I suspect my system is infected because I'm seeing strange PowerShell windows popping up briefly at startup and my memory usage is spiked, but a full scan with my current antivirus shows zero threats. I’ve heard about "fileless malware" that resides only in RAM or uses legitimate system tools like WMI to hide. How do I even begin to track this down if the traditional signature-based scanners can't find anything on the disk? Are there specific EDR tools available for home users?
3 answers
Fileless attacks are notoriously difficult because they "live off the land" by using your own system's tools against you. You should start by checking your Registry for unusual keys under the "Run" or "RunOnce" sections, as malware often hides scripts there. I would also recommend running a dedicated memory scanner like Microsoft’s Safety Scanner or the portable version of Malwarebytes. Look for any suspicious outbound network connections using Netstat. Often, these scripts are trying to reach a Command and Control server to download the next payload stage.
Have you tried using Process Explorer to look for any processes with strange descriptions or unsigned certificates that are consuming high CPU?
You should definitely look into "Endpoint Detection and Response" (EDR) lite tools. They focus on behavior rather than files, which is exactly what you need for this scenario.
Great suggestion, Amanda. Behavioral monitoring is the only way to catch these. I’d add that disabling PowerShell for non-admin users can also prevent many of these scripts from executing.
Christopher, Process Explorer is great, but for fileless threats, you really need to look at the command line arguments of legitimate processes. If you see 'powershell.exe' running with a long, Base64 encoded string, that is a massive red flag. You should use a tool like Autoruns to see exactly what is being triggered during the boot sequence before the OS fully loads.