9 Replies Latest reply on Feb 12, 2009 3:21 AM by SergeM

    Best practices : Virus/malware detected, what do you do ?

    SergeM
      Hi,

I'd like to know/see what you guys do when you find out you have a compromised PC. (What would "best practices" be?)
I can see several possible situations:

      • you find out in the Event Logs that one PC (VSE) detected an infection but for some reason it couldn't fix it (handle it)
      • one (or a few) system reports a lot of Critical alerts (VSE) with information that a file is infected with a backdoor - assuming the threat was handled...
      • system reports critical alerts (VSE) ; some system (?) file is infected with a backdoor - assuming the threat was not handled...
      • no installed product (VSE) reports anything, but network logs show "unusual" activity from one or a few PCs
      • VSE reports an infected boot record
What would you recommend doing? Or what would you do?

      thanks in advance
      Serge
        • 1. RE: Best practices : Virus/malware detected, what do you do ?
          New image?
          Put no regular users or regular user groups in the local Administrators group?

IMHO if you avoid using Admin accounts on systems you will see a complete absence of infections like these.

          reg, Henno
          • 2. RE: Best practices : Virus/malware detected, what do you do ?
            SergeM


While your suggestions may be pertinent, they do not apply...

            Once you _have_ an infected system... what do you do about it?

Now pushing a new image is interesting... in a way. It fixes that situation but not the whole thing. :(

I was also thinking in terms of... "with all the security measures we have, firewalls, antivirus and so on... how was the system infected?"...
Having an infected system proves to me that there's a hole in my security. I feel I need to identify the hole and plug it. (Hence my vision of "best practices" :cool:)


(Besides, believing that it is possible to "see a complete absence of infections" is IMHO not realistic. I have +8'000 users... some of which will sometimes work as admins. I know I will have infected systems "someday"... "Make it foolproof, and someone will make a better fool")
            • 3. RE: Best practices : Virus/malware detected, what do you do ?
              tonyb99
Re: not knowing what something is, or suspicious activity, some of the general things I do are:

              run process explorer to look for unusual processes
              check the windows and system32 folders for new files
              check the application data and start menu startup folders for new files
              check the windows run keys/ explorer add on keys and winlogon keys in reg for unknown entries

              run malwarebytes and superantispyware and liveonecare online scanner

              any resultant files found I upload to www.virustotal.com

              once I have a list of other vendors ideas on what the issue is I can moan at webimmune until it goes in the dat, and usually remove it using malwarebytes or by clearing the reg keys and using pendmove utils to clear locked files.

if you have ideas on worms you can drop in temporary access protection rules to report on inbound and outbound traffic on specific ports or ranges as well, this is often pretty handy.

Re: any infection that gets picked up, I always (remotely) run full scans on the machine and profiles (including the removable drives option); depending on the detection I sometimes check the registry of the user and use the network keys to find out their general mapped drives and scan these too for autorun files etc.
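The checks tonyb99 lists above (run keys, Winlogon keys, startup folders, new files under the Windows folders), as an added example that is not code from the thread: it collects every autostart entry into one table and hashes recently created files so they can be looked up on VirusTotal by hash rather than uploaded. It assumes PowerShell 4 or later for Get-FileHash, admin rights on the box, and a cutoff of $BaselineDays days that is an assumed value.

```powershell
# Added example, not code from the thread: enumerate the autostart locations tonyb99 lists
# (Run keys, Winlogon Shell/Userinit, startup folders) and hash recently created files under
# the Windows folders so they can be looked up on VirusTotal by hash instead of uploaded.
# Assumes PowerShell 4+ (Get-FileHash) and admin rights; $BaselineDays is an assumed cutoff.
param([int]$BaselineDays = 7)

$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$startupDirs = @(
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Metadata properties Get-ItemProperty adds to its output; they are not registry values
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
  foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
      if ($p.Name -notin $psMeta) {
        [pscustomobject]@{ Location = $k; Name = $p.Name; Value = $p.Value }
      }
    }
  }
  # Shell and Userinit should point at explorer.exe and userinit.exe; anything else needs a look
  $wl = Get-ItemProperty -Path $winlogon
  foreach ($n in 'Shell', 'Userinit') {
    [pscustomobject]@{ Location = $winlogon; Name = $n; Value = $wl.$n }
  }
  foreach ($d in $startupDirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -File | ForEach-Object {
      [pscustomobject]@{ Location = $d; Name = $_.Name; Value = $_.FullName }
    }
  }
}

# The "new files in windows and system32" check: anything created inside the cutoff window
$cutoff = (Get-Date).AddDays(-$BaselineDays)
$newFiles = Get-ChildItem -Path $env:SystemRoot, "$env:SystemRoot\System32" -File -ErrorAction SilentlyContinue |
  Where-Object { $_.CreationTime -gt $cutoff }

Get-AutostartEntries | Format-Table -AutoSize
# SHA-256 hashes can be searched on VirusTotal without sending the file itself
$newFiles | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path | Format-Table -AutoSize
```

For a machine you cannot sit at, the same script runs through Invoke-Command -ComputerName when PowerShell remoting is enabled, which covers the "access but not direct access" case.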
              • 4. RE: Best practices : Virus/malware detected, what do you do ?
                SergeM


For all those things you need (direct) access to the computer!?
Unfortunately, I have no real access to 95% of the computers under my surveillance...
What I usually can do is call or write an email to someone at a distant location and ask them to do something (not too complicated, as they're not always comp. geeks).

                But I'll keep that somewhere for further thinking (brainpicking ;)

                Serge

PS: I wonder, how do you identify false positives?
                • 5. RE: Best practices : Virus/malware detected, what do you do ?
                  tonyb99
                  access but not direct access

                  you can use remote registry/admin shares/wmi console to get most things

for false positives it's usually just brain work; if it's all normal and it's widespread and you shove it through virustotal... then it's generally false. Must admit you learn to hate generic.dx pickups though
                  • 6. RE: Best practices : Virus/malware detected, what do you do ?


I have created a few groups in EPO for immediate scans, which I can drop machines into to kick one off. I assume you are doing something similar, but I am wondering how much of an impact you have on your users with your setup. Hey Tony, how long would you estimate your full scans take?

Also, is this for McAfee events where a virus is detected and not removed, or for "removed successfully" also?

I ask because while I do see one-offs for "removed successfully", on occasion I will see multiple entries from the same machine for an infection which McAfee seems to be able to detect, but isn't able to get to the root of the cause, so it just keeps coming back. I target these machines with full scans, HJT/mbam, etc.

Are you doing something similar?
                    • 7. RE: Best practices : Virus/malware detected, what do you do ?
                      tonyb99


A full scan with high CPU takes between 30-90 minutes depending on the number of files and PC performance. We don't accept user complaints over the slowdown (or even notify them in most cases) as it's generally their fault :silly: I check on removed and not removed, as lots of the easy-to-remove ones have additional components that may still not be detected until a full scan.

If I get repetitions or unable to clean, I usually run malwarebytes and some of the online scanners, isolate the files concerned and upload them to virustotal. Then I use what I've found to kill it off, then upload it to webimmune so there is a chance it will get better removal/detection in the DATs.
                      • 8. RE: Best practices : Virus/malware detected, what do you do ?
                        SergeM
                        Hi,


I do something similar. Now about "how long the scans take", it depends on the scanned systems. On most systems here (fairly recent and powerful CPU) it takes about 2h at 30% CPU. However, there are some systems where it takes more than 5h.
I say "30% CPU" because we do this during work hours :sad: There's a policy here to shut down machines after working hours (during the night). Too bad, because that would be perfect for scans. There is an impact on users and we try to reduce it to the minimum.

                        As for events, for the moment, I do this for every (unexplained *) "detected and not handled" event but also when a machine shows multiple/recurrent infection.

                        On many/most machines/services we do a weekly full scan no matter what. I'd like to generalise this to all systems, but there that

                        cheers
                        serge


(*) unexplained, because often the "not handled" event is due to someone inserting an infected CD... in these cases, I try to rely on my instinct :rolleyes:
                        • 9. Undetected infections
                          SergeM
                          I forgot to mention that some infections are not detected by the AV.
                          We check the FW logs for systems that do unusual network traffic, connect to unusual websites or at undue hours (e.g. a user's PC trying to connect to some known malware site at night).
                          For these suspicious activities, we also do more thorough controls.

Again, a big question and issue here is to find out where the infection comes from... did the user get the virus in a mail? From a document?
Did other users get the same mail (and go undetected)? Did other users get similar mails/documents from the same source... etc.
How long did it take until the infection was detected? (IOW how long was the malware free to act undetected?)

                          (Guess where my headaches come from?)
                          S
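The firewall-log check SergeM describes above (PCs talking to known bad sites or at undue hours), as an added example that is not part of the original post: it reads firewall log lines, flags off-hours connections and watchlist destinations, and groups the hits per host so a machine with repeated hits stands out. The log format, the working-hours window, the host names and the watchlist entry are all constructed assumptions.

```powershell
# Added example, not from the thread: flag hosts whose firewall log shows outbound
# connections during off-hours or to a watchlist of destinations.
# Working hours, log format, host names and the watchlist entry are constructed assumptions.
$WorkStart = 7; $WorkEnd = 19                 # assumed working hours, 07:00 to 19:00
$Watchlist = @('bad-example.invalid')         # assumed watchlist entry (placeholder name)

# Constructed sample lines: date, time, source host, destination host, destination port
$fwLog = @'
2009-02-11 14:02:11 PC-0421 update.example.com 80
2009-02-11 23:41:07 PC-0421 bad-example.invalid 8080
2009-02-12 02:15:33 PC-0388 cdn.example.com 443
2009-02-12 09:30:00 PC-0512 bad-example.invalid 80
'@ -split "`n"

function Find-SuspiciousConnections {
  param([string[]]$Lines)
  foreach ($line in $Lines) {
    $f = $line.Trim() -split '\s+'
    if ($f.Count -lt 5) { continue }          # skip blank or malformed lines
    $ts = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
    $reasons = @()
    if ($ts.Hour -lt $WorkStart -or $ts.Hour -ge $WorkEnd) { $reasons += 'off-hours' }
    if ($Watchlist -contains $f[3]) { $reasons += 'watchlist-destination' }
    if ($reasons.Count -gt 0) {
      [pscustomobject]@{ Time = $ts; Host = $f[2]; Dest = $f[3]; Port = $f[4]; Why = ($reasons -join ',') }
    }
  }
}

$hits = Find-SuspiciousConnections $fwLog
$hits | Sort-Object Host, Time | Format-Table -AutoSize
# Hosts with more than one hit are the ones worth a closer look first
$hits | Group-Object Host | Where-Object { $_.Count -gt 1 } | Select-Object Name, Count
```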