Why does wiping a hard drive not always remove malware?

Erasing the device is considered the number 1 option when it comes to dealing with malware . You erase all the data on the infected drive with the theory that the malware cannot survive the process. But is that really the case?

Why does wiping a hard drive not always remove malware?

Persistent malware is some of the worst out there. Most malware is effectively removed by a system restore or, worse, wiping the entire drive. But in either case, some types of malware stay active even after you think you’ve wiped everything off your drive.

Actually, this is a two-part problem.

First, restoring a system restore point is often recommended as a good way to remove malware. This makes sense; you're returning your computer to a known good configuration and hopefully avoiding significant data loss in the process.

However, system restore points are not a panacea. You have to hope that you created a system restore point before you discovered the malware. Furthermore, some types of malware can hide in files and folders that remain unchanged after a system restore, while other types of malware exist entirely outside of traditional file structures. Some malware can even delete your system restore points, making it difficult to restore a good configuration.

This brings us to our second point: Rootkits and bootkits. These truly dangerous types of malware hide outside of your hard drive and infect your hard drive firmware, BIOS/UEFI, master boot record (MBR), or GUID partition table (GPT). Since these components don’t exist on your hard drive, they can escape a system restore point or wipe your entire drive and re-infect your computer just when you thought you were safe.

Are Rootkits and Bootkits Different? How to Check for Persistent Malware

As you may already know, persistent malware, such as rootkits, bootkits, or other types, is particularly dangerous. However, there is a difference between rootkits and bootkits, and the way you remove them is different.

Detecting persistent malware is difficult no matter how you look at it, but there are some options.

First, consider your computer's performance. If you notice unusual startup issues or a significant decrease in performance, your computer may be infected with malware. It may not be persistent malware, but if you run regular malware scans and clean up your system, but the malware keeps coming back, it could be a sign of a more serious problem.

If so, you have a few options:

• Rootkit detection : Dedicated rootkit scanners, such as Malwarebytes Rootkit Scanner or Kaspersky TDSSKiller, are designed to scan for hidden processes, files, and hooks that rootkits use.
• Bootkit detection : There are also dedicated bootkit scanners that scan for threats outside of Windows. These scanners include Bitdefender Rescue Environment and Kaspersky Rescue Disk.
• BIOS/UEFI firmware scanning : ESET has a built-in UEFI firmware scanner that can detect malware at the firmware level.

You should also consider checking with your motherboard manufacturer for firmware updates, as they may have patched bootkit exploits.

Persistent malware is a terrible experience. The best protection is to avoid getting infected in the first place, which means avoiding downloading untrusted, pirated, and similar content, and making sure you have a suitable antivirus or antimalware suite installed in the first place.