Analysis Tools for Investigation and Cleanup after Security Incidents

In many cases a security incident is not easy to discover. Sometimes malware reveals itself through error messages or a very slow reaction time of the system. Often a local scan with an antivirus product other than the one normally installed, e.g. Malwarebytes, can already reveal hints of an infection.

Proper analysis and cleanup of malware requires a malware-free environment; ideally a bootable CD/DVD or USB stick is used. Scanning the system with several different virus detection applications is recommended to achieve the maximum detection rate.

Bootable Antivirus Systems/Rescue Systems

The German computer magazine c't [de] offers a paid bootable Linux CD/DVD/USB in its Desinfec't-Projekt [de] with multiple antivirus applications, updated yearly. Many antivirus vendors also offer free so-called rescue systems that allow you to boot and scan your system, e.g. Avira Rescue System, Kaspersky Rescue Disk or ESET SysRescue Live. If you don't have a CD/DVD drive you can use UNetbootin to copy the CD images to a USB stick. Microsoft also provides the Windows Defender Offline tool to create a Windows rescue system on a bootable CD or USB stick and perform scans from it.

Expert Tools

The Windows Sysinternals tools can be helpful for local analysis and discovery of anomalies.

Intrusion Detection Systems (IDS), like Snort or Suricata, can discover infected computers through suspicious network activity. In many cases, however, infections are only detected through external hints.