Over the past month (possibly more), I have noticed that my laptop (running Windows 10) frequently becomes almost unusably slow, especially after many days of not having turned it on.
I notice that the disk usage in the task manager is at 100% for long periods of time; however, this is ridiculous because even the sum of all the processes [that I can see...] could only approach about 5-10% in the generous case.
This is a development machine with 8GB RAM, i7 processor, plenty of space. There are almost no startup programs other than MS default programs (and even there I culled most of the non-essentials out of the startup list). I have also gone through and progressively disabled services such as BITS, Superfetch etc. to no observable effect.
What makes this more suspicious is the pattern in which it occurs - the issue is worst at startup after many days of the computer being physically disconnected and turned off. The startup time is around 3-5 minutes (!), after which the disk runs at 100% usage for a few minutes and then, for no explicable reason, suddenly drops down to around 1-5%. All this without showing any processes near full disk usage.
After around a month of investigating this, I am beginning to suspect the involvement of malware, particularly because of the discrepancy in the task manager but also because of how the issue suddenly corrects itself. I should also note that the computer runs AVG Free edition and scans of the computer and anti-rootkit are coming up clean. That being said, I want to pursue the possibility that this could be malware connecting and updating itself, or even worse, exfiltrating data [or even worse, chewing my disk to encrypt my files while telling me everything is OK]?
Currently I do not observe an irregular amount of network traffic which would support the exfiltration theory, however it is also possible to hide this from the task manager / wireshark using a rogue driver.
I have a number of questions:
- Does this pattern of behavior fit any known malware / APT threats?
- Supposing I were to continue this into the forensics direction, what further steps could be taken to investigate and validate the drivers on the machine?
- What steps beyond task manager can I take in order to monitor and identify the process which is actually responsible for the 100% disk usage?
- Are there any legitimate / Windows reasons this might be occurring and if so, how can I narrow down and isolate the problematic components?
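As an added example (not part of the original post), the following PowerShell script addresses the third and second questions from a defender's side: it samples the per-process I/O performance counters for a few seconds so that the disk pressure can be attributed to a process name rather than read off the Task Manager summary, and it enumerates the running kernel drivers and checks each image's Authenticode signature so that unsigned or invalidly signed drivers stand out. It assumes Windows 10 with PowerShell 5.1 and an elevated prompt; the function names and the sample count are the author's own choices, not Windows APIs.

```powershell
# Added example, not from the original post.
# Assumes: Windows 10, PowerShell 5.1, run from an elevated prompt.

function Get-TopIoProcesses {
    param([int]$Samples = 5, [int]$Top = 10)
    # '\Process(*)\IO Data Bytes/sec' counts read+write bytes for every I/O a process
    # issues (files, pipes, devices), so it approximates disk pressure rather than
    # measuring disk-only traffic. Average over several one-second samples to smooth spikes.
    $counter = Get-Counter -Counter '\Process(*)\IO Data Bytes/sec' `
                           -SampleInterval 1 -MaxSamples $Samples
    $counter.CounterSamples |
        Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
        Group-Object InstanceName |
        ForEach-Object {
            [pscustomobject]@{
                Process        = $_.Name
                AvgBytesPerSec = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average)
            }
        } |
        Sort-Object AvgBytesPerSec -Descending |
        Select-Object -First $Top
}

function Get-DriverSignatureReport {
    # Enumerate running kernel drivers via WMI and check each image's signature.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes back in NT form (\??\C:\... or \SystemRoot\...); normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = [Environment]::ExpandEnvironmentVariables($path)
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Run both checks: the busiest processes first, then any driver whose signature is not 'Valid'.
Get-TopIoProcesses | Format-Table -AutoSize
Get-DriverSignatureReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Run it during the window in which the disk sits at 100%; a process that dominates the counter output but is absent from the Task Manager list is worth a closer look, while a large average attributed to System or a Microsoft-signed service during the minutes after a cold boot is consistent with the update, indexing and maintenance work Windows schedules then. The built-in Resource Monitor (resmon.exe, Disk tab) shows the same per-process attribution interactively. For the driver report, a Status other than Valid is a lead, not a verdict: confirm the file's signature with a second tool before treating it as rogue, and treat a driver whose image path is missing from disk as the more interesting case.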