
Injected or Infected Process and How to


randy:
I'm wondering about the following:

When a critical or any other process (svchost, etc.) is injected or infected by malware, how should an AV react?
Normally the injected/infected process should be stopped (from memory) to avoid the infection spreading, but a critical process like WinLogon or SvcHost cannot be stopped, so what is an AV supposed to do here?
I know about the on-next-reboot disinfection/delete/quarantine queuing, but what about these critical processes? How will the AV deal with them on the next reboot?

Thank you

arebc:
That's a good question.

Injected and infected are two totally different things. If the malicious file is injected into a critical process, usually what happens is that the malware will be deleted on reboot. Since the injected file has been deleted/quarantined on reboot, the critical process should be okay, depending on what settings were changed. Critical processes usually cannot be killed because this would make the OS unstable.

If the critical process has been infected, this is a much more complicated process because a clean routine has to be written to repair the infected critical process.

Does that help?

randy:
Thank you arebc. Let's assume that NO AV is installed and an XProcess is injected. If I reboot the machine, will this XProcess be clean?

arebc:
Depends: has the process/file been deleted? If not, then most likely the file will still inject into the XProcess on reboot. Usually the malicious file writes some type of setting to protect itself so that it resumes on reboot.

MysteryFCM:
If a file is injected into a process, you can bet your life that it has written at least a file and a reg key to re-inject it on reboot.
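The practical consequence of arebc's and MysteryFCM's replies is that the injected process is only the symptom; what decides whether the machine is clean after a reboot is whether the dropped file and its autostart registry entry were removed. The script below is an added example written for this thread, not code from any of the posters. It parses a small constructed .reg-style export of common autostart locations (the Run/RunOnce keys and the AppInit_DLLs value, which loads a DLL into every process that loads user32.dll) and reports entries worth a closer look: a DLL registered via AppInit_DLLs while LoadAppInit_DLLs is enabled, an autostart image living in a user-writable directory, or a file carrying a Windows system binary name (svchost.exe, winlogon.exe, ...) outside System32. The sample paths and value names are invented for the example, and the heuristics are this example's own, deliberately narrow assumptions, not an AV vendor's detection logic.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample .reg-style export (values invented for this example).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"updater"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\randy\\AppData\\Local\\Temp\\helper.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\randy\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# First token ending in .exe/.dll, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?([^"]+?\.(?:exe|dll))"?', re.IGNORECASE)

# Heuristic assumptions for this example: directories any user can write to,
# and binary names that legitimately live only under System32.
USER_WRITABLE = ("\\users\\public\\", "\\temp\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}}; REG_SZ data is unquoted and unescaped."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
            entries[current][name] = data
    return entries


def extract_image_path(data: str) -> str:
    """Strip command-line arguments, keeping only the executable/DLL path."""
    m = PATH_RE.match(data)
    return m.group(1) if m else data


def check_image_path(path: str) -> List[str]:
    """Reasons an autostart image deserves triage; empty list means nothing unusual."""
    reasons = []
    p = path.lower()
    base = ntpath.basename(p)  # ntpath splits on backslashes on any host OS
    if base in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in p:
        reasons.append(f"{base} is a Windows system binary name but lives outside System32")
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("autostart image lives in a user-writable directory")
    return reasons


def audit_autostarts(entries: Dict[str, Dict[str, str]]) -> List[dict]:
    """Walk Run/RunOnce keys and the AppInit_DLLs value and collect findings."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, data in values.items():
                if data.startswith("dword:"):
                    continue  # not a command line
                path = extract_image_path(data)
                reasons = check_image_path(path)
                if reasons:
                    findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
        elif k.endswith("\\windows nt\\currentversion\\windows"):
            dlls = values.get("AppInit_DLLs", "")
            load = values.get("LoadAppInit_DLLs", "dword:00000000")
            if dlls and load != "dword:00000000":
                findings.append({
                    "key": key, "name": "AppInit_DLLs", "path": dlls,
                    "reasons": ["AppInit_DLLs is enabled: this DLL is loaded into every process that loads user32.dll"],
                })
    return findings


if __name__ == "__main__":
    for f in audit_autostarts(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['key']}\\{f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print(f"    {r}")
```

On the sample export this reports the "updater" entry (a file named svchost.exe started from C:\Users\Public) and the AppInit_DLLs entry, while the Program Files and OneDrive entries pass. The findings are for triage, not automatic deletion: the heuristics are intentionally narrow, so per-user software under AppData is not flagged, and a real audit would also cover services, scheduled tasks and the other autostart locations this example leaves out.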
