Best Practices for Troubleshooting Viruses on a Network

Article:TECH122466  |  Created: 2010-01-15  |  Updated: 2014-01-10  |  Article URL http://www.symantec.com/docs/TECH122466
Article Type
Technical Solution


Issue



You need to know the best practices for responding to active threats on a network.


Solution



Responding to a virus infection comprises the following five steps:

    Step 1. Identify the Threat and Attack Vectors
    Step 2. Identify the Infected Computers
    Step 3. Quarantine the Infected Computers
    Step 4. Clean the Infected Computers
    Step 5. Post-op: Prevent Recurrence

 

Step 1. Identify the Threat and Attack Vectors

In order for a threat to be contained and eliminated, you must first know what the threat is and what it is designed to do. It is also important to know all of the threats that may be present on the computer, as well as knowing what methods the threats may be using to propagate throughout the network.

To identify the threat or threats, follow the instructions under the condition that applies.

    Symantec Endpoint Protection is already detecting the threat, but additional information is needed about the threat; or, Symantec Endpoint Protection is NOT detecting a threat, but a suspect file has been identified that is believed to be malicious.
    • Submit the file to Symantec Security Response.
      Symantec Security Response can identify all known malicious files. In the event that additional information is required, submitting the file to Security Response allows further research to be carried out. If the file is a new malicious file, Security Response can create virus definitions to detect it.
      Contact Technical Support for the appropriate submission site.
    • Submit the file to Threat Expert (owned by Symantec).
      Automated analysis can be performed for some types of threats through http://www.threatexpert.com. This step can quickly identify the sites the threat is coded to contact so they can be blocked at the firewall. Symantec Support does not provide troubleshooting for http://www.threatexpert.com, and this step does not replace the need to submit files to Symantec Security Response.
    • Configure Auto-Protect to allow network scanning.
      Network scanning allows Auto-Protect to scan files that the computer accesses from remote computers. This helps prevent malware from spreading.

    The Symantec Endpoint Protection product is NOT detecting a threat, and assistance is needed to identify suspect files to send to Symantec Security Response to verify malicious intent and provide detection.

 

Resources within Symantec Endpoint Protection for identifying the threat and its behaviors:
Symantec Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.

Basic steps:

Advanced steps:

 


Step 2. Identify the Infected Computers

Once the threat(s) have been identified, it is important to understand which computers are infected with the malicious files, and how many uninfected computers could be affected by the infected computers' behavior. This is usually done from within the Endpoint Protection management console, but there are circumstances that may require additional methods for identifying infected computers.

Best: Update virus definitions with a signature file that is confirmed to detect the variant of the threat you are dealing with.

  1. Download and install the correct virus definitions on a single infected client and scan the computer to make sure detection and remediation is working correctly.
  2. Configure Auto-Protect to allow network scanning.
  3. Deploy the virus definitions out to the entire affected network.
  4. Scan ALL computers and determine what computers are infected and what computers are not. (Note: The scan may clean many/most of the infected computers.)
  5. Computers where the scan could not remediate the threat should be quarantined (see Step 3. Quarantine the Infected Computers).


Good: If virus definitions are not yet available for the threat, or if parts of the network are not protected by Symantec Endpoint Protection, then other means should be used to identify the suspect infected computers.
If Threat Expert was able to find what external IP or URL the threat is using for communication, monitoring perimeter firewall logs should reveal which computers may be infected.
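The firewall-log approach described above, as an added example that is not part of the original article: it matches egress log lines against the external IPs and hostnames a threat analysis reported and lists every internal computer that contacted them. The log line layout, the RFC 1918 internal ranges, the sample lines and the indicator values are all constructed assumptions.

```python
"""Triage perimeter firewall log lines against the external IPs and hostnames a
threat is known to contact, and list the internal computers that reached them.
Added example: the log format, indicator values and addresses are constructed
assumptions for illustration, not Symantec data."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Assumed log line layout (constructed for this example):
#   <ISO timestamp> <ALLOW|DENY> <TCP|UDP> <src_ip>:<port> -> <dst_ip>:<port> [host=<name>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
    r"(?:\s+host=(?P<host>\S+))?\s*$"
)
# RFC 1918 space; traffic from these sources is the egress we care about.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Sighting:
    """Evidence that one internal computer talked to a known-bad destination."""
    hits: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    indicators: set = field(default_factory=set)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a firewall record."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspect_hosts(log_lines, ioc_ips, ioc_hosts):
    """Map each internal source IP that contacted an indicator to its Sighting.

    DENY lines count as well: a blocked attempt still shows the computer is
    trying to call out, which is exactly the sign of infection we are after.
    """
    ioc_ips = set(ioc_ips)
    ioc_hosts = {h.lower() for h in ioc_hosts}
    suspects = defaultdict(Sighting)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]):
            continue  # unparseable, or not egress from an internal computer
        if rec["dst"] in ioc_ips:
            matched = rec["dst"]
        elif rec["host"] and rec["host"].lower() in ioc_hosts:
            matched = rec["host"].lower()
        else:
            continue
        s = suspects[rec["src"]]
        s.hits += 1
        s.first_seen = rec["ts"] if s.first_seen is None else min(s.first_seen, rec["ts"])
        s.last_seen = rec["ts"] if s.last_seen is None else max(s.last_seen, rec["ts"])
        s.indicators.add(matched)
    return dict(suspects)


# Constructed sample log; 198.51.100.7 / update.example-bad.test stand in for the
# addresses a threat analysis would report (placeholders, not real indicators).
SAMPLE_LOG = """\
2010-01-15T10:02:11 ALLOW TCP 10.1.2.33:51234 -> 198.51.100.7:80 host=update.example-bad.test
2010-01-15T10:02:12 ALLOW TCP 10.1.2.33:51235 -> 203.0.113.9:443
2010-01-15T10:05:40 ALLOW TCP 10.1.2.57:49152 -> 192.0.2.44:80 host=www.example.org
2010-01-15T10:06:02 DENY  TCP 10.1.2.80:49310 -> 198.51.100.7:8080
2010-01-15T10:07:15 ALLOW UDP 10.1.2.33:53001 -> 198.51.100.7:53
this line is not a firewall record
2010-01-15T10:09:00 ALLOW TCP 172.16.5.5:40000 -> 192.0.2.44:80 host=UPDATE.EXAMPLE-BAD.TEST
""".splitlines()
IOC_IPS = {"198.51.100.7"}
IOC_HOSTS = {"update.example-bad.test"}

if __name__ == "__main__":
    for ip, s in sorted(find_suspect_hosts(SAMPLE_LOG, IOC_IPS, IOC_HOSTS).items()):
        print(f"{ip}: {s.hits} hit(s), {s.first_seen:%H:%M:%S}..{s.last_seen:%H:%M:%S}, via {sorted(s.indicators)}")
```

Computers that appear only with DENY lines are still worth quarantining: the perimeter block stopped the call-out, not the infection.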

Symantec Endpoint Protection Tips for Identifying the Infected Computers:
Symantec Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.

Application and Device Control:

 


Step 3. Quarantine the Infected Computers

Once a threat has been identified, and you understand how it spreads, the next step is to prevent the threat from spreading. Both worms and viruses spread by using various techniques to move through a network. Whenever possible, compromised computers should be removed from the network while being remediated.

It is critical to remove a computer from the network, or to add it to a "quarantine network", once it is known to be compromised—it is likely that the threat in question will infect other computers on the network, and thus continue to spread.

On occasion a compromised computer is mission-critical and cannot be isolated from the network. In some cases, depending on the infection, these can be isolated in so-called quarantine networks with some heavily restricted network access. Naturally this only works for cases where the threat's activity does not coincide with the functions needed by the compromised computer.

Best: Remove the infected computer from the network. Physically unplug the network cable and disable all wireless connections.

Good: Move the infected computer to a carefully configured subnet designed to restrict the traffic that the threat needs to propagate to other computers. This will allow the device some restricted form of use.

  • You must know how to create subnets or VLANs and configure your network devices to restrict traffic
  • You must know how the threat spreads.

 

Exceptions: Some infected systems may not be able to be removed from the environment or quarantined, due to business need. Special rules may need to be configured to allow them to function within their current subnet and still prevent the threat from spreading. This may include any combination of the following depending on the attack vector used by the threat.

    Note: This carries with it a degree of risk that should be considered before it is attempted. There is additional information on this topic in Step 5. Post-op: Prevent Recurrence.

    To minimize risks without removing a computer from the network
    • Close any open shares.
    • Require users to re-authenticate when connecting to file servers.
    • Disable Windows "AutoPlay" feature.
      This can be done through registry keys, GPO, or SEP Application and Device Control.
    • Restrict the use of writable USB drives.
      This can be done through registry keys, GPO, or SEP Application and Device Control.
    • Make executables on network drives "Read-Only".

 

Additional resources within Symantec Endpoint Protection for quarantining infected computers:
Symantec Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.

 


Step 4. Clean the Infected Computers

With the threat isolated to individual computers, the threat can be removed and the side effects it caused can be reversed. The following steps describe in detail what your Security Team should do to:

  • Assess whether it would be more cost-effective to "start from scratch" — to freshly rebuild or reinstall a compromised computer.
  • Assess whether any threats found can be easily removed from a computer by running an antivirus scan, or if additional tasks will need to be performed before or afterwards.
  • Assess whether any system changes were made on infected computers and how to revert those changes.
  • Assess when it is safe to add the computers back to the network.


Note: Backdoors or rootkits
Before proceeding with a disinfection of a compromised computer, it is important to consider the level of compromise when a backdoor or a rootkit is present. These malicious code subclasses allow threat writers to gain access, and to hide their malicious files and activities. In both cases, determining the extent of the damage done to a computer is difficult and may increase the difficulty of removing all malicious functions from the computer. Under such circumstances it is often less time consuming to re-image the operating system and restore needed data from clean backups.

  1. Stop the viral process
    In order to remove the malicious files from the computer, any processes used by the threat must be stopped beforehand. There are three primary options for doing this.
    1. Antivirus scan
      This is perhaps the easiest option. If you have Symantec AntiVirus 10 or Symantec Endpoint Protection installed on the computer, the antivirus software should be able to detect and stop malicious processes while it scans the computer.
    2. Safe Mode
      Restarting the computer in Safe Mode will prevent the vast majority of threats from loading as the operating system loads. You can then proceed with manually removing the malicious files or running an antivirus scan.
    3. Tools
      While most of the capability of a fixtool is deployed in AntiVirus definitions for Symantec AntiVirus 10 or Symantec Endpoint Protection, Symantec, on occasion, creates fixtools. If a tool is available, it will be mentioned in the write-up for the threat on the Security Response Web site.

     
  2. Remove the malicious files
    The simplest way to remove the threat from the computer is to run a full system scan on the compromised computer. With the latest definitions installed the scan should be able to remove the threat in most cases without incident. If the threat is a worm or Trojan, the files can be removed manually. The complexity of threats today leaves the possibility for something to be overlooked when attempting a manual removal. Do not attempt this with file infectors as it is not possible to manually determine which files are infected and which are not.
     
  3. Restore changes made by the threat
    There are often a number of changes that a threat makes to a computer in addition to installing files. Quite often, security settings are lowered by the threat and the system functionality is reduced based on changes to the computer's configuration. In many cases your Symantec Endpoint Protection program can restore these items to the default secure setting. These settings can be adjusted further to suit the needs of the network. There are cases where the settings will need confirmation or they will need to be restored manually after removing a threat, and there may be some cases where the Symantec software will not undo the change because it is unable to determine the previous setting.
     
  4. Check for registry changes
    More often than not, threats create or modify registry entries on a computer, which provide functionality ranging from loading the program when the operating system starts to granting internet access through the Windows Firewall. Leaving these items unchanged after the threat has been removed may cause error messages to appear while the computer boots or when using the computer. In some cases, it may prevent the user from logging in when the computer is restarted.

    Any items added to the registry should be removed or restored to the computer's default setting or, if possible, to a more secure setting. This can be done manually, with a script, or with a GPO.
     
  5. Check system files
    There are a number of system files used by the operating system that threats may use. The following items should be checked for signs of modification when a computer is cleaned:
    1. Hosts File
      This file is used to store certain internet locations locally, as opposed to querying a DNS server. Threats may modify this file in order to redirect a user to a malicious web page or away from security sites, such as www.symantec.com. If there are entries in the hosts file that may have been added by the threat, they can be commented out. If network functionality is not impacted, these items are likely unnecessary, and they can be safely removed.
       
    2. Antivirus software
      Some threats specifically target the antivirus software installed on the computer. If successful, this can lead to the antivirus software not alerting on the threat or not being able to update its definitions. If this has happened to a compromised computer, verify the integrity of the AntiVirus software and reinstall if necessary.

     
  6. Reintroduce computers to the network
    Once a computer has been successfully cleaned, one last safety check is recommended: run a final antivirus scan with the latest definitions. If the scan comes back clean, reconnect the computer back into the production network. It is important to connect only a few computers at a time to make sure that the threat has been remediated properly and that no secondary symptoms present themselves.
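For the hosts file check in item 5 above, an added example that is not part of the original article: it flags mappings a threat may have added (a security site such as www.symantec.com pinned anywhere, or any other non-stock entry) and writes back a copy with those lines commented out rather than deleted, as the article recommends. The watch-list of security sites, the sample file and its addresses are constructed assumptions.

```python
"""Audit a Windows hosts file for entries a threat may have added and produce a
copy with those entries commented out, so they can be restored if network
functionality turns out to depend on them.  Added example: the watch-list and
the sample file are constructed assumptions."""
import ipaddress

LOOPBACK = {"127.0.0.1", "::1"}
# Assumed watch-list of security sites a threat might redirect to block updates;
# www.symantec.com is the article's example, the others are placeholders.
SECURITY_HOSTS = {"www.symantec.com", "liveupdate.symantec.com", "update.example-av.test"}
# Names a stock hosts file maps to loopback; anything else pointed there is suspect.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every active (uncommented) mapping line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address: malformed line, ignore
        yield n, parts[0], [p.lower() for p in parts[1:]]


def audit_hosts(text):
    """Return (line_no, severity, reason) for each mapping that warrants attention.

    'high'   : a security site is pinned anywhere (update blocking / redirect).
    'review' : any other non-stock mapping; harmless if the network still works
               without it, in which case it can be removed.
    """
    findings = []
    for n, ip, names in parse_hosts(text):
        if not names:
            continue
        hit = next((nm for nm in names if nm in SECURITY_HOSTS), None)
        if hit is not None:
            findings.append((n, "high", f"security site {hit} pinned to {ip}"))
        elif ip in LOOPBACK:
            if not all(nm in EXPECTED_LOCAL for nm in names):
                findings.append((n, "review", f"{', '.join(names)} blackholed to {ip}"))
        else:
            findings.append((n, "review", f"{', '.join(names)} pinned to {ip}"))
    return findings


def comment_out(text, findings):
    """Return the file with every flagged line commented out (not deleted)."""
    flagged = {n for n, _, _ in findings}
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        out.append(("# [quarantined] " + raw) if n in flagged else raw)
    return "\n".join(out) + "\n"


# Constructed sample hosts file (addresses and names are placeholders).
SAMPLE_HOSTS = """\
# stock header comment
127.0.0.1       localhost
::1             localhost
10.20.30.40     intranet.corp.example   # legitimate internal mapping
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com update.example-av.test
203.0.113.10    www.example-bank.test
not a mapping line
"""

if __name__ == "__main__":
    found = audit_hosts(SAMPLE_HOSTS)
    for n, sev, why in found:
        print(f"line {n} [{sev}]: {why}")
    print(comment_out(SAMPLE_HOSTS, found))
```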

 


Step 5. Post-op: Prevent Recurrence

Once the outbreak is resolved, it is time for one of the most important steps: review the incident and make necessary changes in internal processes and procedures to avoid this type of attack in the future. The Security Team should perform a network audit to determine how the threat entered the network and then put security measures in place to prevent it from happening again. This is another place where knowing the threat's attack vectors from Step 1 will come in handy.

It is also important to realize that some of the weak points are actually technologies that make computers more accessible and user friendly to end users. Security and availability are often inversely proportional: an increase in security can increase the steps needed to perform a task, while ease of use, though more efficient, often opens security holes that make it easy for threats to spread.


To help prevent another infection, the following article on Symantec's Connect forums will be of interest: The Day After: Necessary Steps after a Virus Outbreak

 

The Myth of Reinfection

Under normal circumstances and best practices, it is not possible for a threat to "re-infect" a protected hard drive without antivirus detecting the threat. If this seems to be happening it is a good idea to re-examine the system and antivirus software configurations, and confirm that the infection vector(s) have been closed.

The following sections describe security weak points and common attack vectors, and suggest how to close these vectors.

 

Patching vulnerabilities

Vulnerabilities are computer software flaws that can be exploited by malicious code. These vulnerabilities can be repaired by applying patches provided by the software vendor. In today's network environment, regular patching is a requirement. Every network should have a Patch and Configuration Management Policy for testing new patches and rolling them out to client computers. Patching plans should focus not just on operating systems and browser add-ons, but all deployed software. Any software installed on a computer should be regularly checked for updates—from office utilities to databases to web server applications. All software should be cataloged and regularly checked for updates. Internally developed code should be regularly audited for security holes and fixed as soon as possible. Appliances such as routers and printers should also be checked for software updates and patched quickly. This can be a lot to manage, but it is vitally important in preventing security incidents.

 

AutoPlay (AutoRun)

AutoPlay is a feature in Windows that allows files to be opened or "played" automatically. This feature is useful to launch installation files and other applications from CDs and USB flash drives, but over the last few years it has become one of the largest attack vectors in the enterprise environment. While USB drives may provide an initial source of infection through the use of AutoPlay, most network drives are designed to use this functionality too. This allows threats to attack from a network drive as soon as the drive is mapped. Since antivirus software is designed to scan the local hard drive, the threat will be able to attack the client computer without detection or prevention, unless additional measures like Network Auto-Protect are employed.

In order to protect your network, disabling AutoPlay is the recommended course of action. This can be done on individual computers, pushed out to client computers using the Group Policy editor, configured by a policy in Symantec Endpoint Protection, or accomplished by disabling the external media ports on the computer entirely from within the BIOS. There is also a known Windows vulnerability within the autoplay feature that may re-enable it unless Windows patches are applied.

 

Network shares

First and foremost, access to all network shares should require a strong password not easily guessed. "Open Shares" are network shares that allow the inherited permissions from the user to validate access. These do not require an additional authentication and therefore allow threats to spread very fast. Open shares should be minimized as much as possible, and when they are absolutely essential to business continuity, write and execute privileges should be restricted.

If a user only needs to obtain files from a source, they should only be granted read access. For added security, write access for users needing file-transfer capabilities can be limited to a "temporary" storage folder on a file server, which is cleared semi-regularly. In terms of execution permissions, limit this access to administrators or power users who have such need. Disabling or limiting access to two other share-types is also recommended: Admin$ shares allow complete root access on a computer to any user that can authenticate as a member of the administrator group; Inter-Process Communication (IPC) shares, or IPC$, are intended to help communication between network-available processes and other computers on the network.

The problem with the aforementioned shares is that, regardless of whether strong passwords are in place, once a user is logged on to a system with elevated rights, any threat present can use the credentials to access Admin$ or IPC$ shares available on the network. Once the user is logged in, the rights and permissions are implicit -- the door has been unlocked. Anything that user account has access to will be accessible to anything that impersonates the account.

The best practices in this regard are:

  • Do not auto-map network shares, instead supply a desktop icon to allow users access to the drive as needed.
  • Do not log on using an account with elevated privileges (such as the domain or local Admin) unless absolutely necessary to perform a certain task.
  • Be sure to log off once the task is completed.
  • For most day to day duties, use a more restrictive account.

 

Email

Email attachments, while perhaps not as prevalent as in years past, are still used to spread malicious code today. Most email servers currently on the market provide the ability to strip certain attachment types from emails. Limiting the types of files that are valid as attachments handicaps many threats' ability to spread.

Investing in AntiSpam software is another way of reducing exposure to threats. Doing so reduces the number of phishing scams and spam that reach end users, and thus the network as a whole.

 

Education

An educated end user is a safer end user. Ensure that your users understand the basics of safe computing, such as the following:

  • Do not give passwords to anyone or store them in an easily accessible location, either physical or electronic.
  • Do not open unexpected email attachments from known or unknown sources.
  • Do not click on unknown URLs.
  • Scan software downloaded from the Internet before installing it.
  • Having documentation, internal training, or periodic seminars on computer security available gives your users options for learning more about the topic.

 

Firewalls and other tools

Perimeter firewalls are critical to protect the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks, and are critical to manage today's threat landscape.

Beyond basic firewalls, network and host-based Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) can help monitor for unwanted activity on the network, and in many cases stop or alert on the offending traffic in real time. Many client-side firewalls today provide these features.

 

Emergency Response Team and Plans

Even after all these tasks are complete, it is still a good idea to be prepared in case of the worst. Draft a plan for how to respond to a potential outbreak and assign tasks and responsibilities to members of an Emergency Response Team. How quickly will an alert be generated if there's something on the network? Will there be administrators available to deal with it? How easy is it to reroute traffic and services on the network? Can compromised computers be isolated quickly before they affect other computers? Having plans in place for these things makes dealing with unpleasant situations much easier and saves both time and money.

 

Symantec Endpoint Protection Tips for Cleaning Infected Computers:

Symantec Endpoint Protection employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.

Application and Device Control

 

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security best practices:

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, all incoming connections should be denied and only approved services should be offered to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure email servers to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If Bluetooth is required, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.


For further information on the terms used in this document, please refer to the Security Response glossary.

 

Additional Resources and Information:

Rapid Release Definitions

Use Rapid Release definitions when facing an outbreak or when Technical Support/Security Response suggest their use. Rapid Release virus definitions have undergone basic quality assurance testing by Symantec Security Response. The primary focus of these detection signatures is the rapid detection of newly emerging threats. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, the Rapid Release virus definitions may pose some risks, such as a higher potential for false positives. Rapid Release definitions are most useful for perimeter defenses, or for all protection tiers as a means of mitigating fast-spreading virus outbreaks. These signatures are released approximately once per hour.

Rapid Release Definitions can be obtained from http://www.symantec.com/avcenter/rapidrelease.download.html or 
ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence

An additional support page describing how to update Symantec Endpoint Protection Manager with the Rapid Release definitions so that it can update clients as they check in:
http://www.symantec.com/business/support/index?page=content&id=TECH102607&locale=en_US

 

Virus Submissions to Symantec

If you believe that a host is infected with a malware file not detected by Symantec Endpoint Protection, submit the file to Symantec Security Response using the instructions in How to Use the Web Submission Process.

Corporate customers making submissions to Security Response are encouraged to create a support case at the same time. This allows the Support representative to confirm that the customer has submitted to the correct queue and dramatically improves the ability of Security Response to provide a timely response.

Retail submissions (any submission made to any queue that does not have a valid customer ID associated with it) are only subjected to automated analysis. Files that cannot have a "known clean" or "known malicious" verdict provided by the automated system will be "filed for later analysis", but essentially Security Response does not manually look at these files unless a massive number of submissions of the same file is observed, or a corporate submission of the file is made.

 

Legacy ID

2010011510455048