Cyber Security

How can I detect and remove fileless malware that my antivirus keeps missing during scans?

RO Asked by Robert Higgins · 22-10-2023
0 upvotes 8,767 views 0 comments
The question

I suspect my system is infected because I'm seeing strange PowerShell windows popping up briefly at startup and my memory usage is spiked, but a full scan with my current antivirus shows zero threats. I’ve heard about "fileless malware" that resides only in RAM or uses legitimate system tools like WMI to hide. How do I even begin to track this down if the traditional signature-based scanners can't find anything on the disk? Are there specific EDR tools available for home users? 

3 answers

0
L
Answered on 05-01-2023

Fileless attacks are notoriously difficult because they "live off the land" by using your own system's tools against you. You should start by checking your Registry for unusual keys under the "Run" or "RunOnce" sections, as malware often hides scripts there. I would also recommend running a dedicated memory scanner like Microsoft’s Safety Scanner or the portable version of Malwarebytes. Look for any suspicious outbound network connections using Netstat. Often, these scripts are trying to reach a Command and Control server to download the next payload stage.

0
C
Answered on 10-01-2023

Have you tried using Process Explorer to look for any processes with strange descriptions or unsigned certificates that are consuming high CPU? 

JA 12-01-2023

Christopher, Process Explorer is great, but for fileless threats, you really need to look at the command line arguments of legitimate processes. If you see 'powershell.exe' running with a long, Base64 encoded string, that is a massive red flag. You should use a tool like Autoruns to see exactly what is being triggered during the boot sequence before the OS fully loads.

0
AM
Answered on 15-01-2023

You should definitely look into "Endpoint Detection and Response" (EDR) lite tools. They focus on behavior rather than files, which is exactly what you need for this scenario.

R 18-01-2023

Great suggestion, Amanda. Behavioral monitoring is the only way to catch these. I’d add that disabling PowerShell for non-admin users can also prevent many of these scripts from executing.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session