Security Community Blog

Here is my list of steps to find malicious files, infected files etc etc. Please feel free to add or advise

Created: 14 Mar 2014 • 8 comments
Posted by The Conquistador

Checklist for scanning suspicious files
1.    Disconnect any drive mappings and check whether the PC has any shared folders.
2.    Stop the shares if they are present; they can be re-established after cleanup if necessary.
3.    Take the PC OFF the network.
4.    Check disk space; lack of disk space can cause multiple issues.
5.    Check whether any users have local admin rights; if they do, remove them.
6.    Check the "Run" key in the registry for any suspicious entries (check both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER).
    Delete any suspicious entries from
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    (Export each key before deleting anything, so there is a record of what was removed and a way to restore a legitimate entry.)
7.    Check for old Windows user profiles; confirm with the current user before deleting old profiles.
8.    Check C:\ProgramData (a hidden folder) for any suspicious entries.
9.    If you can, clear C:\TEMP and C:\Windows\Temp.
10.    Clear the contents of C:\Users\Username\AppData\Local\Temp.
11.    Clear the contents of %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files.
12.    Check Control Panel for any suspicious programs or toolbars (Yahoo, Ask, etc.).
13.    Remove all toolbars and suspicious programs; verify the validity of a program with the user before removing it.
14.    Check that the versions and definitions of Malwarebytes and SEP are up to date.
15.    Check the SEP client for suspicious entries.
16.    Run a full scan with SEP, then run a full scan with Malwarebytes, and remove suspicious entries.
17.    Open the "View Quarantine" section; if anything is there, check what it is and verify with the user(s) whether it can be removed.
18.    Restart the PC after scanning is complete.
19.    It is highly advisable to run a Load Point Analysis and submit the output file to Symantec Support.
    Suspicious files can be submitted to Symantec through the following link:
    https://submit.symantec.com/websubmit/retail.cgi
    Do not submit a file with a .exe extension; rename it to something like .zip or .rtf.

20. I will use NPE as a last resort; I am wondering if I should use it as a PRIMARY resort.

To open a support case, use the following link.

https://my.symantec.com/webapp/faces/login;jsessionid=kD5pTYtLVGQp1tT6YGNPnJ1RDP1J63M72VYQG51KplzHFSq7vcpC!852198726?_afrLoop=762864225321000&_afrWindowMode=0&_afrWindowId=null#%40%3F_afrWindowId%3Dnull%26_afrLoop%3D762864225321000%26ct%3Dus%26lg%3Den%26_afrWindowMode%3D0%26_adf.ctrl-state%3Dlinjnbbce_4
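The following PowerShell script is an added example and is not part of the original post. It records the items behind steps 1, 4, 5, 6, 8 to 11 and 12 of the checklist (drive mappings, shares, disk space, local administrators, Run keys, recently modified executables in C:\ProgramData and the temp folders, installed programs) to a report folder without deleting anything, so that what later gets removed is on record and file hashes are ready for a Symantec submission. It assumes an elevated PowerShell 3.0 or later session on the suspect PC after it has been taken off the network; the report location under C:\IR is a hypothetical choice. It goes slightly beyond the list by also exporting the RunOnce keys and the Wow6432Node view of the Run key (32-bit programs on 64-bit Windows), which the checklist does not mention.

```powershell
# Editor's added triage script for the checklist above (not from the original post).
# Read-only apart from writing the report; nothing on the PC is deleted.
# Assumptions: elevated PowerShell 3.0+, PC already off the network,
# $ReportDir is a hypothetical output location.

$ReportDir = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Steps 1-2: drive mappings and local shares. The 'net' commands exist on every
# Windows version; the Get-Smb* cmdlets only appear in Windows 8 / Server 2012.
net use   | Out-File "$ReportDir\mappings.txt"
net share | Out-File "$ReportDir\shares.txt"

# Step 4: free space on each fixed disk.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
    Select-Object DeviceID,
        @{n='SizeGB'; e={[math]::Round($_.Size / 1GB, 1)}},
        @{n='FreeGB'; e={[math]::Round($_.FreeSpace / 1GB, 1)}} |
    Out-File "$ReportDir\disk-space.txt"

# Step 5: members of the local Administrators group.
net localgroup Administrators | Out-File "$ReportDir\local-admins.txt"

# Step 6: Run keys. Export each key with reg.exe BEFORE any value is deleted,
# then list every value and flag those that launch from user-writable paths.
# RunOnce and the Wow6432Node view are included although the list omits them.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$suspectPathPattern = '(?i)\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regPath  = $key -replace '^HKCU:', 'HKEY_CURRENT_USER' -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $fileName = ($key -replace '[:\\]', '_') + '.reg'
    reg export $regPath "$ReportDir\$fileName" /y | Out-Null
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        $flag  = if ($value -match $suspectPathPattern) { 'CHECK' } else { '     ' }
        "$flag $key  $name = $value" | Out-File -Append "$ReportDir\run-keys.txt"
    }
}

# Steps 8-11: before clearing the temp locations, list executable content
# modified in the last 30 days and hash it so the files can be submitted.
$dirs = @(
    $env:ProgramData,
    'C:\TEMP',
    "$env:windir\Temp",
    "$env:LOCALAPPDATA\Temp",
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"
)
$exts   = '*.exe', '*.dll', '*.scr', '*.com', '*.vbs', '*.js', '*.bat', '*.cmd', '*.ps1', '*.jar'
$cutoff = (Get-Date).AddDays(-30)
$recent = foreach ($dir in $dirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Force -Include $exts -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff }
    }
}
$canHash = [bool](Get-Command Get-FileHash -ErrorAction SilentlyContinue)   # PowerShell 4.0+
$recent | ForEach-Object {
    $sha256 = if ($canHash) {
        (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash
    } else { 'n/a' }
    [PSCustomObject]@{
        Path          = $_.FullName
        Bytes         = $_.Length
        LastWriteTime = $_.LastWriteTime
        SHA256        = $sha256
    }
} | Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize | Out-File -Width 300 "$ReportDir\recent-executables.txt"

# Step 12: what Control Panel shows as installed, newest first, so toolbars
# and other recent additions stand out.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
    Format-Table -AutoSize | Out-File -Width 300 "$ReportDir\installed-programs.txt"

Write-Host "Triage report written to $ReportDir"
```

Run it after step 3 and before steps 6 to 13 delete anything. The "CHECK" marker in run-keys.txt only highlights entries that start something from AppData, Temp, ProgramData, Public or Downloads; it is a prompt to look, not a verdict. If a legitimate Run value is removed by mistake, the exported .reg file for that key can be restored with reg import.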

 

Comments (8)

Rafeeq

Thanks for the Blog, 

just in case if someone is looking for load points

Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003

http://www.symantec.com/business/support/index?page=content&id=TECH99331
Ch@gGynelL_12

Good job! But sometimes worms and viruses disable registry and folder access, so it is better to run Symantec's advanced scanner, NPE, first.

The Conquistador

Agreed, it's a first resort, not a last. It's just hard to do it on PCs in remote locations.

ajhay.siingh

Hi Bryan and other experts,

Thanks for this info. Please also share the steps, links and process for finding malware and detecting a malware-infected system manually (FileMon, Process Monitor, etc.).

A. How can I find out whether a system is infected with adware, malware, or any type of trojan, etc.?

B. How do I identify the source system that is spreading threats? Some best-practice process.

Please share some useful links.


Regards,

Ajay Kumar Singh (Consultant- Information Security)

Mick2009

Hi Bryan,

"Thumbs up" from me! There's some good info in the points above. The one main change I would recommend would be to run a full SEP scan before NPE is run or anything is manually removed. If certain keys or files of a threat are removed manually, then SEP's ERASER components may not be triggered against that threat and the other parts of the threat may be left behind. (ERASER scripts should get rid of the whole thing.)

Another tip: IPS logs can be an excellent pointer toward malicious files which are making unwanted network traffic.

Here's the best official Symantec article to guide admins through detection and removal:

Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/docs/TECH122466

And here's an article on what to do AFTER the malware has been found and removed:

The Day After: Necessary Steps after a Virus Outbreak
https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

Thanks once again!

With thanks and best regards,

Mick