Toward Automatically Generating User-Specific Recovery Procedures after Windows Malware Infections

Jerre Starink; Cassie Wanjun Xu; Andrea Continella

doi:10.1109/EuroSPW67616.2025.00011

Toward Automatically Generating User-Specific Recovery Procedures after Windows Malware Infections

Jerre Starink
, Cassie Wanjun Xu
, Andrea Continella

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

57 Downloads (Pure)

Abstract

Despite significant advancements in proactive malware detection and prevention, complete prevention of malware infiltration remains unattainable. Once malware is present on a system, it can make persistent changes that affect its stability, making user-specific recovery post-infection an important problem to address. Current solutions involve extensive monitoring to precisely pinpoint the changes that malware has made, which are impractical for home environments due to their high resource demands. This paper introduces a prototype for automatically generating userspecific malware recovery procedures that fully operates post-mortem. By leveraging forensic data collected on Windows by default, we replicate the original conditions under which the malware executed in a sandbox and automatically infer the exact system resources that the malware changed without imposing additional performance burdens on the user's machine. We test a prototype against 894 realworld malware samples and three real-world, environment-sensitive malware campaigns, and achieve a full recovery rate of 51.3 % even with no additional monitoring enabled. We conclude by sharing insights on the importance of machine replication and sandbox configurability in future malware research.

Original language	English
Title of host publication	Proceedings - 10th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2025
Publisher	IEEE
Pages	39-47
Number of pages	9
ISBN (Electronic)	9798331595463
DOIs	https://doi.org/10.1109/EuroSPW67616.2025.00011
Publication status	Published - 2025
Event	10th IEEE European Symposium on Security and Privacy, Euro S&PW 2025 - Venice, Italy Duration: 30 Jun 2025 → 4 Jul 2025 Conference number: 10

Conference

Conference	10th IEEE European Symposium on Security and Privacy, Euro S&PW 2025
Abbreviated title	Euro S&P 2025
Country/Territory	Italy
City	Venice
Period	30/06/25 → 4/07/25

Keywords

Malicious Behaviors
Malware
Recovery

Access to Document

10.1109/EuroSPW67616.2025.00011

starink-malwareremediation-2025Accepted author version, 713 KB

Cite this

@inproceedings{92911f37f80647d9bb9531d7f818f5cf,

title = "Toward Automatically Generating User-Specific Recovery Procedures after Windows Malware Infections",

abstract = "Despite significant advancements in proactive malware detection and prevention, complete prevention of malware infiltration remains unattainable. Once malware is present on a system, it can make persistent changes that affect its stability, making user-specific recovery post-infection an important problem to address. Current solutions involve extensive monitoring to precisely pinpoint the changes that malware has made, which are impractical for home environments due to their high resource demands. This paper introduces a prototype for automatically generating userspecific malware recovery procedures that fully operates post-mortem. By leveraging forensic data collected on Windows by default, we replicate the original conditions under which the malware executed in a sandbox and automatically infer the exact system resources that the malware changed without imposing additional performance burdens on the user's machine. We test a prototype against 894 realworld malware samples and three real-world, environment-sensitive malware campaigns, and achieve a full recovery rate of 51.3 \% even with no additional monitoring enabled. We conclude by sharing insights on the importance of machine replication and sandbox configurability in future malware research.",

keywords = "Malicious Behaviors, Malware, Recovery",

author = "Jerre Starink and Xu, \{Cassie Wanjun\} and Andrea Continella",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 10th IEEE European Symposium on Security and Privacy, Euro S\&PW 2025, Euro S\&P 2025 ; Conference date: 30-06-2025 Through 04-07-2025",

year = "2025",

doi = "10.1109/EuroSPW67616.2025.00011",

language = "English",

pages = "39--47",

booktitle = "Proceedings - 10th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2025",

publisher = "IEEE",

address = "United States",

}

Starink, J, Xu, CW & Continella, A 2025, Toward Automatically Generating User-Specific Recovery Procedures after Windows Malware Infections. in Proceedings - 10th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2025. IEEE, pp. 39-47, 10th IEEE European Symposium on Security and Privacy, Euro S&PW 2025, Venice, Italy, 30/06/25. https://doi.org/10.1109/EuroSPW67616.2025.00011

Toward Automatically Generating User-Specific Recovery Procedures after Windows Malware Infections. / Starink, Jerre; Xu, Cassie Wanjun; Continella, Andrea.
Proceedings - 10th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2025. IEEE, 2025. p. 39-47.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Toward Automatically Generating User-Specific Recovery Procedures after Windows Malware Infections

AU - Starink, Jerre

AU - Xu, Cassie Wanjun

AU - Continella, Andrea

N1 - Conference code: 10

PY - 2025

Y1 - 2025

N2 - Despite significant advancements in proactive malware detection and prevention, complete prevention of malware infiltration remains unattainable. Once malware is present on a system, it can make persistent changes that affect its stability, making user-specific recovery post-infection an important problem to address. Current solutions involve extensive monitoring to precisely pinpoint the changes that malware has made, which are impractical for home environments due to their high resource demands. This paper introduces a prototype for automatically generating userspecific malware recovery procedures that fully operates post-mortem. By leveraging forensic data collected on Windows by default, we replicate the original conditions under which the malware executed in a sandbox and automatically infer the exact system resources that the malware changed without imposing additional performance burdens on the user's machine. We test a prototype against 894 realworld malware samples and three real-world, environment-sensitive malware campaigns, and achieve a full recovery rate of 51.3 % even with no additional monitoring enabled. We conclude by sharing insights on the importance of machine replication and sandbox configurability in future malware research.

AB - Despite significant advancements in proactive malware detection and prevention, complete prevention of malware infiltration remains unattainable. Once malware is present on a system, it can make persistent changes that affect its stability, making user-specific recovery post-infection an important problem to address. Current solutions involve extensive monitoring to precisely pinpoint the changes that malware has made, which are impractical for home environments due to their high resource demands. This paper introduces a prototype for automatically generating userspecific malware recovery procedures that fully operates post-mortem. By leveraging forensic data collected on Windows by default, we replicate the original conditions under which the malware executed in a sandbox and automatically infer the exact system resources that the malware changed without imposing additional performance burdens on the user's machine. We test a prototype against 894 realworld malware samples and three real-world, environment-sensitive malware campaigns, and achieve a full recovery rate of 51.3 % even with no additional monitoring enabled. We conclude by sharing insights on the importance of machine replication and sandbox configurability in future malware research.

KW - Malicious Behaviors

KW - Malware

KW - Recovery

UR - https://www.scopus.com/pages/publications/105016566637

U2 - 10.1109/EuroSPW67616.2025.00011

DO - 10.1109/EuroSPW67616.2025.00011

M3 - Conference contribution

AN - SCOPUS:105016566637

SP - 39

EP - 47

BT - Proceedings - 10th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2025

PB - IEEE

T2 - 10th IEEE European Symposium on Security and Privacy, Euro S&PW 2025

Y2 - 30 June 2025 through 4 July 2025

ER -

Toward Automatically Generating User-Specific Recovery Procedures after Windows Malware Infections

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this