Dealing with infections that SCEP cannot resolve

There is no such thing as an anti-malware product that is 100% effective against all malware, so it is very likely that at some point during its life span in your environment SCEP will fail you at least once. This recipe will guide you through the process of dealing with such a failure and help to ensure that the infection does not spread to other machines.

In this recipe, you'll be working with a scenario where SCEP has detected a piece of malware and reports that it has successfully removed it, but after a short time the malware comes back and is re-detected by SCEP. No one has been logged in to the PC during this outbreak, which removes the possibility that a user is re-downloading an attachment or re-installing a rogue program after each infection.

Typically, this kind of behavior indicates that there is more malware on the PC than SCEP can detect. The undetected component is likely a Trojan downloader: a piece of malware that hides on the PC and fetches other payloads from a web server, putting the detected malware back each time SCEP removes it. Cleaning the visible payload alone will therefore never resolve the infection; the downloader has to be found and removed as well.
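Before you go to the trouble of building offline-scan media, it is worth confirming that the PC really shows the pattern described above: the same threat detected and "removed" repeatedly, with no interactive logons that could explain a user re-introducing it. The following PowerShell script is an added example and is not part of the original recipe. It assumes a SCEP 2012 client on Windows 7 or Server 2008 R2, which logs to the System log under the Microsoft Antimalware provider (event ID 1116 for a detection, 1117 for an action taken); that the EventData field names `Threat Name`, `Path` and `Action Name` are present in those events' XML (an assumption based on the client's event templates); PowerShell 3.0 or later; and an elevated session, since the Security log is read for logon events. The `$Hours` and `$Threshold` parameters are hypothetical names chosen for this example.

```powershell
# Added example (not part of the original recipe): confirm the recurring-detection
# pattern before building offline-scan media.
# Assumptions: SCEP 2012 client on Windows 7 / Server 2008 R2 logging to the System
# log under the 'Microsoft Antimalware' provider (1116 = detected, 1117 = action
# taken); PowerShell 3.0+; run elevated so the Security log is readable. The
# EventData field names ('Threat Name', 'Path', 'Action Name') are assumed from
# the 1116/1117 event XML.
param(
    [int]$Hours     = 24,   # look-back window
    [int]$Threshold = 2     # detections of one threat that count as "recurring"
)

$since = (Get-Date).AddHours(-$Hours)

# Turn each antimalware event into an object keyed by its named EventData fields.
$detections = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft Antimalware'
        Id           = 1116, 1117
        StartTime    = $since
    } | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Threat = $data['Threat Name']
            Path   = $data['Path']
            Action = $data['Action Name']
        }
    }

# The same threat detected (1116) again after SCEP reported removing it (1117)
# is the signature of an undetected dropper putting it back.
$recurring = $detections |
    Where-Object { $_.Id -eq 1116 -and $_.Threat } |
    Group-Object Threat |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Threat     = $_.Name
            Detections = $_.Count
            FirstSeen  = ($sorted | Select-Object -First 1).Time
            LastSeen   = ($sorted | Select-Object -Last 1).Time
            Paths      = ($_.Group | ForEach-Object { $_.Path } | Sort-Object -Unique) -join '; '
        }
    }

# Interactive (type 2) and RDP (type 10) logons in the same window. None at all
# rules out a user re-downloading the file, making a downloader the likelier cause.
$logons = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } | Where-Object {
        $type = (([xml]$_.ToXml()).Event.EventData.Data |
                 Where-Object { $_.Name -eq 'LogonType' }).'#text'
        $type -eq '2' -or $type -eq '10'
    }

if ($recurring) {
    $recurring | Format-Table -AutoSize
    if (-not $logons) {
        Write-Warning "Recurring detections and no interactive logons since $since: suspect an undetected downloader and run an offline scan."
    } else {
        Write-Warning ("Recurring detections, but {0} interactive/RDP logon(s) in the window; check user activity before assuming a downloader." -f @($logons).Count)
    }
} else {
    "No threat detected $Threshold or more times since $since."
}
```

Run it on the affected PC before you take it offline; the list of paths tells you where the payload keeps reappearing, which is useful to hand to whoever reviews the offline scan's results. The event IDs and field names are those of the SCEP 2012 client; a Windows 8 or later machine running Windows Defender writes equivalent events to its own operational log instead of the System log, so the filter would need to be adjusted there.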

To combat this, we will perform what is referred to as an offline or boot scan, using Microsoft's free Windows Defender Offline tool (available online as a free download). It's important to note that this is the same action you would take if you looked at a malware detection event in the SCCM console and its remediation status read Offline Scan Required.

Getting ready

Before you can begin the procedure, you'll need to download the latest version of the offline scanner tool.

http://go.microsoft.com/fwlink/?LinkID=232461

It is strongly recommended that you download the utility and create the bootable media from a PC that is not the infected one. If the undetected downloader on the infected machine is still active, nothing produced on that machine, including the boot media, can be trusted.

You will need either a CD-R or a USB drive that you are willing to reformat to complete this procedure.

How to do it...

Follow these steps:

  1. Double-click on mssstool.exe to begin the process. The Windows Defender Offline tool should launch. Agree to the EULA and click on Next, as shown in the following screenshot:
  2. Select the type of media you wish to use for this procedure, as shown in the following screenshot:
  3. If you are using a USB drive, then agree to the warning message about reformatting, as shown in the following screenshot:
  4. Next, the utility will automatically download the latest version of the image file, format the media, and write the image to it. This can take several minutes to complete, as shown in the following screenshot:
  5. Once the process is complete, you'll be presented with a screen outlining the next steps, which essentially consist of booting the infected PC from the media you have just created. Once the PC is booted, you'll be offered the choice of a full or a quick scan. A full scan is recommended in this situation: if you've had to go to the length of an offline scan, the PC could be infected with a multitude of malware, and a quick scan only covers the usual load points. Refer to the following screenshot:

How it works...

Under the hood, the Windows Defender Offline scanner is essentially the same thing as your SCEP client: it uses the same engine and the same definition files that you run on your desktop. What gives it the ability to combat malware that SCEP couldn't remove is that you boot the PC from separate, clean media instead of from the installed operating system. The installed OS, and with it anything that hooks into its startup (the downloader, any driver or rootkit component it uses to hide files from a scanner running inside Windows, and any process that would lock or restore the payload), is never started. The only things that load are the components needed to run the scanner, and the infected disk is examined as data. Two caveats follow from this. First, the definitions are whatever the tool downloaded when you built the media, so re-create the media rather than reusing an old disc or USB stick. Second, an offline scan can only remove what the engine recognizes; once the PC is back in Windows, watch the detection events for a while before declaring it clean, and if the payload returns again, the machine should be rebuilt rather than cleaned a third time.

Other standalone scanners:

In addition to the Windows Defender utility covered in this recipe, there are several other products that you might choose to utilize in combating malware that SCEP could not deal with.

I would recommend Malwarebytes, which is free and highly effective.

http://www.malwarebytes.org/
