Do Not Panic!
What to do during an Outbreak
Useful links for analysis
Analysis is an important part of Incident Response and Handling. A lot of companies have a policy to reimage a system if it gets infected. While this may save you time you may be missing out on important information like, what were the bad guys trying to accomplish and did they achieve their goal? You may also miss out on important information that if acted upon could prevent similar threats from occurring. Below are some tools from Symantec and
other parties that will help you understand the proper steps in handling an outbreak and analysis of undetected threats.
Malware Identifier v1.1
This is a great starting point if your company doesn’t have a documented Incident and Handling and Response Plan. The Malware Identifier provides access to a decision tree designed to help in the post infection clean-up and post infection activity to secure a system better into the future. The decision tree includes step by step instructions on handling an infection and also links for further research.
ThreatExpert
Although it may not look like it Threat Expert is a Symantec owned site. After I discover a zero day threat with the load point analysis tool that is part of the SEP Support Tool I will submit any suspicious files here.
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.
In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias.
Anubis
Similar to Threat Expert Anubis will allow you to submit your Windows executable and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL. Anubis will also give you a pcap file. If your zero day threat propagates over the network you can use this information to modify SEP or Network Firewall or IPS policies to stop an outbreak in its tracks.
VirusTotal
Virustotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.
Antivirus is getting easier and easier to evade. SEP 12.1 addresses this issue with Insight but some companies may not be able to take advantage of this technology at this point. Virus Total will scan a file or URL against approximately 40 different Antivirus vendors.
Best Practices
Security Response Best Practices for Stopping Malware and Other Threats
Best practices for troubleshooting viruses on a network
How to submit a sample to Symantec
After initial analysis you may need to submit an unknown threat to Symantec Security Response. It is important you submit the threat to the page with the approprate level of support. Only submit files that can execute. Do not submit more than 9 files at a time. If this is an outbreak situation call support and make sure they have appropraiate information.
Submit a virus to Security Response – Basic support
Submit a virus to Security Response – Platinum Support
Visit the Endpoint SWAT Group
To access all of the content available in the Endpoint SWAT group, visit Endpoint SWAT.