17

I recently spent many hours troubleshooting a laptop that could not connect to the internet. The laptop exhibited no other unnatural behavior, and so my first thoughts were to try connecting to other networks, try a new NIC, etc... The question I posted can be found here with more detail. One of the first things I did was to check for viruses with MalwareBytes, eSet, and Panda Cloud Antivirus... All 3 scans were run separately and independently of one another, and no virus was found. I then proceeded to spend hour after hour troubleshooting, and in the end I just took the computer to a repair shop where it was discovered to have a virus.

My question is not subjective, I'm not asking what is the best anti-virus software to use. I'm asking how can I actually be certain I have no viruses when popular and generally effective anti-virus scans detect absolutely nothing?

In the past my routine would be to run through the list of running processes and start-up programs, and use online resources to try and find anything malicious. This routine seemed relatively silly to me in the face of all of these anti-virus programs, and I thought it would be more effective to run scans than to manually look on my own.

Obviously IT firms have some effective method of identifying viruses, and I doubt these companies are just running some virus scanner. Clearly experience would have led me to identify my own problem as a virus, but I feel like there are all kinds of ways an undetected virus can manifest itself, so I don't want to rely solely on experience.

Edit:

I should clarify this a little bit. I'm not necessarily looking for some "ultimate" checklist of things to do to identify viruses, but clearly there are ways to identify them when our normal anti-virus scans fail, and I'm wondering what some of these approaches might be.

JonathonG
  • 359

5 Answers

13

No antivirus package is perfect. I have seen viruses which I submitted to http://virusscan.jotti.org/en where only 2 or 3 of the packages detected them. I have also had a virus which was reported clean by them all.

So, if I need to clean/scan a machine for viruses, these are some of the things I do.

Preliminary Check

Check and possibly delete the files in the temp folder and also the temporary internet files. If there are tens of thousands of files or more, deleting these can significantly reduce the time it takes to perform a full scan. It is, however, possible for this to delete a virus stored in these locations before it can be identified.

Stage 1

Boot off a clean CD/DVD, for example a Bart CD or a special AntiVirus CD.

  • Run scans with several different anti-virus, anti-malware and rootkit programs
  • Configure Explorer to show hidden files and folders and look for files that were recently added to the root folder, Windows, Windows\System32, and Program Files folders. Also look for hidden files and/or folders in those places. The presence of such files does not necessarily mean an issue, but I usually try to identify them to make sure they are legitimate.

Stage 2

Boot in the operating system normally

  • Run scans with several different anti-virus, anti-malware and rootkit programs
  • Run programs such as Autoruns and HijackThis which show everything that is started automatically or that hooks into Windows (e.g. add-ons to Windows). Neither of these programs tries to determine what is good and what is bad; instead they give you information and it is up to you to decide if the entries are valid.
  • Run Task Manager or Process Explorer to see what processes are running.
  • Look in Add/Remove Programs, see what sort of programs have been installed and remove any junk. I don't want to mention any names, but there are some toolbars, poker games and some file sharing programs that always seem to cause problems, and quite often the user/owner of the computer did not deliberately install them (for example, toolbars that are bundled with other programs).

Stage 3 (time permitting)

  • Reboot into Windows, connect to the internet and leave it for a while, then repeat Stage 1 to make sure the machine is still clean.

Stage 4

  • Keep fingers crossed and/or pray that the machine is clean.
sgmoore
  • 6,599
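The Stage 1 and Stage 2 file-system and autostart checks above can be scripted so the same review is repeatable on every machine. The following PowerShell is an added example and not the answerer's own tooling: it is read-only, lists items created in the last `$Days` days and hidden items in the folders the answer names, and dumps the common Run/RunOnce keys (a small subset of what Autoruns shows) for manual review. The day window, the folder list and the registry keys chosen are assumptions; widen them for the machine at hand.

```powershell
# Added triage example (not from the answer): recent and hidden items in system
# folders, plus Run/RunOnce autostart entries. Read-only; nothing is deleted.
param([int]$Days = 14)   # assumption: "recent" means the last two weeks

$cutoff  = (Get-Date).AddDays(-$Days)
$folders = @(
    "$env:SystemDrive\",
    "$env:SystemRoot",
    "$env:SystemRoot\System32",
    "$env:ProgramFiles",
    ${env:ProgramFiles(x86)}          # null on 32-bit Windows; filtered out below
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

foreach ($folder in $folders) {
    Write-Host "=== $folder ==="
    # Top level only: a recursive walk of System32 is very noisy. Add -Recurse if needed.
    $items = Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue

    Write-Host "-- created after $cutoff --"
    $items | Where-Object { $_.CreationTime -gt $cutoff } |
        Sort-Object CreationTime -Descending |
        Select-Object CreationTime, Mode, Length, FullName | Format-Table -AutoSize

    # Expected hidden items (desktop.ini, pagefile.sys, ...) appear here too;
    # the goal is to identify each one, not to treat every hidden item as malicious.
    Write-Host "-- hidden items --"
    $items | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object Mode, FullName | Format-Table -AutoSize
}

# Autostart entries. Get-ItemProperty adds PSPath/PSParentPath/... metadata
# properties to the result, which are filtered out so only real values remain.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    Write-Host "=== $key ==="
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notin $metaProps } |
        ForEach-Object { '{0,-30} {1}' -f $_.Name, $_.Value }
}
```

Run it from the booted OS for the Stage 2 pass; for the Stage 1 pass from a rescue CD, point the folder list at the mounted offline drive and load its registry hives with `reg load` before reading the Run keys. Each entry it prints still has to be judged by hand, exactly as the answer says of Autoruns.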
5

How to be certain you don't have a virus when anti-virus scanners find nothing

You can't.

However, if you want to be sure that a virus isn't causing problems with Internet access, just boot from a live CD or USB, preferably one created on a different and clean system. If that cannot access the Internet, you may have a hardware problem.

0

I am not a malware analyst, but I will share my little knowledge with you. My two cents -

Look for things like strange files in your startup or Windows folder, and wide fluctuations in free hard disk space. Sometimes malware file names are similar to Windows OS file names, like %svchost%.exe or %Splwow64%.exe etc. Also, look for "weird" processes in Task Manager.

You cannot be certain that an AV will even be able to detect a malware written and detected 1 year ago. How? If this malware is crypted properly then it will become undetectable. Crypters can be purchased from illegal online markets. Here is a video which advertises a crypter with a lot of features. I don't know how effective it is at making malware FUD though.

http://www.youtube.com/watch?v=wlaO7flygKQ

Also, consider becoming a member of bleepingcomputer.com. IMHO, it is a better place for asking these types of questions and for reading free tutorials on securing home computers and on anti-malware strategies.

HTH

Steam
  • 127
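The "file names similar to Windows OS file names" point can be checked mechanically rather than by eyeballing Task Manager: a process called svchost.exe or splwow64.exe is only normal when it runs from the directory Windows installs it in. The PowerShell below is an added example, not the answerer's code; it compares each running process's on-disk path against a small assumed table of expected directories and reports the mismatches together with their Authenticode signature status. The table is illustrative and not exhaustive, and 32-bit copies under SysWOW64 would also be reported and need a glance.

```powershell
# Added example (not from the answer): find processes that carry a well-known
# system binary name but run from somewhere other than that binary's home directory.
# The expected-directory table is an assumption; extend it for your build of Windows.
$expected = @{
    'svchost.exe'  = "$env:SystemRoot\System32"
    'splwow64.exe' = "$env:SystemRoot"
    'lsass.exe'    = "$env:SystemRoot\System32"
    'csrss.exe'    = "$env:SystemRoot\System32"
    'winlogon.exe' = "$env:SystemRoot\System32"
    'explorer.exe' = "$env:SystemRoot"
}

function Get-SystemLookalikeProcesses {
    Get-Process | ForEach-Object {
        $p = $_
        $path = $null
        # The image path is not readable for some protected/system processes;
        # those are skipped instead of guessed at.
        try { $path = $p.Path } catch { }
        if (-not $path) { return }

        $name = ([IO.Path]::GetFileName($path)).ToLowerInvariant()
        if (-not $expected.ContainsKey($name)) { return }

        $dir = [IO.Path]::GetDirectoryName($path)
        if ($dir -ne $expected[$name]) {            # -ne is case-insensitive in PowerShell
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid       = $p.Id
                Name      = $name
                Path      = $path
                Expected  = $expected[$name]
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }
}

Get-SystemLookalikeProcesses | Format-Table -AutoSize
```

An empty result does not prove the machine is clean (a process can run under an innocuous name, or from the right folder after replacing the real file), but a hit from a user profile or temp directory with a `NotSigned` status is exactly the kind of entry worth pulling into a manual review.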
-1

I personally don't use a live anti-virus. I keep a clean backup image and back up to an external regularly. Although if I were to experience a system that needed a deep clean, rootkits are the nemesis.

Boot into Bart and run a rootkit revealer, reboot into Bart and clean up, reboot into Bart and run Malwarebytes (free); if you do this before cleanup it takes forever.

Reboot into the OS and run the rootkit revealer; you may need to run regedit and clean out any registry entries that are suspect. Then clean up again, run Malwarebytes and run defrag…

If the rootkit is still there you may need to reimage the machine to a clean OS to kill any system files that are infected… I've had to boot into DOS and replace startup files in the past, no fun.

-3

For any virus made by a competent programmer, what has been mentioned isn't enough; luckily most viruses are made by 15-year-olds using Visual Basic. That wasn't a joke, it's a fact, but here is some more information.

Because Microsoft is so "great", NTFS has a way to hide files: it's called alternate data streams. Nothing there is visible through Explorer or the command line, and some anti-viruses don't even scan it, erreech.

Make sure you're using Windows 8 or greater; there have been some long overdue security updates that "prevent" direct kernel object manipulation. Before, it was as easy as a few lines of code and you could hide a process from the process list.

Most viruses are made exclusively for Windows, but Windows does have better security in many aspects such as memory protection.

The best defense against viruses is knowledge, training people and getting them to follow safety rules, for example not downloading anything not made by trusted companies.

Aaron
  • 1
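Alternate data streams are not shown by a plain directory listing, but they are enumerable: `dir /R` in cmd.exe and the `-Stream` parameter of `Get-Item`/`Get-ChildItem` (PowerShell 3.0 and later) list every stream on a file. The script below is an added example, not the answerer's code; it walks a folder and reports only non-default streams, skipping the primary `:$DATA` stream and the `Zone.Identifier` mark-of-the-web stream that browsers add to downloads, so what remains is the short list worth opening by hand. The starting folder is an assumption.

```powershell
# Added example (not from the answer): enumerate alternate data streams under a
# folder, ignoring the primary data stream and the common Zone.Identifier stream.
# Read-only. Requires PowerShell 3.0+ for -Stream.
param([string]$Root = "$env:SystemRoot\Temp")   # assumption: start in the temp folder

# Streams that are normal and not worth listing.
$ignore = ':$DATA', 'Zone.Identifier'

function Get-NonDefaultStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream, including the primary ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin $ignore } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

Get-NonDefaultStreams -Path $Root | Sort-Object Length -Descending | Format-Table -AutoSize
```

A stream's content can be read with `Get-Content -LiteralPath <file> -Stream <name>` for inspection, and a large executable-sized stream attached to an innocuous text file is the pattern to look for; legitimate software does use streams occasionally, so each hit is identified rather than assumed hostile.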