Endpoint Protection


What do you do when an infection is found?

  • 1.  What do you do when an infection is found?

    Posted Mar 05, 2009 09:11 PM

    My organization is having discussions on what action, if any, to take when Endpoint detects and alerts on a new virus found.  For instance "Joe User" is surfing along and stumbles upon a site with AV 2009 or other attack/malware.  EndPoint does its job and quarantines the drive by installer from the internet temp files and sends an alert.  Currently when we receive this alert we ask the user to disconnect from the network, verify their definitions are up to date, and then run a full system scan on their PC to verify everything is found and removed.  Depending on the malware/attack type, its age, full system scan results, and how common it is we will then either reimage the PC or reconnect it to the network and allow the user to continue using it.   The opposing idea being tossed around is to trust the security tools we have and as long as it alerts and quarantines, deletes, or blocks the attack/malware take no further action unless it continues.  We are in a highly regulated industry; however, to my knowledge there is not guidance around this. My question is what do you do and/or recommend?



  • 2.  RE: What do you do when an infection is found?

    Posted Mar 05, 2009 09:14 PM

    I think as long as Symantec can contain the virus it's ok. But for example if the actions are "left alone" or "access denied", then you have to look into the issue; multiple virus infections in a short time frame (5 - 10 mins) should also be addressed.



  • 3.  RE: What do you do when an infection is found?

    Posted Mar 06, 2009 05:10 AM

    When we see a virus infection we first analyse the virus detection result. If it is a harmless virus that has already been cleaned we do nothing further.

    If it is a more persistent version we manually check the pc. We let the user reboot the pc and make a full system scan. If the virus is gone we do nothing further.

    Some viruses reinstall themselves or are hidden in System Restore or similar. If the virus is difficult to remove we sometimes use special virus removal tools, or if that does not work, reimage the machine.



  • 4.  RE: What do you do when an infection is found?

    Posted Mar 06, 2009 11:11 AM

    Yup - what max there said.

    Depends - if it was something relatively benign, we check the log and if it was "deleted" we move on.

    Other things, less benign (and those fake AV apps are anything BUT benign! Registry and file corruption abound!) or other than "deleted" we run an update content and scan command and force a reboot at the end, then rescan.

    Been through a couple of those fake AV apps and a rootkit, and the latter is NOT something to be taken lightly!



  • 5.  RE: What do you do when an infection is found?

    Posted Mar 06, 2009 12:45 PM

    not terribly different than what was already said but:

    Incident happens.
    Alert shows up about 5-10 minutes later due to lag.
    We verify the report against the filesystem; if it says Deleted we make sure it is deleted. In the event of temp files I purge the directory. They're temporary after all.

    After that we always run a full disk scan and allow the user to continue running. In the event of an outbreak or multiple computers reporting the same, we would quarantine the segment of the network (store/branch/remote office, whatever terminology fits) to address it, and so on.
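    The triage steps described in this reply and in reply 2 (verify a "Deleted" result against the filesystem, look into anything the product left alone or denied access to, treat repeated hits on one machine within 5-10 minutes or the same risk on several machines as an outbreak) can be written down as a small decision helper. The following is an added example and not code from the thread or from Symantec; the pipe-separated log format and the threshold values are assumptions, and the alert lines are constructed sample data, not a real SEP export.

```python
"""Decision helper for AV detection alerts (added example, not from the thread).

Rules, taken from the thread:
  * "Deleted"/"Quarantined"/"Cleaned" is contained; "Deleted" is still
    verified against the filesystem.
  * "Left alone"/"Access denied" means the product did not contain it:
    manual check.
  * REPEAT_THRESHOLD hits on one host inside REPEAT_WINDOW: manual check.
  * The same risk on OUTBREAK_HOSTS hosts inside REPEAT_WINDOW: outbreak,
    isolate the network segment.
The log format and the thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

REPEAT_WINDOW = timedelta(minutes=10)   # assumed: "5 - 10 mins" from reply 2
REPEAT_THRESHOLD = 3                    # assumed: hits on one host inside the window
OUTBREAK_HOSTS = 3                      # assumed: distinct hosts with the same risk
CONTAINED = {"Deleted", "Quarantined", "Cleaned"}

# Constructed sample alerts: time|host|risk name|action taken|path.
SAMPLE_ALERTS = """\
2009-03-06 12:40:00|WS-101|Trojan.FakeAV|Quarantined|C:\\Users\\joe\\Temp\\setup.exe
2009-03-06 12:41:30|WS-101|Trojan.FakeAV|Deleted|C:\\Windows\\Temp\\abcd.exe
2009-03-06 12:44:10|WS-101|Trojan.FakeAV|Left alone|C:\\Windows\\Temp\\efgh.exe
2009-03-06 12:45:00|WS-102|W32.Downadup|Quarantined|C:\\Windows\\Temp\\x.exe
2009-03-06 12:46:00|WS-103|W32.Downadup|Quarantined|C:\\Windows\\Temp\\y.exe
2009-03-06 12:47:00|WS-104|W32.Downadup|Left alone|C:\\Windows\\Temp\\z.exe
2009-03-06 13:30:00|WS-200|EICAR Test String|Deleted|C:\\Users\\ann\\Downloads\\eicar.com
"""


def parse_alerts(text):
    """Parse the constructed pipe-separated format into dicts sorted by time."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, risk, action, path = line.split("|", 4)
        alerts.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "risk": risk, "action": action, "path": path})
    return sorted(alerts, key=lambda a: a["time"])


def _hits_in_window(hits, threshold, key):
    """True if >= threshold distinct key() values fall inside REPEAT_WINDOW."""
    for i, first in enumerate(hits):
        values = {key(h) for h in hits[i:] if h["time"] - first["time"] <= REPEAT_WINDOW}
        if len(values) >= threshold:
            return len(values)
    return 0


def triage(alerts, path_exists=os.path.exists):
    """Return {host: (decision, reasons)}. path_exists is injectable for testing."""
    by_risk, by_host = defaultdict(list), defaultdict(list)
    for a in alerts:
        by_risk[a["risk"]].append(a)
        by_host[a["host"]].append(a)

    # Outbreak: the same risk on several distinct hosts inside the window.
    outbreak_risks = {risk for risk, hits in by_risk.items()
                      if _hits_in_window(hits, OUTBREAK_HOSTS, key=lambda h: h["host"])}

    decisions = {}
    for host, hits in by_host.items():
        reasons = []
        if any(h["risk"] in outbreak_risks for h in hits):
            reasons.append("outbreak: isolate network segment")
        for h in hits:
            if h["action"] not in CONTAINED:
                reasons.append(f"{h['action']!r} on {h['path']}: manual check")
            elif h["action"] == "Deleted" and path_exists(h["path"]):
                reasons.append(f"reported Deleted but still present: {h['path']}")
        # Repeated detections on this host (distinct alerts, keyed by id()).
        n = _hits_in_window(hits, REPEAT_THRESHOLD, key=id)
        if n:
            reasons.append(f"{n} detections within {REPEAT_WINDOW}: manual check")
        decisions[host] = ("escalate", reasons) if reasons else ("full scan, user continues", [])
    return decisions


if __name__ == "__main__":
    for host, (decision, reasons) in sorted(triage(parse_alerts(SAMPLE_ALERTS)).items()):
        print(host, decision, *reasons, sep="\n    ")
```

    With the sample data, WS-200 (a single contained detection) gets the "full scan, user continues" path, WS-101 is escalated for three hits in four minutes and one "Left alone", and WS-102 to WS-104 are flagged as an outbreak because one risk name appears on three hosts within two minutes. Injecting `path_exists` lets the "reported Deleted but still present" check be exercised without touching a real disk.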




  • 6.  RE: What do you do when an infection is found?

    Posted Mar 06, 2009 01:24 PM

    If Endpoint catches something that hasn't been executed yet (like an e-mail attachment that is a virus), I do not worry about it too much. I have a scan run in the background and have the user continue their work.


    If Endpoint catches something that has already executed, then I reboot the PC into safe mode, disable system restore, and run scans until nothing is reported. I then reboot and after checking task manager to make sure nothing somehow slipped through, I let the user work while a final background scan is run.



  • 7.  RE: What do you do when an infection is found?

    Posted Mar 09, 2009 06:16 PM

    Sounds like we are all on the same page.  It's always good to know what others are doing.



  • 8.  RE: What do you do when an infection is found?

    Posted Mar 09, 2009 11:13 PM

    I am just concerned as to where is the source of the infection for example if there is a virus outbreak, can we have this info?



  • 9.  RE: What do you do when an infection is found?

    Posted Oct 25, 2009 03:12 PM
    In my case, my SEP now catches all variants of this thing, but cannot or doesn't seem to want to remove it.
    Currently, it is popping up as xxxx.exe in the windows\temp directory, xxxx being four letters, randomly created.


  • 10.  RE: What do you do when an infection is found?

    Posted Oct 25, 2009 03:25 PM

    Download the latest virus definitions from ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/

    and run a full scan in safe mode.

    The 5 Steps of Virus Troubleshooting

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948



  • 11.  RE: What do you do when an infection is found?

    Posted Oct 25, 2009 11:47 PM
    You should follow what prachand said, but you should also open up a new thread if you expect a lot of help from other users. If you open a new thread then you are the thread owner, which lets you do things like post logs, post screenshots, and mark which answer was the solution. This thread you posted on is very old and is completely off topic for your question. You would be much better off making your own thread.

    Cheers
    Grant