What do you first do when you discover your client's computer has been infected?
Step 1. Identify the threat
To contain and eliminate a threat, you must know all of the threats that are present on the computer and what the threats were designed to do. You must also understand which methods the threats use to propagate throughout the network.
To identify the threats, follow the instructions under the condition that applies, based on whether or not you have identified infected or suspicious files.

You have identified infected or suspicious files
Symantec Endpoint Protection (SEP) detects a threat and you need additional information about the threat; or Endpoint Protection does NOT detect a threat, but you have identified a suspect file that you believe to be malicious.

1. Submit the file to Symantec Security Response
Symantec Security Response can identify all known malicious files. If additional information is required, submit the file to Symantec Security Response for further research. If the file is a new malicious file, Symantec Security Response can create virus definitions to detect it.

2. Configure Auto-Protect to allow network scanning
Network scanning allows Auto-Protect to scan files that the computer accesses from remote computers. This helps prevent malware from spreading, and can result in identification of the threat in cases where Auto-Protect is not functioning on an infected computer.

You have NOT identified any infected or suspicious files
Endpoint Protection does not detect a threat and you need to determine which files are infected, if any.

1. SymDiag - Check common load points for threats
The Symantec Diagnostic Tool (SymDiag) collects technical diagnostic data for many Symantec products. The Threat Analysis Scan in SymDiag lets you determine the risk level of files that are launched automatically on your computer.

2. Heuristics - Increase the heuristic level of your Symantec Endpoint Protection program
Increasing the heuristic level allows Symantec Endpoint Protection to detect more threats based on their behavior.

3. Network Scanning - Configure Auto-Protect to allow network scanning
Network scanning allows Auto-Protect to scan files that the computer accesses from remote computers.
This helps prevent malware from spreading and can result in identification of the threat in cases where Auto-Protect is not functioning on an infected computer.

Additional resources within Endpoint Protection for identifying the threat and its behaviors
Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an enterprise environment.
Basic steps:
Advanced steps:

Step 2. Identify the infected computers
Once you have identified the threat, you must determine whether other computers are infected. You can use the Endpoint Protection Manager to identify infected computers (see Using Endpoint Protection Manager reports and logs to identify infected computers for details), but some circumstances may require additional methods.

(Recommended) Update virus definitions with a signature file that detects the variant of the threat

(Good) If virus definitions are not available for the threat, or if parts of the network are not protected by Endpoint Protection, use other means to identify possibly infected computers.
Monitor DNS server logs or perimeter firewall logs for the external IP address or URL that the threat uses for communication. This should reveal which computers may be infected.

Tips for identifying infected computers
Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an enterprise environment.

Step 3. Quarantine the infected computers
After you have identified a threat and you understand how it spreads, you must prevent it from spreading through the network. It is critical that you remove the compromised computer from the network or add it to a "quarantine network." Otherwise, the threat will spread as it infects other computers on the network.

(Recommended) Remove the infected computer from the network
Physically unplug the network cable from the infected computer and disable all wireless connections.
(Good) Move the infected computer to a quarantine network
On occasion, a compromised computer is mission-critical and cannot be isolated from the network. In some cases, depending on the infection, such computers can be isolated in so-called quarantine networks with heavily restricted network access. Naturally, this only works where the threat's activity does not coincide with the functions that the compromised computer must provide. The quarantine network itself is a carefully configured subnet designed to restrict the traffic that the threat needs to propagate to other computers, while allowing the infected computer some restricted form of use.
(Exception) When removal from the network or quarantine is not possible
Due to business need, you may not be able to quarantine some infected systems or remove them from the network. You may need to configure special rules that allow them to function within their current subnet while still preventing the threat from spreading. This may include any combination of the following actions, depending on the attack vector used by the threat.
Caution: This action carries a high degree of risk. Seriously evaluate the risk before you follow these steps. Learn more in .
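Step 2 suggests sweeping DNS server and perimeter firewall logs for the indicator the threat uses to communicate; the hosts that come out of that sweep are exactly the ones Step 3 has to isolate. The script below is an added example of that sweep and is not Symantec code. The log line formats, the internal address range, and the indicators (a domain under the reserved .invalid TLD and a TEST-NET-3 address) are all constructed for the example; in practice the indicators come from the vendor's threat write-up or your own analysis.

```python
"""Sweep DNS and perimeter-firewall logs for hosts that contacted a threat's indicator.

Added example for Steps 2 and 3 above; not Symantec code. Log formats and
indicators are constructed samples.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicators (placeholders, not real IoCs).
THREAT_DOMAINS = {"update-check.example.invalid"}
THREAT_IPS = {"203.0.113.45"}          # TEST-NET-3, documentation range only

# Constructed DNS server log, simplified to: <date> <time> <client-ip> <query-name>
DNS_LOG = """\
2024-05-01 08:01:12 10.0.4.21 www.example.com
2024-05-01 08:01:15 10.0.4.37 update-check.example.invalid
2024-05-01 08:02:03 10.0.4.21 update-check.example.invalid
2024-05-01 08:02:40 10.0.4.58 mail.example.com
"""

# Constructed perimeter firewall log in key=value style.
FIREWALL_LOG = """\
ts=2024-05-01T08:03:10 action=allow src=10.0.4.21 dst=203.0.113.45 dport=443
ts=2024-05-01T08:03:12 action=allow src=10.0.4.99 dst=198.51.100.7 dport=443
ts=2024-05-01T08:03:30 action=deny src=10.0.4.73 dst=203.0.113.45 dport=8080
"""

DNS_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<qname>\S+)$")
FW_RE = re.compile(r"ts=(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def sweep_dns(log_text, domains=THREAT_DOMAINS):
    """Return {client_ip: [timestamps]} for clients that resolved a threat domain
    or any subdomain of it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in domains):
            hits[m.group("client")].append(m.group("ts"))
    return dict(hits)


def sweep_firewall(log_text, ips=THREAT_IPS):
    """Return {src_ip: [(timestamp, action)]} for internal hosts that contacted a
    threat IP. A 'deny' still counts: the host tried to reach it, so it is a
    candidate for isolation even though the perimeter blocked the connection."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m.group("dst") in ips:
            hits[m.group("src")].append((m.group("ts"), m.group("action")))
    return dict(hits)


def candidate_hosts(dns_text, fw_text, internal_net="10.0.0.0/8"):
    """Merge both sweeps into a sorted list of internal IPs to isolate (Step 3).
    internal_net is an assumed address range for the example network."""
    net = ipaddress.ip_network(internal_net)
    hosts = set(sweep_dns(dns_text)) | set(sweep_firewall(fw_text))
    return sorted((h for h in hosts if ipaddress.ip_address(h) in net),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    for host in candidate_hosts(DNS_LOG, FIREWALL_LOG):
        print("isolate:", host)
```

Note that the firewall sweep keeps denied connections as hits: a perimeter block stops the traffic, but the host that attempted it is still infected and still belongs on the isolation list.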
Additional resources within Endpoint Protection for quarantining infected computers
Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an enterprise environment.

Step 4. Clean the infected computers
With the threat isolated to individual computers, you can remove the threat and reverse its side effects. As you take the steps outlined in this section, you should assess the following:
1. Stop the viral process
In order to remove the malicious files from the computer, you must stop any processes used by the threat. There are three primary options for doing this.
2. Remove the malicious files
The simplest way to remove the threat from the computer is to run a full system scan on the compromised computer. With the latest definitions installed, the scan should be able to remove the threat in most cases without incident. If the threat is a worm or Trojan, you can manually remove the files.
Caution: Do not attempt manual removal of file infectors; it is impossible to determine which files are infected and which are not. The added complexity of threats makes it possible to overlook something when you attempt manual removal.

3. Restore changes made by the threat
Threats can make a number of changes to a computer in addition to installing files. Threats can also lower security settings and reduce system functionality through changes to the computer's configuration. In many cases, Endpoint Protection can restore these settings to the default security setting. Some cases require you to confirm settings or restore them manually after removing a threat. You can further adjust these settings to suit the needs of the network. There may be additional cases where Symantec software cannot reverse the changes because we are unable to determine the previous setting.

4. Check for registry changes
Threats create or modify registry entries that perform functions ranging from loading the threat when the operating system starts to granting Internet access through the Windows Firewall. Leaving these entries unchanged after the threat has been removed may cause error messages to appear as the computer boots or while the computer is in use. In some cases, this may prevent the user from logging in after they restart the computer. Remove or restore any registry items added by the threat to the computer's default setting or, if possible, to a more secure setting. You can do this manually, with a script, or with a Group Policy Object.

5. Check system files and software
Threats may tamper with several of the files that the operating system uses. When cleaning a computer, check the following items for signs of modification:
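Item 4 above says to find and restore registry entries the threat added, and that a script is one way to do it. The script below is an added example of that approach and is not Symantec code: it parses the text format that regedit and `reg export` write (.reg files) and diffs the Run load points of the suspect machine against an export taken from a clean build of the same image. The two exports, the user name, and the suspicious file paths are constructed samples; only REG_SZ and REG_DWORD values are parsed, which is enough for Run keys.

```python
"""Compare autorun (Run key) registry entries against a known-good baseline.

Added example for item 4 ("Check for registry changes") above; not Symantec
code. The .reg text format is Microsoft's; the exports below are constructed.
"""
import re

# Load points that threats commonly abuse to start with the operating system.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed baseline export from a clean build of the same image.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# Constructed export from the compromised machine: one value added, one changed.
CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"svchosts"="C:\\Users\\Public\\svchosts.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\Public\\updater.exe"
'''

# "name"=data, where the name may contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name, data = _unescape(m.group("name")), m.group("data")
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            # hex:, hex(2): and multi-line values are out of scope for Run keys.
    return keys


def diff_autoruns(baseline_text, current_text, keys=AUTORUN_KEYS):
    """Return {key_path: {"added": {...}, "modified": {...}, "removed": {...}}}
    for each load point whose values differ from the baseline."""
    base, cur, report = parse_reg(baseline_text), parse_reg(current_text), {}
    for key in keys:
        b, c = base.get(key, {}), cur.get(key, {})
        added = {n: c[n] for n in c.keys() - b.keys()}
        removed = {n: b[n] for n in b.keys() - c.keys()}
        modified = {n: (b[n], c[n]) for n in b.keys() & c.keys() if b[n] != c[n]}
        if added or removed or modified:
            report[key] = {"added": added, "modified": modified, "removed": removed}
    return report


if __name__ == "__main__":
    for key, changes in diff_autoruns(BASELINE_REG, CURRENT_REG).items():
        print(key)
        for kind, entries in changes.items():
            for name, data in entries.items():
                print(f"  {kind:9} {name!r} -> {data!r}")
```

A modified entry is as important as an added one: a threat that overwrites the command of an existing, legitimately named value survives a review that only looks for unfamiliar names. Restore each flagged value to the baseline data rather than simply deleting it, so that legitimate software keeps starting.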
6. Reintroduce computers to the network
After you have successfully cleaned a computer, Symantec recommends one final safety check: an antivirus scan with the latest definitions. If the scan comes back clean, reconnect the computer to the production network.
Note: Connect only a few computers at a time to ensure that you have properly remediated the threat and that no secondary symptoms present themselves.

Additional tips for cleaning infected computers with Endpoint Protection
Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an enterprise environment.

Step 5. Post-op and prevent a recurrence

Incident review and network audit
After you have removed the threat, you should perform the following:
Some people believe that security and usability are inversely proportional: an increase in security increases the steps needed to perform a task. Ease of use, while more efficient, can open security holes that make it easier for threats to spread. The weak points in a network are usually the technologies that make computers more accessible and user-friendly.

The myth of re-infection
Under normal circumstances and with best practices in place, threats cannot re-infect a protected hard drive without the security software detecting them. If this seems to happen, re-examine the system and security software configuration. Also review the following security weak points and ensure that you have closed the common attack vectors.

Patching vulnerabilities
Malicious code can exploit vulnerabilities caused by software flaws. You can repair these flaws and prevent security incidents by applying the patches provided by the software vendor. You should have a patch and configuration management policy in place for your network to test new patches and roll them out to client computers.
Windows AutoPlay (AutoRun)
AutoPlay is a Windows feature that lets users choose which program opens or plays files from CDs, DVDs, and removable drives such as USB. This feature has become one of the largest attack vectors in the enterprise environment. While removable drives may provide an initial source of infection, most network drives also use AutoPlay. AutoPlay allows threats to attack from a network drive as soon as a user maps the drive. Antivirus software is designed to scan the local hard drive; therefore, the threat can attack the client computer without detection or prevention unless additional measures, such as Network Auto-Protect, are employed. To protect your network, you should disable AutoPlay. You can do this on individual computers, push the setting to client computers using the Group Policy editor, configure a policy in Endpoint Protection, or entirely disable the external media ports on the computer from within the BIOS.
Caution: A known Windows vulnerability may turn AutoPlay back on unless you apply specific Windows patches.

Network shares
Access to all network shares should require a strong password that is not easily guessed. "Open shares" are network shares that rely on the user's inherited permissions to validate access. Open shares do not require additional authentication, which allows threats to spread very fast. Because of this, you should minimize the use of open shares as much as possible. When they are essential to business continuity, open shares should have their write and execute privileges restricted. If a user only needs to obtain files from a source, grant them read access. For added security, you can limit write access for users who need file-transfer capabilities to a "temporary" storage folder on a file server, which you clear semi-regularly. Limit execution permissions to administrators or power users who have such a need. Symantec also recommends disabling or limiting access to other types of shares:
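The AutoPlay section above says to disable AutoPlay, and notes that network drives are the case most often overlooked. Whichever of the listed methods you use (local setting, Group Policy, or an Endpoint Protection policy), what ends up on the client is the NoDriveTypeAutoRun policy value under Policies\Explorer, a bitmask in which each set bit disables AutoRun for one drive type. The script below is an added example, not Symantec code, that decodes that bitmask and reports which drive types still have AutoRun enabled; the registry location and bit layout are Microsoft's documented policy and are not taken from this page. On Windows it reads the live HKLM and HKCU values; elsewhere it audits two constructed sample values.

```python
"""Audit the NoDriveTypeAutoRun policy that controls Windows AutoPlay/AutoRun.

Added example for the "Windows AutoPlay (AutoRun)" section above; not Symantec
code. Bit layout and registry path follow Microsoft's documentation for the
policy; the sample values are constructed.
"""
import sys

# Bit -> drive type. A set bit disables AutoRun for that type; 0xFF disables all.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB, floppy)",
    0x08: "fixed (local hard disk)",
    0x10: "network (mapped drives)",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "unrecognised type",
}
DISABLE_ALL = 0xFF
POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def autoplay_enabled_types(mask):
    """Return the drive types on which AutoRun is still enabled for a mask.
    A missing value (None) means the policy sets nothing, so no type is disabled
    by it."""
    if mask is None:
        mask = 0
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def assess(mask):
    """Return (compliant, open_types). Compliant means every drive-type bit is
    set, i.e. the 0xFF value that fully disables AutoRun as the text advises."""
    open_types = autoplay_enabled_types(mask)
    compliant = mask is not None and (mask & DISABLE_ALL) == DISABLE_ALL
    return compliant, open_types


def read_live_masks():
    """On Windows, read the value from HKLM and HKCU; returns {hive: mask_or_None}.
    On other platforms returns {} so the caller can fall back to samples."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    results = {}
    for label, hive in hives:
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _type = winreg.QueryValueEx(key, VALUE_NAME)
                results[label] = value
        except OSError:          # key or value absent: policy not configured
            results[label] = None
    return results


if __name__ == "__main__":
    # Constructed samples: a fully locked-down value and a partial one that
    # still leaves removable, fixed and optical drives open.
    samples = read_live_masks() or {"sample-locked": 0xFF, "sample-partial": 0x91}
    for label, mask in samples.items():
        compliant, open_types = assess(mask)
        print(f"{label}: mask={mask!r} compliant={compliant} open={open_types}")
```

Run this against both hives: a machine can carry a compliant HKLM value while a per-user HKCU value set by other software leaves some drive types open, and the audit should surface both.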
The problem with the aforementioned shares is that regardless of whether strong passwords are in place, once a user is logged on to a system with elevated rights, any threat present can use the credentials to access Admin$ or IPC$ shares available on the network. Once the user logs in, their rights and permissions are implicit -- the door has been unlocked. Anything accessible through the user's account will also be accessible to anything that impersonates the account.

Network share best practices
While not as prevalent as they once were, email attachments are still used by attackers to spread malicious code. Most mail servers provide the ability to strip certain attachment types from emails. Limiting the types of files that are valid as attachments handicaps many threats' ability to spread. Investing in antispam software is another way of reducing exposure to threats. Doing so reduces the number of phishing scams and spam messages that reach end-users, and thus the network as a whole.

Firewalls and other tools
Perimeter firewalls are critical to protecting the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks, and are critical to managing today's threat landscape. Beyond basic firewalls, network- and host-based Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can help monitor unwanted activity on the network and, in many cases, stop or alert on the offending traffic in real time. Many client-side firewalls today provide these features.

User education
An educated end-user is a safer one. Ensure that your users understand the basics of safe computing, such as the following:
Emergency response team and plans
Even after you complete all of these tasks, you need to prepare for the worst-case scenario. Draft a plan that details how to respond to a potential outbreak, and assign tasks and responsibilities to members of your emergency response team. When drafting a response plan, ask and answer the following questions:
Having plans in place for these situations makes dealing with them much easier and saves both time and money.

Basic security best practices
Symantec Security Response encourages all users and administrators to adhere to the following basic security best practices:
Additional resources and information

Rapid release virus definitions
Use rapid release virus definitions when facing an outbreak or when Technical Support or Symantec Security Response suggests their use. The primary focus of these detection signatures is the rapid detection of newly emerging threats. Rapid release virus definitions have undergone basic quality assurance testing by Symantec Security Response. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, rapid release virus definitions may pose some risks, such as a higher potential for false positives. Rapid release virus definitions are most useful for perimeter defenses, or for all protection tiers as a means of mitigating fast-spreading virus outbreaks. These signatures are released approximately once per hour. Learn how to update Endpoint Protection Manager with rapid release virus definitions so that it can update clients as they check in.

Virus submissions to Symantec
If you believe that a threat has infected a file and Endpoint Protection has not detected the threat, submit the suspicious file to Symantec Security Response.

Customers
Customers making submissions to Security Response are encouraged to create a support case at the same time. This allows the support representative to confirm that you have submitted to the correct queue, which dramatically affects the ability of Symantec Security Response to provide a timely response.