On the Lambda

Programming, Technology, and Systems Administration


Cleaning an Infected Computer at Work

September 23rd, 2014 · No Comments · security, superuser

I have two basic philosophies underpinning how I approach infected computers. To begin with, I don’t really believe in cleaning an infected computer at all. I could cover the reasoning for this in more detail, but I already have a well-voted answer on SuperUser.com that I think says it better than I could fit here. For computers that I manage at work, I capture base hard disk images for our deployed PCs, and can use those to rebuild an infected computer from scratch. Combine this with the fact that most end-user data lives on a server, rather than the local machine, and this process is often faster than cleaning the computer anyway.

That said, I don’t use roaming profiles, and therefore this process is still very disruptive for users. There are literally thousands of settings that go into a user profile, and while most will never change from the default, over time the cumulative effect of a setting here, an option there, can make a real difference. Additionally, just because you have a few pop-ups, it doesn’t mean you have a rootkit.

Therefore the policy I follow at work is that we do allow some clean-up before resorting to wiping or replacing a computer. However, I limit the techniques I’ll use. Here is the full list:

  • Uninstalling unwanted items via the Control Panel
  • Editing specific registry keys where startup programs are kept
  • Manually disabling Services and Scheduled Tasks
  • Using MSConfig or the Startup tab in the Task Manager (Windows 8 and later)
  • Manually deleting normal files and folders left behind from an uninstall process
  • Using existing Antivirus software already on the computer

This is the extent of it. If these don’t get the job done, it’s time for a wipe. Some notable items that are not in the list include rebooting to safe mode, installing an anti-malware tool, and running an anti-virus scan in a clean environment. If I have to do those things, I usually figure I’m better off wiping the machine.

Even with the tools I will use, there’s a catch: I’ll only do this once for a given infection. If, after an initial clean-up attempt, there are still pop-ups or other signs of infection, or if the symptoms return, that’s it. It’s time to nuke the machine and start over.
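The clean-up list above is entirely manual, and the one-attempt rule means the first pass has to be thorough. The script below is an added example, not something from the original post: it inventories the locations the list names (Run/RunOnce registry values, services, scheduled tasks) into one table for review, offers a -WhatIf-capable helper to remove or disable an entry once you have decided on it, and checks the UAC setting (EnableLUA) that the post never allows to be turned off. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (Get-ScheduledTask is not available on Windows 7); the service filter that hides binaries under %SystemRoot% is a noise-reduction choice of mine, not a claim that such paths are always benign, and can be switched off with -All.

```powershell
# Added example (not the post's own script): inventory the autostart locations the
# post cleans by hand, so a single clean-up pass has something concrete to review.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or later.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds itself; they are not registry values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartInventory {
    [CmdletBinding()]
    param([switch]$All)   # -All also lists services whose binary is under %SystemRoot%

    # 1. Run / RunOnce values (the registry keys the post edits directly)
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            [pscustomobject]@{ Source = 'Registry'; Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }

    # 2. Services; by default hide binaries under %SystemRoot% to shorten the list
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $All -or ($_.PathName -and $_.PathName -notlike "*$env:SystemRoot\*") } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Key = $_.StartMode; Name = $_.Name; Command = $_.PathName }
        }

    # 3. Scheduled tasks outside the \Microsoft\ folder, with the command each action runs
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source = 'Task'; Key = $task.TaskPath; Name = $task.TaskName
                                   Command = ($a.Execute + ' ' + $a.Arguments).Trim() }
            }
        }
    }
}

function Disable-AutostartEntry {
    # Accepts objects from Get-AutostartInventory; use -WhatIf to preview the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        switch ($Entry.Source) {
            'Registry' {
                if ($PSCmdlet.ShouldProcess("$($Entry.Key)\$($Entry.Name)", 'Remove value')) {
                    Remove-ItemProperty -Path $Entry.Key -Name $Entry.Name
                }
            }
            'Service' {
                if ($PSCmdlet.ShouldProcess($Entry.Name, 'Disable service')) {
                    Set-Service -Name $Entry.Name -StartupType Disabled
                    Stop-Service -Name $Entry.Name -Force -ErrorAction SilentlyContinue
                }
            }
            'Task' {
                if ($PSCmdlet.ShouldProcess("$($Entry.Key)$($Entry.Name)", 'Disable task')) {
                    Disable-ScheduledTask -TaskPath $Entry.Key -TaskName $Entry.Name | Out-Null
                }
            }
        }
    }
}

function Test-UacEnabled {
    # EnableLUA = 0 means UAC has been switched off, which the post's policy forbids.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    return ($sys.EnableLUA -eq 1)
}

# Usage: review the table first, then pipe only the entries you have decided on.
$inv = Get-AutostartInventory
$inv | Sort-Object Source, Name | Format-Table -AutoSize
if (-not (Test-UacEnabled)) { Write-Warning 'UAC (EnableLUA) is disabled on this machine.' }
# Example follow-up once reviewed (remove -WhatIf to apply):
# $inv | Where-Object { $_.Command -like '*\AppData\*' } | Disable-AutostartEntry -WhatIf
```

The inventory is deliberately read-only; nothing is removed until an entry is piped into Disable-AutostartEntry, and -WhatIf prints what would happen without touching anything. Keep the printed table with the ticket: if the symptoms come back and the machine gets wiped under the one-attempt rule, the table is your record of what was there.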

The other philosophy I follow is regarding administrator rights. I do allow staff to have administrator access on their own machines by default. This is a practice that pre-dates my time here, and one I was not fond of when I started. However, over time I’ve come to accept it as more helpful than hurtful… especially since the introduction of UAC. Under no circumstances do I permit UAC to be disabled, and there are some settings that are enforced through Active Directory Group Policy as well. But the main thing is that, by and large, I do permit administrator rights on end-user PCs.

This is important because I’m only willing to wipe a machine for free once. For an end user, if it’s to the point where we’re replacing your machine for the second time, you’ll find you no longer have administrator rights to your computer when the third machine arrives. I worry that eventually this policy will lead to unreported infections, especially if non-technical management ever comes to see keeping administrative access as necessary to doing your job. However, to date I’ve only had to enforce this one time.

