I can't find antivirus software that will tell me where malware came from once it's detected by a full scan. My current AV software is Microsoft Security Essentials and it just gives me the name of the malware, its location on my hard drive, and its threat level. What's the easiest way to figure out what website it came from? I was thinking I can determine when it was saved to my computer using the file manager or a command at the command line, then I can check a Wireshark log to see what was happening at that time. Is that really the easiest way?
asked 27 Sep '15, 16:30
One option would be to get a malware scanner that is able to scan your network data streams (HTTP, HTTPS, POP3, IMAP, MAPI, whatever). HOWEVER, even then you will not be 100% safe. Often a new malware won't be detected by the current pattern database of all AV vendors, so the malware will slip through and it will be detected only days, weeks or months later by a disk scan after a pattern was developed.
And that's exactly the problem with network forensics. Malware can sit undetected on a system for weeks/months, so you would have to collect and store the whole network traffic for that period of time (several hundred GByte or even TByte) and that's certainly impossible on a typical end-user PC/laptop.
Sorry, I don't have a technical network forensic solution for your scenario, as I believe there exists none, at least not a feasible one.
What I usually do: Use a virtual machine for Internet access (Linux based, if possible), which I reset at every start. That way a possible malware infection has the least possible impact.
answered 28 Sep '15, 01:05
Kurt Knochner ♦
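The timestamp-correlation approach the question proposes, as an added example that is not from the original thread: take the write time of the file the scanner flagged and list the HTTP requests from a capture that fall in a window just before it. The input format assumes a tab-separated `tshark -T fields` export (fields `frame.time_epoch`, `ip.dst`, `http.host`, `http.request.uri`); the sample rows and the file timestamp are constructed.

```python
"""Correlate a flagged file's write time with HTTP requests from a capture.

Constructed example. Input lines mimic the output of:
  tshark -r capture.pcapng -Y http.request -T fields \
         -e frame.time_epoch -e ip.dst -e http.host -e http.request.uri
Both frame.time_epoch and os.stat().st_mtime are Unix epoch seconds, so no
time zone conversion is needed when comparing them.
"""
import os
from dataclasses import dataclass

# Constructed sample export; real data would come from the tshark command above.
SAMPLE_EXPORT = """\
1443371400.120\t93.184.216.34\texample.org\t/index.html
1443371402.870\t203.0.113.7\tdownloads.example.net\t/setup_tool.exe
1443371530.004\t198.51.100.9\tcdn.example.com\t/style.css
"""

@dataclass
class HttpRequest:
    epoch: float
    dst_ip: str
    host: str
    uri: str

def parse_export(text):
    """Parse tshark field output; skip blank or malformed rows."""
    requests = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[0]:
            continue
        requests.append(HttpRequest(float(parts[0]), parts[1], parts[2], parts[3]))
    return requests

def requests_near(requests, file_epoch, before=60.0, after=5.0):
    """Requests in [file_epoch - before, file_epoch + after], closest first.
    A download precedes the write to disk, so the window leans earlier."""
    lo, hi = file_epoch - before, file_epoch + after
    hits = [r for r in requests if lo <= r.epoch <= hi]
    return sorted(hits, key=lambda r: abs(r.epoch - file_epoch))

def file_write_epoch(path):
    """Last-modified time of the flagged file as epoch seconds."""
    return os.stat(path).st_mtime

if __name__ == "__main__":
    detected_file_epoch = 1443371403.5  # constructed; use file_write_epoch(path)
    for r in requests_near(parse_export(SAMPLE_EXPORT), detected_file_epoch):
        print(f"{r.epoch:.3f} {r.dst_ip} {r.host}{r.uri}")
```

Widen `before` if the scanner reports a detection time rather than the file's write time, since the two can be far apart.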