Software Troubleshooting

This is a guide on software troubleshooting.


Analyze Microsoft Windows OS Problems

In this section, we want to introduce a couple of core concepts around troubleshooting and how to address the problems that come up in the environment. And the reality is, these things break all the time, which is why we all have jobs.

There is one critical thing I want to mention, everybody, just before we dive into the material. If you're going to be in the technology business, you have to get very comfortable not knowing things, because it's just impossible to know everything. It's impossible. Very recently a friend of mine had a Windows 8 laptop, not 8.1, not Blue, 8. I couldn't figure out how to shut the thing off. And I've been doing this for 35 years. So that's the kind of thing I'm talking about. Have a sense of humor about it, and be aware that we are all living in a world no one could ever have predicted. And that's going to take some adjustment.

So, first things first. You've got a system with a problem, what do you want to do? You want to isolate that problem. You want to check for common issues. Are other people experiencing this problem? Is the problem showing up in other applications? [Video description begins] Also check if other computers are experiencing the issue. [Video description ends]

The greatest source of instability in the environment is a new install, whether it's software, hardware, service packs, updates, whatever it happens to be. Any recent change to the environment is the likely cause of new instability. And so what do you do then? You roll back the driver, you uninstall the service pack, whatever it happens to be. [Video description begins] Check if anything has changed in the following: application install, hardware install, service pack, updates, or updated drivers. [Video description ends]

Can you validate what you're thinking by reproducing the problem? Can you create the same problem on a test machine? And those test machines should be sandboxed, isolated from everything else, so you can do whatever you need to do with them without putting production at risk.

This is the system checklist in the CompTIA A+ series. They refer to this as the system checklist. So imagine a scenario we're all familiar with: you're in your house or in a very small office, fewer than ten people. And there's a machine that has a printer connected to it, a physical print device, physically connected to the machine. And it's not printing. It's not talking, the printer's not showing up, whatever it is. What do you do first? Well, the first thing I do is check the physical connections. And that would be true for a network communication error too. Check the plug first; nothing else matters if the thing's not plugged in. So check your physical connections.

Then validate the integrity of the hardware. Are any of the cards loose in the case? Just look: does everything look right? Restart the machine. In the Windows world a large share of help desk calls are resolved with a restart, and that's just the reality. Go ahead and give it that soft reset. When it comes back up, check Event Viewer and the logs and reference those errors; you can look the event IDs up online and get additional information. Today many events in Event Viewer carry an Event Log Online Help link right there in the error, and you can follow that out.

If the problem persists, if these things didn't do it or we didn't find a knowledge base article or a remediation for it, what do we do? Maybe we even found on the Microsoft site that it's a known issue and there is no fix for it. If that's the case, you might choose to uninstall that feature or software completely and find another solution. Or if there is a fix, can you implement it? That will likely require uninstalling and reinstalling the affected feature, software, or hardware, whatever it happens to be.

Now, in addition to the five-step system checklist, the CompTIA A+ path has the six-step process for analyzing systems, and there's also the seven-step remediation of malware. For those of you testing, I'd encourage you to take a look at the five-, six-, and seven-step processes and be able to differentiate between them.

So the first thing is, somebody comes to you with a problem: what controls this system feature or device? What are the dependencies? Does this only occur when a particular application is running? These are the questions I want to be asking. What's happening when the problem occurs? Has this ever happened before, and if so, how frequently? Has anything been installed recently? [Video description begins] This can be either hardware or software. [Video description ends]

And commonly, of course you're not supposed to, but the recent-change question is where I shortcut to, where I always start, and then I work back. But these are the official six steps. What are the system specifications for this device or application, and does this system meet them? Because if it doesn't, there's the problem right off the bat. So these are the questions we ask as we try to determine what the problem is.

Then what do we do about it? Well, we've asked those questions, analyzed, and identified the problem. Establish a theory of probable cause: where do we see this happening, and what are the usual causes of these kinds of events? Test the theory to determine the cause. If you think it's a virus, does a scan find infected files? If you think it's running out of memory, can you check memory use? Establish a plan of action to resolve the problem. Do I need to install more RAM in that machine? Does it need a disk upgrade? Does the operating system need to be reimaged? [Video description begins] And then implement the solution. [Video description ends]

Verify full system functionality and, if applicable, implement preventive measures. If we know how we got there, maybe we can prevent ourselves from going there again. And finally, and this is the thing none of us do enough of, document the findings, the actions, and the outcomes, so that the next time this happens we have an easy way of accessing the knowledge we gained today. It's not just stuck in your head; somebody else can get at it, too. So if you don't have an in-house knowledge base, that's something you'd want to start to develop.


Troubleshoot Microsoft Windows OS Problems

In this section, we want to address the common operating system errors that we see. And what the most common ways of responding to those are.

And the first is the infamous Blue Screen of Death, or more properly, what we call a Windows stop error. [Video description begins] The acronym for Blue Screen of Death is BSoD. [Video description ends] A stop error is just that: the machine has stopped. Why? We don't know yet. And it's not uncommon for this message to flash by too fast for you to read it, so then you have to go into Event Viewer or into the dump file to find the error. Although, frankly, this is not the problem it used to be, not in my experience at any rate.

Your mileage may vary on this one, guys, but the only reason you get a stop error is that some kernel-level component has hit a fault it can't recover from. [Video description begins] The Windows Stop Error presents diagnostic information. [Video description ends] That's the nature of the Windows architecture: applications run up in user mode; device drivers and the protected, privileged operating system functions run down in kernel mode. When a user-mode process fails, only that process dies. When kernel-mode code fails, that's when I get one of these. And that happens very rarely these days, at least from what I'm seeing out there. Kernel-level rootkits can also cause this kind of problem, and that's a real hassle. [Video description begins] Kernel services and malfunctioning hardware also cause a kernel process error. [Video description ends]

Some of you may not want the machine to automatically reboot after the blue screen. You can disable that in the Control Panel. [Video description begins] By default, Windows restarts automatically after a stop error, and the on-screen message goes by too fast to read. [Video description ends] Today it's in the System applet: open the advanced system settings, then the Startup and Recovery settings, and remove the checkmark from the automatically restart box. The same dialog chooses the kind of memory dump that gets written; the dump files land under %SystemRoot% (MEMORY.DMP, or the Minidump folder for small dumps), and that's what you open when the screen went by too fast.
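The following is an added example, not part of the course: a PowerShell triage for stop errors that pulls the recent bugcheck events, shows how crash handling is configured, turns off the automatic restart the text describes, and lists the dumps. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the registry values under CrashControl are what the Startup and Recovery dialog writes.

```powershell
# Added example (not course material): stop-error triage on a Windows 10 host.
# Assumes an elevated Windows PowerShell 5.1 session.

$since = (Get-Date).AddDays(-30)

# 1. Recent bugchecks. After a crash, Windows Error Reporting logs event 1001 in the
#    System log with the stop code and dump path; an abrupt power-off shows up as
#    Kernel-Power event 41 with no bugcheck record.
$bugchecks = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    Id           = 1001
    StartTime    = $since
} -ErrorAction SilentlyContinue

foreach ($e in $bugchecks) {
    # Message text: "The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (...)".
    if ($e.Message -match 'bugcheck was: (0x[0-9A-Fa-f]+)') {
        '{0:u}  stop code {1}' -f $e.TimeCreated, $Matches[1]
    }
}

$powerLoss = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41; StartTime = $since
} -ErrorAction SilentlyContinue
"Unexpected shutdowns (Kernel-Power 41) in the last 30 days: $(@($powerLoss).Count)"

# 2. How crash handling is configured. These values back the Startup and Recovery dialog.
$ccPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc = Get-ItemProperty $ccPath
[pscustomobject]@{
    AutoReboot       = [bool]$cc.AutoReboot
    CrashDumpEnabled = $cc.CrashDumpEnabled   # 0 none, 1 complete, 2 kernel, 3 small, 7 automatic
    DumpFile         = $cc.DumpFile
    MinidumpDir      = $cc.MinidumpDir
}

# 3. Keep the stop screen on screen: this is the "Automatically restart" checkbox.
Set-ItemProperty $ccPath -Name AutoReboot -Value 0

# 4. The dumps themselves, ready for WinDbg.
Get-ChildItem "$env:SystemRoot\Minidump", "$env:SystemRoot\MEMORY.DMP" -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

The stop code from step 1 is the thing to search for; the dump from step 4 is what you hand to a debugger when the search doesn't settle it.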

With devices, with hardware, I want to make sure I follow the manufacturer's instructions precisely. And I'll tell you, it's a good idea to search the forums. Your manufacturer, and they all do, has a user forum. Go into the forum and ask for feedback on installations of this device in an environment like yours, some general sense of the specifications. You'll get responses from people about how it went and where they ran into problems. Take that experience and avoid those pitfalls. And if there are common problems with it, you'll likely find an existing thread and head off an issue before it happens.

When we do run into these problems, what are some of the solutions we commonly find? Well, in the case of an updated driver, we almost always know immediately that that's the problem: I installed the updated driver, it's not compatible with Windows 10, so roll it back. We consult the manufacturer's guidance; the manufacturer ought to know where their machines break and how to fix them. And a lot of times we need a BIOS or firmware update. I've got this problem right now with my television. It won't play YouTube. I need to flash the BIOS. So I'm going to download those drivers and we'll get the TV working on YouTube again.

Service failures, when a service fails to start. What could stop a service from starting? Well, services run under a security context: LocalSystem, Network Service, Local Service, or a specific service account. If that account can't log on, because the password changed or expired or the account was disabled, the service fails to start and the Service Control Manager records it as a logon failure. Or the machine was logged in with cached credentials because no network connection was available at logon: a guy comes into the place with a laptop, he hasn't connected to the Wi-Fi yet, but he logs in. A service that needs the network connection and the domain authentication doesn't have it, and so the service stops.

Resource conflicts, whether that's services competing for access to the physical resources on the machine, or to a logical component installed on the machine. Or a service dependency, that is to say, a service this one depends on hasn't started. That's commonly one of the first things I'd want to look at, the service dependencies. [Video description begins] Another remediation is to restart services. [Video description ends]

And so in the Services console (services.msc), if you open any service's properties, there's a Dependencies tab where I can see what other services it depends on and which services depend on it, and I can go right down the list. Although I've found that if you sort by Startup Type, Automatic, Automatic (Delayed Start), Manual, whatever, and then look down the list of Automatic services and see which ones don't show Running under Status, you'll commonly identify the failed service quickly that way, if it's not otherwise obvious.
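An added example, not from the course, that does the Startup Type check from the text in PowerShell and then follows up with the two things you want next: the dependency chain of each stopped service and what the Service Control Manager logged about it. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the event IDs are the SCM's own.

```powershell
# Added example (not course material): find the failed service and why.
# Assumes elevated Windows PowerShell 5.1 on Windows 10.

# 1. Services set to start automatically that are not running: the sort-by-Startup-Type check.
$notRunning = Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }
$notRunning | Select-Object Name, DisplayName, Status

# 2. For each one, what does it require, and is that requirement up? A stopped
#    dependency explains a service that "just won't start" with no error of its own.
foreach ($svc in $notRunning) {
    $required = Get-Service -Name $svc.Name -RequiredServices -ErrorAction SilentlyContinue
    foreach ($r in $required) {
        if ($r.Status -ne 'Running') {
            '{0} requires {1}, which is {2}' -f $svc.Name, $r.Name, $r.Status
        }
    }
}

# 3. Which account each stopped service runs as. A service account whose password
#    changed or expired is the classic cause of a logon-failure start error.
Get-CimInstance Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
    Select-Object Name, StartName, State, ExitCode

# 4. What the Service Control Manager logged in the last week.
#    7000 failed to start, 7001 a dependency failed, 7009 start timeout,
#    7034 terminated unexpectedly, 7041 logon failure.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7001, 7009, 7034, 7041
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 5. Once the dependency or credential is fixed, start the service; Start-Service
#    starts required services first.
# Start-Service -Name <ServiceName>
```

Step 2 is the one people skip: the service that shows the error is often not the one that is actually broken.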

In terms of boot errors, especially for the A+ test, guys, you want to be familiar with these two: an invalid boot disk and an inaccessible boot drive. In the case of an inaccessible boot drive (Windows reports it as the INACCESSIBLE_BOOT_DEVICE stop error), commonly the drive is not operational: there's a physical problem, a failed drive or a loose data cable, or Windows can no longer load the storage driver it needs to reach the disk, which happens after a controller mode change in firmware (AHCI to RAID, say) or a hardware swap. [Video description begins] The fix for an inaccessible boot drive is to verify that the drive is operational. [Video description ends]

The invalid boot disk is commonly that the boot order starts with a device other than the hard disk, and that device isn't a valid boot device. I left a USB stick in, and USB is configured first in the boot order. So with these errors, we always enter the BIOS or UEFI setup and validate the boot order, and make sure the disk that holds the operating system is the one we point to as our first boot device. [Video description begins] The fix for an invalid boot disk is to remove media from the booting drive. [Video description ends]

Be aware, if you go into the advanced startup options (F8 on Windows 7; on Windows 8 and later the F8 menu is off by default, so you hold Shift while clicking Restart, or boot from installation media, and go to Troubleshoot and then Advanced options) and open the recovery environment's command prompt, there's a tool called BOOTREC. [Video description begins] BOOTREC.EXE is a WinRE tool for Vista and later. [Video description ends] This tool is designed to diagnose and fix boot sector errors, master boot record errors, and Boot Configuration Data store errors. [Video description begins] The acronym for Master Boot Record is MBR and the acronym for Boot Configuration Data is BCD. [Video description ends]
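As an added example, not from the course, here is the BOOTREC repair sequence as it is actually typed in the recovery environment, plus the UEFI case where the boot-sector step is not enough. bootrec, bcdedit, diskpart and bcdboot are ordinary executables, so the same lines work verbatim in the WinRE cmd.exe prompt. The disk and partition numbers are assumptions for the example; check them with diskpart on the machine in front of you.

```powershell
# Added example (not course material): boot-sector and BCD repair from the
# Windows Recovery Environment command prompt. Disk/partition numbers are placeholders.

# Before you need it, from the running OS: bring back the F8 boot menu on Windows 8+.
# bcdedit /set '{default}' bootmenupolicy legacy

# --- In WinRE (Troubleshoot > Advanced options > Command Prompt) ---

# Rewrite the master boot record; leaves the partition table alone (BIOS/MBR disks).
bootrec /fixmbr

# Write a fresh boot sector to the system partition.
bootrec /fixboot

# Look for Windows installations that are missing from the BCD store...
bootrec /scanos

# ...and rebuild the store, offering to add each installation it found.
bootrec /rebuildbcd

# See what the store looks like now.
bcdedit /enum

# On UEFI systems "bootrec /fixboot" commonly fails with "Access is denied".
# The supported route is to mount the EFI system partition and regenerate the
# boot files from the Windows directory:
#   diskpart
#     list disk
#     select disk 0          <- the disk that holds Windows (placeholder)
#     list partition
#     select partition 1     <- the small (~100 MB) EFI System partition (placeholder)
#     assign letter=S
#     exit
#   bcdboot C:\Windows /s S: /f UEFI
```

If you suspect a bootkit rather than plain corruption, image the disk before running any of this; the repair overwrites exactly the sectors you would want to examine.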

Finally, in terms of common operating system issues: applications fail to install, start, or load. That will commonly be caused by version incompatibility with the operating system, they've got the wrong version of the software for their OS, or by hardware incompatibility. It can also happen if there are permission problems: the application needs a certain security context, and the user doesn't have the rights for it.

To remediate these issues, with permission problems we either elevate somebody's privileges, or figure out a way to shim that application with an application compatibility fix so it doesn't need those elevated privileges. Beyond that, we look at applying updates, repairing the application, or uninstalling and reinstalling the app.

This is a look at some of the most common Windows operating system problems and their most common fixes.


Common Symptoms and Solutions

In this section, we want to talk about common Windows operating system problems, the common problems and the common solutions. And if it's on this list, guys, you do want to maybe take some notes here or be aware of what the guidance is for this item, if you're planning on taking the test.

The first is slow performance. And what slows the machine down? Running out of disk space will slow a machine down when nothing else is wrong. Wherever possible, I keep the disk 50% empty, or I outfit the machine with a second physical drive, not a second logical partition but a second physical drive, and offload the page file, the virtual memory file, to that disk. Then I worry less about how much data the user actually sticks on the system disk. If they get to 60, 70, 80%, I don't care, because I've got that virtual memory on a separate physical disk, a separate spindle, separate heads reading and writing to that platter. That helps ensure real performance over the long term.

Slow performance can be caused by any of the four subsystems: disk, memory, processor, and network. Open Task Manager today and the Performance tab graphs each of them. You can see which one's getting hit, and then go from there.
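The following is an added example, not from the course, that checks the three things the last two paragraphs raise: how full each fixed disk is, whether the page file really sits on a different physical disk from the OS (a second partition on the same spindle does not count), and which of the four subsystems is busy. It assumes Windows PowerShell 5.1 on Windows 10 with English counter names; the 50% threshold is the text's rule of thumb and is a tunable assumption.

```powershell
# Added example (not course material): performance triage for the four subsystems.
# Assumes Windows PowerShell 5.1 on Windows 10; counter paths use English names.

# 1. Disk space. Flag fixed volumes below the free-space threshold (text's rule: 50%).
$freeThresholdPct = 50   # assumption for this example; tune for your fleet
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $pctFree = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
    [pscustomobject]@{
        Drive   = $_.DeviceID
        SizeGB  = [math]::Round($_.Size / 1GB, 1)
        FreePct = $pctFree
        Flag    = if ($pctFree -lt $freeThresholdPct) { 'LOW' } else { '' }
    }
}

# 2. Page file placement. Compare physical disk numbers, not drive letters.
$sysLetter = $env:SystemDrive.Substring(0, 1)
$osDisk    = (Get-Partition -DriveLetter $sysLetter).DiskNumber
Get-CimInstance Win32_PageFileUsage | ForEach-Object {
    $pfLetter = $_.Name.Substring(0, 1)
    $pfDisk   = (Get-Partition -DriveLetter $pfLetter).DiskNumber
    [pscustomobject]@{
        PageFile       = $_.Name
        CurrentMB      = $_.CurrentUsage
        PeakMB         = $_.PeakUsage
        OnSeparateDisk = ($pfDisk -ne $osDisk)
    }
}

# 3. Five one-second samples of CPU, memory, disk and network, so you can see
#    which subsystem is pegged without opening Task Manager.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)
Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 5 | ForEach-Object {
    $_.CounterSamples | Select-Object @{n = 'Time'; e = { $_.Timestamp }},
                                      Path,
                                      @{n = 'Value'; e = { [math]::Round($_.CookedValue, 1) }}
} | Format-Table -AutoSize
```

A sustained disk queue length above the number of spindles, with free memory near zero, is the page-file-on-the-system-disk pattern the text is warning about.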

Limited connectivity. These days that's usually a client-side issue, typically no DHCP lease, so the adapter falls back to a 169.254.x.x APIPA address, or the wireless access point is down, something like that. Failure to boot. You look at this list: no operating system found, failure to boot, application crashes. If you're getting those regularly across lots of users, there's a problem, an endemic problem.

Blue screens, black screens, I don't see these the way we used to, certainly. I know the Windows 10 machine I'm on has been up and running for about two years now. It was a Windows 7 machine before it was a Windows 10 machine, and I have not encountered a single blue screen on this thing, not one. And when I do encounter them out there, I don't have time to figure out what went wrong. I mean, I don't know about you, but that was the job in 1995. That's not the job today. [Video description begins] Other Windows OS problems include: printing issues, services fail to start, slow bootup, and slow profile load. [Video description ends]

Today, if I'm seeing a lot of this stuff, what do I want to do? I don't want to defrag the hard drive, I want to reimage and reload the OS: wipe that machine clean, restore the user data from backup, and move on. And if that doesn't fix it, send that piece of hardware back to whoever we leased it from.

Now, that's not the world that everybody lives in, I understand that. But we have moved out of the PC age, my friends. I do want to mention something here. I realized recently that if I didn't learn some new stuff, I was going to be obsolete in about five years. Because our whole industry is moving away from this focus on individual machines and into a focus on delivering the services. And machines are easily replaced. If I have an automated deployment mechanism using Windows Deployment Services or another deployment service, image deployment service, there's no reason I can't reimage and reload that machine and load the user data back from backup, and get on with my life. [Video description begins] Other common solutions include: reboot, kill tasks, and update network settings. [Video description ends]

Now, for the purposes of the test, I'm going to back up here. With black screens, you're commonly looking at a display issue, so I check the display adapter, the cable, and the display drivers. With blue screens, that's a kernel-level error. So a little bit of investigation there, and if it happens repeatedly, either the hardware's got to go back or the device has to be reimaged. Commonly we reimage first, and if that's still a problem, we send that piece of hardware back.

Application crashes: I want to know why. Why am I having these application crashes? Because today, from the Microsoft suite of things, the document formats are XML-based and built to standards, and the core Windows APIs have been stable from Windows 7 through Windows 10, so all of the vendors out there have had them for generations of the operating system. I should not be seeing this. If I am, I want to know why. Am I getting out-of-memory errors? Is the machine just not scaled to do what I'm asking it to do? Am I getting processor overhead? Are there too many operations being run on this machine?

Failure to boot and no OS found. Commonly that's a bad boot order (the firmware trying a device with no operating system on it), a corrupted boot sector or BCD store, a boot sector virus or bootkit, which is a kernel-level rootkit that loads before the OS does, or a hardware failure: the disk that holds the operating system has failed.

Printing issues. I'm going to check the printer and the drivers. Services fail to start, we talked about that one already. Slow boot up and slow profile load. Commonly, this is around group policy processing.

Now, troubleshooting group policy processing is a little outside the scope of this course. But you do want to be aware that you can create environments where lots of interesting exceptions to the rules get made. With loopback processing, I can have the computer's policy decide which user settings apply instead of the user's own location in the directory. If I need to, I can rely on features of group policy like slow link detection: if the person is dialing in or coming in over a slow network connection, we don't process the expensive pieces, like software installation or folder redirection, over that link.

Defragging the hard drive should be set as a scheduled operation (Windows 10's Optimize Drives task does this for spinning disks and trims SSDs rather than defragmenting them). A reboot fixes a large share of help desk calls. Kill the task: you've got a task that won't shut down, you can kill it from PowerShell, from the command prompt, or in Task Manager. If I'm having network communication problems, I might need to update the network settings: am I talking to the right DNS server? And when all else fails, reimage and reload; for me that's really my first option. If I get a problem machine, wipe it and load it. If you just had updates and then problems started, roll back the updates.

Check your boot order, especially for "system failed to find an operating system" or "no operating system was detected". Disable Windows services and applications if that's what's giving you the problem. You can disable automatic application startup in msconfig on Windows 7, or on the Startup tab of Task Manager on Windows 8 and later. Boot to Safe Mode; everybody ought to know what Safe Mode is: a limited run of the operating system with only a minimal set of drivers and services loaded. And finally, you might have to rebuild Windows profiles. But again, if you're at that level, I'll just reimage and reload the OS personally. That's because I've got an automated solution to do it. If you don't have an automated solution, I'd encourage you to look at one.
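An added example, not from the course, that puts the common-solutions list from the last few paragraphs into commands: killing a stuck process, listing what starts automatically, finding the updates installed most recently so you know what to roll back, flagging the next boot for Safe Mode with Networking, and listing profiles before you rebuild one. It assumes elevated Windows PowerShell 5.1 on Windows 10; the process name and KB number are placeholders, and the lines that change the machine are commented so the block can be run as a read-only pass first.

```powershell
# Added example (not course material): the "common solutions" list as commands.
# Assumes elevated Windows PowerShell 5.1 on Windows 10. Placeholders are marked.

# Kill a task that will not close: graceful stop first, then force.
$proc = 'notepad'   # placeholder process name
Stop-Process -Name $proc -ErrorAction SilentlyContinue
Stop-Process -Name $proc -Force -ErrorAction SilentlyContinue
# cmd equivalent: taskkill /IM notepad.exe /F

# What starts automatically (the msconfig / Task Manager Startup tab list), with
# where it is registered, so you can disable the right entry.
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User

# If trouble began right after patching, these are the candidates to roll back.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn, Description
# Roll one back (placeholder KB number):
# wusa /uninstall /kb:1234567 /quiet /norestart

# Next boot goes to Safe Mode with Networking; remove the flag when you are done,
# or the machine keeps booting into Safe Mode.
# bcdedit /set '{current}' safeboot network
# bcdedit /deletevalue '{current}' safeboot

# Profiles on the box, with whether each is loaded right now. A profile that
# shows Status 1 (temporary) or will not load is the "rebuild the profile" case.
Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special } |
    Select-Object LocalPath, LastUseTime, Loaded, Status
```

Run the read-only parts first; the commented lines are the ones that change state and each needs a deliberate decision.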

This is a look at some of the most common problems and common solutions in Windows today.


Common Security Issues

In this section, we want to talk about some of the specific security issues that come up.

And to be clear from the outset, the answer to many of these may be your antivirus or antimalware solution. These days when we see these kinds of problems, I'm commonly dealing with one of two things. I've got a machine that's been upgraded two or three times: it was a Windows 7 machine, then 8.1, now Windows 10. It's been in service for five years, the disk drive is failing, it's running out of disk space; that's a machine that needs to be replaced. And the other big thing, of course, is infections, and this persists. This is a very real problem that we all wrestle with every day. You know, maybe not every day, but that's only because you didn't notice it that day.

So in the world we're living in today, having the Windows Defender antimalware running, or a third-party solution in its place (on Windows 10, Defender's real-time protection steps aside when another antivirus registers, so don't try to run two real-time engines at once), is going to be the recommended course of action, along with user education, especially around email attachment handling. Even when we think we know who it's from, if the message says new security rules force you to enter your network credentials when you open this attachment, and this is not the security officer talking, you should immediately be suspicious. If you have not had emails from the corporate security chief, if you have not been prepared for the rollout of this new option, you should be suspicious immediately. And you want to train your users to be suspicious too.

Now, if it's not a virus, and how do we get to the fact that it's a viral concern? Well, we do the other things first. So in the case of pop-ups, I put a pop-up blocker on, and of course it should have been on from the beginning.

Browser redirection. Now, this can be a real sticky wicket, as the British used to say. If it's only the active session, you reboot the machine, don't reconnect to that website, and the problem shouldn't come back. If it survives that, you've got an infection in all likelihood: a browser hijack typically lives in a modified hosts file, changed DNS or proxy settings, a malicious extension, or a browser policy the malware set. For a browser hijack, I'm almost always going to have to remove the browser and reinstall it, or fall back to a system restore point from before the infection occurred, one of those two things. And both are commonly going to involve restoring user data to the machine if the user's data is on that machine.
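The following is an added example, not from the course, that checks the places a persistent browser redirect usually hides before you reach for reinstall or restore: the hosts file, per-user and system proxy settings, the DNS servers on each adapter, the registered handler for https links, and the machine-level browser policy keys that can force-install an extension or set a home page. It assumes elevated Windows PowerShell 5.1 on Windows 10 with Chrome or Edge; the output is for you to compare against what your build should look like, it does not decide for you.

```powershell
# Added example (not course material): where a browser redirect usually hides.
# Assumes elevated Windows PowerShell 5.1 on Windows 10.

# 1. hosts file: anything beyond comments and the localhost lines deserves a look.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
'--- hosts entries ---'
Get-Content $hosts | Where-Object {
    $_.Trim() -ne '' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
}

# 2. Per-user proxy and proxy auto-config. A PAC URL nobody set is a classic redirect.
$is = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[pscustomobject]@{
    ProxyEnable   = $is.ProxyEnable
    ProxyServer   = $is.ProxyServer
    AutoConfigURL = $is.AutoConfigURL
}
# System-wide WinHTTP proxy, used by services and Windows Update:
netsh winhttp show proxy

# 3. DNS servers on every adapter; compare with what DHCP or the build should hand out.
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses

# 4. Which program handles https links. An unfamiliar ProgId here is a hijack.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice' |
    Select-Object ProgId

# 5. Machine browser policy. Chrome and Edge honour these keys; malware sometimes
#    sets them (for example ExtensionInstallForcelist or HomepageLocation).
foreach ($k in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
    if (Test-Path $k) {
        "Policy key present: $k"
        Get-ItemProperty $k
        Get-ChildItem $k -Recurse | ForEach-Object { $_.PSPath; Get-ItemProperty $_.PSPath }
    }
}
```

On an unmanaged home or small-office machine, steps 2 and 5 should come back empty; anything there is either yours or the attacker's.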

Your spam filter should be on and running to prevent spam, so that isn't the issue. Internet connectivity: where do you go any time you have a connectivity issue? You go into the TCP/IP settings. Does the machine have a valid IP address for the network segment it's on? Is it configured with a default gateway so it can leave that segment? Is it configured with the DNS server that answers its requests? Commonly there's a DNS server on site that does Active Directory DNS lookups, and it's configured to forward Internet requests out to your ISP's DNS server, or to the Google DNS servers, some resolver on the Internet. Is this machine getting those configurations?

Now, if that's all true, what else could be wrong? Well, did you check the plug? Is the network cable plugged in? That's the first thing you check. Is the machine locking up? That often happens because of disk space, and not because the machine is looking to write data to the disk, except in as much as it's writing to the page file. If I've got client machines with a single physical disk, I can't offload the page file to a separate spindle, which is what I'd always want to do. And if I can't do that, I'd prefer to keep about 50% of the disk free for virtual memory. I know that seems crazy and way too much, but I assure you, watch your machines. Do performance testing on a Windows machine: on a single-disk machine, when that disk hits 50% full, watch how the performance degradation sets in.
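An added example, not from the course, that walks the connectivity checklist from the two paragraphs above in order: link state (the plug), address validity including the APIPA case behind "limited connectivity", reachability of the default gateway, and whether the configured DNS server resolves an internal and an external name, which separates a broken forwarder from a broken resolver. It assumes Windows PowerShell 5.1 on Windows 10; the internal host name is a placeholder.

```powershell
# Added example (not course material): TCP/IP triage in the order the text gives.
# Assumes Windows PowerShell 5.1 on Windows 10. 'dc01.corp.example' is a placeholder.

# 0. "Did you check the plug?" Link state first.
Get-NetAdapter | Select-Object Name, Status, LinkSpeed, MacAddress

# 1. Valid address for this segment? 169.254.x.x means no DHCP lease (APIPA).
$cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4Address }
foreach ($c in $cfg) {
    $ip = $c.IPv4Address.IPAddress
    [pscustomobject]@{
        Adapter = $c.InterfaceAlias
        IPv4    = $ip
        Gateway = $c.IPv4DefaultGateway.NextHop
        DNS     = (($c.DNSServer | Where-Object AddressFamily -eq 2).ServerAddresses) -join ', '
        APIPA   = ($ip -like '169.254.*')
    }
}

# 2. Can we leave the segment? Reach the default gateway.
$gw = ($cfg | Where-Object IPv4DefaultGateway | Select-Object -First 1).IPv4DefaultGateway.NextHop
if ($gw) { "Gateway $gw reachable: $(Test-NetConnection -ComputerName $gw -InformationLevel Quiet)" }
else     { 'No default gateway configured' }

# 3. Does the configured DNS server answer, for an internal and an external name?
#    Internal works + external fails = the forwarder is the broken piece.
$dnsV4  = ($cfg | Select-Object -First 1).DNSServer | Where-Object AddressFamily -eq 2
$server = $dnsV4.ServerAddresses | Select-Object -First 1
if ($server) {
    foreach ($name in 'dc01.corp.example', 'www.microsoft.com') {
        $ok = [bool](Resolve-DnsName -Name $name -Server $server -Type A -ErrorAction SilentlyContinue)
        "{0} via {1}: {2}" -f $name, $server, $(if ($ok) { 'resolves' } else { 'FAILS' })
    }
}

# 4. If step 1 showed APIPA, renew the lease; if answers were stale, flush the cache.
# ipconfig /release ; ipconfig /renew ; ipconfig /flushdns
```

Each step assumes the previous one passed; there is no point testing DNS on an adapter that is sitting on an APIPA address.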

If you get a rogue antivirus, this is the one where it says "download this free antivirus tool", and the user does, and of course it's a malicious payload. There's almost never anything you can do but reimage that machine. If operating system updates are failing, does the machine have a communication channel to the update server, whether that's Windows Update or your WSUS server? Is it properly configured to poll that update server at regular intervals? What are the configuration settings there, and are they in line with what you know the settings should be? [Video description begins] In other words, verify update settings. [Video description ends]

This one I put separately because, my friends, if you have system files that are renamed, files that are disappearing, or files whose permissions have suddenly changed, you have malware: a virus, a rootkit, something. And you're going to want to reimage that machine if you can't clean it out with your antivirus and antimalware.
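The following is an added example, not from the course, for the renamed, missing or re-permissioned system file case: check that Defender is actually running and what it has seen, update and scan, repair the component store and protected files, and then do the two checks a scanner does not do for you, looking for unsigned or hash-mismatched binaries and for System32 files whose owner is no longer TrustedInstaller or SYSTEM. It assumes elevated Windows PowerShell 5.1 on Windows 10 with Windows Defender; the signature sweep is slow and a healthy machine still returns a short list, so read it rather than alarm on it.

```powershell
# Added example (not course material): integrity checks for tampered system files.
# Assumes elevated Windows PowerShell 5.1 on Windows 10 with Windows Defender.

# 1. Defender state and recent detections.
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID, ProcessName, Resources

# 2. Fresh signatures, then a full scan (a quick scan skips most of the disk).
Update-MpSignature
Start-MpScan -ScanType FullScan

# 3. Repair the component store, then let SFC replace altered protected files.
#    Details go to $env:SystemRoot\Logs\CBS\CBS.log (look for "[SR]" lines).
Dism /Online /Cleanup-Image /RestoreHealth
sfc /scannow

# 4. Executables in System32 that are unsigned or whose signature no longer matches
#    the file. HashMismatch on a Microsoft binary is the one to chase first.
$suspect = Get-ChildItem "$env:SystemRoot\System32" -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ File = $_.FullName; Status = $sig.Status; Modified = $_.LastWriteTime }
        }
    }
$suspect | Sort-Object Modified -Descending | Format-Table -AutoSize

# 5. Files whose owner changed. Protected files are owned by TrustedInstaller (or
#    SYSTEM); anything else means something took ownership to rewrite the ACL.
Get-ChildItem "$env:SystemRoot\System32\*.dll" | ForEach-Object {
    $owner = (Get-Acl -Path $_.FullName).Owner
    if ($owner -notmatch 'TrustedInstaller|SYSTEM') { '{0}  owner={1}' -f $_.Name, $owner }
}
```

If step 4 or 5 turns up Microsoft binaries with changed hashes or owners, that is the reimage case from the text; cleaning individual files on a box where the kernel may already be lying to you is not worth the time.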

The security tools that we use against these emergent threats to the 21st century Internet include our antivirus software, our antimalware software. [Video description begins] Also known as antispyware. [Video description ends]

The Recovery Console, which on Windows XP was a separate command-line environment and on Vista and later is the Windows Recovery Environment (WinRE), I get into through the Advanced Startup Options: as the machine is booting, before the Windows logo displays, I hit F8 (on Windows 8 and later, Shift+Restart or installation media). That brings me in there, where I can also do system restores. Now, you've got to be careful with system restores. If you fall back to a restore point taken when the malware was already present, you're just putting the infection back. You have to know that the restore point is a clean one.

Pre-installation environments. Everybody should know that if I want to boot Windows in memory, maybe so that I have exclusive access to the boot sectors on the disk and can clean out a boot sector virus, then I need to boot a different operating system from the one on the disk. That's the Windows PE environment, the pre-installation environment. It's a minimal Windows, booted from removable media and run from a RAM disk in system memory, so your boot sector cleaner has access to sections of the disk it otherwise wouldn't, and the boot sector virus never gets to load its code ahead of the installed operating system. We get into it through the Windows Recovery Environment, which I either preload on my Windows image or launch from the install DVD.

And, finally the Event Viewer, my best friend and the first place I go whenever anything goes wrong.

This is a look at some of the common security issues.


Specific Security Issues

In this section, we want to address some specific security issues.

One of the things we see happening with web-based email accounts, Hotmail, Yahoo, Gmail, those sorts of things, is that they get hijacked. It can happen with your on-premises solution too, but then there's generally a bigger problem. With a hijacked account, it's best to really shut it down if you can, contact the provider and shut it down; at minimum, change the password from a machine you trust, revoke any sessions the attacker has open, and check for forwarding rules and recovery addresses the attacker added. You'll also want to remove and reinstall the browser at the very least, and then consult the vendor's documentation based on what you think the apparent threat was.

Automated replies to mail you never sent. It appears to be a reply to an email you sent, but you never sent it. Either somebody is spoofing your address as the sender of their spam and you're getting the bounces, or your account has been compromised and is sending mail, or it's a phishing lure dressed up as a reply. You want to make sure your email solution includes anti-phishing rules, so I can enforce those rules on everything: scan incoming email, do heuristic analysis, look for the signs of a phishing email. And I should say again, antivirus and antimalware can also be the fix for these, and if not that, then one of these.

Invalid certificate, root CA. If I'm communicating with somebody outside my organization, I may well need to get a copy of their root CA certificate and publish it to my machines' Trusted Root Certification Authorities store (not Trusted Publishers, which is for code-signing certificates). So there are two things there. There's who issued the certificate: I have to trust that CA. And then the server that actually performs whatever authentication you're having trouble with may need the partner's CA certificate installed on it too. We commonly see that in mutual TLS (mTLS) solutions, where you've got certificate-based machine authentication in both directions, so each side has to trust the CA that issued the other side's certificate. [Video description begins] Also, if the certificate has expired, the fix is to issue a new certificate. [Video description ends]
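As an added example, not from the course, the function below connects to a TLS endpoint, takes the certificate it presents, builds the chain against the local machine's trusted roots the way Windows would, and reports the three things behind an "invalid certificate" complaint: an untrusted issuer, an expired certificate, and a name that does not match. It assumes Windows PowerShell 5.1 on .NET Framework and a placeholder partner host; the validation callback inside it deliberately accepts everything so the handshake completes for inspection, which is never acceptable in production code.

```powershell
# Added example (not course material): inspect the chain a TLS endpoint presents.
# Assumes Windows PowerShell 5.1 (.NET Framework). 'partner.example' is a placeholder.

function Get-TlsChainReport {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Callback returns $true so we can look at a bad certificate ourselves.
        # Never copy this into anything that carries real traffic.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }

    # Build the chain against this machine's stores, as the OS would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # turn on when the network can reach the CRL/OCSP
    $null = $chain.Build($leaf)

    # Subject alternative names; -like handles both exact and wildcard entries.
    $names = @($leaf.DnsNameList | ForEach-Object { $_.Unicode })

    [pscustomobject]@{
        Subject    = $leaf.Subject
        Issuer     = $leaf.Issuer
        NotAfter   = $leaf.NotAfter
        Expired    = ($leaf.NotAfter -lt (Get-Date))
        NameMatch  = [bool]($names | Where-Object { $HostName -like $_ })
        ChainOK    = ($chain.ChainStatus.Count -eq 0)
        ChainError = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Root       = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

Get-TlsChainReport -HostName 'partner.example'

# ChainError "UntrustedRoot" means the partner's root goes into the machine's
# Trusted Root store (not Trusted Publishers). For mutual TLS the server side does
# the same with the CA that issued the client certificates.
# Import-Certificate -FilePath .\partner-root.cer -CertStoreLocation Cert:\LocalMachine\Root
```

Expired shows up as NotTimeValid in ChainError as well as in the Expired column; the fix for that one is a new certificate, not a trust change.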

The System and Application log errors, take a look in there; that's where these security-related issues are going to be reported. [Video description begins] In other words, research the errors. [Video description ends] Now, you may be thinking, wouldn't they be reported to the Security log? No. What gets reported to the Security log are only the results of the audit events you have enabled; otherwise nothing gets reported there at all.

Access denied. The first thing I want to do is check permissions. If I just put the guy in a group to give him those permissions, he's got to log back in. When your access token is constructed at authentication, that's when the list of groups you're in gets attached to your user account. Then, as you traverse the network, the server you connect to builds its own token from the group list in your Kerberos ticket and says, okay, you're in these groups, I can give you these permissions. So you have to force a new token to be generated by logging off and back on. For a remote server, purging your cached Kerberos tickets and reconnecting will often pick up the new group without a full logoff, since the new ticket carries the updated group list, but the local interactive token only changes at logon.
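The following is an added example, not from the course, that makes the token explanation above visible: it lists the groups in the current session's access token, asks the directory which groups the user is in now, and prints the difference, which is exactly the set of memberships that will not take effect until a new token exists. It assumes Windows PowerShell 5.1 on a domain-joined Windows 10 machine with the ActiveDirectory RSAT module installed; the share name at the end is a placeholder.

```powershell
# Added example (not course material): token groups vs. directory groups.
# Assumes Windows PowerShell 5.1, domain-joined, ActiveDirectory module present.

# 1. Groups baked into the access token of the current session (fixed at logon).
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}

# 2. Groups the directory says the user is in right now.
Import-Module ActiveDirectory
$dirGroups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
    ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }

# 3. Memberships present in the directory but missing from the token: added after
#    logon, so "access denied" is expected until the token is rebuilt.
$pending = Compare-Object -ReferenceObject @($tokenGroups) -DifferenceObject @($dirGroups) |
    Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
if ($pending) { 'Not yet in token:'; $pending } else { 'Token and directory agree.' }

# 4. For a file server or share, the remote side builds its token from the groups in
#    the Kerberos ticket. Purge tickets and reconnect to get a fresh one; the local
#    interactive token still needs a logoff/logon.
klist purge
# net use \\fileserver\share /delete   (placeholder share)
# net use \\fileserver\share
```

Built-in local groups (Administrators, Users) show up under BUILTIN and will always appear in the token side only; that is not a mismatch.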

The specific security issues tools, the tools for resolving these issues. MSCONFIG will let me look at services, give me insight into the services that are running, and on Windows 7 it lets me configure applications that start automatically or remove them from the list so they don't. On Windows 8 and later, that startup list moved to the Startup tab in Task Manager.

In Event Viewer, we go through those logs: the Application log, where application events get reported; the Security log, where the results of auditing get reported; the System log, where system events get reported; and the Setup log, where setup errors and information events get reported. The levels of events reported into Event Viewer run from Information (the service started), to Warning (the service stopped but was restarted), to Error (the service stopped and could not be restarted), to Critical, which a source uses for a failure it can't recover from. What makes an error critical to you is when the service was associated with some role the server plays on the network: if it's a DHCP server and the DHCP service didn't start, that's critical for you, not just an error.
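An added example, not from the course, for the two Event Viewer points above: a first pass over the System and Application logs by level and source, and then the Security log side, where the first question is what audit policy is actually turned on, followed by a count of failed logons (event 4625) per source workstation once logon auditing is confirmed. It assumes elevated Windows PowerShell 5.1 on Windows 10; the level numbers are the Windows event log's own.

```powershell
# Added example (not course material): event log first pass plus audit policy check.
# Assumes elevated Windows PowerShell 5.1 on Windows 10.

$since = (Get-Date).AddHours(-24)

# 1. Critical (1) and Error (2) events in System and Application, grouped by source.
#    Levels: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose.
Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. The Security log holds only what audit policy says to record. See what is on.
auditpol /get /category:*

# 3. With Logon auditing enabled, failed logons are event 4625. A burst from one
#    workstation or IP is worth a look (password spraying, stuffed credentials).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $d.TargetUserName
            From   = $d.WorkstationName
            IP     = $d.IpAddress
            Status = $d.Status       # 0xC000006A wrong password, 0xC0000064 no such user
        }
    } | Group-Object From | Sort-Object Count -Descending | Select-Object Count, Name

# 4. If step 2 showed Logon auditing off, turn it on (domain GPO overrides local settings).
# auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

An empty result from step 3 means nothing until step 2 has confirmed that logon failures are being audited at all; that is the point the text makes about the Security log.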

WinPE, a tiny little micro-kernel operating system, lets me boot the machine, a machine with no software on it at all, no operating system, or an operating system that's non-responsive. I can boot into Windows PE and then I have exclusive access to the hard drive. I could capture an image of that hard drive, reimage it, do whatever I want in there, unlock the file system, now, assuming that it's not bitlocker. With WinPE, I can bring it to the machine on a USB and boot it from the USB. I can have it on a CD, DVD, or if you've loaded the recovery tools beforehand, there's some options in there that depend on PE.

The system recovery options. When I hit F8 and go into the advanced startup options and then I choose System Recovery options. This is what I see, Startup Repair, System Restore. Either Complete PC Restore or System Image Recovery depending on if it's Vista, 7, 8, 10. The Windows Memory Diagnostic Tools and access to a Command Prompt. And so, these tools are available to me by going into the Advanced Startup Options and hitting F8. Whether or not particular tools are available to me may depend on whether or not I've done the preliminary work to make them useful. A system restore is no good if you don't have any prior restore points. They've got to be created on an ongoing basis automatically.

And finally, there's Safe Mode. When you have a troublesome machine, the very first thing you do is try to reboot into Safe Mode with Networking, so you have network access. It loads a minimal driver set so that I can remediate the problem without the machine hanging up.

This is a look at specific security issues in Windows today.


Best Practices for Malware Removal

In this section, we want to take a look at the CompTIA seven-step process for malware removal. And for anybody looking to take the A+ certification exam, I'd spend a little time on this.

As an ongoing process, you should always be identifying and researching malware symptoms. When an infection occurs, quarantine the infected system.

Now there's a couple of ways that you can do that, right? Physically isolating it on a quarantine network segment, which is also the network segment where the remediation servers are. So your software installation point is on that remediations network. And you can install an antivirus from there, if the client doesn't have an antivirus. Or an anti malware if the client doesn't. You can update the definitions from that server.

Your Microsoft Windows Server Update Services server or other patch management solution should be on that remediation network segment. So an out-of-compliance client gets an IP address on this isolated network, can only communicate with the remediation servers, and gets cleaned up before we let it back on the production segment. The recommendation from CompTIA here is that you disable System Restore. [Video description begins] This is in Windows. [Video description ends] And the concern there is I don't want to just restore the machine to a point where the virus is already there. Because the virus will be captured as part of a system snapshot. So we want to disable System Restore at this juncture, so that we don't inadvertently restore the thing and be in the same boat. Then remediate the infected systems.

And this is almost always going to be a process of following the instructions and guidance, either from your antivirus or antimalware solution, or from some other Internet source that's trustworthy and that you've dealt with before. Microsoft sometimes publishes articles about how to clean up: where in the registry do I want to go, and what do I want to reset these keys to, so that I'm returning the machine to the state it was in before the infection.

Part of this process should be an update of your antivirus, antimalware solutions. And you may need to reboot the machine into Safe Mode to do this. [Video description begins] This is an example of scanning and using a removal technique. [Video description ends] And you may want to do that without the networking components, so that there's no Internet connection, there's no network connection. The drivers for the NIC card don't even get loaded, and so you know that infection is going to be isolated to that machine. That's another way to quarantine it, pull the cable.

Or you may need the pre-installation environment, particularly in those cases where there's a boot sector virus. Some kernel level rootkits can require you to get at them without bringing the operating system online. So you need another operating system, Windows PE, that lets you do that, right? And again, you can do that on the DVD, the original installation media from Microsoft, or put WinPE on a bootable USB, which is nice to have, right?

Everybody should have automatic scans scheduled, and they should be running. And they should be updated, that software, you should have an update solution in place for that software. And it should be getting updated virus definitions, signature files, etc., from the antivirus manufacturer as part of the regular routine. Should just be routine. And it's got to be part of somebody's job to validate that it's happening out there.

We can now re-enable System Restore and create a restore point, right, when we're sure that the infection is cleaned up. We're ready to return the system to working production. [Video description begins] This is for Win. [Video description ends] And finally, follow up with the end user, find out what happened exactly. Why did they think it would be okay to listen to this guy they barely know and enter their network credentials just to open an attachment? Why did they think that would be a good idea? Spend a little time with them and ask them that question and listen to the answer. And you'll know what to tell them so that it doesn't happen again.
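The steps from quarantine through re-enabling System Restore, as an added example written here rather than taken from the course or from CompTIA. It is a PowerShell runbook with one function per step so you can stop and check between them. It assumes an elevated Windows PowerShell 5.1 session, Microsoft Defender as the antivirus, and a network adapter named "Ethernet" (a placeholder; check Get-NetAdapter for the real name). The quarantine step is the pull-the-cable variant, not the remediation VLAN.

```powershell
# Added example (not from the course): the malware removal steps as a runbook.
# Assumes elevated Windows PowerShell 5.1, Microsoft Defender, and a NIC named
# "Ethernet" (placeholder; substitute the name Get-NetAdapter shows).

$Nic   = 'Ethernet'   # placeholder adapter name
$Drive = 'C:\'        # system drive whose restore points we manage

# Step 1: identify and research symptoms. What has Defender already flagged?
function Get-MalwareSymptoms {
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
}

# Step 2: quarantine. Disabling the adapter is the software version of pulling the cable.
function Invoke-Quarantine {
    Disable-NetAdapter -Name $Nic -Confirm:$false
    Get-NetAdapter -Name $Nic | Select-Object Name, Status
}

# Step 3: disable System Restore so the infection cannot be rolled back in later.
function Disable-RestoreForCleanup {
    Disable-ComputerRestore -Drive $Drive
}

# Step 4: remediate. Update definitions first, then run a full scan and review the result.
# (Signature updates need the network, so do this on the remediation segment or
# re-enable the adapter briefly with the client otherwise isolated.)
function Invoke-Remediation {
    Update-MpSignature
    Start-MpScan -ScanType FullScan
    Get-MpThreatDetection | Select-Object InitialDetectionTime, ThreatID, ActionSuccess
}

# Step 5: schedule scans and signature updates so it stays routine.
function Enable-ScheduledScans {
    Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00 `
                     -SignatureUpdateInterval 4
    Get-MpPreference | Select-Object ScanScheduleDay, ScanScheduleTime, SignatureUpdateInterval
}

# Step 6: re-enable System Restore, take a clean restore point, reconnect the machine.
function Enable-RestoreAndCheckpoint {
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description 'Post-malware cleanup' -RestorePointType 'MODIFY_SETTINGS'
    Enable-NetAdapter -Name $Nic -Confirm:$false
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
}

# Step 7 is the conversation with the user; there is no cmdlet for that.
# Run the steps in order, reviewing the output of each before moving on:
Get-MalwareSymptoms
Invoke-Quarantine
Disable-RestoreForCleanup
Invoke-Remediation
Enable-ScheduledScans
Enable-RestoreAndCheckpoint
```

One caveat on step 6: since Windows 8, Checkpoint-Computer creates at most one restore point per day by default, so if something else already took one today the cmdlet returns without creating yours; check Get-ComputerRestorePoint rather than assuming.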

I would mention that subject, just as an aside, because I have one more minute here. Guys, there's a secret to this business that nobody ever talks about. If you work in the technology field, you are going to work every single day with people who live in terror that their colleagues are going to find out how little they know. And this is a problem in our industry, because that kind of pressure comes out in all kinds of ways, real interesting ways, boy. So what you want to do is cultivate an attitude of patience.

It's very hard for me personally, but people really are insecure about this. Not everybody, of course, but the odd fellow here and there. You'll meet them. You may be one, and if you are, I want to assure you, nobody can know everything in this business. Saying, I don't have the answer right now but let me make a note of what you're saying and let me get back to you, should be a perfectly acceptable response in virtually every situation. Except for a server down kind of emergency situation, then you better get in there, but that's the reality of this business. And if you're going to be in this business, you must be prepared to be a lifelong learner, which medical science today is telling us there's all kinds of benefits to. So congratulations, it's a good choice.

This is a look at the best practice procedures for malware removal.


Troubleshoot Mobile OS and App Issues

In this section, we want to talk about troubleshooting mobile OS and application issues.

And in this first example, the connectivity question, a soft reset or an adjustment to the configuration and settings of the device will often do the trick. The soft reset, everybody understands when we're talking about mobile devices, what we're talking about there is a restart of the device. Or not a restart, rather a full shutdown and then a reboot. That's what's considered a soft reset. Clears all the application memory, closes all the applications at least for the time that the machine is off, and then restarts them upon startup. [Video description begins] Another universal fix is to adjust configuration and settings. [Video description ends]

With wireless and Bluetooth connectivity issues. With wireless, I might want to close all the running applications, particularly if my signal strength is low, right? I want more power to be directed to the antenna, to the processing from the wireless card. With Bluetooth connectivity, try testing another device. Maybe it's not the device, it's the Bluetooth device, whatever that happens to be, a speaker or whatever. And you may have to reset the factory defaults, either on the Bluetooth device or on the mobile device.

Dim display. Configurations and settings, soft reset, or just charge your phone. You might also check, in the configurations and settings, what you want to look for is what your brightness level's set to.

Short battery life. Now, a lot of devices have a battery optimization feature you can run. And so you can run through that routine and make sure that's been optimized. You can try closing running applications. The more applications you have running, the faster it's going to consume that battery. And then again, the configuration and settings, you may have lots of things set to do background synchronizations. Well, they're synchronizing all the time, and that's running, right? It's running down the power. So those are some of the things we think about with these.

Unable to broadcast to an external monitor. I want to make sure that the device I'm trying to connect to is supported, right? Whatever the applet is that lets me connect to the monitor, does that applet support this monitor type? If it does, then commonly it's just a configuration issue, and I go into the configuration and settings. The app that you are using to connect, maybe that needs to be reinstalled. And, as always, closing running applications may free up what you need.

Inaccurate or unresponsive touch screen, or frozen systems. This gets us to the point where, when you get into these kinds of errors, you're looking at hard resets, resets to factory defaults, because the device is likely failing. The touchscreen is losing responsiveness, especially if it's been responsive up until now.

System lockout. Reset to factory defaults and then restore your cloud backups.

If you're unable to decrypt the email, the most likely reason for that is either because your e-mail settings are incorrect in the configuration and settings, or you don't have a valid certificate to present for the decryption keys. You can't be authorized to get those decryption keys. And so I would want to check the mail configuration and settings as well as the certificate on that device.

If you've got a situation where apps are not loading, you can try to uninstall/reinstall the apps. You might try closing some of the running apps. It's amazing, sometimes when users come to you and you look at how many apps are running, what's really running? There's 12 browser windows open, there's Calendar, there's Sketch, everything is open, everything is open. And when all else fails, soft reset. And if that fails, reset to the factory defaults.

You're not getting any sound from the speakers. It's either a configuration and settings issue, or there's some other issue, and you've got to reset that phone. At the very least, soft reset first. And then if you need to fall back, hard reset.

If it's overheating, again the soft reset may well be your friend here. Shut it down, leave it shut off for ten minutes, come back to it again. It could be that, in the configuration and settings, you have lots of applications that are doing background synchronization, that are communicating all of the time. When you're not necessarily using those applications, shut them down, close those running applications.

Slow performance, running applications again, that's going to be your biggest consumer of resources on the device. [Video description begins] Therefore, close these running applications. [Video description ends] Adjust configuration and settings so that background refreshes aren't happening, background synchronizations aren't happening, etc. You may need to force stop some applications, right? You have applications that won't shut down properly, force stop them, shut them down. And if you need to, soft reset.

And that's a look at some of the most common mobile OS and application issues and potential remediations.


Troubleshoot Mobile OS Security Issues

In this section, we want to talk about troubleshooting mobile operating system security issues.

And the first thing, if you're unfamiliar with the Wi-Fi analyzer, this is an application that you can load on your phone and it will look for rogue wireless devices. It will look for interference sources, it'll analyze the nature of the connection, and net available bandwidth. And so that Wi-Fi analyzer is a valuable tool to diagnose slow data delivery.

A signal drop or weak signal. Again, if you're connecting to the WAP, it's a Wi-Fi analyzer. If you're on your cell, there's a cell tower analyzer that'll give me cell towers in the area, the one that I'm currently connected to, and who the owner of those towers is, etc. And so I can pick and choose from there.

Unintended Wi-Fi connection or Bluetooth pairing. That can be a function of malware, or it could just be a misconfiguration. How do you know? Well, Wi-Fi analyzer will give me some insight. And then, an app scanner. And when I say an app scanner, I don't mean an application that acts like a scanner. An app scanner looks for flaws in the application development, right? In the source code, in the underlying binaries. And so something like App Vigil on Android is a good example of that. [Video description begins] Other fixes include: antimalware, and adjusting configuration and settings. [Video description ends]

Now here's a point where we're into what is almost certainly malware. So the device is compromised. Personal files or data have been leaked, they're published out on the public Internet, it all came off your phone, you know it, right? Well, I would want to restore my backup from the cloud and I would want to change my password. I'd probably want to get rid of that device, depending, right, on what I think the infection was and whether or not we've quarantined it.

Data transmission is over the limit. Use your Wi-Fi analyzer to analyze your usage patterns and see what you can do. Make sure there's not some rogue application that's eating up all your bandwidth. [Video description begins] You can also use a cell tower analyzer. [Video description ends]

Unauthorized account access. Again that's going to be a compromised device, right? Restore from cloud backup and change your password.

[Video description begins] For leaked personal files or data, data transmission over the limit, and unauthorized account access the following fixes may also apply: antimalware, and uninstall and reinstall apps. [Video description ends]

Location tracking, this is the worst. There was a large American retailer who recently was found to be basing the price it advertised things to you, on how close you were to their store, right? The idea being that if you have to drive, you need to drive for a bigger bargain. And so if you're half an hour away, like I am out in the country from everything, 20 minutes one way for a quart of milk. You'd have the app up, you'd see the sale price, $4.99 or whatever it was. And then the moment that I would pull into the parking lot, it would change to $5.99, just like that.

Now that retailer has acknowledged that practice of location tracking and pricing based on location, and they said they're going to stop that. But it's insidious, it's really insidious, and this is frightening. For anybody who has children, for anybody who's a parent, I mean the idea that somebody can turn on the microphone or the camera to your device, and you don't know it. It is, I can't even conceive of it, right? Like who would think to do such a thing? It's such a rank invasion of privacy, but this is the reality that we live in. And so what we do is we make sure that the application configuration and settings are correct. We might have to uninstall and reinstall some of those apps, or even perform a factory reset clean install. Or let the antimalware clean it up. Of course, if you're at that point, the antimalware has failed.

That's unauthorized root access, right? These guys are connecting to your device. They're admins on the device. They can do what they want. Again, I want to restore that to a prior version from before the root access happened, or I just want to wipe that machine clean. Commonly I would want to wipe it. [Video description begins] You can also change your password, install antimalware, or perform a factory reset and clean install. [Video description ends]

Power drain. Maybe you've got too many applications running, right? Force stop the applications. Now if you do the analysis, and this device is simply using more power than it should be based on what it's supposed to be doing, then either there's a hardware problem or you've got some kind of an infection.

High resource utilization. Adjust your application and configuration settings. Those background services will eat up a lot of resources.

[Video description begins] For power drain and high resource utilization you can also install antimalware or uninstall and reinstall the applications. [Video description ends]

And that's a look at some of the principal mobile OS security issues today.