Virus removal and troubleshooting on a network

Article:TECH122466  |  Created: 2010-01-15  |  Updated: 2014-10-16  |  Article URL http://www.symantec.com/docs/TECH122466
Article Type
Technical Solution


Issue



You need to respond to active security threats on a network, or review virus removal and troubleshooting best practices.


Solution



Contents

Responding to threats and virus infection involves the following:

For more information on the terms used in this document, please refer to the Symantec Security Response glossary.

Step 1: Identify the threat and attack vectors

To contain and eliminate a threat, you must know all of the threats that are present on the computer and what they are designed to do. You must also understand which methods they use to propagate throughout the network.

To identify the threats, follow the instructions under the condition that applies.

You have identified infected or suspicious files

Symantec Endpoint Protection (SEP) detects a threat, and you need additional information about the threat; or, SEP does NOT detect a threat, but you have identified a suspect file that you believe to be malicious.

1. Submit the file to Symantec Security Response.

Symantec Security Response can identify all known malicious files. In the event that additional information is required, submitting the file to Symantec Security Response allows further research to be carried out. If the file is a new malicious file, Symantec Security Response can create virus definitions to detect it.

2. Submit the file to Symantec’s Threat Expert.

Symantec’s Threat Expert performs automated threat analysis for some types of threats. Submitting files can quickly identify the sites the threat is coded to contact so they can be blocked at the firewall.

Note: Symantec support does not provide troubleshooting for Threat Expert, and this step does not replace the need to submit files to Symantec Security Response.

3. Configure Auto-Protect to allow network scanning.

Network scanning allows Auto-Protect to scan files that the computer accesses from remote computers. This helps prevent malware from spreading, and can result in identification of the threat in cases when Auto-Protect is not functioning on an infected computer.

 

You have NOT identified any infected or suspicious files

Symantec Endpoint Protection (SEP) does not detect a threat, and you need to determine what, if any, files are infected.

1. SymHelp - Check common load points for threats

Symantec Help (SymHelp) collects technical diagnostic data for many Symantec products. The Threat Analysis Scan (previously called Load Point Analysis) in SymHelp allows you to determine the risk level of files that are launched automatically on your computer.

2. Heuristics - Increase the heuristic level of your Symantec Antivirus program

Increasing the heuristic level allows Symantec AntiVirus to detect more threats based on their behavior.

3. Network Scanning - Configure Auto-Protect to allow network scanning

Network scanning allows Auto-Protect to scan files that the computer accesses from remote computers. This helps prevent malware from spreading, and can result in identification of the threat in cases when Auto-Protect is not functioning on an infected computer.

 

Additional resources within SEP for identifying the threat and its behaviors

SEP employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.

Basic steps:

Advanced steps:

Step 2: Identify the infected computers

Once you have identified the threat, you must determine if other computers are infected.

You can use the SEP management console to identify infected computers, but there are circumstances that may require additional methods.

BEST: Update virus definitions with a signature file that is confirmed to detect the variant of the threat you are dealing with.

  1. Download and install the correct virus definitions on a single infected client and scan the computer to make sure detection and remediation are working correctly.
  2. Configure Auto-Protect to allow network scanning.
  3. Deploy virus definitions to the entire affected network.
  4. Scan ALL computers to determine which computers are infected.

    Note: The scan may clean most of the infected computers.
     
  5. Quarantine computers where the scan could not remediate the threat.
 

Good: If virus definitions are not available for the threat, or if parts of the network are not protected by SEP, then use other means to identify possible infected computers.

If Threat Expert was able to find what external IP address or URL the threat is using for communication, monitoring perimeter firewall logs should reveal which computers may be infected.
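An added example (not part of the original article) of working this step from the perimeter side: given the destination IP addresses and hostnames reported for the threat, the script walks firewall log lines and lists every internal source that contacted them, with first/last seen and hit counts. The log format, the indicator values and the internal addresses are all constructed assumptions; denied connections are kept on purpose, since a blocked attempt still identifies a calling host.

```python
import re
from datetime import datetime

# Destinations reported for the threat by the analysis service; constructed sample
# values (RFC 5737 documentation addresses), not real indicators.
SUSPECT_IPS = {"203.0.113.45"}
SUSPECT_HOSTS = {"update-check.example.net"}

# Constructed perimeter firewall log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2010-01-15T08:02:11 action=allow src=10.1.4.22 dst=203.0.113.45 dport=80 proto=tcp
2010-01-15T08:02:30 action=allow src=10.1.4.22 dst=198.51.100.7 dport=443 proto=tcp
2010-01-15T08:05:47 action=deny src=10.1.7.9 dst=203.0.113.45 dport=8080 proto=tcp
2010-01-15T08:06:02 action=allow src=10.1.4.22 dst=203.0.113.45 dport=80 proto=tcp
2010-01-15T08:09:13 action=allow src=10.1.9.101 host=UPDATE-CHECK.example.net dst=192.0.2.10 dport=80 proto=tcp
2010-01-15T08:10:00 action=allow src=10.1.2.5 dst=198.51.100.7 dport=443 proto=tcp
this line is garbage and must not crash the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<kv>.*)$")


def parse_line(line):
    """Return the line's fields as a dict (with a datetime under 'ts'), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    if "src" not in fields:
        return None
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def is_suspect(fields):
    """True when the connection targets a known-bad IP address or hostname."""
    return (fields.get("dst") in SUSPECT_IPS
            or fields.get("host", "").lower() in SUSPECT_HOSTS)


def find_infected_sources(log_text):
    """Map each internal source that contacted a suspect destination to a short summary.

    Denied connections count too: the attempt shows the host is running the threat,
    even though the perimeter blocked it.
    """
    hits = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or not is_suspect(f):
            continue
        h = hits.setdefault(f["src"], {"count": 0, "denied": 0, "first": f["ts"], "last": f["ts"]})
        h["count"] += 1
        if f.get("action") == "deny":
            h["denied"] += 1
        h["first"] = min(h["first"], f["ts"])
        h["last"] = max(h["last"], f["ts"])
    return hits


if __name__ == "__main__":
    for src, h in sorted(find_infected_sources(SAMPLE_LOG).items()):
        print(f"{src:<12} hits={h['count']} denied={h['denied']} first={h['first']} last={h['last']}")
```

The resulting source list is the candidate set to scan and, where the scan confirms infection, to quarantine under Step 3.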

 

Tips for identifying the infected computers

SEP employs additional tools to help troubleshoot, contain, and remediate threats within an enterprise environment.

Step 3: Quarantine the infected computers

Once you have identified a threat and understand how it spreads, you have to prevent it from spreading through the network.

It is critical that you remove the compromised computer from the network or add it to a "quarantine network". Otherwise the threat will spread as it infects other computers on the network.

BEST: Remove the infected computer from the network

Physically unplug the network cable from the infected computer and disable all wireless connections.

 

Good: Move the infected computer to a quarantine network

On occasion a compromised computer is mission-critical and cannot be isolated from the network. In some cases, depending on the infection, these can be isolated in so-called quarantine networks with some heavily restricted network access. Naturally this only works for cases where the threat's activity does not coincide with the functions needed by the compromised computer.

The quarantine network itself is a carefully configured subnet designed to restrict the traffic that the threat needs to propagate to other computers. This will allow the infected computer some restricted form of use.

  • You must know how to create subnets or VLANs and configure your network devices to restrict traffic.
  • You must know how the threat spreads.
 

Exception: When removal from the network or quarantine is not possible

Due to business need, you may not be able to quarantine some infected systems or remove them from the network. You may need to configure special rules to allow them to function within their current subnet and still prevent the threat from spreading. This may include any combination of the following depending on the attack vector used by the threat.

Caution: This carries with it a degree of risk that should be considered before it is attempted. There is additional information on this topic in Step 5.

  • Close any open shares.
  • Require users to re-authenticate when connecting to file servers.
  • Disable the Windows AutoPlay feature. This can be done through registry keys, Group Policy Object, or an Application and Device Control Policy.
  • Restrict the use of writable USB drives. This can be done through registry keys, Group Policy Object, or an Application and Device Control Policy.
  • Make executables on network drives read-only.
 

Additional resources within SEP for quarantining infected computers

SEP employs additional tools to help troubleshoot, contain and remediate threats within an enterprise environment.

Step 4: Clean the infected computers

With the threat isolated to individual computers, you can remove the threat and reverse its side effects. As you take the steps outlined in this section, you should assess the following:

  • Would it be more cost-effective to "start from scratch" (e.g. to freshly rebuild or reinstall a compromised computer)?
  • Can threats be easily removed from a computer by running an antivirus scan, or are additional tasks required?
  • Were any system changes made on the infected computers? If so, can and should you revert those changes?
  • When is it safe to add the computers back to the network?

Backdoors and rootkits

Before proceeding with a disinfection of a compromised computer, it is important to consider the level of compromise when a backdoor or a rootkit is present. These malicious code subclasses allow threat writers to gain access and hide their malicious files and activities.

In both cases, determining the extent of the damage done to a computer is difficult and may increase the difficulty of removing all malicious functions from the computer. Under such circumstances it is often less time consuming to re-image the operating system and restore needed data from clean backups.

1. Stop the viral process

In order to remove the malicious files from the computer, you must stop any processes used by the threat. There are three primary options for doing this.

  • Antivirus scan - You can manually run a scan, likely the easiest option, which should stop and detect malicious processes as it scans the computer.

    To run a scan in the client: on the Status page, next to Virus and Spyware Protection, click Options > Run Active Scan.
  • Safe mode - Restart the computer in Safe Mode to prevent the majority of threats from loading. You can then manually remove the malicious files or run a scan.
  • Fixtools - Symantec, on occasion, creates fixtools to help with threat removal. If one is available, it will be mentioned in the threat write-up on the Symantec Security Response website.
 

2. Remove the malicious files

The simplest way to remove the threat from the computer is to run a full system scan on the compromised computer. With the latest definitions installed the scan should be able to remove the threat in most cases without incident. If the threat is a worm or Trojan, you can manually remove the files.

Caution: The complexity of threats leaves the possibility for you to overlook something when attempting a manual removal. Do not attempt manual removal with file infectors as it is not possible to manually determine which files are infected and which are not.

 

3. Restore changes made by the threat

Threats can make a number of changes to a computer in addition to installing files. Threats can also lower security settings and reduce system functionality based on changes to the computer's configuration.

In many cases SEP can restore these settings to the default secure setting. You can further adjust these settings to suit the needs of the network.

There are cases where you will need to confirm settings or restore them manually after removing a threat. There may be cases where Symantec software cannot undo the change because it is unable to determine the previous setting.

 

4. Check for registry changes

Threats create or modify registry entries that perform functions ranging from loading the threat when the operating system starts to granting Internet access through Windows Firewall.

Leaving these entries unchanged after the threat has been removed may cause error messages to appear as the computer boots or when using the computer. In some cases, this may prevent the user from logging in after they restart the computer.

Any items that the threat adds to the registry should be removed or restored to the computer's default setting or, if possible, to a more secure setting. This can be done manually, with a script, or with a Group Policy Object.

 

5. Check system files and software

There are a number of system files used by the operating system that threats may use. The following items should be checked for signs of modification when a computer is cleaned:

  • Windows hosts file - The Windows hosts file maps domain names to IP addresses locally, as opposed to querying a DNS server. Threats may modify this file to redirect a user to a malicious website, or away from security websites such as www.symantec.com.

    If the threat adds entries in the hosts file, you can comment them out. If this does not impact network functionality, these entries are likely unnecessary and you can safely remove them.
     
  • Antivirus software - Some threats specifically target the antivirus software installed on the computer. If successful, this can lead to the antivirus software not alerting on the threat or not being able to update its definitions.

    If this has happened to a compromised computer, verify the integrity of the antivirus software and reinstall if necessary.
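An added example (not part of the original article) of auditing the hosts file as described above: it parses the file, flags entries that override a protected security or update domain or that sink any name other than localhost to a loopback or null address, and comments those lines out rather than deleting them so they can be restored if disabling them breaks something. The sample file and the list of protected domains are constructed assumptions.

```python
import ipaddress

# Names whose resolution should never be overridden on a client; constructed list, adapt
# to the security vendors and update services the site depends on.
PROTECTED_DOMAINS = ("symantec.com", "symantecliveupdate.com", "windowsupdate.com")
SINKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed hosts file: the two default lines, one legitimate internal entry and three
# entries of the kind a threat adds to cut the computer off from security sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.20.30.40     intranet.corp.example   # legitimate internal entry
127.0.0.1       www.symantec.com
203.0.113.9     liveupdate.symantecliveupdate.com
0.0.0.0         securityresponse.symantec.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active mapping; comments and blank lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; Windows ignores it as well
        yield n, str(ip), parts[1:]


def _is_protected(name):
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def suspicious_entries(text):
    """Return (line_no, ip, name) for entries that hijack a protected name, or that sink
    any name other than localhost to a loopback/null address (how threats block security sites)."""
    flagged = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname == "localhost":
                continue
            if _is_protected(lname) or ip in SINKHOLE_IPS:
                flagged.append((n, ip, name))
    return flagged


def comment_out(text, line_numbers, tag="# [review] "):
    """Return the file with the given lines commented out, not deleted, so they can be
    restored if disabling them turns out to affect network functionality."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        out.append(tag + raw if n in line_numbers else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    flagged = suspicious_entries(SAMPLE_HOSTS)
    for n, ip, name in flagged:
        print(f"line {n}: {ip} -> {name}")
    print(comment_out(SAMPLE_HOSTS, {n for n, _, _ in flagged}))
```

On a real computer the file lives at %SystemRoot%\System32\drivers\etc\hosts and editing it requires administrative rights; the commented-out copy is what you would write back after confirming nothing depends on the flagged lines.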
 

6. Reintroduce computers to the network

Once a computer has been successfully cleaned, one last safety check is recommended: run a final antivirus scan with the latest definitions. If the scan comes back clean, reconnect the computer back into the production network.

It is important to connect only a few computers at a time to make sure that the threat has been remediated properly and that no secondary symptoms present themselves.

 

Additional tips for cleaning infected computers with SEP

SEP employs additional tools to help troubleshoot, contain, and remediate threats within an Enterprise environment.

Application and Device Control

Step 5: Post-op and prevent recurrence

Incident review and network audit

After you have removed the threat, you should perform the following:

  • Review the incident and make necessary changes in internal processes and procedures to avoid this type of attack in the future.
  • Perform a network audit with your security team to determine how the threat entered the network. Understanding the threat's attack vectors from Step 1 will come in handy.
  • Implement security measures to prevent another incident.

Some people believe that security and usability are inversely proportional to each other, with an increase in security increasing the steps needed to perform a task. Ease-of-use, while more efficient, can open security holes that make it easier for threats to spread. Weak points in a network are usually those technologies that make computers more accessible and user-friendly.

 

The myth of reinfection

Under normal circumstances and best practices, threats cannot reinfect a protected hard drive without security software detecting the threat. If this seems to happen, re-examine the system and security software configuration. Also review the following security weak points and ensure that you have closed common attack vectors.

Patching vulnerabilities

Malicious code can exploit vulnerabilities due to software flaws. You can repair flaws and prevent security incidents using patches provided by the software vendor.

You should have a Patch and Configuration Management Policy in place for your network to test new patches and roll them out to client computers.

  • Patching plans should focus not just on operating systems and browser add-ons, but on all deployed software.
  • Regularly catalogue software installed on computers, from office utilities to databases and web server applications, and check for updates.
  • Regularly audit internally developed code for security holes and fix them as soon as possible.
  • Regularly check appliances such as routers and printers for software updates and patch them quickly.

Windows AutoPlay (AutoRun)

AutoPlay is a Windows feature that enables users to choose which program opens or plays files from CDs, DVDs and removable drives such as USB. This feature has become one of the largest attack vectors in the enterprise environment.

While removable drives may provide an initial source of infection through the use of AutoPlay, most network drives are designed to use this functionality too. This allows threats to attack from a network drive as soon as the drive is mapped. Since antivirus software is designed to scan the local hard drive, the threat will be able to attack the client computer without detection or prevention, unless additional measures like Network Auto-Protect are employed.

To protect your network, you should disable AutoPlay. This can be done on individual computers, pushed out to client computers using the Group Policy editor, configured by a policy in SEP, or by disabling the external media ports on the computer entirely from within the BIOS. There is also a known Windows vulnerability within the AutoPlay feature that may re-enable it unless specific Windows patches are applied.

Network shares

Access to all network shares should require a strong password not easily guessed. "Open shares" are network shares that allow the inherited permissions from the user to validate access. Open shares do not require additional authentication, which allows threats to spread very fast. Because of this, you should minimize the use of open shares as much as possible. When they are absolutely essential to business continuity, open shares should have their write and execute privileges restricted.

If a user only needs to obtain files from a source, grant them read access. For added security, you can limit write access for users needing file transfer capabilities to a "temporary" storage folder on a file server, which is cleared semi-regularly. Limit execution permissions to administrators or power users who have such a need.

Disabling or limiting access to two other types of share is also recommended:

  • Admin$ shares allow complete root access on a computer to any user that can authenticate as a member of the administrator group.
  • Inter-Process Communication (IPC) shares, or IPC$, are intended to help communication between network-available processes and other computers on the network.

The problem with the aforementioned shares is that regardless of whether strong passwords are in place, once a user is logged on to a system with elevated rights, any threat present can use the credentials to access Admin$ or IPC$ shares available on the network. Once the user is logged in, the rights and permissions are implicit -- the door has been unlocked. Anything accessible through the user’s account will also be accessible to anything that impersonates the account.

Network share best practices

  • Do not auto-map network shares, instead supply a desktop icon to allow users access to the drive as needed.
  • Do not log on using an account with elevated privileges (such as the domain or local Admin) unless absolutely necessary to perform a certain task.
  • Be sure to log off once the task is completed.
  • For most day to day duties, use a more restrictive account.

Email

Email attachments, while perhaps not as prevalent today, are still used to spread malicious code. Most email servers provide the ability to strip certain attachment types from emails. Limiting the types of files that are valid as attachments handicaps many threats' ability to spread.

Investing in antispam software is another way of reducing exposure to threats. Doing so reduces the number of phishing scams and spam that reach end users, and thus the network as a whole.

Firewalls and other tools

Perimeter firewalls are critical to protect the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks, and are critical to manage today's threat landscape.

Beyond basic firewalls, network and host-based Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) can help monitor unwanted activity on the network, and in many cases stop or alert on the offending traffic in real time. Many client-side firewalls today provide these features.

User education

An educated end user is a safer one. Ensure that your users understand the basics of safe computing, such as the following:

  • Do not give passwords to anyone or store them in an easily accessible location, either physical or electronic.
  • Do not open unexpected email attachments from known or unknown sources.
  • Do not click on unknown URLs.
  • Scan software downloaded from the Internet before installing it.
  • Provide your users with documentation, internal training, or periodic seminars on computer security so that they can learn more about the topic.
 

Emergency response team and plans

Even after you complete all tasks, you need to prepare for the worst case scenario. Draft a plan that details how to respond to a potential outbreak, and assigns tasks and responsibilities to members of your emergency response team.

When drafting a response plan, ask and answer the following questions:

  • How quickly will alerts be generated if there's something on the network?
  • Will administrators be available to deal with the threat?
  • How easy is it to reroute traffic and services on the network?
  • Can compromised computers be isolated quickly before they infect other computers?

Having plans in place for these things makes dealing with unpleasant situations much easier and saves both time and money.

 

Basic security best practices

Symantec Security Response encourages all users and administrators to adhere to the following basic security best practices:

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, all incoming connections should be denied and only approved services should be offered to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure email servers to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If Bluetooth is required, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.

Additional resources and information

Rapid release virus definitions

Use rapid release virus definitions when facing an outbreak or when Technical Support or Symantec Security Response suggests its use. The primary focus of these detection signatures is the rapid detection of newly emerging threats.

Rapid release virus definitions have undergone basic quality assurance testing by Symantec Security Response. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, the rapid release virus definitions may pose some risks such as a higher potential for false positives. Rapid release virus definitions are most useful for perimeter defenses or for all protection tiers as a means of mitigating fast-spreading virus outbreaks. These signatures are released approximately once per hour.

Learn how to update SEP Manager with rapid release virus definitions so that it can update clients as they check in.

 

Virus submissions to Symantec

If you believe that a host is infected with a malware file not detected by SEP, submit the file to Symantec Security Response.

Corporate customers

Corporate customers making submissions to Security Response are encouraged to create a support case at the same time. This will allow the support representative to confirm that you have submitted to the correct queue, which will dramatically impact the ability of Symantec Security Response to provide a timely response.

Consumer customers

Retail submissions (any submission made to any queue that does not have a valid customer ID associated with it) are only subjected to automated analysis. Files that cannot have a "known clean" or "known malicious" verdict provided by the automated system will be "filed for later analysis", but essentially Symantec Security Response does not manually look at these files unless a massive number of submissions of the same file is observed, or a corporate submission of the file is made.




Legacy ID



2010011510455048

