Learn how to remove viruses on a network or troubleshoot and respond to active security threats.

Troubleshooting and responding to threats and viruses on a network involves the following:

1. Step 1. Identify the threat and attack vectors
2. Step 2. Identify the infected computers
3. Step 3. Quarantine the infected computers
4. Step 4. Clean the infected computers
5. Step 5. Post-op and prevent a recurrence

Additional resources and information

Step 1. Identify the threat and attack vectors

To contain and eliminate a threat, you must know all of the threats that are present on the computer, and what the threats were designed to do. You must also understand which methods the threats use to propagate throughout the network.

To identify the threats, follow the instructions under the condition that applies, based on whether or not you have identified infected or suspicious files.

You have identified infected or suspicious files

Symantec Endpoint Protection (SEP) detects a threat, and you need additional information about the threat; or, Endpoint Protection does NOT detect a threat, but you have identified a suspect file that you believe to be malicious.

1. Submit the file to Symantec Security Response

Symantec Security Response can identify all known malicious files. In the event that additional information is required, submit the file to Symantec Security Response for further research. If the file is a new malicious file, Symantec Security Response can create virus definitions to detect it.

2. Configure Auto-Protect to allow network scanning

Network scanning allows Auto-Protect to scan files the computer accesses from remote computers. This helps prevent malware from spreading, and can result in identification of the threat in cases when Auto-Protect is not functioning on an infected computer.

You have NOT identified any infected or suspicious files

Endpoint Protection does not detect a threat and you need to determine which files are infected, if any.

1. SymDiag - Check common load points for threats

The Symantec Diagnostic Tool (SymDiag) collects technical diagnostic data for many Symantec products. The Threat Analysis Scan in SymDiag lets you determine the risk level of files that are launched automatically on your computer.

2. Heuristics - Increase the heuristic level of your Symantec Endpoint Protection program

Increasing the heuristic level allows Symantec Endpoint Protection to detect more threats based on their behavior.

3. Network Scanning - Configure Auto-Protect to allow network scanning

Network scanning allows Auto-Protect to scan files that the computer accesses from remote computers. This helps prevent malware from spreading and can result in identification of the threat in cases when Auto-Protect is not functioning on an infected computer.

Additional resources within Endpoint Protection for identifying the threat and its behaviors

Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.

Basic steps:

• Deploy Intrusion Prevention System (IPS) with default settings (low impact)
• Increase the sensitivity of Proactive Threat Protection

Advanced steps:

• Use Application and Device Control to log activity to common loading points for threats
• Use Application and Device Control to monitor or block a file based on MD5

Step 2. Identify the infected computers

Once you have identified the threat, you must determine if other computers are infected.

You can use the Endpoint Protection Manager to identify infected computers (see Using Endpoint Protection Manager reports and logs to identify infected computers for details), but there are circumstances that may require additional methods.

(Recommended) Update virus definitions with a signature file that detects the variant of the threat

1. Download and install the correct virus definitions on a single infected client.
2. Scan the computer to make sure that detection and remediation are working correctly.
3. Configure Auto-Protect to allow network scanning.
4. Deploy virus definitions to the entire affected network.
5. Scan ALL computers to determine which computers are infected.
   
   Note: The scan may clean most of the infected computers.
    
6. Quarantine computers where the scan cannot remediate the threat.

(Good) If virus definitions are not available for the threat, or if parts of the network are not protected by Endpoint Protection, then use other means to identify possible infected computers.

Monitor DNS server logs or perimeter firewall logs for the external IP address or URL the threat is using for communication.  This should reveal which computers may be infected.

Tips for identifying infected computers

Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an enterprise environment.

• Use Application and Device Control to monitor or block a file based on MD5

Step 3. Quarantine the infected computers

After you have identified a threat and you understand how the threat spreads, you have to prevent the threat from spreading through the network.

It is critical that you remove the compromised computer from the network or add it to a "quarantine network." Otherwise, the threat will spread as it infects other computers on the network.

(Recommended) Remove the infected computer from the network

Physically unplug the network cable from the infected computer and disable all wireless connections.

(Good) Move the infected computer to a quarantine network

On occasion, a compromised computer is mission-critical and cannot be isolated from the network. In some cases, depending on the infection, these can be isolated in so-called quarantine networks with some heavily restricted network access. Naturally, this only works for cases where the threat's activity does not coincide with the functions needed by the compromised computer.

The quarantine network itself is a carefully configured subnet designed to restrict the traffic that the threat needs to propagate to other computers. This will allow the infected computer some restricted form of use.

• You must know how to create subnets or VLANs and configure your network devices to restrict traffic
• You must know how the threat spreads.

(Exception) When removal from the network or quarantine is not possible

Due to business need, you may not be able to quarantine some infected systems or remove them from the network. You may need to configure special rules to allow them to function within their current subnet and still prevent the threat from spreading. This may include any combination of the following actions depending on the attack vector used by the threat.

 Caution: This action carries with it a high degree of risk. Seriously evaluate the risk before you follow these steps. Learn more in Step 5.

• Close any open shares.
• Require users to re-authenticate when connecting to file servers.
• Disable the Windows AutoPlay feature. This can be done through registry keys, Group Policy Object, or an Application and Device Control Policy.
• Restrict the use of writable USB drives. This can be done through registry keys, Group Policy Object, or an Application and Device Control Policy.
• Make executables on network drives read-only.

Additional resources within Endpoint Protection for quarantining infected computers

Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an enterprise environment.

• Use Application and Device Control in Endpoint Protection (Endpoint Protection) to block activity in common loading points for threats.
• Create custom firewall rules to prevent the threat from spreading.
• Move the infected clients to a "quarantine" client group.

Step 4. Clean the infected computers

With the threat isolated to individual computers, you can remove the threat and reverse its side effects. As you take the steps outlined in this section, you should assess the following:

• Is it more cost-effective to freshly rebuild or reinstall a compromised computer?
• Can you easily remove the threat from the computer by running an antivirus scan, or are additional tasks required?
• Did the threat make any system changes on the infected computers? If so, should you revert those changes?
• When is it safe to add the computers back to the network?

Backdoors and rootkits

Before proceeding with a disinfection of a compromised computer, it is important to consider the level of compromise when a backdoor or a rootkit is present. These malicious code subclasses allow threat writers to gain access and hide their malicious files and activities.

In both cases, determining the extent of the damage done to a computer is difficult and may increase the difficulty of removing all malicious functions from the computer. Under such circumstances, it is often less time consuming to re-image the operating system and restore needed data from clean backups.

1. Stop the viral process

In order to remove the malicious files from the computer, you must stop any processes used by the threat. There are three primary options for doing this.

• Antivirus scan - You can manually run a scan, likely the easiest option, which should stop and detect malicious processes as it scans the computer.
  To run a scan in the client, on the Status page, next to Virus and Spyware Protection, click Options > Run Active Scan.
• Safe mode - Restart the computer in Safe Mode to prevent the majority of threats from loading. You can then manually remove the malicious files or run a scan.
• Power Eraser - You can run Power Eraser to analyze and detect persistent threats on a single computer or a small group of computers. 

2. Remove the malicious files

The simplest way to remove the threat from the computer is to run a full system scan on the compromised computer. With the latest definitions installed, the scan should be able to remove the threat in most cases without incident. If the threat is a worm or Trojan, you can manually remove the files.

Caution: Do not attempt manual removal of file infectors; it is impossible to determine which files are infected and which are not. The added complexity of threats leaves it possible to overlook something when you attempt manual removal.

3. Restore changes made by the threat

Threats can make a number of changes to a computer in addition to installing files. Threats can also lower security settings and reduce system functionality based on changes to the computer's configuration.

In many cases, Endpoint Protection can restore these settings to the default security setting. Some cases require you to confirm settings or restore them manually after removing a threat. You can further adjust these settings to suit the needs of the network.

There may additional cases where Symantec software cannot reverse the changes because we are unable to determine the previous setting.

4. Check for registry changes

Threats create or modify registry entries that perform functions ranging from loading the threat when the operating system starts to granting Internet access through the Windows Firewall.

Leaving these entries unchanged after the threat has been removed may cause error messages to appear as the computer boots or when using the computer. In some cases, this may prevent the user from logging in after they restart the computer.

Remove or restore any registry items added by the threat to the computer's default setting or, if possible, to a more secure setting. You can do this manually, with a script, or with a Group Policy Object.

5. Check system files and software

Threats may use several system files used by the operating system. When cleaning a computer, check the following items for signs of modification:

• Windows hosts file - The Windows hosts file maps domain names to IP addresses locally, as opposed to querying a DNS server. Threats may modify this file to redirect a user to a malicious website, or away from security websites such as www[.]<symantec>[.]com.
  If the threat adds entries in the hosts file, you can comment them out. If this does not affect network functionality, these entries are likely unnecessary and you can safely remove them.
• Antivirus software - Some threats specifically target the antivirus software installed on the computer. If successful, this can lead to the antivirus software not alerting on the threat or not being able to update its definitions.
  If this has happened to a compromised computer, verify the integrity of the antivirus software and reinstall it if necessary.

6. Reintroduce computers to the network

After you have successfully cleaned a computer, Symantec recommends one final safety check: an antivirus scan with the latest definitions. If the scan comes back clean, reconnect the computer back to the production network.

Note: Connect only a few computers at a time to ensure that you have properly remediated the threat and that no secondary symptoms present themselves.

Additional tips for cleaning infected computers with Endpoint Protection

Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.

• Use Application and Device Control to manage Windows AutoPlay
• Create a quarantine client group
• Create a rule that will block or log Browser Helper Objects

Step 5. Post-op and prevent a recurrence

Incident review and network audit

After you have removed the threat, you should perform the following:

• Review the incident and make necessary changes in internal processes and procedures to avoid this type of attack in the future.
• Perform a network audit with your security team to determine how the threat entered the network. Understanding the threat's attack vectors from Step 1 will come in handy.
• Implement security measures to prevent another incident.

Some people believe that security and usability are inversely proportionate to each other, with an increase in security increasing the steps needed to perform a task. Ease-of-use, while more efficient, can open security holes that make it easier for threats to spread. Weak points in a network are usually those technologies that make computers more accessible and user-friendly.

The myth of re-infection

Under normal circumstances and best practices, threats cannot re-infect a protected hard drive without security software detecting the threat. If this seems to happen, re-examine the system and security software configuration. Also, review the following security weak points and ensure that you have closed common attack vectors.

Patching vulnerabilities

Malicious code can exploit vulnerabilities due to software flaws. You can repair flaws and prevent security incidents using patches provided by the software vendor.

You should have a Patch and Configuration Management Policy in place for your network to test new patches and roll them out to client computers.

• Patching plans should focus not just on operating systems and browser add-ons, but also on all deployed software.
• Regularly catalog software installed on computers, from office utilities to databases and web server applications, and check for updates.
• Regularly audit internally developed code for security holes and fix them as soon as possible.
• Regularly check appliances such as routers and printers for software updates and patch them quickly.

Windows AutoPlay (AutoRun)

AutoPlay is a Windows feature that enables users to choose which program opens or plays files from CDs, DVDs, and removable drives such as USB. This feature has become one of the largest attack vectors in the enterprise environment.

While removable drives may provide an initial source of infection, most network drives also use AutoPlay. AutoPlay allows threats to attack from a network drive as soon as a user maps the drive. Companies design antivirus software to scan the local hard drive; therefore, the threat can attack the client computer without detection or prevention, unless additional measures like Network Auto-Protect are employed.

To protect your network, you should disable AutoPlay. You can do this on individual computers, push this to client computers using the Group Policy editor, configure a policy in Endpoint Protection, or entirely disable the external media ports on the computer from within the BIOS.

Caution: A known Windows vulnerability may turn on AutoPlay unless you apply specific Windows patches.

Network shares

Access to all network shares should require a strong password not easily guessed. "Open shares" are network shares that allow the inherited permissions from the user to validate access. Open shares do not require additional authentication, which allows threats to spread very fast. Because of this, you should minimize the use of open shares as much as possible. When they are essential to business continuity, open shares should be restricted to use write and execute privileges.

If a user only needs to obtain files from a source, grant them read access. For added security, you can limit write access for users needing file transfer capabilities to a "temporary" storage folder on a file server, which you set to clear semi-regularly. Limit execution permissions to administrators or power users who have such a need.

Symantec also recommends disabling or limiting access to other types of shares:

• Admin$ shares allow complete root access on a computer to any user that can authenticate as a member of the administrator group.
• Inter-Process Communication (IPC) shares, or IPC$, are intended to help communication between network-available processes and other computers on the network.

The problem with the aforementioned shares is that regardless of whether strong passwords are in place, once a user is logged on to a system with elevated rights, any threat present can use the credentials to access Admin$ or IPC$ shares available on the network.

Once the user logs in, their rights and permissions are implicit -- the door has been unlocked. Anything accessible through the user’s account will also be accessible to anything that impersonates the account.

Network share best practices

• Do not auto-map network shares; instead, supply a desktop icon to allow users access to the drive as needed.
• Do not log on using an account with elevated privileges (such as the domain or local Admin) unless necessary to perform a certain task.
• Be sure to log off once the task is completed.
• Use a more restrictive account for most day-to-day duties.

Email

While not as prevalent, attackers still use email attachments to spread malicious code. Most mail servers provide the ability to strip certain attachment types from emails. Limiting the types of files that are valid as attachments handicaps many threats' ability to spread.

Investing in antispam software is another way of reducing exposure to threats. Doing so reduces the number of phishing scams and spam that reach end-users, and thus the network as a whole.

Firewalls and other tools

Perimeter firewalls are critical to protecting the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks, and are critical to managing today's threat landscape.

Beyond basic firewalls, network and host-based Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) can help monitor unwanted activity on the network, and in many cases stops or alerts on the offending traffic in real-time. Many client-side firewalls today provide these features.

User education

An educated end-user is a safer one. Ensure that your users understand the basics of safe computing, such as the following:

• Do not give passwords to anyone or store them in an easily accessible location, either physical or electronic.
• Do not open unexpected email attachments from known or unknown sources.
• Do not click on unknown URLs.
• Scan software downloaded from the Internet before installing it.
• Provide your users with documentation, internal training, or periodic seminars on computer security so that they can learn more about the topic.

Emergency response team and plans

Even after you complete all tasks, you need to prepare for the worst-case scenario. Draft a plan that details how to respond to a potential outbreak, and assign tasks and responsibilities to members of your emergency response team.

When drafting a response plan, ask, and answer the following questions:

• How quickly will systems generate alerts if there is something on the network?
• Will administrators be available to deal with the threat?
• How easy is it to reroute traffic and services on the network?
• Can compromised computers be isolated quickly before they infect other computers?

Having plans in place for these things makes dealing with unpleasant situations much easier and saves both time and money.

Basic security best practices

Symantec Security Response encourages all users and administrators to adhere to the following basic security best practices:

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, deny all incoming connections, and only offer approved services to the outside world.
• Enforce a password policy. A complex password makes it difficult to crack password files on compromised computers and prevents or limits damage when a threat does compromise a computer.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access to folders that users must share, only to user accounts with strong passwords.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If you remove these services, threats have fewer avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure mail servers to block or remove email that contains file attachments that attackers commonly use to spread threats, such as .vbs, .bat, .exe, .pif, and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train users not to open attachments unless they are expecting them. In addition, users should not execute software that they download from the Internet unless the user has first scanned the file for viruses.
• Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, users should turn it off. If Bluetooth is required, you should ensure that the device's visibility is set to "Hidden" so that other Bluetooth devices cannot scan it. If device pairing is required, ensure that all devices are set to "Unauthorized," requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.

Additional resources and information

Rapid release virus definitions

Use rapid release virus definitions when facing an outbreak or when Technical Support or Symantec Security Response suggests its use. The primary focus of these detection signatures is the rapid detection of newly emerging threats.

Rapid release virus definitions have undergone basic quality assurance testing by Symantec Security Response. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, the rapid release virus definitions may pose some risks such as a higher potential for false positives. Rapid release virus definitions are most useful for perimeter defenses or for all protection tiers as a means of mitigating fast-spreading virus outbreaks. These signatures are released approximately once per hour.

Learn how to update Endpoint Protection Manager with rapid release virus definitions so that it can update clients as they check in.

Virus submissions to Symantec

If you believe that a threat has infected a file and Endpoint Protection has not detected the threat, submit the suspicious file to Symantec Security Response.

Customers

Customers making submissions to Security Response are encouraged to create a support case at the same time. This will allow the support representative to confirm that you have submitted to the correct queue, which will dramatically affect the ability of Symantec Security Response to provide a timely response.