreversible: a buggy encryption routine overwrites one part of the file with the encrypted data of another part, and the overwritten data cannot be restored.
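Because the ends of a partially encrypted file look random while its middle still looks like the original format, a responder can tell fully encrypted, partially encrypted and untouched files apart without a decryptor by sampling byte entropy at the head, middle and tail. The script below is an added example, not code from this guide; the sample files, the 4 KB sample size and the 7.5 bits-per-byte threshold are constructed for the demo.

```python
"""Classify files as fully encrypted, partially (intermittently) encrypted
or untouched from the byte entropy of a few samples.

Added example, not code from the guide. The sample files are constructed in
a temp directory; the 4 KB sample size and the 7.5 bits/byte threshold are
assumptions chosen for the demo."""
import math
import os
import tempfile

CHUNK = 4096        # bytes sampled at head, middle and tail of each file
HIGH_ENTROPY = 7.5  # bits per byte; ciphertext/random data sits close to 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(path, chunk=CHUNK):
    """Entropy of the first, middle and last `chunk` bytes of a file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(chunk)
        fh.seek(max(0, size // 2 - chunk // 2))
        mid = fh.read(chunk)
        fh.seek(max(0, size - chunk))
        tail = fh.read(chunk)
    return {"size": size, "head": shannon_entropy(head),
            "mid": shannon_entropy(mid), "tail": shannon_entropy(tail)}


def classify_file(path, chunk=CHUNK, high=HIGH_ENTROPY):
    """Return (verdict, profile). Caveat: natively compressed formats (zip,
    docx, jpg, mp4) are high entropy everywhere and look 'fully-encrypted'
    here; confirm against the file's magic bytes before trusting the verdict."""
    p = entropy_profile(path, chunk)
    head, mid, tail = (p[k] >= high for k in ("head", "mid", "tail"))
    if head and mid and tail:
        verdict = "fully-encrypted"
    elif (head or tail) and not mid:
        verdict = "partially-encrypted"   # only the ends were touched
    elif not (head or mid or tail):
        verdict = "plaintext"
    else:
        verdict = "mixed"
    return verdict, p


def build_demo_files(size=256 * 1024):
    """Constructed samples: an untouched text file, one with only its first
    16 KB overwritten by random bytes, one with its first and last 4 KB
    overwritten, and one fully overwritten (random bytes stand in for ciphertext)."""
    d = tempfile.mkdtemp(prefix="rw-entropy-")
    line = b"Quarterly figures, region north, unchanged from prior period.\n"
    plain = (line * (size // len(line) + 1))[:size]
    samples = {
        "plain": plain,
        "head_only": os.urandom(16 * 1024) + plain[16 * 1024:],
        "head_and_tail": os.urandom(4096) + plain[4096:-4096] + os.urandom(4096),
        "full": os.urandom(size),
    }
    paths = {}
    for name, data in samples.items():
        paths[name] = os.path.join(d, f"{name}.txt.locked")
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return paths


if __name__ == "__main__":
    for name, path in build_demo_files().items():
        verdict, prof = classify_file(path)
        print(f"{name:14s} {verdict:20s} head={prof['head']:.2f} "
              f"mid={prof['mid']:.2f} tail={prof['tail']:.2f}")
```

A "partially-encrypted" verdict on a large file is the signal to preserve it as-is: the untouched middle may still carry recoverable content, and an "official" decryptor for that family will expect exactly this layout. Treat the high-entropy verdict on zip-based formats (docx, xlsx, pptx) with suspicion for the reason given in the comment.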

Note: There are ransomwares (such as Prince) which are written with the primary aim to render files unrecoverable by traditional recovery tools, ensuring that only the designated decryptor can restore the affected files.

 

US-CERT Alert (TA13-309A: Impact) previously advised that many ransomware families can find and encrypt files located on network drives, shared (mapped) network paths, USB drives, external hard drives (if connected) and even some cloud storage drives if they have a drive letter. Some ransomware scans every drive letter for files matching certain extensions and encrypts each match. Other ransomware uses a white list of excluded folders and extensions that it will not touch; with a white list, the ransomware encrypts almost every non-system, non-executable file it finds.

 

Most crypto malware (ransomware) runs under the same privileges as the infected user account and encrypts any files that account can access. Ransomware needs write access to the files it encrypts, so while running under a non-admin account it cannot encrypt files owned by another account unless that user has write access to them. If the user account is a member of the Administrators group, the ransomware can install itself to run for all users. An executable runs as the user who started it, or it can ask for elevated privileges (via a UAC prompt) to run as Administrator.

 

Ransomware will encrypt any directory or file it can read and write to, regardless of whether it was previously encrypted by disk encryption software or by another ransomware variant. In simplistic terms, encryption converts (scrambles) readable information (plain text) into unreadable information (cipher text). Encrypted files are not locked or immune to a second round of encryption, so encrypting your files before an infection will not help: ransomware does not care about the contents of the data or whether the files are already encrypted, and will simply re-encrypt them again and again if it has access.

As such, ransomware can be responsible for double (multiple) encryption. Even the same ransomware family can encrypt files multiple times with different variants or keys, which means the data may be corrupted multiple times in the process. Any file corruption complicates possible decryption solutions.

Double (multiple) infections also mean having to deal with every ransom demand and with the different decryptors created by the criminals in order to decrypt data, if the encryption was caused by different ransomware families. Unfortunately there is not much you can do in scenarios like this, especially if any of the ransomwares is not decryptable.

Your chances of recovering data after multiple infections are further reduced by corruption caused by the victim: trying another victim's decryption key, removing the appended extension, or attempting to fix the files by renaming them first. Using a faulty or incorrect decryptor (one intended for a different ransomware) usually causes additional damage and corrupts the encrypted files even more.

 
:step3: Types of Ransomware & How it Spreads:

  • File encrypting ransomware uses strong encryption algorithms to encrypt data files and demands a ransom payment from the victim in order to decrypt them. The first file encrypting ransomware variants used a symmetric-key algorithm, but malware developers eventually upgraded to public-key cryptography before moving on to a hybrid of the two, in which each file is encrypted with a symmetric key and that key is in turn encrypted with the attackers' public key, so only the holder of the matching private key can recover it.
  • Locker ransomware locks the victim out of the operating system so they cannot access their computer or its contents, including all files, personal data, photos, etc. Although the files are not actually encrypted, the cyber-criminals still demand a ransom to unlock the computer.
  • Ranscam (fake ransomware scamming) is where the criminals use various scare tactics and threats to coerce victims into paying a ransom demand. Some criminals behind Ranscam simply delete the victim's files, having no intention of decrypting anything after the ransom is paid, regardless of whether the files were actually encrypted in the first place.
  • Ransomware as a Service (RaaS) involves criminals renting access to a ransomware strain hosted anonymously by the ransomware author, who offers it as a pay-for-use service. The author may handle all aspects of the attack (from distribution to collecting payments and restoring access) in return for a percentage of the ransom collected.
  • Master Boot Record ransomware is a variation of Locker ransomware which denies access to the full system by attacking low-level structures on the disk, essentially stopping the computer's boot process and displaying a ransom demand. Some variants will actually encrypt portions of the hard drive itself.
  • Wiper/Eraser Ransomware is a class of malware designed to destroy files (overwriting the data), meaning the affected data is not recoverable; it is destroyed beyond repair.

With Wiper Ransomware the process looks almost identical to how ransomware works (skipping files, terminating processes, leaving certain extensions alone) and it may even append an extension to the affected files. Usually the file size is 0 bytes, or the contents have been overwritten with null bytes (0x00). When dealing with wiper/eraser ransomware, paying or considering paying the ransom is useless since the data cannot be recovered.

Ransomware can be further classified as:

Ransomware spreads via a variety of attack vectors: social engineering (trickery) and user interaction, opening a malicious or spam email attachment, executing a malicious file, exploits, exploit kits, web exploits, malspam, malvertising campaigns, cryptojacking malware campaigns, fileless malware, non-malware attacks, posing as a folder on removable drives, drive-by downloads, downloading software cracks, pirated software, fake Microsoft Teams updates, fake/illegal activators for Windows & Office, targeting managed service providers (MSPs) and RDP brute-force attacks. RDP brute forcing is a common attack vector for servers, particularly for those involved in developing and spreading ransomware, since an enabled RDP service exposed to the Internet allows connections from the outside, as explained here.

Threat Bulletin: Ransomware 2020 - State of Play

During the latter half of 2019 and early 2020, the BlackBerry Research and Intelligence Team observed cyber-criminal gangs utilizing advanced tactics to infiltrate and ultimately extort money from victims using several prominent ransomware families (e.g. Ryuk, Sodinokibi [1] and Zeppelin [2]), with a distinct shift from widespread, indiscriminate distribution to highly targeted campaigns often deployed via compromised Managed Security Service Providers (MSSPs).

 

In some cases, criminals misuse legitimate software such as Process Hacker to help facilitate the spread of malware, hack a computer in order to steal data, commit identity theft and other nefarious activities. Process Hacker is a program used for viewing, managing and manipulating processes and their threads/modules. However, it is one of several tools which can be misused by hackers and malware developers during the compromise of a computer system or network in order to spread various types of malware and ransomware. Table 4 (page 8) shows a list of legitimate and open-source tools used by threat actors.

 

Note: For victims who are dealing with a Linux-based NAS (Network Attached Storage) device, the malware most likely infected a Windows-based machine and encrypted the NAS over the network. The criminals could also connect via Samba/SMB (Server Message Block) and run the malware from their own system to encrypt files over the Internet, which is essentially the same as encrypting files over a network-mapped drive. Attackers have been known to exploit the SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On and the Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync to execute ransomware on vulnerable devices. Password guessing, OpenSSH vulnerabilities and exploitation of other security vulnerabilities in the device's software are common attack vectors.

For more detailed information, please refer to How Malware & Ransomware Spreads.
  
:step4: What to do when you discover your computer is infected with ransomware:

When you discover that your computer or network (if applicable) is being infected with ransomware, you should immediately shut down the computer to prevent it from encrypting any more files. Shutting down the computer should stop any encryption of other drives that were connected at the time of infection, as explained here by Lawrence Abrams, site owner of Bleeping Computer.

After detecting a ransomware attack, the first step a company should do is shut down their network and the computers running on it. These actions prevent the continued encryption of data and deny access to the system for the attackers. Once this is done, a third-party cybersecurity company should be brought in to perform a full investigation of the attack and audit of all internal and public-facing devices. This audit includes analyzing the corporate devices for persistent infections, vulnerabilities, weak passwords, and malicious tools left behind by the ransomware operators.

Disconnecting the infected computer from the Internet does not stop the encryption process locally. Some types of ransomware (e.g. Spora, DMA Locker 3.0, Cerber, Locky) can encrypt files offline, without contacting the attackers' server at all.

 
The infected computer should be isolated from other devices and if possible you should create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system. 

 

Imaging the hard drive backs up everything related to the infection including all encrypted data, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed in the event that a free decryption solution is ever discovered in the future. The encrypted files and ransom note text files do not contain malicious code so they are safe to back up. Alternatively, you can remove the hard drive, store it away and replace it with a new hard drive with a fresh install of Windows. If a future decryption solution is ever found or the criminals arrested and master keys are seized and released to allow creation of a public decryptor, victims will have the original hard drive to restore their encrypted data.

 
Even if a decryption tool is available, there is no guarantee it will work properly (it may be fake, defective, or malfunction) or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files (or the original infected hard drive) and related information is a good practice.

IMPORTANT!!! The window for finding attackers on your network before ransomware is deployed is getting much smaller

:step5: Removing Ransomware From An Infected Computer:

Most crypto malware (ransomware) is programmed to automatically remove itself (the malicious files responsible for the infection) after encryption is done, since those files are no longer needed, but there are some exceptions. The malware developers usually do this to make it more difficult for security researchers to find and analyze their malicious payload. That also explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code, so they are safe.

 

Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom notes and discovery only occurs at a later time when attempting to open an encrypted file. As such, many victims don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware which could still be present on the infected computer.

However, some crypto malware (e.g. STOP Djvu Ransomware) is known to leave behind malicious components that will encrypt any new files saved and re-encrypt any files victims previously managed to decrypt. Other ransomware (e.g. Phobos Ransomware) is very aggressive and does not end after a single run: it will run multiple times, ensuring repeated infection. A few ransomwares store a victim's master key in the registry; if that entry is removed, the next time the computer is restarted the ransomware may create a new master key and begin encrypting files again, leaving data encrypted with two different keys.

Therefore it is recommended to isolate the infected computer from other devices and thoroughly check the system to ensure no such malicious components have been left behind. IT folks and advanced users who are ransomware victims can use Farbar Recovery Scan Tool (FRST), an advanced specialized tool designed to investigate for the presence of malicious and suspicious files. FRST logs provide detailed information about your system, registry loading points, services, driver services, Netsvcs entries, known DLLs, drives, partition specifications and will also list system files that could be patched by malware.

There are a few ransomware variants that will add an entry to Run and RunOnce Registry Keys so the malicious executable or ransom screen always displays itself on each restart of the computer. In such cases, victims should look for a related entry under the Startup tab in Windows System Configuration Utility (msconfig) or use a tool such as Autoruns to search for and remove any malicious entries.
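The Run/RunOnce check can be done from the text output of the built-in `reg query` command rather than by eye. The script below is an added example and not this guide's own procedure: it parses that output and scores each autostart entry with a few heuristics (user-writable location, GUID-named folder, script host or LOLBin, script/HTA target). The sample output, value names, paths and scoring weights are all constructed assumptions for the demo, not a signature set; a flagged entry is a lead to investigate with FRST or Autoruns, not a verdict.

```python
"""Triage Run/RunOnce autostart entries for ransomware persistence: a
malicious executable or ransom screen re-launched on every boot.

Added example, not code from the guide. It parses the text that the built-in
`reg query <key>` command prints; the sample below is constructed (the value
names, GUID folder and file names are invented for the demo) and the scoring
heuristics are assumptions, not a signature set."""
import re

AUTOSTART_KEYS = [  # what you would pass to `reg query`; the parser reads its output
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]

# `reg query` prints the key on its own line, then "    Name    REG_TYPE    Data"
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Heuristics over the lower-cased command line: (weight, reason, regex)
HEURISTICS = [
    (1, "runs from a user-writable location",
     re.compile(r"\\(appdata\\(local\\temp|roaming)|programdata|users\\public|downloads|\$recycle\.bin|temp)\\")),
    (2, "lives in a random GUID-named folder",
     re.compile(r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\")),
    (1, "launched through a script host / LOLBin",
     re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?(mshta|wscript|cscript|rundll32|regsvr32|powershell|pwsh|cmd)(\.exe)?\b')),
    (1, "targets a script or HTA rather than a program",
     re.compile(r"\.(hta|vbs|vbe|js|jse|wsf|bat|cmd|ps1|scr)\b")),
]
FLAG_AT = 2  # assumed threshold: two weak signals, or one strong one, earn a look


def score_entry(data):
    """Return (score, reasons) for one autostart command line."""
    d = data.lower()
    hits = [(w, reason) for w, reason, rx in HEURISTICS if rx.search(d)]
    return sum(w for w, _ in hits), [r for _, r in hits]


def parse_reg_query(text):
    """Parse `reg query` output into entries: key, name, type, data."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({"key": key, **m.groupdict()})
    return entries


def triage_autostarts(text, flag_at=FLAG_AT):
    out = []
    for e in parse_reg_query(text):
        score, reasons = score_entry(e["data"])
        out.append({**e, "score": score, "reasons": reasons, "flag": score >= flag_at})
    return out


# Constructed sample: two legitimate entries and three that should be flagged.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    "C:\Users\bob\AppData\Local\3f2a9c1e-7b4d-4e8a-9c21-0d6f5a8b1e2c\build.exe" --AutoStart
    Launcher    REG_SZ    mshta.exe C:\Users\bob\AppData\Roaming\note.hta

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    RansomNote    REG_SZ    "C:\ProgramData\HOW_TO_DECRYPT.hta"
"""

if __name__ == "__main__":
    for row in triage_autostarts(SAMPLE_REG_QUERY):
        mark = "FLAG" if row["flag"] else "    "
        print(f'{mark} {row["name"]:16s} score={row["score"]} {row["data"]}  {row["reasons"]}')
```

Feed it the saved output of `reg query` for each key in AUTOSTART_KEYS (run from an elevated prompt so the HKLM keys are readable), and quarantine rather than delete whatever it flags, for the reason given in the next paragraph.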
 
When dealing with ransomware removal it is best to quarantine malicious files rather than delete them until you know or confirm what infection you're dealing with. In some cases, samples of the malware itself are needed for further analysis in order to identify it properly or investigate for flaws which could lead to the creation of a decryption tool so your data can be recovered. Quarantine is just an added safety measure which allows one to view and investigate the files while keeping them from harming your computer. If using security scanning disinfection tools, system optimization and/or cleanup software on some ransomware before backing up, there is a chance they could remove related registry keys and malicious files which may be required to recover your data.
 
Important Note: Some ransomware have been known to install password stealing Trojans on victim's computer to steal account credentials, cryptocurrency wallets, desktop files, and more. It is imperative that you change all passwords for your computer to include those used for banking, taxes, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer as a precaution, not the infected one.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs such as Emsisoft Anti-Malware, Emsisoft Emergency Kit, Malwarebytes, Zemana AntiMalware or RogueKiller Anti-malware.

If the computer was shut down to prevent it from encrypting any more files as explained here, then you can use LiveCD/Rescue Utilities or Bootable Antivirus Tools to assist with malware removal without having to boot into Windows. Offline scanning is a method to disinfect malware from outside an infected Windows system environment by using an anti-malware program that runs outside of the traditional operating system. Offline scanners are usually self-contained, do not require a network or Internet connection and are typically loaded onto a flash drive or CD/DVD and set to boot prior to the operating system. The advantage of offline scanning tools is that they can be used when the malware is not running and interfering with the clean-up process.

Note: Disinfection will not help with decryption of any files affected by the ransomware.
 
Again, before doing anything, if possible it is recommended to backup or create a copy or image of the entire hard drive which allows you to save the complete state of your system as noted above. Alternatively, you can remove the hard drive, store it away and replace it with a new hard drive.

Of course you can always choose to reinstall/refresh/reset Windows, perform a factory reset or reformat instead which will remove ransomware related malicious files...it also will erase all the data on your computer to include your encrypted files, ransom notes, any programs you installed and the settings on your computer so backup your important data first even if it is encrypted. Reinstalling will essentially return the computer to the same state it was when you first purchased and set it up to include any preinstalled and trial software provided by the vendor. However, there are boot sector viruses (bootkits) which can alter the Master Boot Record (MBR) as explained here and in those cases, you should also rewrite the MBR to ensure all malicious code has been removed.
 
If you have an older operating system you may need to reformat the hard drive.

It never hurts to try a manual clean-up first with trustworthy security scanning tools if that is something you want to consider. However, it is still recommended to create a copy or image of the entire hard drive before doing anything for the same reasons noted above.
 

:step6: If you need individual assistance only with removing the malware infection, there are advanced tools which can be used to investigate and clean your system. Please follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your FRST logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum for assistance by the Malware Response Team.

 

Ransomware victims should ignore the many Internet search results that point to bogus and untrustworthy ransomware decryption and removal guides, including Facebook and YouTube videos, many of which falsely claim to have decryption solutions. After expert researchers write about new ransomware variants, junk articles full of misinformation are quickly written in order to scare, goad or trick desperate victims into using or purchasing mostly sham removal and decryption software. Victims typically are directed to download a multitude of unnecessary and useless tools. In some cases, unsuspecting victims may actually be downloading a malicious file or fake decryptor that makes the situation even worse. Only use trusted sources when searching for information. Do not let yourself be victimized twice.

 
Updated: 12/15/25


Edited by quietman7, 15 December 2025 - 05:11 PM.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief





