
utwente-scs/malware-remediation

Toward Automatically Generating User-specific Recovery Procedures after Windows Malware Infections

This repository contains the code and datasets for the WoRMA 2025 submission.

Jerre Starink, Cassie Wanjun Xu, Andrea Continella. "Toward Automatically Generating User-specific Recovery Procedures after Windows Malware Infections". Proceedings of the Workshop on Robust Malware Analysis (WoRMA). 2025

Abstract

Despite significant advancements in proactive malware detection and prevention, complete prevention of malware infiltration remains unattainable. Once malware is present on a system, it can make persistent changes that affect its stability, making user-specific recovery post-infection an important problem to address. Current solutions involve extensive monitoring to precisely pinpoint the changes that malware has made, which are impractical for home environments due to their high resource demands. This paper introduces a novel framework for automatically generating user-specific malware recovery procedures that fully operates post-mortem. By leveraging forensic data collected on Windows by default, we replicate the original conditions under which the malware executed in a sandbox and infer the exact system resources that the malware changed without imposing additional performance burdens on the user's machine. We test a prototype against 894 real-world malware samples and three real-world, environment-sensitive malware campaigns, and achieve a full recovery rate of 51.3% even with no additional monitoring enabled. We conclude by sharing insights on the importance of machine replication and sandbox configurability in future malware research.

Paper

  • WoRMA '25 Paper (to be released).
  • WoRMA '25 Slides (to be released).

Citation

If you use our prototype in your research, please consider citing us:

@inproceedings{starink2025:malware-remediation,
    title = {Toward Automatically Generating User-specific Recovery Procedures after Windows Malware Infections},
    author = {Starink, Jerre and Xu, Cassie Wanjun and Continella, Andrea},
    booktitle = {Proceedings of the Workshop on Robust Malware Analysis (WoRMA)},
    year = {2025}
}
