Malware
==Mitigation==

===Antivirus / Anti-malware software===
Anti-malware (sometimes also called [[Antivirus software|antivirus]]) programs block and remove some or all types of malware. For example, [[Microsoft Security Essentials]] (for Windows XP, Vista, and Windows 7) and [[Windows Defender]] (for [[Windows 8]], [[Windows 10|10]] and [[Windows 11|11]]) provide real-time protection. The [[Windows Malicious Software Removal Tool]] removes malicious software from the system.<ref>{{cite web|title=Malicious Software Removal Tool|url=http://www.microsoft.com/security/pc-security/malware-removal.aspx|url-status=dead|archive-url=https://web.archive.org/web/20120621103611/http://www.microsoft.com/security/pc-security/malware-removal.aspx|archive-date=21 June 2012|access-date=21 June 2012|publisher=Microsoft}}</ref> Additionally, several capable antivirus programs are available for free download from the Internet (usually restricted to non-commercial use).<ref name="PCmag">{{cite web|last=Rubenking|first=Neil J.|date=22 January 2025|title=The Best Free Antivirus Software for 2025|url=https://www.pcmag.com/picks/the-best-free-antivirus-protection|access-date=18 February 2025|archive-date=12 February 2025|archive-url=https://web.archive.org/web/20250212195340/https://www.pcmag.com/picks/the-best-free-antivirus-protection|url-status=live}}</ref> Tests found some free programs to be competitive with commercial ones.<ref name="PCmag" /><ref>{{cite news|title=Free antivirus profiles in 2025|website=antivirusgratis.org|url=https://www.antivirusgratis.org|url-status=live|access-date=18 February 2025|archive-url=https://web.archive.org/web/20250117052335/https://www.antivirusgratis.org/|archive-date=17 January 2025|language=es}}</ref><ref>{{cite web|title=Quickly identify malware running on your PC|url=https://www.techadvisor.co.uk/download/security/crowdinspect-1500-3329721|website=techadvisor.co.uk|access-date=2 September 2018|archive-date=2 September 2018|archive-url=https://web.archive.org/web/20180902220617/https://www.techadvisor.co.uk/download/security/crowdinspect-1500-3329721/|url-status=dead}}</ref>

Typically, antivirus software can combat malware in the following ways:
# '''Real-time protection:''' Anti-malware software can provide real-time protection against the installation of malware on a computer. It works in the same way as antivirus protection: the software scans all incoming [[Computer network|network]] data for malware and blocks any [[Threat (computer)|threats]] it comes across.
# '''Removal:''' Anti-malware programs can also be used solely to detect and remove malware that has already been installed on a computer. This type of anti-malware software scans the contents of the Windows registry, operating system files, and installed programs, and produces a list of any threats found, allowing the user to choose which files to delete or keep, or to compare the list against a list of known malware components and remove the files that match.<ref>{{cite web|title=How Antivirus Software Works?|url=https://antivirus.comodo.com/how-antivirus-software-works.php|access-date=16 October 2015|archive-date=12 January 2017|archive-url=https://web.archive.org/web/20170112193703/https://antivirus.comodo.com/how-antivirus-software-works.php|url-status=live}}</ref>{{Failed verification|date=July 2024|reason=These statements are not matching the info provided by the reference, although they might still be accurate.}}
# '''Sandboxing:''' [[Sandbox (computer security)|Sandboxing]] confines applications within a controlled environment, restricting their operations and isolating them from other applications on the host while limiting access to [[system resource]]s.<ref name=":3">{{Cite report|url=https://csrc.nist.gov/pubs/sp/800/83/r1/final|title=Guide to Malware Incident Prevention and Handling for Desktops and Laptops|last1=Souppaya|first1=Murugiah|last2=Scarfone|first2=Karen|date=2013-07-22|publisher=National Institute of Standards and Technology|issue=NIST Special Publication (SP) 800-83 Rev. 1|language=en}}</ref> Browser sandboxing isolates web processes to prevent malware and exploits, enhancing security.<ref name="g370" />

====Real-time protection====
A specific component of anti-malware software, commonly referred to as an on-access or real-time scanner, hooks deep into the operating system's core or [[operating system kernel|kernel]] and functions in a manner similar to how certain malware itself would attempt to operate, though with the user's informed permission for protecting the system. Any time the operating system accesses a file, the on-access scanner checks whether the file is infected. Typically, when an infected file is found, execution is stopped and the file is [[quarantine]]d to prevent further, possibly irreversible, damage to the system. Most AVs allow users to override this behaviour. This can have a considerable performance impact on the operating system, though the degree of impact depends on how many pages it creates in [[virtual memory]].<ref>{{Cite journal|last1=Al-Saleh|first1=Mohammed Ibrahim|last2=Espinoza|first2=Antonio M.|last3=Crandall|first3=Jedediah R.|date=2013|title=Antivirus performance characterisation: system-wide view|journal=IET Information Security|language=en|volume=7|issue=2|pages=126–133|doi=10.1049/iet-ifs.2012.0192|issn=1751-8717|doi-access=free}}</ref>

====Sandboxing====
[[Sandbox (computer security)|Sandboxing]] is a [[Computer security model|security model]] that confines applications within a controlled environment, restricting their operations to authorized "safe" actions and isolating them from other applications on the host.
It also limits access to system resources like memory and the file system to maintain isolation.<ref name=":3" /> Browser sandboxing is a security measure that isolates web browser processes and tabs from the operating system to prevent malicious code from exploiting vulnerabilities. It helps protect against malware, [[zero-day exploit]]s, and unintentional data leaks by trapping potentially harmful code within the sandbox. It involves creating separate processes, limiting access to system resources, running [[web content]] in isolated processes, monitoring system calls, and enforcing memory constraints. [[Inter-process communication]] (IPC) is used for [[secure communication]] between processes. Escaping the sandbox involves targeting vulnerabilities in the sandbox mechanism or the operating system's sandboxing features.<ref name="g370">{{cite web|title=What is Browser Sandboxing?|website=GeeksforGeeks|date=2024-02-19|url=https://www.geeksforgeeks.org/what-is-browser-sandboxing/|access-date=2024-07-07|archiveurl=https://web.archive.org/web/20240707050014/https://www.geeksforgeeks.org/what-is-browser-sandboxing/|archivedate=2024-07-07|url-status=live}}</ref><ref name="a944">{{cite web|title=What is browser sandboxing? How to escape the sandbox?|website=misile00's personal website|date=2024-06-15|url=https://misile00.github.io/notes/Browser-Sandboxing|access-date=2024-07-07|archiveurl=https://web.archive.org/web/20240424000722/https://misile00.github.io/notes/Browser-Sandboxing|archivedate=2024-04-24|url-status=live}}</ref> While sandboxing is not foolproof, it significantly reduces the [[attack surface]] of common threats. Keeping browsers and operating systems updated is crucial to mitigate vulnerabilities.<ref name="g370" /><ref name="a944" />

===Website security scans===
Website vulnerability scans check a website for malware, may note outdated software, and may report known security issues, in order to reduce the risk of the site being compromised.
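The two anti-malware modes described under "Antivirus / Anti-malware software" above (an on-demand ''removal'' scan that lists and quarantines matches, and a ''real-time'' check performed when a file is accessed) can be shown in miniature. The following is an added example, not code from the article or from any product it names: the signature database, file names and "malware" byte markers are all constructed for the demonstration, and the on-access check is a plain wrapper around `open()` rather than the kernel hook a real scanner uses.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed signature database. Real products carry millions of entries and
# refresh them continuously; here one hash is added at run time and two byte
# patterns stand in for family signatures.
KNOWN_BAD_SHA256 = set()
KNOWN_BAD_PATTERNS = {
    "Constructed.Dropper.A": b"CONSTRUCTED-MALWARE-MARKER-A",
    "Constructed.Worm.B": b"CONSTRUCTED-MALWARE-MARKER-B",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return the name of the matching signature, or None if the file looks clean."""
    if sha256_file(path) in KNOWN_BAD_SHA256:
        return "KnownHash"
    data = Path(path).read_bytes()
    for name, pattern in KNOWN_BAD_PATTERNS.items():
        if pattern in data:
            return name
    return None


def quarantine(path, quarantine_dir):
    """Move a detection out of its original location and record where it came from.
    The copy gets a non-executable suffix; products usually also encode the bytes
    so the stored sample is neither runnable nor re-detected by later scans."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (sha256_file(path) + ".quarantined")
    shutil.move(str(path), str(dest))
    (qdir / (dest.name + ".origin")).write_text(str(path))
    return dest


def on_demand_scan(root, quarantine_dir):
    """'Removal' mode: walk a tree, report every match and quarantine it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            sig = classify(p)
            if sig:
                findings.append((str(p), sig))
                quarantine(p, quarantine_dir)
    return findings


class AccessDenied(Exception):
    pass


def guarded_open(path, quarantine_dir, mode="rb"):
    """'Real-time' mode in miniature: check the file at the moment it is opened.
    A real on-access scanner does this from a kernel filter driver so the check
    cannot be skipped by opening the file through another path."""
    sig = classify(path)
    if sig:
        quarantine(path, quarantine_dir)
        raise AccessDenied(f"{path}: blocked by signature {sig}")
    return open(path, mode)


def scan_demo():
    """Build a throwaway directory with constructed samples and run both modes."""
    work = Path(tempfile.mkdtemp())
    disk, q = work / "disk", work / "quarantine"
    disk.mkdir()
    (disk / "notes.txt").write_bytes(b"quarterly report draft")
    (disk / "update.exe").write_bytes(b"MZ\x90\x00 CONSTRUCTED-MALWARE-MARKER-A payload")
    (disk / "setup.bin").write_bytes(b"harmless-looking installer stub")
    KNOWN_BAD_SHA256.add(sha256_file(disk / "setup.bin"))  # pretend this hash was reported

    findings = on_demand_scan(disk, q)

    # A sample dropped after the scan is caught the moment something opens it.
    dropped = disk / "invoice.scr"
    dropped.write_bytes(b"CONSTRUCTED-MALWARE-MARKER-B")
    blocked = False
    try:
        guarded_open(dropped, q)
    except AccessDenied:
        blocked = True
    with guarded_open(disk / "notes.txt", q) as f:
        clean = f.read()

    result = {
        "detected": sorted(sig for _, sig in findings),
        "remaining": sorted(p.name for p in disk.iterdir()),
        "quarantined": sum(1 for p in q.iterdir() if p.suffix == ".quarantined"),
        "blocked_on_access": blocked,
        "clean_read": clean,
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(scan_demo())
```

The on-demand pass finds the hash match and the pattern match and moves both to the quarantine directory; the file dropped afterwards is never read by the caller because `guarded_open` classifies it first. The performance cost the section mentions is visible in the design: every open now pays for a full read and hash of the file, which is why real scanners cache verdicts per file until it changes.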
===Network Segregation===
Structuring a network as a set of smaller networks, and limiting the flow of traffic between them to that known to be legitimate, can hinder the ability of infectious malware to replicate itself across the wider network. [[Software-defined networking]] provides techniques to implement such controls.

==="Air gap" isolation or "parallel network"===
As a last resort, computers can be protected from malware, and the risk of infected computers disseminating trusted information can be greatly reduced, by imposing an [[air gap (networking)|"air gap"]] (i.e. completely disconnecting them from all other networks) and applying enhanced controls over the entry and exit of software and data from the outside world. However, malware can still cross the air gap in some situations, not least because of the need to introduce software into the air-gapped network, and can damage the availability or integrity of assets on it. [[Stuxnet]] is an example of malware that was introduced to its target environment via a USB drive, damaging processes running in that environment without needing to exfiltrate data.
AirHopper,<ref name="z758">{{cite conference|last1=Guri|first1=Mordechai|last2=Kedma|first2=Gabi|last3=Kachlon|first3=Assaf|last4=Elovici|first4=Yuval|title=2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)|chapter=AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies|publisher=IEEE|date=2014|isbn=978-1-4799-7329-3|doi=10.1109/MALWARE.2014.6999418|pages=58–67|arxiv=1411.0237}}</ref> BitWhisper,<ref name="s209">{{cite conference|last1=Guri|first1=Mordechai|last2=Monitz|first2=Matan|last3=Mirski|first3=Yisroel|last4=Elovici|first4=Yuval|title=2015 IEEE 28th Computer Security Foundations Symposium|chapter=BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations|publisher=IEEE|date=2015|isbn=978-1-4673-7538-2|doi=10.1109/CSF.2015.26|pages=276–289|arxiv=1503.07919}}</ref> GSMem<ref>{{cite conference|last1=Guri|first1=Mordechai|last2=Kachlon|first2=Assaf|last3=Hasson|first3=Ofer|last4=Kedma|first4=Gabi|last5=Mirsky|first5=Yisroel|last6=Elovici|first6=Yuval|title=GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies|publisher=USENIX Security Symposium|date=2015|isbn=978-1-939133-11-3|url=https://www.usenix.org/system/files/sec15-paper-guri-update_v2.pdf|archiveurl=https://web.archive.org/web/20240301215837/https://www.usenix.org/system/files/sec15-paper-guri-update_v2.pdf|archivedate=2024-03-01|url-status=live}}</ref> and Fansmitter<ref>{{Cite arXiv|eprint=1606.05915|last1=Hanspach|first1=Michael|title=Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers|last2=Goetz|first2=Michael|last3=Daidakulov|first3=Andrey|last4=Elovici|first4=Yuval|class=cs.CR|year=2016}}</ref> are four techniques introduced by researchers that can leak data from air-gapped computers using electromagnetic, thermal and acoustic emissions.
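The "Network Segregation" section above says that splitting a network into segments and allowing only known-legitimate traffic between them hinders self-replicating malware; the value of that claim is easiest to see as a blast-radius calculation. The following is an added example, not from the article: the host inventory, segment names, allowed flows and flow log lines are all constructed, and the model assumes hosts inside one segment can reach each other freely while traffic between segments passes only if a rule lists it (default deny). The fully isolated `ot-airgap` segment, which no rule mentions, also illustrates what the "air gap" section means at the network level.

```python
from collections import deque

# Constructed inventory: host -> segment. The ot-airgap segment stands for an
# isolated "parallel network" that has no path to or from the rest.
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations", "ws-03": "workstations",
    "fs-01": "file-servers",
    "db-01": "databases",
    "ics-01": "ot-airgap", "ics-02": "ot-airgap",
}

# Flows the segment boundaries may carry: (src_segment, dst_segment, dst_port).
# Anything not listed is dropped (default deny); no rule mentions ot-airgap.
ALLOWED_FLOWS = {
    ("workstations", "file-servers", 445),
    ("workstations", "file-servers", 443),
    ("file-servers", "databases", 5432),
}


def flow_allowed(src_host, dst_host, port, hosts=HOSTS, allowed=ALLOWED_FLOWS):
    """Hosts inside one segment are assumed to reach each other freely (there is
    no choke point between them); across segments only listed flows pass."""
    src_seg, dst_seg = hosts[src_host], hosts[dst_host]
    if src_seg == dst_seg:
        return True
    return (src_seg, dst_seg, port) in allowed


def reachable_by_worm(start_host, port, hosts=HOSTS, allowed=ALLOWED_FLOWS):
    """Worst-case spread of a worm propagating over ``port`` from ``start_host``,
    assuming every host it can talk to is vulnerable: a breadth-first search over
    the hosts the policy lets it reach. This is the blast radius a design bounds."""
    seen = {start_host}
    queue = deque([start_host])
    while queue:
        cur = queue.popleft()
        for nxt in hosts:
            if nxt not in seen and flow_allowed(cur, nxt, port, hosts, allowed):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start_host}


def flat_network(hosts):
    """The same hosts with no segmentation at all, for comparison."""
    return {h: "flat" for h in hosts}


def policy_violations(observed, hosts=HOSTS, allowed=ALLOWED_FLOWS):
    """Flag observed (src, dst, port) flows the policy should never have carried.
    Run over segment-firewall or flow logs, a hit means either a misconfiguration
    or something already moving laterally; both deserve a look."""
    return [f for f in observed if not flow_allowed(f[0], f[1], f[2], hosts, allowed)]


# Constructed flow records, as a boundary device might log them.
OBSERVED = [
    ("ws-01", "fs-01", 445),   # normal file-share access
    ("ws-02", "db-01", 5432),  # a workstation talking straight to the database
    ("ws-03", "ics-01", 502),  # anything at all reaching the isolated segment
]

if __name__ == "__main__":
    print("segmented:", sorted(reachable_by_worm("ws-01", 445)))
    print("flat:     ", sorted(reachable_by_worm("ws-01", 445, flat_network(HOSTS))))
    print("violations:", policy_violations(OBSERVED))
```

With the segment policy in place a worm spreading over port 445 from a workstation reaches the other workstations and the file server and stops there; on the flat network it reaches every host. The rule set is directional, so the same worm starting on the file server reaches nothing, and the `ot-airgap` hosts never appear in any result because no rule can carry traffic to them.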
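The "air gap" section notes that the isolated network still has to take software in, and that this entry path is how malware such as Stuxnet crossed it. One of the "enhanced controls over the entry and exit of software" is an import gate that admits a file from removable media only if it matches a manifest written by the vetting station outside the gap. The following is an added example, not from the article: the manifest format, the shared key (HMAC is used only to keep the example dependency-free; a public-key signature is the usual choice) and all file contents are constructed.

```python
import hashlib
import hmac
import json

# Constructed key shared by the vetting station outside the air gap and the
# import gate inside it. Never reuse a value like this; it exists for the demo.
GATE_KEY = b"constructed-example-key"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(vetted_files, key=GATE_KEY):
    """Outside: after software has been reviewed, record each file's digest and
    authenticate the whole list. ``vetted_files`` maps file name -> bytes."""
    entries = {name: sha256_hex(data) for name, data in vetted_files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()


def admit_media(manifest_bytes, media_files, key=GATE_KEY):
    """Inside: decide, file by file, what may leave the removable media.
    Returns (admitted, rejected); rejected maps file name -> reason."""
    try:
        manifest = json.loads(manifest_bytes)
        entries = manifest["entries"]
        body = json.dumps(entries, sort_keys=True).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        authentic = hmac.compare_digest(expected, str(manifest.get("hmac", "")))
    except (ValueError, KeyError, TypeError):
        return {}, {name: "manifest unreadable" for name in media_files}
    if not authentic:
        # A manifest that does not verify tells us nothing; admit nothing.
        return {}, {name: "manifest authentication failed" for name in media_files}

    admitted, rejected = {}, {}
    for name, data in media_files.items():
        if name not in entries:
            rejected[name] = "not in manifest"        # appeared on the media in transit
        elif not hmac.compare_digest(str(entries[name]), sha256_hex(data)):
            rejected[name] = "content differs from vetted copy"
        else:
            admitted[name] = data
    return admitted, rejected


def import_demo():
    """Constructed run: two vetted files; in transit one is altered and one extra
    file shows up on the media."""
    vetted = {"patch-2024.bin": b"vetted patch contents", "driver.sys": b"vetted driver"}
    manifest = build_manifest(vetted)
    media = {
        "patch-2024.bin": b"vetted patch contents",
        "driver.sys": b"vetted driver plus unexpected bytes",
        "autorun.inf": b"[autorun]",
    }
    admitted, rejected = admit_media(manifest, media)
    return sorted(admitted), rejected


if __name__ == "__main__":
    print(import_demo())
```

The gate proves only that what arrives is byte-for-byte what was vetted; it cannot make the vetting itself correct, which is the gap Stuxnet exploited. It does close the two cheaper routes the section alludes to: a file added to the media after vetting, and a vetted file modified along the way, are both refused, and a manifest that fails authentication admits nothing at all.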