Malware removal - beyond content and context scanning presented at Virus Bulletin 2007

by Tom Brosch

Summary: "Detecting threats is only one of the things anti-malware software needs to be capable of today. Removing malware, often several hundred linked registry keys and files, has now become an equally important task. And this is where the trouble begins, because content and context scanning is just not enough to cope with it.

In this paper we'll discuss briefly the problems of the usual approaches to removing malware, adware and spyware, and why and where the programs fail. They may miss files, registry keys and values, or they may delete, alter or reset settings made by the user to an unwanted default state. Or, even worse, they will simply ignore everything but the detected EXE file, because no analysis has been carried out by the vendor yet, hence no dedicated removal routines are known, let alone generic removal routines. To support these points, extensive testing results of different technologies will be presented, and nearly all of them will face serious problems.

We will then look into other approaches which might help solve the problem. Supervising the system and bugging the user 100 times per hour is only one of the possible 'solutions'. A sandbox analysis of the malware might be an interesting alternative, giving an idea of what the malware did and what should be removed or changed back. A comparison of the different techniques will then close the paper."