Infected with malware? Stop it from spreading


Kevin Beaver, Contributor
07.28.2005


Whether you're trying to prevent a malware infection or contain a virus or worm that's already weaving its way through your Windows systems, site expert Kevin Beaver offers tips to help you get control of the problem in this two-part series. Part one below outlines steps you can take to contain malware. Part two will explain how to prevent outbreaks from the get-go.

Contain that malware

When the time comes for a worm, virus or other malicious software to spread throughout your network, you must be able to react quickly to minimize the outbreak and the damage it can cause. If such a problem does occur, here are some tips on how you can help stop the "bleeding."

Disconnect from the network
If the system(s) you suspect are infected are not business-critical, you can simply disconnect them from the network. This won't necessarily prevent any local damage, but it will keep the malware contained. Even if the system(s) are business-critical, it may be better to take them offline and fix the current problem than to leave them on the network. This is a business decision that must be made on a per-system basis and documented in your incident response plan before an attack like this occurs (more on this below).

Power down
The safest thing to do may be to power down the system. This can clear malware, such as worms, out of memory and possibly clean things up. However, there's always a chance that powering down or rebooting could do more damage to the system. If you have anything to go on, I recommend researching the attack first -- look for errors, well-defined behaviors, antivirus software warnings, suspicious log file entries, etc. Check Google, Microsoft and other vendor sites to see if someone else has had the problem and what the fix is.

Use your network analyzer
If you're not sure which system(s) are infected, the quickest and easiest way to find out what's going on from a network perspective is to fire up your network analyzer. You'll need access to a monitor or SPAN port on an Ethernet switch to do this, so it's good to know where to go in advance. Once you connect your analyzer to the network, you don't necessarily have to capture all packets. Instead, if your analyzer supports it, let it run in monitor mode so it can give you a higher-level view of what's going on -- protocols in use, network errors, top talkers, suspicious communications to other systems, etc. This is by far the best way to go about tracking down the problem areas.
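As an added example (not from the tip or its author), here is the kind of summary an analyzer's monitor mode gives you, computed over a handful of constructed flow records; the flow tuples and the fan-out threshold are assumptions, and the point is that the byte-based "top talker" ranking and the peer fan-out check find different hosts:

```python
"""Summarize constructed flow records to spot worm-like "top talkers".
Added example, not from the original tip: it mimics the analyzer's
monitor-mode view (bytes per host, protocol mix, peer fan-out).
The flows and FANOUT_THRESHOLD below are constructed assumptions."""
from collections import Counter, defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("10.1.1.5", "10.1.1.20", 445, "tcp", 1200),
    ("10.1.1.5", "10.1.1.21", 445, "tcp", 1200),
    ("10.1.1.5", "10.1.1.22", 445, "tcp", 1200),
    ("10.1.1.5", "10.1.1.23", 445, "tcp", 1200),
    ("10.1.1.5", "10.1.1.24", 445, "tcp", 1200),
    ("10.1.1.9", "10.1.1.2", 53, "udp", 90),
    ("10.1.1.9", "192.0.2.10", 80, "tcp", 48000),
    ("10.1.1.12", "192.0.2.10", 443, "tcp", 300000),
]

# Assumption: more than this many distinct peers on one service port
# inside the capture window deserves a closer look.
FANOUT_THRESHOLD = 4


def summarize(flows):
    """Per-source totals: bytes sent, protocol counts, peers per port."""
    stats = {}
    for src, dst, dport, proto, nbytes in flows:
        s = stats.setdefault(src, {"bytes": 0, "protos": Counter(), "peers": defaultdict(set)})
        s["bytes"] += nbytes
        s["protos"][proto] += 1
        s["peers"][(proto, dport)].add(dst)
    return stats


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent, highest first."""
    ranked = sorted(summarize(flows).items(), key=lambda kv: -kv[1]["bytes"])
    return [(src, s["bytes"]) for src, s in ranked[:n]]


def suspicious_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Sources reaching more than `threshold` distinct peers on one port."""
    hits = []
    for src, s in summarize(flows).items():
        for (proto, dport), peers in s["peers"].items():
            # Low volume but many peers on one port is the footprint of a
            # worm probing its neighbours; byte ranking alone hides it.
            if len(peers) > threshold:
                hits.append((src, proto, dport, len(peers)))
    return sorted(hits)
```

In the sample data the biggest talker by bytes is a benign download host, while the probable worm host sends little data but touches five neighbours on the same port.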

Clean up
Once you track down the problem, it's time for cleanup. Depending on the recommended fix you get from Microsoft, your antivirus vendors or other vendors, cleanup will likely consist of running a new cleaning tool, applying a signature update, deleting certain files or editing the Windows registry.

Stay tuned for the next tip in this series on preventing malware outbreaks.

About the author: Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC. He has over 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

