Troubleshooting viruses with Symantec AntiVirus 10.x and earlier

Article:TECH102085  |  Created: 2007-01-10  |  Updated: 2012-01-04  |  Article URL http://www.symantec.com/docs/TECH102085
Article Type
Technical Solution

Environment

Issue

You would like a basic understanding of how to troubleshoot a virus infection with Symantec AntiVirus 10.x and earlier.

Solution

Note: This document is optimized for SAV 10.x and earlier. For information on troubleshooting virus infections with Symantec Endpoint Protection 11.x and later, read the document Best practices for responding to active threats on a network.
Overview
Troubleshooting a virus infection consists of the following steps:

  1. Identify the Threat
  2. Identify the Computers Infected
  3. Quarantine the Computers Infected
  4. Clean the Computers Infected
  5. Determine Infection Vector and Prevent Recurrence



1. Identify the Threat
To deal with an outbreak it is important to know what the threat is and what it is capable of. It is equally important to know about all of the threats that may be present on the computer, not just the one that was first noticed.
Identification may be done in the following ways:

    A. Submit suspected file to Symantec Security Response (see load points)
    B. Virus detection with current virus definitions.

Preliminary automated analysis can be performed for some types of threats through http://www.threatexpert.com. This step can quickly alert you to sites the threat is coded to contact so they can be blocked at the firewall. Symantec Support does not provide troubleshooting for http://www.threatexpert.com and this step does not replace the need to submit files to Symantec Security Response.

Do not rely on file names to identify a threat. Many threats use the same file name but may have completely different characteristics and attack vectors.


2. Identify the Computers Infected
Once the threat is identified it is necessary to identify what computers are infected.
    A. If the threat has been identified, the easiest way to identify the infected computers is to update the entire network with virus definitions that detect the threat and then run a scan. This may be done through a scheduled scan or a virus sweep.
    B. A network audit may also be used to determine which computers do not have anti-virus installed and up to date.
    C. A check of the firewall logs for any computers generating a lot of network traffic on the port or ports used by the threat may also reveal infected computers.
    D. A check of the threat logs can also show the source computer from which infected files are arriving.
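As an added example (not part of the original article), the firewall-log check in step C can be scripted: count how many distinct hosts each source contacts on the port or ports the threat uses and flag sources whose fan-out looks like scanning rather than normal use. The log format and the sample lines below are constructed for this example; adapt the regular expression to your firewall's export format.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article). The line format is an
# assumption for this example: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2007-01-10 09:00:01 ALLOW TCP 10.0.0.5:1034 -> 10.0.0.20:445
2007-01-10 09:00:01 ALLOW TCP 10.0.0.5:1035 -> 10.0.0.21:445
2007-01-10 09:00:02 DENY  TCP 10.0.0.5:1036 -> 10.0.0.22:445
2007-01-10 09:00:02 ALLOW TCP 10.0.0.5:1037 -> 10.0.0.23:445
2007-01-10 09:00:05 ALLOW TCP 10.0.0.7:2201 -> 10.0.0.2:445
2007-01-10 09:00:05 ALLOW TCP 10.0.0.7:2202 -> 10.0.0.2:445
2007-01-10 09:00:09 ALLOW TCP 10.0.0.9:3301 -> 10.0.0.20:80
2007-01-10 09:00:09 ALLOW TCP 10.0.0.9:3302 -> 10.0.0.21:80
2007-01-10 09:00:09 ALLOW TCP 10.0.0.9:3303 -> 10.0.0.22:80
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^\S+ \S+ +(ALLOW|DENY) +(TCP|UDP) +(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def parse_line(line):
    """Return a record dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}

def suspect_hosts(log_text, threat_ports, min_targets):
    """Sources that tried to reach at least `min_targets` distinct hosts on a port
    the threat uses. Denied attempts count too: a worm keeps scanning regardless.
    Result is sorted by fan-out (descending), then by address."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in threat_ports:
            targets[rec["src"]].add(rec["dst"])
    ranked = sorted(targets.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, len(dsts)) for src, dsts in ranked if len(dsts) >= min_targets]

if __name__ == "__main__":
    # 10.0.0.7 talks to one file server on 445 (normal); 10.0.0.5 sweeps four hosts.
    for src, n in suspect_hosts(SAMPLE_LOG, {445}, 3):
        print(f"{src} contacted {n} hosts on a threat port: scan and isolate it")
```

The threshold separates a workstation talking to its usual file server from one sweeping the subnet; tune it to the size of your network.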


3. Quarantine the Computers Infected
Quarantining the infected computers is important to prevent the further spread of the infection and to prevent the threat from continuing to affect the computers remotely, either through open shares or unpatched vulnerabilities.

There are several ways to quarantine affected computers:
    A. Generally the best way to quarantine an infected computer is to remove it from the network physically. This would involve manually removing the connection to the network and internet.
    B. In some cases, completely removing a computer from a network is not possible. Some customers, depending on the infection, have created quarantine subnets with very restricted communications. This gives their infected users some limited productivity while still allowing remote management.


WARNING: This may take preparation, and should only be done once the infection vectors are well mapped out and the proper preventions are put into place.

4. Clean the Computers Infected – Virus Removal
Once the computers are removed from the network and updated with current definitions, the virus should be removed and the changes made by the threat reversed. Here are the steps to clean a virus once virus definitions are up to date.


    A. Stop the viral process, or boot the computer to a state where the process is not loading:
      i. End the task - some threats may prevent this.
      ii. Start Windows in Safe Mode or Safe Mode Command Prompt only
      iii. Newer versions of Symantec AntiVirus (version 10) and Symantec Endpoint Protection may be able to stop the process as part of a full system scan.

    B. Remove the viral files:
      i. Full system scan – Recommended
      ii. Manually remove the files by finding and deleting them
      iii. Check if there is a removal tool available for the particular threat variant.

    C. Reverse the changes to system settings. It is important to make changes to the registry before rebooting the computer. Many viruses change boot settings, so if the registry changes are not undone the user may be unable to log in once the virus is removed.
      i. Undo Registry Changes
      ii. Undo changes to the following files – if necessary
        1. hosts
        2. win.ini
        3. sfc.dll – may need to be replaced with new copy
        4. Anti-virus and Firewall programs – may need to be reinstalled.

    D. Reboot the computer into normal mode, before connecting it back to the network. This is to determine that no additional viruses are detected and the cleaning was successful.

    E. If a rootkit or backdoor is detected, it may be necessary to re-image the computer to ensure the security of the network.
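As an added example (not part of the original article) for step C, undoing hosts file changes starts with knowing which entries are not supposed to be there. The script below parses a hosts file, reports every entry that is not in a clean Windows baseline, and separately lists names pointed at loopback, which is how a threat typically blocks access to update and security sites. The sample hosts content and the hostnames in it are constructed for this example.

```python
# Constructed sample of a hosts file after an infection (not from the article).
# Hostnames are placeholders; a real threat would redirect vendor update sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example-vendor.invalid   # added by the threat
127.0.0.1       liveupdate.example-vendor.invalid
10.20.30.40     www.example-bank.invalid
"""

# Entries a clean Windows hosts file is expected to contain (assumed baseline;
# extend it with any entries your own build legitimately adds).
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are ignored and a line
    with several names yields one pair per name."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing or full-line comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()

def nondefault_entries(text):
    """Hosts entries that are not part of the baseline, sorted for review.
    Anything here was added after install, by an administrator or by a threat."""
    return sorted(set(parse_hosts(text)) - BASELINE)

def loopback_redirects(text):
    """Names (other than localhost) mapped to a loopback address: the usual way a
    threat stops a computer from reaching update and security sites."""
    return sorted(name for ip, name in nondefault_entries(text)
                  if ip.startswith("127.") or ip == "::1")

if __name__ == "__main__":
    # On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts.
    for ip, name in nondefault_entries(SAMPLE_HOSTS):
        print(f"non-default entry: {ip:<16} {name}")
    for name in loopback_redirects(SAMPLE_HOSTS):
        print(f"blocked by loopback redirect: {name}")
```

Run it against the real file before rebooting, remove the entries you did not add, and re-run it afterwards to confirm the file is back to baseline.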


5. Determine Infection Vector and Prevent Recurrence
This last step is often overlooked but may be considered the most important. Most network-wide infections use two methods to propagate:
A. Known vulnerabilities: These are generally OS vulnerabilities, but may also include other software vulnerabilities that allow code to be remotely executed on the computer.
B. Open Shares: Because viruses often load at start up they may be running with the current user's credentials. This means that any share that a user can reach without providing a user name and password is vulnerable to this type of attack. This includes the Admin$ and IPC$ shares.

- To ensure the security of the network going forward, the Administrator password may need to be changed to a new, strong password.
- Only after computers are patched and cleaned should they be reintroduced to the production network.