You’re not going to like the answer to this one.
There may be no signs at all. It’s possible for a machine to be compromised even though it seems to be working properly.
That’s why we need help.
The goal of most malware is to hide
Hiding is the holy grail of malware: to be able to do something malicious without being caught.
“Malicious” can literally mean anything. Malware that sends spam, steals your information, or monitors your activity would like very much to never, ever be caught. To that end, such malware uses techniques that minimize any signs of its presence. It hides, and tries to hide for as long as it possibly can.
If written properly, malware might not do anything noticeable during normal computer use.
There would be no signs at all.
The goal of some malware is to cause trouble
Other malware is more obvious — but often not until it’s too late.
For example, malware that encrypts your files and extorts a payment for recovery — ransomware — clearly wants to be discovered, just not before it has done its damage. While it encrypts your files, it might do so in a way that is virtually undetectable to you or me. Some ransomware minimizes its impact by performing the encryption slowly, taking days or weeks to complete the task, at which point it presents its demands.
Other malware doesn’t really want to be discovered, but discovery is an inevitable side effect of its more explicit goal. As soon as your files go missing, your network connection is overrun, or some other malicious impact shows up, it becomes clear you have a problem.
Some malware is just poorly written
Fortunately, a lot of malware is easy to spot, regardless of its goals. Staying stealthy is hard, and not all malware authors are up to the task. As malware has transitioned from an annoyance to a business, it has certainly become more sophisticated. Still, the vast majority of malware is relatively easy to spot with the right tools.
But just because “most” might be easy to spot doesn’t mean all are.
Your own observations are the worst
You cannot and should not rely on what you see happening on your computer as a way to detect malware. Chances are you’d be very, very wrong.
As I’ve said, malware tries to hide, and if well constructed, can do a pretty good job of it.
What I see more often is the reverse: people who are concerned — even convinced — that they have malware, or are being spied on, when they are not. The clues they see are frequently explained by significantly more mundane and less nefarious causes.
Using the right tools
Since you can’t rely on yourself as a “malware detector”, you need to rely instead on three things:
- Rely on yourself as a “malware avoider”.[1] Understand what it means to be safe on the internet. Don’t put yourself into positions where you are likely to allow your machine to be compromised in the first place. You are the first line of defense when it comes to staying safe.
- Rely on your anti-malware tools for detection. Make sure you’re running anti-malware tools, and that they are up-to-date. That also means keeping all your software up to date, including the operating system and the applications you run.
- Rely on your backups for recovery. When, not if, “stuff” happens, you’ll be able to undo the damage done to your files and other important data by recovering from your backups.
There are no guarantees
There is simply no way to guarantee 100% safety. There just isn’t.
Technology is a lot like life that way. Getting out of bed in the morning involves risk[2]; using your computer involves risk.
There’s no guarantee you’ll notice malware.
All you can do is reduce the risk and stack the deck in your favor with good behavior and good tools.
And backups. Always backups.
3 comments on “How Do I Know If My Computer Has Been Compromised?”
WRT tools, consider the free Norton Bootable Recovery Tool: https://security.symantec.com/nbrt/nbrt.aspx
How do you know your machine is compromised with hidden malware? There are ways to investigate this, but let me say that not too many people will perform the steps outlined below, not even IT professionals. If you do need to go beyond what your anti-malware software tells you about an infestation, here are a few methods of inspection you can do:
(1) Always know what background tasks are running on your machine. You should have a record of what processes are running on your machine and do a before-and-after comparison if you suspect malware. You can use the Windows Task Manager, but there are other and better tools to tell you what is running. Also, check what’s set up to run in msconfig.
(2) Always know what services are running on your machine. Similar to checking processes, do a before-and-after comparison.
(3) Do a before-and-after comparison of your Registry (which, incidentally, is the most vulnerable point of attack on a Windows machine and the worst OS design decision anyone ever made). You can export the contents of your entire registry when you believe your machine is not infected and then compare that as two text files with the registry export when you suspect malware. Of course, you’ll need a smart comparison tool, such as Beyond Compare, and you’ll need to know what you’re looking at among the hundreds of changes.
(4) Run the HijackThis tool, which scans your computer for unusual settings and usually is very good at identifying things you need to analyze further.
(5) Run the Belarc Advisor tool, which builds a very detailed profile of what’s on your machine. Use this to do a before-and-after comparison.
(6) Do a search of your User folders for all exe and dll files and know what they are. If you see files with cryptic file names, such as random letters and numbers, investigate further.
To be sure, all of the above requires a great deal of effort and these methods are just the starting point for an investigation and further analysis. Even if you find something you don’t trust, you still have the problem of getting rid of it. As I said, these steps are not practical for the average user, but if you suspect hidden malware which is not obviously damaging your files or system operation, then you might also suspect that your backup was created with the same hidden malware already on your machine.
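The before-and-after comparison the commenter describes in steps (1) and (6) can be done in a few lines once the snapshots are saved to files. The script below is an added example, not code from the commenter or from Ask Leo!; it reads the CSV layout that the Windows command `tasklist /fo csv /nh` prints, reports which process names appeared or disappeared between a baseline and a later snapshot, and flags new names that look like random letters and digits. Both snapshots here are constructed sample data, and the "cryptic name" rule is a simple heuristic of my own (two or more digits and at most one vowel in the file stem), not a standard.

```python
"""
Before-and-after comparison of the running process list: snapshot on a
machine believed to be clean, snapshot again later, and report what appeared,
what disappeared, and which new names look random.

Snapshots use the CSV layout of `tasklist /fo csv /nh` on Windows:
"Image Name","PID","Session Name","Session#","Mem Usage"
Both snapshots below are constructed sample data, not real machine output.
"""
import csv
import io
import platform
import subprocess

# Constructed baseline taken when the machine was believed to be clean.
BASELINE_CSV = '''"System Idle Process","0","Services","0","8 K"
"System","4","Services","0","1,234 K"
"svchost.exe","812","Services","0","10,112 K"
"explorer.exe","4020","Console","1","65,440 K"
"chrome.exe","5112","Console","1","210,004 K"
'''

# Constructed later snapshot: chrome.exe has exited and two processes are new,
# one of which has a cryptic, random-looking name.
CURRENT_CSV = '''"System Idle Process","0","Services","0","8 K"
"System","4","Services","0","1,234 K"
"svchost.exe","812","Services","0","10,112 K"
"explorer.exe","4020","Console","1","65,440 K"
"notepad.exe","6300","Console","1","12,008 K"
"x7q9k2pz.exe","7212","Console","1","4,016 K"
'''


def parse_tasklist_csv(text):
    """Return the set of image names (lower-cased) in a tasklist CSV dump."""
    names = set()
    for row in csv.reader(io.StringIO(text)):
        if row:
            names.add(row[0].strip().lower())
    return names


def capture_tasklist():
    """Take a live snapshot. Only works on Windows, where tasklist.exe exists."""
    if platform.system() != "Windows":
        raise RuntimeError("tasklist is a Windows command; use a saved snapshot instead")
    result = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                            capture_output=True, text=True, check=True)
    return result.stdout


def looks_cryptic(name):
    """Heuristic (an assumption of this example, not a standard): a file stem of
    six or more characters with two or more digits and at most one vowel is
    flagged, since real program names have vowels and rarely many digits."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    digits = sum(ch.isdigit() for ch in stem)
    vowels = sum(ch in "aeiou" for ch in stem)
    return digits >= 2 and vowels <= 1


def diff_snapshots(baseline_text, current_text):
    """Compare two snapshots: names that are new, names that vanished, and the
    subset of new names that look cryptic and deserve a closer look."""
    before = parse_tasklist_csv(baseline_text)
    after = parse_tasklist_csv(current_text)
    new = sorted(after - before)
    gone = sorted(before - after)
    return {
        "new": new,
        "gone": gone,
        "suspicious": [n for n in new if looks_cryptic(n)],
    }


if __name__ == "__main__":
    report = diff_snapshots(BASELINE_CSV, CURRENT_CSV)
    for key in ("new", "gone", "suspicious"):
        print(f"{key}: {', '.join(report[key]) or '(none)'}")
```

The same pattern (save a known-good dump, save a later one, diff the two) applies to a `sc query` listing of services or a registry export; only the parser changes. A new name on the list is a lead, not a verdict: look it up, check the file's location and publisher, and let your anti-malware tool scan it before drawing conclusions.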
There is a way to tell if malware is running on your PC.
Most malware will try to send information to remote sites on the Internet. So close your browsers, mail program, anything that would send network signals.
Then run at a DOS prompt “netstat -ano|more”
You may need to do this several times. If you see some remote addresses, write them down. Then use another computer to do a WHOIS search on those IPs. This will tell you if your computer is trying to connect to a remote server.
If you see IP addresses that belong to Russia, China, or an Eastern bloc country, chances are your computer is infected with something.
This only works if it happens frequently. A lot of malware will only make these connections once every hour or so.
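The part of the procedure above that is done by eye, picking the remote addresses out of `netstat -ano` output and repeating the check often enough to catch connections that only happen now and then, is easy to automate. The script below is an added example, not code from the commenter or from Ask Leo!: it parses the layout Windows `netstat -ano` prints, keeps only connections whose remote side is outside the machine and the private LAN ranges, ties each to its owning PID, and counts how many separate runs each remote address shows up in. The three snapshots are constructed sample data; the remote addresses in them are documentation (TEST-NET) values, not real servers, and the WHOIS lookup the comment recommends is still a separate step on another computer.

```python
"""
Pick external remote addresses out of repeated `netstat -ano` runs and count
in how many runs each one appears. All snapshots are constructed sample data
in the layout Windows netstat prints; 203.0.113.45 and 198.51.100.7 are
documentation (TEST-NET) addresses, not real hosts.
"""
import ipaddress
from collections import Counter, defaultdict

SNAPSHOT_1 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     4020
  TCP    192.168.1.20:49802     203.0.113.45:443       ESTABLISHED     5112
  TCP    192.168.1.20:49811     198.51.100.7:8080      ESTABLISHED     7212
  TCP    [::1]:49700            [::1]:135              TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1340
"""

# Later runs (constructed): the same header lines are omitted for brevity.
SNAPSHOT_2 = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49840     198.51.100.7:8080      ESTABLISHED     7212
  UDP    0.0.0.0:5353           *:*                                    1340
"""

SNAPSHOT_3 = """
  TCP    192.168.1.20:49901     198.51.100.7:8080      ESTABLISHED     7212
  TCP    192.168.1.20:49905     203.0.113.45:443       ESTABLISHED     5112
"""

# Ranges that are never "remote sites on the Internet": loopback, RFC 1918
# private LANs, link-local, and their IPv6 equivalents. Listed explicitly
# rather than via ip.is_private, which would also hide the TEST-NET
# documentation ranges used in the sample data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_external(host):
    """True if host is a routable address outside the machine and its LAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # "*" on unbound UDP sockets, or a hostname
        return False
    if ip.is_unspecified or ip.is_multicast:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def split_endpoint(endpoint):
    """Split 'host:port' as netstat prints it; IPv6 hosts are in brackets."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Parse `netstat -ano` output into a list of connection records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                            # headers and blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts   # UDP rows carry no state
            state = ""
        else:
            continue
        host, port = split_endpoint(remote)
        records.append({"proto": proto, "local": local, "remote_ip": host,
                        "remote_port": port, "state": state, "pid": int(pid)})
    return records


def external_connections(text):
    """Only the records whose remote side is outside the machine and LAN."""
    return [r for r in parse_netstat(text) if is_external(r["remote_ip"])]


def recurring_remotes(snapshots, min_seen=2):
    """Count in how many separate runs each external remote address appears
    and which PIDs owned the connection; return those seen at least min_seen
    times, most frequent first. A single run misses anything that connects
    only every hour or so, which is why the runs are taken repeatedly."""
    seen_in = Counter()
    pids = defaultdict(set)
    for text in snapshots:
        per_run = set()
        for r in external_connections(text):
            per_run.add(r["remote_ip"])
            pids[r["remote_ip"]].add(r["pid"])
        seen_in.update(per_run)
    hits = [(ip, n, sorted(pids[ip])) for ip, n in seen_in.items() if n >= min_seen]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for ip, runs, owners in recurring_remotes([SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3]):
        print(f"{ip}: seen in {runs} runs, PIDs {owners}")
```

The PID column is the useful part: it turns "my computer is talking to some address" into "this specific process is talking to it", which you can then match against a process snapshot or Task Manager. An address recurring across many runs with browsers and mail closed is a reason to look further, not proof of infection; plenty of legitimate software (update checkers, cloud sync, telemetry) behaves the same way.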