Learn how to remove viruses on a network or troubleshoot and respond to active security threats.
Troubleshooting and responding to threats and viruses on a network involves the following:
Additional resources and information
To contain and eliminate a threat, you must know all of the threats that are present on the computer, and what the threats were designed to do. You must also understand which methods the threats use to propagate throughout the network.
To identify the threats, follow the instructions under the condition that applies, based on whether or not you have identified infected or suspicious files.
Symantec Endpoint Protection (SEP) detects a threat, and you need additional information about the threat; or, Endpoint Protection does NOT detect a threat, but you have identified a suspect file that you believe to be malicious.
Symantec Security Response can identify all known malicious files. In the event that additional information is required, submit the file to Symantec Security Response for further research. If the file is a new malicious file, Symantec Security Response can create virus definitions to detect it.
Network scanning allows Auto-Protect to scan files the computer accesses from remote computers. This helps prevent malware from spreading, and can result in identification of the threat in cases when Auto-Protect is not functioning on an infected computer.
Endpoint Protection does not detect a threat and you need to determine which files are infected, if any.
The Symantec Diagnostic Tool (SymDiag) collects technical diagnostic data for many Symantec products. The Threat Analysis Scan in SymDiag lets you determine the risk level of files that are launched automatically on your computer.
Increasing the heuristic level allows Symantec Endpoint Protection to detect more threats based on their behavior.
Network scanning allows Auto-Protect to scan files that the computer accesses from remote computers. This helps prevent malware from spreading and can result in identification of the threat in cases when Auto-Protect is not functioning on an infected computer.
Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.
Once you have identified the threat, you must determine if other computers are infected.
You can use the Endpoint Protection Manager to identify infected computers (see Using Endpoint Protection Manager reports and logs to identify infected computers for details), but there are circumstances that may require additional methods.
Monitor DNS server logs or perimeter firewall logs for the external IP address or URL the threat is using for communication. This should reveal which computers may be infected.
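The log review described above, as an added PowerShell example that is not part of the original article: it reads Windows DNS Server debug-log lines (the length-prefixed `(3)www(7)example(3)com(0)` name format) and simple firewall log lines, and reports which internal clients resolved or connected to an indicator. The log lines and the indicator domain and address are constructed placeholders; substitute the values from your own investigation.

```powershell
# Added example (not from the Symantec article): find which clients contacted a
# known indicator by reading Windows DNS Server debug-log lines and a simple
# firewall log. Log lines below are constructed samples in the debug-log style;
# the indicator values are placeholders, not real threat infrastructure.

# Placeholder indicators from your own investigation (hypothetical values).
$IndicatorDomains = @('c2-placeholder.example')
$IndicatorIPs     = @('203.0.113.45')   # TEST-NET-3 documentation range

# The DNS debug log writes names as length-prefixed labels: (3)www(7)example(3)com(0)
function ConvertFrom-DnsLabelName {
    param([string]$Label)
    $parts = [regex]::Matches($Label, '\((\d+)\)([^(]*)') | ForEach-Object { $_.Groups[2].Value }
    return (($parts | Where-Object { $_ -ne '' }) -join '.').ToLowerInvariant()
}

# Parse one debug-log line: returns the client IP and queried name, or $null.
function ConvertFrom-DnsDebugLine {
    param([string]$Line)
    # Only inbound queries ("Rcv") identify the client that asked.
    if ($Line -match '\s(UDP|TCP)\s+Rcv\s+(\d{1,3}(?:\.\d{1,3}){3})\s.*\]\s+\w+\s+(\(\d+\)\S+)') {
        return [pscustomobject]@{
            Client = $Matches[2]
            Name   = ConvertFrom-DnsLabelName $Matches[3]
        }
    }
    return $null
}

# Returns a hashtable: client IP -> reason it was flagged.
function Get-SuspectClients {
    param([string[]]$DnsLines, [string[]]$FirewallLines)
    $suspects = @{}
    foreach ($line in $DnsLines) {
        $q = ConvertFrom-DnsDebugLine $line
        if ($null -ne $q -and
            ($IndicatorDomains | Where-Object { $q.Name -eq $_ -or $q.Name.EndsWith(".$_") })) {
            $suspects[$q.Client] = "DNS query for $($q.Name)"
        }
    }
    foreach ($line in $FirewallLines) {
        # Constructed firewall format: <time> <action> <src-ip> -> <dst-ip>:<port>
        if ($line -match '\s(\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)' -and
            $IndicatorIPs -contains $Matches[2]) {
            $suspects[$Matches[1]] = "outbound connection to $($Matches[2]):$($Matches[3])"
        }
    }
    return $suspects
}

# Constructed sample lines (replace with Get-Content on the real log files).
$SampleDns = @(
    '3/12/2024 10:15:02 AM 0F2C PACKET  000000E3A1B2C3D0 UDP Rcv 10.0.0.25       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    '3/12/2024 10:15:07 AM 0F2C PACKET  000000E3A1B2C3E8 UDP Rcv 10.0.5.23       0003   Q [0001   D   NOERROR] A      (6)beacon(14)c2-placeholder(7)example(0)',
    '3/12/2024 10:15:07 AM 0F2C PACKET  000000E3A1B2C3E8 UDP Snd 10.0.5.23       0003 R Q [8081   DR  NOERROR] A      (6)beacon(14)c2-placeholder(7)example(0)'
)
$SampleFirewall = @(
    '2024-03-12 10:15:09 ALLOW 10.0.5.23 -> 203.0.113.45:443',
    '2024-03-12 10:15:11 ALLOW 10.0.0.25 -> 198.51.100.7:443',
    '2024-03-12 10:16:40 ALLOW 10.0.7.8 -> 203.0.113.45:8080'
)

Get-SuspectClients -DnsLines $SampleDns -FirewallLines $SampleFirewall |
    Select-Object -ExpandProperty GetEnumerator | Format-Table Name, Value -AutoSize
```

On the constructed input the script flags 10.0.5.23 (DNS query for the indicator domain and a connection to the indicator address) and 10.0.7.8 (connection only); 10.0.0.25 is not reported. A client that uses an external resolver or a proxy will not appear in the DNS server log, so the firewall or proxy log is the complementary source, as the article notes.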
After you have identified a threat and you understand how the threat spreads, you have to prevent the threat from spreading through the network.
It is critical that you remove the compromised computer from the network or add it to a "quarantine network." Otherwise, the threat will spread as it infects other computers on the network.
Physically unplug the network cable from the infected computer and disable all wireless connections.
On occasion, a compromised computer is mission-critical and cannot be isolated from the network. In some cases, depending on the infection, these can be isolated in so-called quarantine networks with some heavily restricted network access. Naturally, this only works for cases where the threat's activity does not coincide with the functions needed by the compromised computer.
The quarantine network itself is a carefully configured subnet designed to restrict the traffic that the threat needs to propagate to other computers. This will allow the infected computer some restricted form of use.
Due to business need, you may not be able to quarantine some infected systems or remove them from the network. You may need to configure special rules to allow them to function within their current subnet and still prevent the threat from spreading. This may include any combination of the following actions depending on the attack vector used by the threat.
Caution: This action carries with it a high degree of risk. Seriously evaluate the risk before you follow these steps. Learn more in Step 5.
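One way to implement the "special rules" for a computer that cannot be unplugged, as an added PowerShell example that is not part of the original article. The inbound block is applied on the healthy computers (or pushed through Group Policy) so they refuse traffic from the suspect host; the outbound restriction is applied on the suspect host itself so it can reach only the servers it needs. All addresses and names are hypothetical placeholders.

```powershell
# Added example (not from the Symantec article): Windows Firewall rules that
# isolate a suspected computer without removing it from the network.
# Every address below is a placeholder for this example.

$SuspectHost    = '10.0.5.23'                   # hypothetical infected client
$AllowedServers = @('10.0.1.10', '10.0.1.20')   # hypothetical SEP manager and file server
$RuleGroup      = 'Incident quarantine'          # one group name so every rule can be removed together

# On each healthy computer: refuse anything the suspect host sends.
function Add-InboundBlockFromSuspect {
    param([string]$Address)
    New-NetFirewallRule -DisplayName "Quarantine: block inbound from $Address" `
        -Group $RuleGroup -Direction Inbound -Action Block `
        -RemoteAddress $Address -Profile Any | Out-Null
}

# On the suspect host: default-deny outbound, then allow only the named servers.
# Block rules win over allow rules in Windows Firewall, so the allow list must be
# expressed as a restrictive default action plus explicit allows, not as a block.
function Set-OutboundQuarantine {
    param([string[]]$Allowed)
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'Quarantine: allow outbound to management servers' `
        -Group $RuleGroup -Direction Outbound -Action Allow `
        -RemoteAddress $Allowed -Profile Any | Out-Null
}

# Undo after remediation: drop every rule in the group and restore the default.
function Remove-Quarantine {
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow
}

# Show what is currently in place (useful before and after applying the rules).
function Get-QuarantineRule {
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Action, Enabled
}

# Usage (run in an elevated session on the appropriate computer):
#   Add-InboundBlockFromSuspect -Address $SuspectHost      # on healthy peers
#   Set-OutboundQuarantine -Allowed $AllowedServers        # on the suspect host
#   Get-QuarantineRule
#   Remove-Quarantine                                      # once the host is clean
```

If the suspect host must keep domain membership or name resolution while quarantined, its domain controller and DNS server addresses belong in the allowed list as well. The outbound restriction runs on the compromised computer, so a rootkit or a threat with administrative rights can disable it; the inbound block on the healthy computers, or a restriction enforced on the switch or subnet, is the control to rely on.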
With the threat isolated to individual computers, you can remove the threat and reverse its side effects. As you take the steps outlined in this section, you should assess the following:
Backdoors and rootkits
Before proceeding with a disinfection of a compromised computer, it is important to consider the level of compromise when a backdoor or a rootkit is present. These malicious code subclasses allow threat writers to gain access and hide their malicious files and activities.
In both cases, determining the extent of the damage done to a computer is difficult and may increase the difficulty of removing all malicious functions from the computer. Under such circumstances, it is often less time consuming to re-image the operating system and restore needed data from clean backups.
In order to remove the malicious files from the computer, you must stop any processes used by the threat. There are three primary options for doing this.
The simplest way to remove the threat from the computer is to run a full system scan on the compromised computer. With the latest definitions installed, the scan should be able to remove the threat in most cases without incident. If the threat is a worm or Trojan, you can manually remove the files.
Caution: Do not attempt manual removal of file infectors; it is impossible to determine which files are infected and which are not. The added complexity of threats leaves it possible to overlook something when you attempt manual removal.
Threats can make a number of changes to a computer in addition to installing files. Threats can also lower security settings and reduce system functionality based on changes to the computer's configuration.
In many cases, Endpoint Protection can restore these settings to the default security setting. Some cases require you to confirm settings or restore them manually after removing a threat. You can further adjust these settings to suit the needs of the network.
There may be additional cases where Symantec software cannot reverse the changes because it is unable to determine the previous setting.
Threats create or modify registry entries that perform functions ranging from loading the threat when the operating system starts to granting Internet access through the Windows Firewall.
Leaving these entries unchanged after the threat has been removed may cause error messages to appear as the computer boots or when using the computer. In some cases, this may prevent the user from logging in after they restart the computer.
Remove or restore any registry items added by the threat to the computer's default setting or, if possible, to a more secure setting. You can do this manually, with a script, or with a Group Policy Object.
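The "with a script" option for the autostart entries described above, as an added PowerShell example that is not part of the original article: it lists the values under the common Run and RunOnce keys, flags those whose command does not match an allowlist you maintain, and removes a value the investigation has attributed to the threat after exporting the key for rollback. The allowlist patterns and the entry name in the usage lines are hypothetical.

```powershell
# Added example (not from the Symantec article): audit and clean autostart
# registry values. Run the removal with -WhatIf first. Allowlist patterns and
# the entry name used below are hypothetical.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Emit one object per autostart value: which key, value name, and the command it runs.
function Get-AutostartEntry {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

# Flag entries whose command matches none of the allowlist wildcard patterns.
function Find-UnexpectedAutostart {
    param([string[]]$AllowedCommands)
    Get-AutostartEntry | Where-Object {
        $cmd = $_.Command
        -not ($AllowedCommands | Where-Object { $cmd -like $_ })
    }
}

# Remove one value, after exporting its key so the change can be reversed.
function Remove-AutostartEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key, [string]$Name)
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Remove autostart value')) {
        $backup = Join-Path $env:TEMP ("autostart-backup-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
        # reg.exe wants HKLM\... rather than the PowerShell drive form HKLM:\...
        $regPath = $Key -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
        reg.exe export $regPath $backup /y | Out-Null
        Remove-ItemProperty -Path $Key -Name $Name
        Write-Verbose "Removed $Name; key exported to $backup"
    }
}

# Usage (hypothetical allowlist and entry name):
#   Find-UnexpectedAutostart -AllowedCommands @('"C:\Program Files\*', 'C:\Windows\system32\*') |
#       Format-Table Key, Name, Command -Wrap
#   Remove-AutostartEntry -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
#       -Name 'HypotheticalThreatEntry' -WhatIf
```

Run keys are only the most common location; services, scheduled tasks, Winlogon values, and the Windows Firewall authorised-applications list are other places the article's "registry entries" may live, and each needs its own check. Compare the HKCU keys under every profile on a shared computer, since Get-ItemProperty on HKCU sees only the current user's hive.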
Threats may modify several files that the operating system relies on. When cleaning a computer, check the following items for signs of modification:
After you have successfully cleaned a computer, Symantec recommends one final safety check: an antivirus scan with the latest definitions. If the scan comes back clean, reconnect the computer back to the production network.
Note: Connect only a few computers at a time to ensure that you have properly remediated the threat and that no secondary symptoms present themselves.
After you have removed the threat, you should perform the following:
Some people believe that security and usability are inversely proportional, with an increase in security increasing the steps needed to perform a task. Ease of use, while more efficient, can open security holes that make it easier for threats to spread. Weak points in a network are usually those technologies that make computers more accessible and user-friendly.
Under normal circumstances and best practices, threats cannot re-infect a protected hard drive without security software detecting the threat. If this seems to happen, re-examine the system and security software configuration. Also, review the following security weak points and ensure that you have closed common attack vectors.
Malicious code can exploit vulnerabilities due to software flaws. You can repair flaws and prevent security incidents using patches provided by the software vendor.
You should have a Patch and Configuration Management Policy in place for your network to test new patches and roll them out to client computers.
AutoPlay is a Windows feature that enables users to choose which program opens or plays files from CDs, DVDs, and removable drives such as USB. This feature has become one of the largest attack vectors in the enterprise environment.
While removable drives may provide an initial source of infection, most network drives also use AutoPlay. AutoPlay allows threats to attack from a network drive as soon as a user maps the drive. Companies design antivirus software to scan the local hard drive; therefore, the threat can attack the client computer without detection or prevention, unless additional measures like Network Auto-Protect are employed.
To protect your network, you should disable AutoPlay. You can do this on individual computers, push this to client computers using the Group Policy editor, configure a policy in Endpoint Protection, or entirely disable the external media ports on the computer from within the BIOS.
Caution: A known Windows vulnerability may turn on AutoPlay unless you apply specific Windows patches.
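Disabling AutoPlay on an individual computer through the registry policy that the "Turn off AutoPlay" Group Policy setting writes, as an added PowerShell example that is not part of the original article. The read-back check is the practical answer to the caution above: verify the setting after patching and after each policy refresh rather than assuming it is still in place.

```powershell
# Added example (not from the Symantec article): disable AutoPlay for every
# drive type via the NoDriveTypeAutoRun policy value, then confirm it took effect.
# Run in an elevated session; a domain GPO that sets the same value will
# overwrite the HKLM entry on the next policy refresh, which is the intended
# way to deploy this across many clients.

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # all users on this computer
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # current user only
)
$AllDrives = 0xFF   # bitmask covering every drive type (removable, fixed, network, CD-ROM, ...)

function Disable-AutoPlay {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
            -Value $AllDrives -Force | Out-Null
    }
}

# Returns $true only when both policy keys carry the expected value.
function Test-AutoPlayDisabled {
    $ok = $true
    foreach ($key in $PolicyKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -ne $AllDrives) {
            Write-Warning "$key : NoDriveTypeAutoRun is '$value', expected $AllDrives"
            $ok = $false
        }
    }
    return $ok
}

Disable-AutoPlay
if (Test-AutoPlayDisabled) { 'AutoPlay is disabled for all drive types.' }
```

Setting the value under HKCU covers only the profile that runs the script; the HKLM value (or the equivalent GPO) is what protects every account on the computer.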
Access to all network shares should require a strong password that is not easily guessed. "Open shares" are network shares that rely on the permissions inherited from the user to validate access. Open shares do not require additional authentication, which allows threats to spread very fast. Because of this, you should minimize the use of open shares as much as possible. When they are essential to business continuity, restrict write and execute privileges on open shares.
If a user only needs to obtain files from a source, grant them read access. For added security, you can limit write access for users needing file transfer capabilities to a "temporary" storage folder on a file server, which you clear on a regular schedule. Limit execution permissions to administrators or power users who have such a need.
Symantec also recommends disabling or limiting access to other types of shares:
The problem with the aforementioned shares is that regardless of whether strong passwords are in place, once a user is logged on to a system with elevated rights, any threat present can use the credentials to access Admin$ or IPC$ shares available on the network.
Once the user logs in, their rights and permissions are implicit -- the door has been unlocked. Anything accessible through the user’s account will also be accessible to anything that impersonates the account.
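Auditing a file server for open shares and tightening one to read-only, as an added PowerShell example that is not part of the original article. It uses the SmbShare module (Windows 8 / Server 2012 and later), reports shares where a broad principal holds more than Read, and lists the administrative shares (ADMIN$, IPC$, C$) the article discusses. The list of "broad" principals is a starting point, not a complete one.

```powershell
# Added example (not from the Symantec article): find shares that grant broad
# groups Change or Full access, and reduce a grant to Read. Requires the
# SmbShare module and an elevated session on the file server.

# Principals that effectively mean "any logged-on user"; extend for your domain.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'ANONYMOUS LOGON')

# One object per (share, principal) pair that is wider than read-only.
function Find-OpenShare {
    # Administrative shares have Special = $true and are reported by Get-AdminShare below.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -ne 'Read' -and
            ($BroadPrincipals -contains $_.AccountName)
        } | ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight
            }
        }
    }
}

# Replace a broad Change/Full grant on a share with Read.
function Set-ShareReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ShareName, [string]$Principal)
    if ($PSCmdlet.ShouldProcess("$ShareName ($Principal)", 'Reduce share permission to Read')) {
        Revoke-SmbShareAccess -Name $ShareName -AccountName $Principal -Force
        Grant-SmbShareAccess  -Name $ShareName -AccountName $Principal -AccessRight Read -Force
    }
}

# The administrative shares the article names, so you can see which exist here.
function Get-AdminShare {
    Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path
}

# Usage:
#   Find-OpenShare | Format-Table -AutoSize
#   Set-ShareReadOnly -ShareName 'Public' -Principal 'Everyone' -WhatIf
#   Get-AdminShare
```

Share permissions combine with the NTFS permissions on the underlying folder, and the effective right is the more restrictive of the two; this script checks only the share layer, so a folder that is writable for Everyone at the NTFS level still needs its own review. As the article says of Admin$ and IPC$, tightening share permissions does not help once a threat runs under an account that already holds administrative rights; limiting how often such accounts log on to workstations is the complementary control.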
While not as prevalent, attackers still use email attachments to spread malicious code. Most mail servers provide the ability to strip certain attachment types from emails. Limiting the types of files that are valid as attachments handicaps many threats' ability to spread.
Investing in antispam software is another way of reducing exposure to threats. Doing so reduces the number of phishing scams and spam that reach end-users, and thus the network as a whole.
Perimeter firewalls are critical to protecting the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks, and are critical to managing today's threat landscape.
Beyond basic firewalls, network and host-based Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can help monitor unwanted activity on the network and, in many cases, stop or alert on the offending traffic in real time. Many client-side firewalls today provide these features.
An educated end-user is a safer one. Ensure that your users understand the basics of safe computing, such as the following:
Even after you complete all tasks, you need to prepare for the worst-case scenario. Draft a plan that details how to respond to a potential outbreak, and assign tasks and responsibilities to members of your emergency response team.
When drafting a response plan, ask, and answer the following questions:
Having plans in place for these things makes dealing with unpleasant situations much easier and saves both time and money.
Symantec Security Response encourages all users and administrators to adhere to the following basic security best practices:
Use rapid release virus definitions when facing an outbreak or when Technical Support or Symantec Security Response suggests its use. The primary focus of these detection signatures is the rapid detection of newly emerging threats.
Rapid release virus definitions have undergone basic quality assurance testing by Symantec Security Response. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, the rapid release virus definitions may pose some risks such as a higher potential for false positives. Rapid release virus definitions are most useful for perimeter defenses or for all protection tiers as a means of mitigating fast-spreading virus outbreaks. These signatures are released approximately once per hour.
Learn how to update Endpoint Protection Manager with rapid release virus definitions so that it can update clients as they check in.
If you believe that a threat has infected a file and Endpoint Protection has not detected the threat, submit the suspicious file to Symantec Security Response.
Customers making submissions to Security Response are encouraged to create a support case at the same time. This will allow the support representative to confirm that you have submitted to the correct queue, which will dramatically affect the ability of Symantec Security Response to provide a timely response.