At times the IT department and the custodial department share a lot in common. Both spend hours cleaning and disinfecting. Both clean up after user misbehavior. Except custodians get the snappy jumpsuits.
For the IT department, though, its Christmas office party mop-up is the extensive malware infection. Reimaging and rebuilding a workstation after a malware infection is a long, repetitive process that takes a couple of hours.
Typical reimaging process:
- Physically going out to the endpoint
- Locating the latest backup
- Determining if the backup is uninfected and uncorrupted
- Downloading the backup
- Locating and entering software license keys
- Updating drivers if necessary
- Patching vulnerable software
- Endpoint customization to restore it to the user’s preferred functionality
Not quite on the level of squeezing spiked fruit punch out of the office couch cushions, but close.
You can see how this time quickly adds up. And there’s no guarantee that the restoration is seamless—there’s always the question of what was lost between the last clean backup and the time of infection. The result is lost productivity: workstation downtime, the time IT spends reimaging, and possibly lost work that the user has to recreate.
Yet, ask an IT admin anywhere, and he’s probably resigned to weekly reimaging despite having endpoint security in place.
According to testing by independent lab AV-Test.org, many antivirus products can detect and block known malware, but many of those same products can’t completely remove the malicious files. And these are threats that have been identified. Polymorphic and other advanced evolving threats often aren’t even detected. Therefore, the reimaging.
There should be a better answer.
For any organization that devotes significant resources to malware infections, the goal should be finding an endpoint security solution or layer that effectively rips malware out by the roots: removing (remediating) the infection instead of going through the hassle of reimaging. Properly executed, remediation removes all traces of malicious code while leaving legitimate files untouched. And it should take only a few moments.
The advantages of remediation over reimaging:
- Vastly faster to carry out
- Restores all work
- Can often be done remotely over the network
- Reduces workstation/user downtime
Attacking the problem from a new angle are the anti-exploit products. Anti-exploits block the delivery (“dropping”) of malware in the first place, and therefore are particularly effective against zero-day attacks that traditional endpoint security hasn’t yet identified. An effective anti-exploit layer reduces the need to reimage even further—the workstation never becomes infected. And, because they operate in an earlier phase of the malware attack, anti-exploits complement, and are compatible with, common endpoint security solutions.
By wrapping endpoints in a powerful remediation layer and an anti-exploit layer, reimaging really does become only a last resort. And IT can drop the mops and buckets.
This guest blog post was written by Chad Bacher, VP of Products at Malwarebytes. See more blog posts by Chad here. Malwarebytes is a Gold sponsor of Kaseya Connect; visit them in our Sponsor Pavilion.