If you suspect that your PC has been infected with malware, what should you do?

Breaking this question off from the Windows hardening guide thread since it’s not relevant anymore.

@anon33963123 inspired me to ask the question of what should you do if you think your computer is infected. The simplest answer is to completely replace everything on your PC with a fresh install, but I wanted to ask because I’m sure there are things I don’t have in mind.

If I thought I had a virus on my system, these are the things I would think to do:

  1. Back up my PC.
  2. Replace my OS with a fresh install, whether that be factory resetting or installing with a fresh iso.
  3. Start getting everything configured to how I use it again.

I figure I should also probably change all my passwords right? Or at least to the most important things. I can’t do anything about the data that may have been taken or copied, but if I can at least make sure they’re not getting into any of my accounts I imagine I’ve gone as far as I can in terms of protecting myself.

What would you do, or what else would you keep in mind to check? Give as much detail as you want. As of now I’m a little worried that just replacing the OS wouldn’t be enough, but I don’t know if that’s just a question for my threat model to answer.

You should be doing this before you think you have a virus on your system :slight_smile:

7 Likes

Look into TronScript

1 Like

Yes, 100%, lol

I meant as in “don’t wipe your hard drive before backing up one more time.”

3 Likes

You should have clarified not to back up a PC you suspect is infected in any way. Back up only the important things, NOT the system files, because some viruses will persist in the old system if you back up the entire thing. I recommend using the normal, Windows-supplied backup functionality or using an external drive to simply rsync your important files to. Also, rolling backups exist, so please regularly back up your stuff, and if you think you’re compromised you can just roll back to a previous clean version.

The only problem with backups is storage. Redundant storage is necessary (two or more copies are needed for it to be safely stored in case of drive or OS failure). You can buy SSDs and HDDs with 2TB+ for relatively cheap nowadays. Apart from my cloud backups on my VPS I have redundant on-prem storage for work things and personal things. You should also look up an easy way to handle this amount of storage because it’s nice to have a GUI to handle it all instead of the terminal (though possible, it’s a pain). There are plenty of services you can use for this that are FOSS and have high usability. Don’t store files unencrypted if uploading them to a cloud provider, and don’t use local storage for sensitive files like tax documents and other docs containing PII unless they’re also encrypted.

3 Likes

Would this extend to dot files and folders on Linux? As of now I think that all I’m backing up is my home directory.

While I’m using Fedora Linux, I was asking the question more in general, so that if someone wondering what to do in this situation was looking it up, they could find different perspectives on it. I guess the details of how you would fix your problem would of course be OS specific.

1 Like

I would say backing up the home directory (which includes dotfiles and folders) will cover most if not all of your files. You would probably know whether you have important files or not outside of your home dir. Would recommend you use backup software that can do deduplication and file versioning. I myself use Borg, fwiw.

1 Like

True. I think that /home and C:/Users/User/ contain your dotfiles and your important media and documents, so they should be included in the backup. For Linux this obviously includes keyrings, GPG config, ~/.ssh, and other configs and very important directories of which you should already be keeping regular backups.

1 Like

Is it likely that a virus would try to save itself in a user’s home directory? Because what I figure to do personally is just make sure that the home directory is backed up and then manually reinstall anything else on top of the fresh install.

As a Linux novice, why are these things important to keep track of? I figured that anything outside of the home directory would be part of the system that should be getting replaced.

Is it likely that a virus would try to save itself in a user’s home directory?

It is. However, the file versioning I mentioned (assuming you started backing up before the infection) does defeat it.

As a Linux novice, why are these things important to keep track of?

If you mean as far as files go, pretty much everything in your home dir is important to you. Every folder and file is created by the apps you use (such as config files, cache, etc.). Unless you have games or virtual machines, your home directory isn’t likely to be very big anyway. You can use BorgBase with Borg (it gives you 10 GB and 2 repos for free). Keep in mind you would have to back up your repo password and your SSH key somewhere else (if you use ed25519 keys, which I recommend, they are very short and you can probably even fit the key on a sticky note (this is not opsec advice)) :slight_smile:

2 Likes

Ok, so I assume the play here is to use a backup from a time before whenever you think you got infected and count all backups after that point to be infected?

Regarding the Linux novice thing, I was referring specifically to comment @pterocles made about “keyrings, GPG config, ~/.ssh, and other configs” which I thought were not already in the home directory. Would they be?

Directories in a common Linux filesystem to backup

/home

Pay special attention to these in your /home:
~/.gnupg
~/.ssh
~/.rvm … etc.

You get the general idea of this. User data, downloads, documents, pictures, files and other extremely important information is kept in your /home, and for that reason it is probably the most important thing to back up. Most of your installed software uses either its installation directory, /usr/local or /home/user/.local/ to store configuration, and this may have taken a long time to write or set up. You may wish to save time by keeping a copy around on a separate disk. It’s up to you to know which of your /home directories are important and which are maybe not so important and can be skipped altogether. /home can accrue a large amount of junk as well, so you may wish to clean it before you back up, but again, it’s up to you. It takes a while to back up my own /home, which includes my development environments for Python, Java, C and Ruby. An alternative is to keep a Gemfile somewhere to record your gems and a requirements.txt or Poetry lockfile containing your important Python modules, so you can easily and quickly reinstall them later and save space when making backups.

/root

Sort of self-explanatory to system administrators but for the regular user this will contain all your administration scripts you create for maintaining the system and is vital to backup because if things go wrong and you can’t repair your /root directory then you are gonna have a bad time.

/var

This contains very important databases (MySQL, PgSQL, spool, spamassassin, etc…). Back up only the important databases containing what you need. You probably don’t need a full copy of /var unless you really want one, so I would avoid it if not needed. Add exceptions with --exclude to avoid backing up certain files and paths if you have to; this will keep your backup clean and avoid duplicates later on, which can be annoying to sort. I also recommend avoiding the OS-specific /var/run and /var/lock.

Probably /usr/local/bin

It’s up to you if this is a priority. It may also just be empty, who knows.

/usr/local/sbin

Same as /usr/local/bin.

/srv

This is important to me and I keep a regular backup for my own reasons. It may be important to you as well.

/opt

Third party software goes here, at least for most. For me, this just includes one or two sub-directories, such as gradle-7.4.2/ and others that I wanted separate from my usual installed software.

You can either use rsync like I do (on almost all my systems including domain controller client), or you can pick another way to do it. I have a full RAID setup but that’s beyond the scope of a blog post.

2 Likes
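The directory write-up above and the earlier points about rolling backups and file versioning come together in this added example (not code from the thread or from rsync/Borg): a small Python snapshot tool that copies a source tree into a timestamped directory, hard-links files that have not changed since the previous snapshot (the trick behind rsync’s --link-dest), applies exclude globs for the caches and /var/run, /var/lock paths mentioned above, and picks the newest snapshot taken before a suspected infection time. The exclude patterns and the stamp format (e.g. 20240301T000000, constructed) are assumptions for the example.

```python
import filecmp
import fnmatch
import os
import shutil
from pathlib import Path

# Globs to leave out of every snapshot (an assumption for this example): caches,
# the volatile /var/run and /var/lock trees the post above skips, temp files.
DEFAULT_EXCLUDES = (".cache/*", "var/run/*", "var/lock/*", "*.tmp")

def excluded(rel, patterns=DEFAULT_EXCLUDES):
    """True if the source-relative posix path matches an exclude glob at any depth;
    a directory is also tested with a trailing slash so it is skipped whole."""
    return any(fnmatch.fnmatch(c, "*/" + p)
               for c in ("/" + rel, "/" + rel + "/") for p in patterns)

def snapshots(root):
    """Existing snapshot directories under root, oldest first (names sort by time)."""
    return sorted(p for p in root.iterdir() if p.is_dir()) if root.exists() else []

def snapshot(src, root, stamp, patterns=DEFAULT_EXCLUDES):
    """Copy src into root/stamp. Files unchanged since the newest earlier snapshot
    are hard-linked to that copy instead of duplicated (what rsync --link-dest does),
    so every snapshot is a complete tree but only changed files cost space."""
    earlier = snapshots(root)
    prev = earlier[-1] if earlier else None
    dest = root / stamp
    dest.mkdir(parents=True)
    for path in src.rglob("*"):
        rel = path.relative_to(src).as_posix()
        if excluded(rel, patterns) or path.is_symlink():
            continue
        target = dest / rel
        if path.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if old is not None and old.is_file() and filecmp.cmp(path, old, shallow=False):
            os.link(old, target)  # identical content: share the inode, no new space
        else:
            shutil.copy2(path, target)  # new or changed content: real copy
    return dest

def last_clean_snapshot(root, suspected_infection):
    """Newest snapshot whose stamp is strictly before the suspected infection;
    that one is safe to restore, everything from the stamp onward counts as tainted."""
    clean = [p for p in snapshots(root) if p.name < suspected_infection]
    return clean[-1] if clean else None
```

Because each snapshot is its own complete tree, a file dropped into the home directory after the infection only appears in later snapshots, and the earlier ones can be restored unchanged.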

Yeah, correct.

~ means your home directory. Your GPG keyring is in your ~/.gnupg directory as well. So yeah, additional info regarding directory types and whatnot is above this post by @pterocles. Nicely written.

2 Likes

Many thanks to you and @pterocles as well for that write up! :slight_smile:

2 Likes

Assuming I had backed up everything important beforehand, it would not be a terrible idea to nuke the system (especially if you use Linux).

Like most people who use Linux, I always have a USB lying around with some distro ready to be fired up. A clean install of Linux takes me less than forty minutes to complete. Tack on an extra twenty minutes to do a system-wide update and you’re golden.

1 Like

Tron script is a good solution.

1 Like

Thank you, I only found it earlier this year. On older PCs it can take hours and hours to fully run. On mine it was about 3 hours.