
by Shaun Bertrand | Security Practice Lead | Creative Breakthroughs, Inc.
We have been involved in security for 13 years. Over the last 2 years, we have seen more successful virus outbreaks, with more detrimental effects, than ever before. This is due to a genuine shift in the threat landscape. Better-coded viruses using encryption techniques and randomized code, profit-driven attacks, and team-oriented assaults are just some of the reasons for this shift. We have also seen a vast number of posts lately describing infections where the customer has no idea what to do.
Products like SEP do an absolutely phenomenal job of preventing these new threats. PTP/NTP simply rock. However, we know that unfortunately not everyone is running SEP. This article provides a generalized review of what to do when infected with a virus. It’s not meant to dissect the granular characteristics of a particular virus and its removal procedures; rather, it’s designed to illustrate at a 30,000-foot level what steps should be taken to address almost any virus.
First and foremost, remain calm. The first step in any virus outbreak is to thoroughly assess the situation before making any unplanned decisions.
Next, we need to know what we’re dealing with. Identifying the virus should be our primary focus. Generally, identifying the virus is not a problem using anti-virus (AV) software, and that should be your first method. After identifying the virus, gather some preliminary research on it. Understand as many of the virus’s characteristics as you possibly can.
A site like Symantec’s Security Response (http://www.symantec.com/security_response/index.jsp) is a great resource. It outlines the precise characteristics of the virus and also gives detailed removal procedures.
Next, work to understand what existing countermeasures you have available to prevent some of the virus’s effects: AV, firewall, IDS, GPO settings, etc. This will be useful in designing your remediation plan.
Some viruses have more dramatic effects on your network than do others. Knowing absolutely everything the virus does from the top down is essential.
Now that we know everything about the virus, we can design an efficient remediation plan, not only to prevent the virus from propagating but also to remove it from the infected hosts. Designing your remediation plan starts with prioritization: prioritize your steps based on the impact the virus is having on your network.
Maybe the virus’s propagation is causing such a widespread denial of service on your network that it has completely prevented the organization from doing business. In this case, you would want to prioritize the tasks around the propagation variables causing this outage, in order to restore business functionality.
Prioritize your remediation tasks based on some of the following variables…
Consider all the different countermeasures available in your situation. If you know that one trait of the virus is to attempt to connect to particular external hosts, consider blocking those hosts at the firewall. If you realize the virus is using open network shares to spread, consider temporarily disabling those shares. If the virus propagates on a particular TCP/UDP port, consider ACLs or firewall rules to temporarily block that port.
At this stage we need to understand what we can do to remove the virus from the infected hosts. Reviewing the Symantec Security Response write-up for your specific virus will ensure you are following the specific removal tasks required. In most cases, AV software such as SAV/SEP will have the capability to perform these operations. It is the first step in any removal process and, in most cases, the most efficient and effective method of removal. For some of the more prevalent viruses, security firms will create dedicated removal tools, which allow you to automate some of the tasks involved in removing the virus and any remnants.
Some of the more advanced viruses may require additional removal strategies, such as deleting registry keys, deleting files, and in the worst case, re-imaging the host. When applicable, utilize your existing resources to perform these tasks. Oftentimes, GPOs can be used to remove remnants of the virus, or to run a script that performs specific operations.
One of the most common faults in deploying the remediation plan is a lack of testing. Before rolling out any specific strategies, test them thoroughly to ensure your mitigation techniques do not cause a bigger headache than what you’re already dealing with. Documenting your specific tasks is also important, both so you can evaluate the effectiveness of your procedures and so the documentation serves as a contingency for reverting to the previous baseline in case of any adverse effects.
Implementing the remediation plan should be a phased approach, when possible. A phased approach will allow you to evaluate the strength of each unique remediation task. However, in some cases you will need to deploy these tasks aggressively to combat the intrusive characteristics of the virus.
Oftentimes your remediation tasks may involve:
Part of the remediation plan should also address how the hosts became infected in the first place, and how to mitigate that risk. Oftentimes it’s as simple as not having anti-virus software, having out-of-date anti-virus software, or lacking the latest security patches for your operating system and applications. Realize that procedures should already have been established and in place to address these risks.
There are typically many variables associated with remediation. Managing the many different tasks can sometimes be a challenge in and of itself. Creating a remediation plan and using a prioritized approach will help increase the probability of success.
Following up on your remediation tasks will be an ongoing objective, to ensure your procedures are working. Conducting recurring anti-virus scans should also be a top priority. Keep an eye out for new variants by watching AV/IDS/firewall logs closely, or any other traits of the virus you can monitor for. As an example, you can use SEP to create notifications that will alert you when a virus has been identified.
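As an added example (not from the article, and not Symantec code), the following Python script turns the prioritization and log-watching advice above into a routine: it correlates constructed AV and firewall log lines against a virus’s known traits (contacting particular external hosts, spreading over a particular port) and ranks the hosts that need attention first. The virus name, addresses, host names and log formats are all hypothetical.

```python
"""Rank infected hosts for remediation by correlating AV and firewall log lines
against a virus's known traits. Every name, address and log line here is constructed."""
import re
from collections import defaultdict

TRAITS = {"name": "W32.Example",                         # hypothetical detection name
          "c2_hosts": {"203.0.113.10", "198.51.100.7"},  # documentation-range addresses
          "propagation_port": 445}
# Constructed inventory: AV logs name hosts, firewall logs show source IPs.
INVENTORY = {"WS-0412": "10.0.4.12", "WS-0419": "10.0.4.19", "WS-0420": "10.0.4.20"}
AV_LOG = """\
2009-03-02 09:14:02 host=WS-0412 action=quarantine threat=W32.Example
2009-03-02 09:15:30 host=WS-0419 action=left_alone threat=W32.Example
2009-03-02 09:16:11 host=WS-0420 action=quarantine threat=Trojan.Other
"""
FW_LOG = """\
2009-03-02 09:14:05 src=10.0.4.12 dst=203.0.113.10 dport=80 action=allow
2009-03-02 09:14:40 src=10.0.4.19 dst=10.0.4.33 dport=445 action=allow
2009-03-02 09:14:41 src=10.0.4.19 dst=10.0.4.34 dport=445 action=allow
2009-03-02 09:14:42 src=10.0.4.19 dst=10.0.4.35 dport=445 action=allow
2009-03-02 09:15:00 src=10.0.4.50 dst=10.0.4.51 dport=445 action=allow
"""
AV_RE = re.compile(r"host=(\S+) action=(\S+) threat=(\S+)")
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def score_hosts(av_log, fw_log, traits, inventory, spread_threshold=3):
    """Return {host: [(weight, reason), ...]}; the sum of weights ranks urgency."""
    ip_to_host = {ip: host for host, ip in inventory.items()}
    hits, port_targets = defaultdict(list), defaultdict(set)
    for m in filter(None, map(AV_RE.search, av_log.splitlines())):
        if m.group(3) == traits["name"]:
            # A detection the AV could not clean is a live infection and weighs more.
            hits[m.group(1)].append((1, "AV quarantined") if m.group(2) == "quarantine"
                                    else (3, "AV could not clean"))
    for m in filter(None, map(FW_RE.search, fw_log.splitlines())):
        host, dst, port = ip_to_host.get(m.group(1), m.group(1)), m.group(2), int(m.group(3))
        if dst in traits["c2_hosts"]:              # trait: calls out to known external hosts
            hits[host].append((3, f"contacted {dst}"))
        if port == traits["propagation_port"]:    # trait: spreads over this port
            port_targets[host].add(dst)
    for host, targets in port_targets.items():    # many distinct targets = actively spreading
        if len(targets) >= spread_threshold:
            hits[host].append((4, f"reached {len(targets)} hosts on port {traits['propagation_port']}"))
    return dict(hits)

def remediation_order(hits):
    """Hosts to address first: highest total weight, then name for a stable order."""
    return sorted(hits, key=lambda h: (-sum(w for w, _ in hits[h]), h))
```

With the sample data, WS-0419 (detection not cleaned, scanning three neighbours on port 445) ranks ahead of WS-0412 (quarantined sample that still called out to a listed external host), and the host with a single port 445 connection stays below the spread threshold and is not flagged.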
If you think it’s as simple as executing the remediation plan to remove all of your risks, think again. Now you need to make sure something like this doesn’t happen again. Once you’ve identified how the virus infected the hosts, you need to eliminate that risk, or reduce the likelihood of it recurring.
Develop a standard out of the remediation plan to ensure these risks no longer pose such a significant threat. Work to provide proactive security updates to both operating systems and applications. Continue to assess the risk to your organization through vulnerability assessments, audits, and internal reviews.
The primary solution for addressing the threats viruses pose to our assets is a properly configured SEP deployment. SEP has the capability to protect us against the vast number of trojans, viruses, and the many other forms of malware out there today. It’s still just as important to recognize the other elements of virus risk by proactively ensuring you are following best-practice security guidelines.

