How to do Zero-Day malware remediation remotely
A Zero-Day virus is defined as "a previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available." Everybody has their own tricks and techniques for Zero-Day remediation. This is what I do when someone on my network calls suspecting their PC is infected.
1. You'll need a copy of the PsList tool from the Sysinternals PsTools suite. From a command prompt run: PSLIST -s \\computer-name (live, continuously refreshing view) or PSLIST \\computer-name (one-time snapshot). Both need admin rights on the remote machine; if your current account doesn't have them, add -u domain\admin -p password.
- Note: Drop the -s to get a static snapshot, but keep in mind that some malware only runs for a few seconds at a time (a single snapshot can miss it) or constantly changes its port numbers. PsList shows processes, not network ports; for ports use netstat -ano on the host (via PsExec if you're remote).
- Note #2: Press ESC to exit -s mode.
2. Examine the list of running processes for anything unusual. Keep in mind that malware can inject into legitimate processes or use a name that impersonates one (a look-alike spelling of svchost.exe, for example), so use PSLIST -t \\computer-name to see the parent/child tree and not just the names.
3. If you run across one that doesn't look familiar, search the process name in a web search engine (Google, Yahoo, etc.). If nothing shows up, the process is suspect, but keep in mind it could also be a custom or in-house application.
4. Once you find the malicious process, connect to the PC over UNC (e.g. \\computer-name\C$) and search its filesystem for the process name.
5. Once you locate it on the hard drive, add it to an archive file (zip, rar, etc.) and copy the archive to your Desktop. You archive it so you don't accidentally launch it and infect your own PC. Submit the archive to http://www.virustotal.com to see whether any of the major antivirus vendors already detect it. If there's any chance the file is a confidential in-house program, look up its hash on VirusTotal first instead of uploading it, since uploaded samples are shared with the vendors.
6. If the process is found to be malicious, kill it on the user's system (explained in step 7) and delete the file on THEIR system, not the copy you made on yours. You need to keep your copy so it can be submitted to Symantec and so you can test that the new definition file cleans it when they send it to you. It's also worth holding onto for a while in case it turns out to be a legitimate program (which I've yet to see).
7. To kill the process remotely, you need the PsKill utility and the Process ID (PID) from the PsList output in step 1.
8. From a command prompt: PSKILL -t \\computer-name PID# (the -t switch also kills any child processes it spawned).
9. Verify that the process has stopped (re-run PSLIST \\computer-name) before deleting the file. If it comes straight back, something is restarting it (a service, scheduled task or Run key); check the machine's autostart entries with Sysinternals Autoruns and remove that entry too, or it will return at the next reboot. If the file turns out to be needed after all, you still have the zipped copy on your system from step 5.
10. Submit the sample to Symantec by filling out the submission form on Symantec's website. If VirusTotal indicates it's already known to other antivirus companies, include that information in the Symptoms field at the bottom of the form.
11. After submitting, print out the page with the submission details and tracking number; there's no way to look this information up again until the email notification arrives in your inbox. Hold onto your copy of the malware until Symantec has released a definition file that detects and removes it.
12. Once the new definition file arrives, scan the archive file with SEP to confirm it catches and removes the file inside the ZIP. If SEP still fails to clean it, open a ticket with Symantec.
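Steps 1 through 9 above, scripted as a PowerShell triage helper. This is an added example, not code from the original post. It assumes pslist.exe and pskill.exe (Sysinternals PsTools) are on your PATH, that the account running it is a local admin on the target, and that the C$ admin share is reachable; the host name and process name you pass in (and the evidence folder path) are placeholders. It snapshots the process list, finds every PID for the suspect name, locates the file over the admin share, records its SHA-256 and zips a copy for you, kills the process, re-checks that it stayed dead, and only then deletes the file on the remote machine.

```powershell
<#
 Added example (not from the original post). Assumptions: pslist.exe and pskill.exe
 are on PATH, you are an admin on the target, and \\target\C$ is reachable.
 $Computer and $SuspectName are hypothetical values supplied by the caller.
#>
param(
    [Parameter(Mandatory)][string]$Computer,       # e.g. WKS-042 (hypothetical host name)
    [Parameter(Mandatory)][string]$SuspectName,    # e.g. badproc.exe (hypothetical process name)
    [string]$EvidenceDir = "$env:USERPROFILE\Desktop\malware-evidence"
)
New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null

# Steps 1-2: static snapshot (no -s) of the remote process list, kept as evidence.
$snapshot = & pslist.exe -accepteula "\\$Computer"
$snapshot | Set-Content -Path (Join-Path $EvidenceDir "$Computer-pslist.txt")

# PsList prints the image name without its extension, then the PID. Collect every matching PID.
$base = [IO.Path]::GetFileNameWithoutExtension($SuspectName)
$namePattern = "^\s*$([regex]::Escape($base))\s+(\d+)\s"
$pids = @($snapshot | ForEach-Object { if ($_ -match $namePattern) { [int]$Matches[1] } })
if ($pids.Count -eq 0) {
    Write-Warning "$base is not running on $Computer right now; short-lived malware may need PSLIST -s to catch it."
}

# Step 4: find the binary over the admin share. Never run what you find; only read it.
# Walking all of C$ over the network is slow; narrow -Path to ProgramData, Users or Windows\Temp if needed.
$hits = @(Get-ChildItem -Path "\\$Computer\C$" -Recurse -Force -File -Filter $SuspectName -ErrorAction SilentlyContinue)
if ($hits.Count -eq 0) { throw "No file named $SuspectName found under \\$Computer\C$" }

# Step 5: hash and archive each copy. Look the SHA-256 up on VirusTotal before uploading;
# an uploaded sample is shared with the AV vendors, which matters if it is an in-house program.
foreach ($f in $hits) {
    $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $f.FullName).Hash
    "$sha256  $($f.FullName)  $($f.Length) bytes  modified $($f.LastWriteTimeUtc.ToString('u'))" |
        Add-Content -Path (Join-Path $EvidenceDir "$Computer-hashes.txt")
    $zip = Join-Path $EvidenceDir ("{0}-{1}.zip" -f $Computer, $sha256.Substring(0, 12))
    Compress-Archive -LiteralPath $f.FullName -DestinationPath $zip -Force
    Write-Host "Archived $($f.FullName) -> $zip (SHA-256 $sha256)"
}

# Steps 7-8: kill by PID, with -t so any child processes go too.
foreach ($p in $pids) { & pskill.exe -accepteula -t "\\$Computer" $p }
Start-Sleep -Seconds 2

# Step 9: confirm it is really gone before touching the file. A respawned copy means a
# persistence mechanism (service, scheduled task, Run key) has to be removed first.
$recheck = & pslist.exe -accepteula "\\$Computer" $base
if ($recheck -match $namePattern) { throw "$base is still running on $Computer; find what restarts it before deleting." }
foreach ($f in $hits) {
    Remove-Item -LiteralPath $f.FullName -Force
    Write-Host "Deleted $($f.FullName) on $Computer (your copy is in $EvidenceDir)"
}
```

Run it as .\Remote-Triage.ps1 -Computer WKS-042 -SuspectName badproc.exe from a machine that already has PsTools. The hash file and the pslist snapshot in the evidence folder are what you attach to the Symantec submission in step 10, and the zip is the copy you re-scan with SEP in step 12.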