Malware outbreaks have been in the news lately. Entire companies crippled by serious malware infections. They have paid ransoms to hackers in order to get their data back and their systems online.
Of course, you need to have good antivirus, firewall, and spam filtering solutions in place in order to prevent infections in the first place. But just one careless click by a user could spell disaster for your network. So, we recommend that you take some time now to put together a procedure for handling malware infections. Covering these key areas will save you valuable time should an infection happen on your network.
Antivirus alerting and reporting
While this isn’t a remediation step per se, it’s important to have a system in place that can quickly alert you to a potential infection -- rather than waiting for a user to call you with a “my computer is acting funny”.
Most enterprise antivirus systems have configurable alerting and reporting. Make sure you set these up -- and have them sent somewhere where you will see them. Also, look at alerting thresholds, so you don’t receive too many “false positives”. Which could cause you to ignore a real alert. For example, have it send an alert only if it cannot remediate an infection on its own. Or raise an alarm if you find the same type of malware on more than one computer on your network, or on the same computer multiple times. This way, you’ll be able to respond quickly to real, actionable malware alerts that need your attention.
Isolate the computer from the network
If you’ve confirmed an infection on a computer, just go ahead and pull the plug. Worms will often begin scanning the network for other computers to infect. Cryptolocker-type ransomware will quickly get to work destroying files on any and all network shares it can find. So just go ahead and pull the network cable, until you can figure out what type of infection you have and how to fix it.
Determine scope of malware infection
This is a good time to begin your “investigation”. Talk to the user to see if you can determine a source for the infection. If it was an email attachment, check with other users to make sure they didn’t open it. Check your AV console to see if there are any other instances of this malware on your network. And check any file servers that the user accesses in order to determine any file damages or infections -- if so, be sure to isolate the infection before restoring data.
Protect or recover data
If you determine that any shared data was damaged or infected, it’s time to start restoring from backup. Be sure that your short-term backups are still intact, and that your servers aren’t infected. But if you have a good backup solution in place, this should be relatively painless.
Remediate the workstation
Next, you’ll need to get the infected workstation back up and running. Depending on the severity of the infection, you may be able to clean up the workstation using some standard tools. (More on that in the next article!) However, it’s often best to have a procedure in place to start with a fresh install of Windows -- which is the safest route, especially after a severe infection.
Post-mortem and user training
After a malware infection is cleaned up and the damage has been undone, take the opportunity to do a post-mortem. Fnd out what happened, and how it can be prevented in the future.
You can interview the user (in a non-accusatory way) to determine where the infection came from. Use that information to review your defenses -- is there a solution that would have prevented the infection? It’s also a good opportunity for some user training -- reminding everyone not to click strange attachments, ignore security prompts, etc., while somewhat tedious, can be helpful in the aftermath of a particularly serious infection.
By taking just a bit of time to get your malware response procedure in place now, you can save valuable time should an infection hit your network.