ftballpack Posted May 30, 2023

tl;dr, a few suggestions for anyone intent on malware hunting.

FYI, obviously nuking from orbit and rebuilding is the best approach to making sure all malware is gone, but I thought I would add a few helpful suggestions for those otherwise trying to hunt down any remaining malware.

The best approach for Windows machines is to scan first with an offline/bootable scanner with current antivirus definitions if possible. A few examples are ESET's bootable scanner https://www.eset.com/int/support/sysrescue/ and Kaspersky's Rescue CD https://usa.kaspersky.com/downloads/free-rescue-disk (FYI, Kaspersky is a Russian company and with the current political climate some may not want to use Kaspersky at all). The biggest plus of rescue discs is that it's hard for any malware to hide from the AV scanners when the AV is running from a separate OS.

Another good approach is to download and update Malwarebytes and run a full system scan, and/or download standalone malware scanners and run them in Safe Mode. Microsoft https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide, among others, offers a standalone anti-malware scanner which can be used to check for malware. Add the file first while booted into regular Windows, then manually trigger the standalone scanner when in Safe Mode.

On the Mac side a number of AVs exist. Sophos unfortunately moved from an awesome free AV to a trial version for Mac. https://home.sophos.com/en-us/download-mac-anti-virus. On the plus side, Sophos now incorporates machine learning detections into their Mac AV after incorporating the tech from purchasing Invincea a few years ago. Bitdefender usually tests well also and offers a free trial on their Mac AV as well. https://www.bitdefender.com/solutions/antivirus-for-mac.html

On the Linux side things went from awesome to horrible a few years ago. A number of top-rated vendors offered free Linux AVs for home use which were eliminated in favor of enterprise-only versions of the Linux AVs. One thing a person can do is download an AV which is good on both Linux and Mac on their Mac computer (i.e., Sophos' Linux and Mac AV utilize the same scanning engine) and mount the Linux computer as an extra drive from your Mac. https://osxfuse.github.io/ If you take this approach, make sure your macOS is running the latest security updates for the OS before mapping the Linux computer. Taking this approach, you can use the AV on the Mac to scan for malicious files on your Linux machine. ClamAV for Linux is also available and free; however, ClamAV does not have great detection numbers. It's better than nothing, but I would not count on it to find hidden malware on any system. https://www.clamav.net/

For anyone who is "OCD" level about making sure their Windows machine does not have any more malware, HitmanPro performs cloud scans using a combination of Bitdefender, Sophos, and Kaspersky's AV engines (all highly rated with low false positive rates) in the "cloud" to verify files are not malicious. The scanner skips files whose hashes it recognizes but will upload the files it does not recognize to HitmanPro's servers; thus, HitmanPro is not a suggestion for those for whom privacy is paramount, and you definitely don't want HitmanPro scanning your media files by running an "Early Score Warning" scan on your entire computer.
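The post above describes the hash-first behaviour of cloud scanners such as HitmanPro: files whose hashes are already known are skipped, and only unrecognized files get sent off for analysis, which is exactly where the privacy concern (and the "don't let it chew through your media files" caveat) comes from. The script below is an added example written for this thread, not code from the post's author or from any of the vendors named; it reproduces that triage step locally, so nothing leaves the machine, and it generalizes beyond Windows to any filesystem you can mount (including a Linux box mounted on a Mac, as suggested above). It assumes a hypothetical allowlist of known-good SHA-256 digests (in practice you would populate it from vendor-published hashes or a clean reference install; the one here is built from a constructed sample tree) and a hypothetical list of media extensions to skip. The output is only a shortlist of files that still need a real scanner; a hash allowlist detects nothing by itself.

```python
"""Local hash-based triage of unknown files (added example, not from the post).

Walk a directory tree, skip regular files whose SHA-256 is on a known-good
allowlist, skip media files by extension, and report everything else as an
"unknown" that still needs to be fed to a real AV engine. Nothing is uploaded.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: a hypothetical media-extension list to mirror the "don't scan
# your media files" caveat. Extend it to taste; it only controls skipping.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4",
                    ".mov", ".avi", ".mkv", ".flac", ".wav"}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries don't sit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_good, skip_media: bool = True) -> dict:
    """Classify every regular file under root into known / media / unknown.

    known_good: set of lowercase hex SHA-256 digests treated as allowlisted.
    Returns a dict of sorted lists; 'unknown' entries are (relpath, digest).
    """
    root = Path(root)
    report = {"skipped_known": [], "skipped_media": [], "unknown": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Symlinks and special files are not hashed; follow-ups belong to
            # the real scanner, and hashing through a symlink can escape root.
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            if skip_media and p.suffix.lower() in MEDIA_EXTENSIONS:
                report["skipped_media"].append(rel)
                continue
            digest = sha256_file(p)
            if digest in known_good:
                report["skipped_known"].append(rel)
            else:
                report["unknown"].append((rel, digest))
    for key in report:
        report[key].sort()
    return report


def build_demo_tree():
    """Create a constructed sample tree (not real malware or real vendor files).

    Returns (root, known_good) where known_good allowlists exactly one file.
    """
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "bin").mkdir()
    (root / "photos").mkdir()
    good = root / "bin" / "vendor_tool.exe"
    good.write_bytes(b"MZ constructed sample standing in for a known vendor binary\n")
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg stub")
    (root / "bin" / "svchost_helper.dll").write_bytes(b"MZ constructed sample of an unrecognised binary\n")
    known_good = {sha256_file(good)}  # hypothetical allowlist: just the vendor tool
    return root, known_good


def run_demo() -> dict:
    """Build the constructed tree, triage it, clean up, return the report."""
    root, known_good = build_demo_tree()
    try:
        return triage(root, known_good)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print("known-good (skipped):", result["skipped_known"])
    print("media (skipped):     ", result["skipped_media"])
    for rel, digest in result["unknown"]:
        print(f"UNKNOWN {digest}  {rel}")
```

Run it against a mounted drive with `triage("/Volumes/linuxbox", known_good)` and hand only the `unknown` list to whichever scanner you trust; the digests double as a record you can look up later without re-uploading anything.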
softworkz Posted May 30, 2023

@ftballpack Thanks for the overview, that's very helpful advice in the current situation, and I had already thought about having an article like this. Due to its value and relevance I have split out your post into a new top-level topic.
CharlieMurphy Posted May 31, 2023

If I ever find Malwarebytes or anything like that on someone's PC, it's enough evidence for me to re-image it. I guess I'm thoroughly "OCD." lol I just assume that if there was detectable malware then it's far too likely to have undetectable malware as well.