I’ve been involved in security for roughly 12 to 13 years now. I can honestly say that over the last 2 years, I have seen more successful virus outbreaks with more detrimental effects than ever before. I personally believe this is a result of a true dynamic shift in the threat landscape. Better coded viruses using encryption techniques, random-pseudo code, profit-driven attacks, as well as team oriented assaults, are just some of the reasons we are seeing this shift. I have also seen a vast number of posts here lately with cases of infection where the person has no idea what to do.
Products like Symantec Endpoint Protection (SEP) do an absolutely phenomenal job at preventing these new threats. Proactive Threat Protection and Network Threat Protection (PTP/NTP) simply rock. However, we know that unfortunately, not everyone is running SEP. This article is meant to provide a generalized review of what to do when you’re infected with a virus. It’s not meant to dissect the granular characteristics of a particular virus and its removal procedures; rather, it’s designed to show you the 30,000 foot view of the steps you need to take to address almost any virus.
We will follow a four-step approach: Assess, Design, Deploy, and Examine.
1. Assess the situation
First and foremost, remain calm. The first step in any virus outbreak is to thoroughly assess the situation before making any rash decisions.
Next, we need to know what we’re dealing with, so identifying the virus is the primary focus. In most cases your anti-virus (AV) software will identify it, and that should be the first method you use; the detection name it reports is also the key you need to look up the vendor’s write-up. After identifying the virus, start some preliminary research on it and learn every characteristic of it you possibly can:
a. How did the host become infected?
- Outdated Security Patches
- No AV software
- Outdated AV defs
- Other mechanisms
b. How does it spread?
c. What changes does it make to the compromised host?
d. Does the virus pose an immediate threat to the confidentiality, availability or integrity of company resources and data?
A site such as Symantec’s Security Response (http://www.symantec.com/security_response/index.jsp) is a great resource. It outlines the precise characteristics of the virus and also gives detailed removal procedures.
Next, take stock of the countermeasures you already have in place that can blunt some of the virus’s effects: AV, firewalls, IDS, GPO settings, and so on. This inventory will be useful when designing your remediation plan.
Some viruses have more dramatic effects on your network than others. Knowing absolutely everything the virus does, from the top down, is essential.
2. Design the Remediation Plan
Now that we know everything about the virus, we can design an efficient remediation plan that not only prevents the virus from propagating but also removes it from the infected hosts. Designing your remediation plan starts with prioritization: order your steps based on the effects the virus is having on your network.
Maybe the virus’s propagation is causing such a widespread Denial of Service on your network that it has completely prevented the organization from doing business. In that case you would prioritize the tasks that address the propagation behaviour causing the outage, in order to restore business functionality.
Prioritize your remediation tasks based on factors such as the following:
- Virus’s risk to the organization
- Complexity of the remediation task
- Value and effectiveness of the remediation task
Think about all the different countermeasures you can deploy in these situations. If you know a trait of the virus is to attempt to connect to particular external hosts, consider blocking those hosts at the firewall; the denied connections that then show up in the firewall log also tell you which internal hosts are infected. If you realize the virus is using open network shares to spread, consider temporarily disabling those shares. If the virus propagates on a particular TCP/UDP port, consider ACLs or firewall rules to temporarily block that port.
At this stage we also need to understand what it takes to remove the virus from the infected hosts. Reviewing the Symantec Security Response write-up for your specific virus will ensure you are following the removal steps that virus actually requires. In most cases, AV software such as SAV/SEP will be able to perform these operations; it is the first step in any removal process and in most cases the most efficient and effective method of removal. For some of the more widespread viruses, security firms create dedicated removal tools, which let you automate some of the tasks involved in removing the virus and any remnants.
Some of the more advanced viruses may require additional removal strategies, such as deleting registry keys, deleting files, and in the worst case, re-imaging the host. When applicable, use your existing resources to perform these tasks. Often, GPOs can be used to remove remnants of the virus, or to run a script that performs specific operations.
3. Deploy the Remediation Plan
One of the most common faults in deploying the remediation plan is a lack of testing. Before rolling out any specific strategy, test it thoroughly to ensure your mitigation techniques do not cause a bigger headache than the one you’re already dealing with. Documenting your specific tasks is also important: it lets you evaluate the effectiveness of your procedures, and it acts as a contingency so you can revert to the previous baseline in case of any adverse effects.
Implementing the remediation plan should be a phased approach, when possible. A phased approach lets you evaluate the strength of each individual remediation task. However, in some cases you will need to deploy these tasks aggressively to combat the intrusive characteristics of the virus.
Often your remediation tasks will involve:
• Installing AV software
• Updating definitions
• Analyzing why definitions didn’t get updated
• Updating security patches for OS and applications
• Creating unique controls or changes to prevent the virus from propagating
• Virus removal procedures
• GPO’s, scripts, removal tools, etc.
• Forensics follow up (identifying the source of infection)
Part of the remediation plan should also address how the hosts became infected in the first place, and mitigate that risk. Often it’s as simple as not having anti-virus software, having out-of-date anti-virus definitions, or not having the latest security patches installed for your operating system and applications. Realize that procedures should already have been established and in place to address these risks.
There are usually many variables associated with remediation, and managing the many different tasks can be a challenge in and of itself. Creating a remediation plan and using a prioritized approach will increase your odds of success.
4. Examine the Results
Following up on your remediation tasks is an ongoing objective, to ensure your procedures are working. Conducting recurring anti-virus scans should also be a top priority. Keep an eye out for new variants by keeping a close watch on AV/IDS/firewall logs, or any other trait of the virus you can monitor for. As an example, you can use SEP to create notifications that will alert you when a virus has been identified.
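As an added example of watching firewall logs for the traits gathered in the Assess step (this is not code from the original article or from any vendor), the script below reads a simplified firewall log and flags two behaviours of a hypothetical virus: contact with its known external hosts, and one internal host opening connections to many different peers on the port it spreads over. The log format, the virus profile (the `PROFILE` dict) and the sample log lines are all constructed for the example; the addresses are RFC 5737 documentation ranges and private space, not real hosts.

```python
"""Flag infected hosts from a firewall log using a virus profile.

Added example, not from the original article. Assumes a simplified,
hypothetical log format with one connection per line:
    <timestamp> <ALLOW|DENY> <src_ip> <dst_ip> <proto> <dst_port>
"""
from collections import defaultdict

# Hypothetical virus profile from the Assess step (constructed for the example).
PROFILE = {
    "c2_hosts": {"203.0.113.7", "198.51.100.23"},  # external hosts the virus calls
    "propagation_ports": {445},                   # port it spreads over
    "scan_threshold": 5,  # distinct targets on a propagation port before flagging
}

# Constructed sample log. 10.0.0.12 is sweeping the subnet on 445 (some of it
# already blocked by a containment rule), 10.0.0.33 tries to reach a C2 host
# and is denied, and 10.0.0.20/21 are normal clients talking to one file server.
SAMPLE_LOG = """\
2009-03-01T10:00:01 ALLOW 10.0.0.12 10.0.0.13 TCP 445
2009-03-01T10:00:01 ALLOW 10.0.0.12 10.0.0.14 TCP 445
2009-03-01T10:00:02 ALLOW 10.0.0.12 10.0.0.15 TCP 445
2009-03-01T10:00:02 DENY 10.0.0.12 10.0.0.16 TCP 445
2009-03-01T10:00:03 DENY 10.0.0.12 10.0.0.17 TCP 445
2009-03-01T10:00:03 DENY 10.0.0.12 10.0.0.18 TCP 445
2009-03-01T10:00:04 ALLOW 10.0.0.20 10.0.0.5 TCP 445
2009-03-01T10:00:05 ALLOW 10.0.0.21 10.0.0.5 TCP 445
2009-03-01T10:00:06 DENY 10.0.0.33 203.0.113.7 TCP 80
2009-03-01T10:00:07 ALLOW 10.0.0.21 192.0.2.10 TCP 443
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, action, src, dst, proto, port = fields
    try:
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "proto": proto, "port": port}


def analyze(log_text, profile):
    """Return findings sorted by priority: C2 contacts first, then scanners.

    Denied connections count as well: a host that *tries* to reach a C2
    address is infected even though the firewall block stopped it.
    """
    c2_contacts = defaultdict(set)                       # src -> C2 hosts hit
    targets = defaultdict(lambda: defaultdict(set))      # src -> port -> dsts
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["dst"] in profile["c2_hosts"]:
            c2_contacts[rec["src"]].add(rec["dst"])
        if rec["port"] in profile["propagation_ports"]:
            targets[rec["src"]][rec["port"]].add(rec["dst"])

    findings = []
    for src, hosts in c2_contacts.items():
        findings.append({"host": src, "reason": "c2-contact",
                         "detail": sorted(hosts), "priority": 1})
    for src, per_port in targets.items():
        for port, dsts in per_port.items():
            if len(dsts) >= profile["scan_threshold"]:
                findings.append({"host": src, "reason": f"scan-port-{port}",
                                 "detail": len(dsts), "priority": 2})
    findings.sort(key=lambda f: (f["priority"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, PROFILE):
        print(f"P{f['priority']} {f['host']:<12} {f['reason']:<14} {f['detail']}")
```

The scan check counts distinct destinations per source, so a client that hits one file server many times is not flagged while a host sweeping the subnet is. Running this over each day’s log after the cleanup is one concrete way to do the “keep a close watch” follow-up: a host that reappears in the findings is either reinfected or was never cleaned.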
If you think it’s as simple as executing the remediation plan to remove all of your risks, think again. Now you need to make sure something like this doesn’t happen again. Once you’ve identified how the virus infected the hosts, you need to eliminate that risk, or at least reduce the likelihood of it happening again.
Turn the remediation plan into a standard so that these risks no longer pose such a significant threat. Work to provide proactive security updates to both operating systems and applications. Continue to assess the risk to your organization through vulnerability assessments, audits, and internal reviews.
The primary solution to address the threats viruses pose to our assets is a properly configured SEP deployment. SEP has the capability to protect us against the vast amount of trojans, viruses, and the many other forms of malware out there today. It’s still just as important to recognize the other elements of virus risk, by proactively ensuring you are following best practice security guidelines.