Protect against malware
Updated9 April 2024
Table of Contents
...Loading Table of Contents...Keeping your device healthy is a critical first step down the path toward better security. Before worrying too much about data encryption, private communication or anonymous browsing, you should protect your device from malicious software (often called malware). Malware reduces the effectiveness of any other actions you take to protect your security.
All devices are targets of malware: it is no longer true that Windows devices are the only ones at risk. You should take the following steps also if your device runs a macOS, Linux, Android or iOS operating system.
Update all software
- Follow the instructions to use the latest version of your operating system to get the best protection for your device:
- Follow the instructions in the list below to manually and automatically update the apps installed in your device:
- Android − Follow the instructions in How to update the Play Store and apps on Android.
- iOS − Apps that you download from the App Store are automatically updated by default, but you can manually update them. To learn how to do this, see How to manually update apps on your Apple device.
- Windows − Turn on automatic app updates.
- macOS
- Linux − If you have installed the full desktop version of Ubuntu, software is already updated daily by default. You can change these settings following the instructions in the Ubuntu Community Wiki page on how to automatically update software.
- Depending on the Linux distribution running in your computer, the method to enable automatic software updates may change: refer to the official documentation of your distribution to learn how to do this.
Learn why we recommend this
New vulnerabilities are found every day in the code of operating systems and apps. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices.
But software developers do regularly release updates that fix these vulnerabilities. That's why it is very important to use the latest version of the operating system for each device you use as well as of the software you have installed. We recommend setting your device to automatically update so you have one less task to remember to do.
Be aware that malicious actors may try to pressure you to act quickly or appeal to your emotions
- Get in the habit of noticing when an email, message or alert tries to make you frightened, distressed, worried, passionate or curious. Anything that suggests an impending risk or a possibility that you will miss out on an opportunity should be looked at with suspicion. When you notice these feelings, look closer at what you are being asked to do.
- If a message includes language that feels strange or out of context, it's wise to consider it suspicious.
- Pause when a message or alert wants you to take immediate action.
- Be wary about any attempt at getting private or valuable information (passwords, accounts numbers, names, ID numbers, etc.), whether by email or through a chat, voice call or physical visit.
- Don't trust any communication that asks you to install a program, app or browser extension (like for example TeamViewer or AnyDesk).
- Be aware that many "win something for free" messages or advertisements are used to trick people into installing malicious software.
- Do not click to proceed unless you have made sure that the request you have received is legitimate. To confirm this contact the sender over a different communication channel. For example, check your user account on the platform the message refers to, or call the sender if you received an email from them.
- Go through the instructions in the following sections about links, attachments, file extensions, and pop-up windows.
Learn why we recommend this
Security experts consider people's emotions and habits the most vulnerable part of digital security. When we are asked to take quick action, when we are curious, or when we feel threatened, we usually comply with the instructions we have received.
The stresses of human rights work can make us especially vulnerable to this kind of attacks. Many of us are convinced we could never be tricked, but thinking twice can stop attempts at installing malware in our devices and spy on us without us realizing what is going on.
Pause before you click and be cautious when you receive a link
Look closely at the address in a link before you visit it. This is especially important if someone sent the link via email or SMS or through a chat message.
- On your computer, hover your mouse pointer over a link in an email or on a webpage to see the full website address.
- On mobile, it is harder to see the links, so it is better not to click them at all and wait until you can check them on a computer. If you still would like to check a link on a mobile device, you can try one of the following methods:
- On Android, you can install URLCheck, an app to analyze URLs before you open them. Find it on the Google Play Store or on F-Droid.
- Both on Android and iOS, most apps let you view links embedded in a text string by pressing and holding the text until a prompt appears. The prompt will include the embedded link together with various options on how to handle it.
Here is how to read a web address:
Starting after "https://", find the first "/" in the web address.
Then move left to the previous "." and the word right before it. For example, in this web page (
https://securityinabox.org/en/phones-and-computers/malware/
) the word you are looking for is "securityinabox".Does it look like the site you expected to go to? If not, someone may be trying to trick you.
Look at this animated gif for a visual illustration of the steps to check a web address:
If you see a strange link and would like to know what it is, it is best NEVER to click on it. To check if it is safe, you can copy the web address and paste it into one of the following page scanners:
If the link looks strange, but you already clicked it:
- Follow the steps in the Digital First Aid Kit troubleshooter I received a suspicious message.
- Take a screenshot and send it to someone who can help you secure your device.
- Be sure to run an anti-malware software on the device where you clicked the link.
Learn why we recommend this
Most cases of malware and spyware infection happen through a visit to a malicious web page.
Use caution when opening attachments
- Be alert for unexpected files that are attached to email, chat, voice or other messages.
- Make sure the sender is who you think they are. Try to contact them through a different channel (for example face to face, or by phone if they sent you an email) to confirm they sent the attachment.
- If you absolutely must open a suspicious PDF, image or document, use the app Dangerzone to strip out dangerous elements. You can find a list of all the supported formats in the Dangerzone About page.
Learn why we recommend this
Many cases of malware and spyware infection happen by inadvertently downloading a file that runs unwanted, malicious code.
Make file extensions on your computer visible to avoid being tricked by malware
To stay safe, make your file extensions visible in your file manager.
- Linux − Ubuntu shows file extensions by default.
- macOS − Show or hide filename extensions on Mac.
- Windows − For instructions on how to make extensions visible, see the official Microsoft documentation.
Before you open a file, look at the extension at the end of the file − the letters after the last dot. There might be two extensions or more. Some are normal − like .tar.gz − but others − like .jpg.exe − are suspicious.
Ask: is this the kind of file I thought it would be? Does it look unusual? Consult the lists of file formats and of filename extensions on Wikipedia to learn what a file might do when you open it.
Learn why we recommend this
People who want to install malicious code on your devices will sometimes make an app look like a harmless document. One way they do this is by changing the app extension: the information that shows up after a dot at the end of a file name, usually about 2-4 characters long, and that tells you what type of file you are dealing with. They may try to trick you by changing an extension for code they can run ("executable code") to an extension you are used to (like .doc, .txt or .pdf for document files). Often they will send these files as attachments to email or via a chat app.
Avoid suspicious pop-up windows
Most modern browsers block pop-up windows by default. You can check whether this feature is enabled in your browser by following the instructions in these links:
- Chrome/Chromium − Block or allow pop-ups in Chrome.
- Firefox − Read the instructions on pop-up blocker settings.
- Microsoft Edge − Block pop-ups in Microsoft Edge.
- Safari − Safari does not block pop-ups by default, but you can set it to block them following the instructions in Allow or block pop-ups on all websites.
Be aware that blocking pop-up windows on browsers may interfere with some websites that use pop-ups for important features. To allow only specific websites to use pop-ups, you can add them to the list of allowed sites.
Blocking pop-ups doesn't always work. To be sure pop-up windows and other advertisement doesn't show in your browser, we recommend installing uBlock Origin in Firefox or Chrome/Chromium to add a second layer of protection.
If a pop-up window still appears unexpectedly, whether you are using a browser or not, follow these steps to mitigate a potential malicious event:
- Pause. Don't touch anything.
- Read the window carefully. What is it asking you to do?
- If this is not something you asked your device to do, close the window (using a button at the window's top) instead of clicking "yes" or "ok".
- Know the names of the apps you have installed. Don’t approve updates by apps you didn’t know you had installed.
- If you are unsure whether it is actually your app or device asking to install software, check your app store or the website of the software to see if the update is official.
Learn why we recommend this
It might seem like hacking your computer requires secrecy and powerful coding skills. In fact, tricking you into doing something for them is one of a hacker's most powerful tools. A button or link that asks you to do something may be waiting to install malware on your device.
Use antivirus or anti-malware
Choose the antivirus software that works best for you
- On Windows we recommend to turn on the built-in anti-malware protection Windows Defender.
- On Linux you can manually scan your device for malware with ClamAV. But be aware it is only a scanner, and will not monitor your system to protect you from infection. You can use it to determine whether or not a file or directory contains known malware − and it can be run from a USB memory stick in case you do not have permission to install software on the suspect computer. You may also consider using paid antivirus (like ESET NOD32).
- Other multi-platform antivirus options you can consider are:
Learn why we recommend this
The most important thing you can do to protect the security of your device is to update the operating system and software you have installed. However, it is also useful to run the right antivirus or anti-malware app to stop malicious code that may have invaded your device.
Use your antivirus securely
- Whatever antivirus software you decide to install, be sure to know how to check if your antivirus or anti-malware app is working and updating itself.
- Perform periodic manual scans.
- Note that all antivirus and anti-malware apps collect information on how the protected devices are being used. Some of this information may be shared with the companies that own them. There have been cases where this information was sold to third parties.
Pick just one anti-malware tool to use
- Choose and run only one anti-malware app; if you run more than one on a device, they may interfere with each other.
- If you need to switch between anti-malware apps it is important to completely uninstall the first one before installing a new one.
Learn why we recommend this
Using two antivirus or anti-malware tools might seem like it would be safer, but these tools will often identify each other as suspicious and stop each other from working properly (like two medications that counteract each other). Pick just one that works for you.
Set your anti-malware tool to update automatically
- Make sure that your anti-malware program allows you to receive automatic updates; if it does not, seek another tool.
- Set your anti-malware software to check for updates on a regular daily schedule.
Learn why we recommend this
New malware is written and distributed every day. Anti-malware tools release updates to fight it. Your computer will quickly become vulnerable and the tool will be of no help if you do not set your anti-malware software to update automatically. Be aware that some tools that come pre-installed on new computers must be registered (and paid for) at some point or they will stop receiving updates. If this is the case and you prefer a free version, consider uninstalling the pre-installed tool and choosing one from the list of antivirus software we recommend in this section.
Scan your device for malware regularly
- If your anti-malware tool has an "always on" mode, enable it. Different tools have different names for this mode, like Realtime Protection or Resident Protection.
- Scan when you have recently:
- connected to an insecure or untrusted network,
- shared USB memory sticks with others,
- opened strange attachments by email,
- clicked a suspicious link,
- seen someone else in your house, office or community having strange issues with their device.
- Consider occasionally scanning all of the files on your computer. You do not want to do this often (and you might want to do it overnight), but explicit scans can help identify problems with the "always on" feature of your anti-malware tool or its update mechanism.
Use good hygiene with USB cables and devices
In modern mobile devices − both Android and iOS − data transfer through USB is disabled by default, but it's best to avoid plugging your device into an untrusted USB port and following the advice in this section when you need to charge your device.
If your device gets charged through a USB cable, never plug the USB part directly into a public USB charging slot unless you are sure the cable you are using is a power-only charger cable. Make sure you use the adapter that lets you plug into a power outlet.
DO: Plug your power cable into an adapter that plugs into a power socket like this:
Image By Electro-world-standard, CC BY-SA 4.0, via Wikimedia CommonsDO NOT: Plug your cable into a USB socket like this unless it's on an adapter you own or you are sure you are using a power-only charger cable:
Image by Amin, CC BY-SA 4.0, via Wikimedia Commons
If you need to use untrusted USB charging slots, you can get a USB data blocker to prevent the public USB slot from infecting your device. Be sure to use your own trusted USB data blocker, as a fake USB data blocker might infect your device when you think you are protecting it.
- Learn more about USB data blockers in USB data blocker: Why do you need one?.
- Read about fake USB data blockers in How to spot a fake data blocker that could hack your computer in seconds.
Never use a stick, card, disc or cable you find lying around; there have been instances of people putting malicious code on other people's devices by leaving an infected USB stick in public.
If you are concerned about what might be on a colleague's drive that you need to plug into your machine, consider using a CIRCLean stick to check it for malware first.
Learn why we recommend this
Malware can spread from device to device through smaller devices you plug into them − particularly SD cards, USB drives, USB cables, "flash" memory sticks and other external storage media. Malware has also been found on public charging stations.
Use good hygiene with sensitive information
- Only store or send sensitive information using encrypted methods.
- Check very carefully to make sure you know who you are giving this information to.
- Be aware that many scams involve someone contacting you electronically or by phone unexpectedly, pretending to be a company or government official who needs this information.
- Be especially careful about pop-up windows or strange links that ask for this information.
- Sensitive information includes:
- Your date of birth or other personally identifying information
- Passwords
- Financial information, including bank account or credit card numbers
- Identifying information, including government ID numbers, passport numbers and numbers of cards you use to get into an office
- Codes of licenses
- Your fingerprints or iris scans
Learn why we recommend this
Some information about you could be dangerously misused if it fell into the wrong hands. Many people are not aware that unencrypted email is not a safe way to send this information, as it is frequently stored on multiple computers and servers, making it hard to eliminate all copies.
Secure other "smart devices"
- Consider whether the risk of having additional devices connected to the internet around outweighs the benefits of what they can do for you.
- Consider disconnecting your TV from the internet entirely, or from electricity when you are not using it.
- Turn off smart speakers like Alexa or Siri. Follow the instructions in the "disable voice controls" section of the basic security guide for your device: Android, iOS, macOS, or Windows.
- Turn off automatic content recognition (ACR) in smart TVs. Automatic content recognition is a smart TV technology that tries to identify the shows you watch, whether you receive them via cable, over the air, through streaming services or even through physical media like USB sticks.
- Apple TV − Turn off automatic content recognition (ACR) by deactivating Siri.
- Other TVs, including Android, Amazon Fire, LG, Roku, Samsung, and Sony − First secure your smart TV, then turn off ACR.
Learn why we recommend this
Some malware is designed to infect other devices to which its victims are connected. Many of these internet-connected devices are not secured as well as our computers and phones. They might include "smart TVs," devices you control with an app on your phone, "smart appliances" like lighting or heating systems, or even children's toys. Attackers might use these devices to get into more important devices around you, or attack other devices as part of a zombie "botnet." Smart TVs in particular may listen for sound around them and record what people are saying, using a technology called "automatic content recognition" (ACR). They share what they hear with advertisers and other third parties. You can turn ACR off using the instructions in this section.
Reboot your device often, and switch it off overnight
Learn why we recommend this
Spyware is often not persistent. By regularly rebooting your device, you can get rid of some spyware infections.
It is also worth noting that malware frequently takes advantage of times when you are not using your devices to search or send data, so you are less likely to notice that something is wrong. Turning off your devices and connections overnight can help protect against this.
If you suspect your device has been infected...
Disconnect your device from networks
- Turn off wifi, mobile data, Bluetooth and other wireless ways of communicating with other devices.
- Unplug any wires (like ethernet cables) the device is using to communicate with other devices.
Learn why we recommend this
By disconnecting your device from all networks, you will prevent malware from sending data, receiving commands or infecting other devices.
Avoid connecting storage media to the infected device
- Do not plug in external hard drives, USB sticks, memory cards or other removable devices unless you are prepared to discard them, or know how to disinfect them safely.
- Similarly, avoid using anything that was previously connected to the infected device.
Learn why we recommend this
Infected devices can spread infections to other devices, so it's best to isolate them.
Run your anti-malware software
Learn why we recommend this
You can sometimes clear a malware infection just by running your anti-malware software. However, be aware some malware is designed to survive a full reinstallation of the operating system and won't be eradicated by a standard antivirus tool. Most infections fall somewhere in the middle: they can resist standard anti-malware software but can still be rooted out with some additional effort.
Use a rescue drive
- If the infected device is a computer, restart it from an anti-malware rescue drive (such as Windows Defender Offline or the AVG Rescue Disk).
- When you're done, discard the USB memory stick you used to create the rescue drive.
Learn why we recommend this
If the malware infection keeps coming back or is resisting your efforts to clean it off your device, starting your device from a rescue drive can help remove infected files deep in your operating system.
Back up files
- Back up your most important documents to a clean, unused drive, preferably one you can plug into your device.
- Be aware that your device could have been infected by a file that you considered legitimate, especially by document formats like PDFs, Word documents or images. Scan your documents with an updated anti-malware tool before you copy them again to your cleaned up computer.
- Do not back up any apps or software.
Learn why we recommend this
You will need to erase as much as possible of your device to eradicate all traces of the malware that has infected it. So first make sure you have copied your most important files to a new, clean drive to keep them from being erased, then make sure that the infection hasn't been caused specifically by one of these files.
Clean your browser by deleting the profile folder
If your browser has a strange behavior or you suspect that it may be infected with adware or a virus, after running a scan with your anti-malware software you may also try to clean the infection by deleting your browser profile folder.
Note that deleting this folder will delete information kept in it like all passwords you saved in the browser, bookmarks, browser add-ons and cookies. Before you delete the folder, consider following the instructions below to back up this information.
- Locate your profile folder:
- You can make a copy of the entire profile folder or skip to step 3 and just back up your bookmarks and passwords. To back up your entire profile, see the following instructions:
- Back up and restore information in Firefox profiles.
- For Chrome/Chromium, copy the folder you have located in step 1 to a different location.
- Back up your bookmarks:
- Back up bookmarks on Firefox.
- To learn how to back up bookmarks in Chrome/Chromium, see "Move or export bookmarks to another browser" in Import Chrome bookmarks & settings.
- Back up the passwords you have stored in your browser:
- If your browser has been infected, be aware that the passwords you have stored inside the browser may be no longer secure. After you get rid of the infection, it is a good idea to change these passwords and store them in a password manager instead.
- Back up passwords stored in Firefox.
- Back up passwords stored in Chrome/Chromium.
After backing up important data in your profile, delete your profile folder and import your backed up data following these steps:
- Close your browser and delete the profile folder.
- Open your browser. It should look like it was freshly installed.
- If the strange behaviors have disappeared, you can import your bookmarks and passwords. Be aware that recovering your entire profile folder will probably also recover the issues you had with your browser.
Learn why we recommend this
Some malware can store itself inside the browser. Sometimes the only way to get rid of a browser infection is by deleting the local profile folder of the browser.
Do a factory reset or reinstall the operating system
- Back up your most important files first.
- For mobile devices, follow the instructions below to do a factory reset:
- Android − Android devices differ, but try following the instructions in the official documentation on how to reset an Android device to factory settings.
- iOS − Follow the official instructions on how to restore an iPhone, iPad, or iPod to factory settings.
- For computers, follow the instructions on how to reinstall the operating system:
- Linux − Follow the guide on how to reinstall Ubuntu without losing the content of the home folder. On other Linux distributions, you may want to back up your home folder before you reinstall the operating system.
- macOS − Follow the instructions in the official guide on how to reinstall macOS.
- Windows − Follow the official guide on how to reinstall Windows.
Learn why we recommend this
Many devices now offer the ability to completely reset their operating system. Doing so can eliminate some malware, but you want to be sure you have saved important files first. Be aware you may need to reset some of your settings and reinstall some applications after doing this.
Buy a new device
If the malware infection affects an older device, consider buying a new one.
Learn why we recommend this
Unfortunately, sometimes it's impossible to get rid of malware in an old device. Whether or not your old device continues to show signs of an infection after you have gone through the steps recommended in this section, the most secure solution to protect yourself against malware may be to get a new device which supports updates to the latest version of the operating system and other software.
Advanced: use a live Linux distribution to back up your files
- Ensure your infected device is not connected to the network using wifi, Ethernet or other connections.
- Get a brand new, clean USB memory stick.
- On a separate, non-infected device, using the USB memory stick, create a live USB drive of Ubuntu or Tails.
- Shut down the infected device.
- Plug the live USB into the infected device.
- Restart the infected device; it should start off the live USB.
- Move your most important files from the infected device to a new clean drive other than the live USB stick.
- Be aware that your device could have been infected by a file that you considered legitimate, especially by document formats like PDFs, Word documents or images. Scan your documents with an updated anti-malware tool before you copy them again to your cleaned up computer.
- Shut down the infected device.
- Discard the live USB stick; do not connect it to any device again or it may spread the infection.
Learn why we recommend this
Starting your infected computer from a live USB stick (with Ubuntu or Tails installed) will help prevent the infection from spreading to your backup disk and beyond.
Be aware that malware may spread through files like PDFs, Word documents or images, so be sure to only back up very important files and possibly scan them with an antivirus tool before you import them to a clean device.
Advanced strategies
Secure your router
- You will need the administrator login information for your router. If you no longer have the manual or contract that includes this information, look for:
- a sticker on the router case that may have this information,
- the default password, which you may find in the "Router passwords" website (search for the manufacturer of your router).
- Also consider that, ideally, the default password may have been changed to increase security. Ask yourself who may have changed it, and where this person could have stored the new password.
- If you cannot access the router, try resetting it to its factory settings. To learn how to do it, search for the model of your router and "factory reset" or follow the How-to Geek instructions on how to factory reset a router.
- Open your browser, making sure that your computer is connected to your own wifi network.
- If you don't know the address of the login page of your router's control panel, try entering the following addresses in your browser address bar:
http://192.168.0.1
http://192.168.1.1
http://192.168.1.254
http://192.168.2.1
http://10.10.10.1
http://10.0.0.1
- If none of the addresses listed above gives access to a login page, search for "default IP address router" and the manufacturer and model number of your router.
- Before you change anything, take a screenshot of what you see after logging into the router control panel, so you can always change the settings back if something goes wrong.
- Change the administrator login password. Access to the router control panel allows to modify the router's settings, so create a strong and unique password using your password manager as explained in our guide on password managers.
- Rename your network:
- Do not use the default name (which can give attackers information on the possible vulnerabilities affecting your router).
- Do not use a name that identifies you, your organization or your family.
- You may have the option to make your wifi network invisible, so devices have to know its name to connect. Make sure your devices can connect in this way.
- Look for information on the control panel page about updates to your router's software (known as firmware). Search online for the latest version of the software and update it if possible.
- Under "security protocol," select WPA3, WPA2-AES or WPA2 if possible (in that order of preference). If your router does not make at least WPA2 available, it may be best to buy a new one, as other protocols leave your router vulnerable to attack.
- Make sure that your router or wifi access point has a firewall enabled. Most of them do, but it is worth checking.
Learn why we recommend this
Your router is the gateway between your local network, including your wifi and devices, and the rest of the internet. Its firewall adds another layer of protection. Not everyone can access the settings for their router; many of us get our routers from our internet providers and sometimes they make it impossible for us to change the settings. However, you can always try to see if you can get access to your router, change the settings and make your connection more secure. Alternatively, you can decide to buy your own router, secure it, connect it to your internet provider's router and use wifi from your own router instead.
If your router software is old and you cannot update it, or if you would like to have better control over your router, you may consider replacing the router's operating system with a free and open-source option like OpenWrt, DD-WRT or FreshTomato. Be aware that replacing the operating system of a router is an advanced task and a mistake may make your router unusable.
Use Qubes OS
Qubes OS is an alternative to Windows, macOS, and Linux that gives very strong protection against malware by dividing your device into secure sections that cannot access each other. Qubes makes use of Linux among other tools. On the surface it resembles a Linux operating system to a certain extent.
Avoid unlicensed software and consider free and open-source alternatives
Proprietary software like macOS or Windows often requires proof that it was purchased legally before you can install updates. If you are using an unlicensed (also known as "pirated") copy of Microsoft Windows, for example, you may be unable to update it, which could expose you and your information to huge risks. Some unlicensed software even comes with malware already installed. By not having a valid license, you put yourself and others at risk.
Relying on unlicensed software can present non-technical risks as well. The authorities in some countries use unlicensed software as a pretence to confiscate devices and close down offices that belong to organisations with which they have political differences.
You do not have to purchase expensive software to protect yourself from threats like these. Free and open-source software (FOSS) can be obtained and updated free of charge. FOSS tools are generally considered more secure than proprietary ones because their source code is publicly available and can be examined by independent experts who can identify problems and contribute solutions. This transparent approach to development also makes it more difficult for someone to hide a backdoor that lets them access important parts of your device without you knowing.
Freeware is software that is distributed free of charge but does not necessarily make its source code visible to the public. While outside experts cannot see whether its code contains backdoors, it may still be safer than proprietary software that is unlicensed or "expired."
Consider trying FOSS alternatives to the proprietary software you rely on. If you do not find something that works for you, consider freeware alternatives to any unlicensed software you may be using.
FOSS applications may be similar to and compatible with the proprietary software they replace. Even if your colleagues continue to use proprietary software, you may still be able to exchange files and share information with them. As a place to start, consider replacing Microsoft Office with LibreOffice.
There are FOSS alternatives to the Windows and macOS operating systems as well. Ubuntu Linux is one of the most popular and easy to use. To try it out, download a live USB version of Ubuntu, install it on a USB memory stick, put it in your computer and restart. When it's done loading, your computer will be running Linux, and you can decide what you think. A live USB will not make any permanent changes to your operating system or other software. When you're finished, just shut down your computer and remove the Ubuntu live USB to return to your normal operating system and apps.
Linux is also a good option for computers that are too old to run updated versions of Microsoft Windows or macOS. In such cases you may consider light-weight Linux distributions made for older computers, like for example Lubuntu or Xubuntu.