Virus Incident Management (draft-v-0.1)

Hmm, recently there was an outbreak at our client. Interestingly, there weren't any procedures brought up by our client or ourselves, so I took a little time to write this. Hopefully some find it useful. It's bits and pieces of various guides out there, only more, ahem, human…
Key success factors:

  • Right tools
  • Right people
  • Right process

Key process

  1. Identify & Investigate
  2. Isolate
  3. Rectify
  4. Recover
  5. Recommend

NOTE: There are sub-processes that should kick in at every stage within this guide.

Identify and Investigate

  • Identify the validity of the threat. Classify the threat.
  • Assess the impact from a business and technical point of view
  • Identify infected sources through methods such as antivirus management consoles, network analysis tools, IDS/IPS tools, network log/activity analysis and 3rd-party centralized identification tools
  • Identify and familiarize yourself with the various threats currently being faced
    • Understand and investigate the cause of the virus attack
      • For mitigation
      • For legal reasons
    • Determine whether the attack was targeted or not, for forensic analysis
    • Create an image of at least one infected machine for forensics and proof (preferably the first infected system)
      • Do not alter this system
      • Ensure system-level operations won't overwrite the infection
  • Identify the owners or managers of these infected sources, the helpdesk, security personnel and any other help you can get
  • Identify any existing processes or procedures that can help you access information and resources within the organization
  • Identify and set up an incident management committee, which should include:
    • Technical engineers
    • Internal administrators and MIS
    • Top management support is also desirable
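One of the identification methods listed above is network log analysis. The following is an added example, not code from the original post: it scans firewall/flow log lines for hosts that fan out to many distinct destinations on a single port, which is the propagation pattern a worm typically leaves and a practical way to build the first list of suspected infected sources. The log format, the sample lines and the threshold are constructed assumptions for illustration; adapt the parser to whatever your firewall actually emits.

```python
"""Flag likely infected hosts from firewall/flow logs by worm-like fan-out.

Added example (not from the original post). It assumes a simple
space-separated log format, constructed here for illustration:
    <timestamp> <src_ip> <dst_ip> <dst_port> <action>
The fan-out threshold is an assumption to tune per environment.
"""
from collections import defaultdict


def _build_sample_log():
    """Constructed sample log: one sweeping host, one normal client, one bad line."""
    lines = []
    # Host 10.0.1.15 probes 40 neighbours on TCP 445 within a minute.
    for i in range(1, 41):
        lines.append(f"2024-01-01T09:00:{i % 60:02d} 10.0.1.15 10.0.1.{100 + i} 445 DENY")
    # Host 10.0.1.22 behaves normally: a few connections to known servers.
    for dst in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        lines.append(f"2024-01-01T09:01:00 10.0.1.22 {dst} 443 ALLOW")
    lines.append("malformed line that the parser should skip")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    if not port.isdigit():
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def fan_out(lines):
    """Return {(src_ip, dst_port): set of distinct destination IPs} over the lines."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        targets[(rec["src"], rec["port"])].add(rec["dst"])
    return targets


def suspect_sources(lines, min_targets=10):
    """Return (src_ip, dst_port, distinct_dst_count) tuples that reach the threshold.

    Sorted by widest fan-out first so the list doubles as an isolation priority.
    """
    result = []
    for (src, port), dsts in fan_out(lines).items():
        if len(dsts) >= min_targets:
            result.append((src, port, len(dsts)))
    result.sort(key=lambda r: (-r[2], r[0], r[1]))
    return result


if __name__ == "__main__":
    for src, port, count in suspect_sources(SAMPLE_LOG):
        print(f"suspect {src}: {count} distinct destinations on port {port}")
```

Feed it the relevant window of your firewall or NetFlow export (one line per connection attempt) and hand the resulting list to the isolation step; the denied-connection pattern is also what you would look for when deciding which protocol/port to block at the switch or firewall.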


Isolate

  • Internal & external containment – Ensure the infected sources are isolated so that they are neither re-infected nor able to infect other sources. Unhook them from the network if necessary. Make sure you have authoritative support (e.g. top management, department heads, head of operations)
  • It is also possible to isolate these sources using network tools such as routers, switches or firewalls. Other tools include personal firewalls, antivirus programs with firewall functions, etc.
    • E.g. block access to the protocol/port the threat uses to propagate
  • Separate and classify high, medium and low threat and risk machines and act on them accordingly
  • Isolation can be a continuous process and should


Rectify

  • Obtain the virus signature and fix tools from your antivirus vendor.
  • Test the fix in your virus-signature staging lab, if you have one; otherwise, on non-critical systems in your production environment. This includes testing any repair tools that must be run before using the updated virus signatures.
  • Develop a workable method for deploying the repair-and-fix process.
  • Create a plan detailing how you will repair the damage and deploy fixes, where you will start and how the process will proceed. Validate this plan with all affected teams and your antivirus vendor. Plan to first clean all infected perimeter and email servers and update their virus signatures.
  • Distribute the fix to all workstations and servers in your environment.
  • Isolate systems that require repair.
  • Run all required fix tools on all infected systems to remove the virus or disable it.
  • Scan all systems with the updated virus signatures to remove all infected files.
  • Eliminate all temporary and suspicious files, including hidden directories and files.
  • Remove or alter configuration information used for the functionality of the virus or that might allow the virus to reappear.
  • Remove configuration information that may cause system failures.
  • Search for newly mounted partitions created by the virus and eliminate them.
  • Search for missing log partitions and restore them.
  • Search for added or altered user accounts and remove or restore them.
  • Restore changed or deleted files.
  • Depending on the risks, determine the methodology for each level, e.g.:
    • High – Reformatting may be required
    • Medium – Intensive scanning with more than one AV product, run tools, keep the machine under surveillance (e.g. network monitoring tools, IDS, IPS)
    • Low – Intensive scanning using a single AV product
  • Certify by labelling each cleaned / un-cleanable source; report cleaned and un-cleanable sources to the control center periodically or in an agreed fashion (e.g. report by floor or by department)
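Two of the clean-up items above, removing configuration the virus relies on and finding added or altered user accounts, are much easier when you have a pre-incident baseline to compare against. The following is an added example, not code from the original post: it diffs a baseline inventory of local accounts and autorun entries against the current state and turns the result into the "remove or restore" items on the list. The inventories here are constructed dictionaries and the field names are assumptions; in practice you would collect both snapshots with your own export tooling.

```python
"""Compare a pre-incident baseline of local accounts and autorun entries
against the current state to spot additions, removals and alterations.

Added example, not from the original post. BASELINE and CURRENT are
constructed inventories; their field names are assumptions.
"""

RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed baseline taken before the incident.
BASELINE = {
    "accounts": {
        "alice": {"enabled": True, "groups": ["Users"]},
        "svc_backup": {"enabled": True, "groups": ["Backup Operators"]},
    },
    "autoruns": {
        RUN_KEY + "\\AVAgent": "C:\\Program Files\\AV\\agent.exe",
    },
}

# Constructed current state collected during clean-up.
CURRENT = {
    "accounts": {
        "alice": {"enabled": True, "groups": ["Users", "Administrators"]},  # altered
        "svc_backup": {"enabled": True, "groups": ["Backup Operators"]},
        "support$": {"enabled": True, "groups": ["Administrators"]},  # added
    },
    "autoruns": {
        RUN_KEY + "\\AVAgent": "C:\\Program Files\\AV\\agent.exe",
        RUN_KEY + "\\updater": "C:\\Users\\Public\\updater.exe",  # added
    },
}


def diff_section(baseline, current):
    """Diff one section (a dict keyed by name) and return added/removed/altered keys."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    altered = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "altered": altered}


def diff_inventory(baseline, current):
    """Diff every section present in either inventory."""
    sections = sorted(set(baseline) | set(current))
    return {s: diff_section(baseline.get(s, {}), current.get(s, {})) for s in sections}


def remediation_checklist(diff):
    """Turn the diff into concrete remove / restore / investigate actions."""
    items = []
    for section, changes in diff.items():
        kind = section.rstrip("s")  # 'accounts' -> 'account', 'autoruns' -> 'autorun'
        for key in changes["added"]:
            items.append(f"remove {kind} '{key}' (not in baseline)")
        for key in changes["altered"]:
            items.append(f"restore {kind} '{key}' to its baseline value")
        for key in changes["removed"]:
            items.append(f"investigate missing {kind} '{key}'")
    return items


if __name__ == "__main__":
    for item in remediation_checklist(diff_inventory(BASELINE, CURRENT)):
        print(item)
```

The same structure extends to scheduled tasks, services or hosts-file entries: add a section to both inventories and the diff and checklist pick it up unchanged. Keep the baseline off the affected machines, since a compromised host can no longer be trusted to hold its own reference copy.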


Recover

  • Create a recovery plan for each type of threat
  • Restore and recover high and medium risk machines
  • Apply network and operating system fixes and patches
  • Restore data from backup if required


Recommend

  • Every incident should be a learning opportunity, and a learning plan should be developed to mitigate future threats
    • Modify policies if required
    • Identify the need for training if required (administrators and users)
    • Identify the need for new products/solutions
  • Include enforcement as part of the security policy. Systems that violate policy can be disabled automatically, and people who thwart policy can be sanctioned through HR policies.
  • Create incident response procedures and put together a virus response team.
  • Clarify or adjust the reporting structure and communications processes within the technology departments and among the teams, to simplify infection response processes.
  • Educate upper management on the importance of proactive virus protection.
  • Require backup servers for all critical files.
  • Products to look at:
    • Install antivirus solutions to filter email, Internet and network traffic and local file access.
    • Implement centrally managed antivirus software to control configurations and keep virus signatures current.
    • Install both host-based and network-based intrusion detection technology. Host-based intrusion detection can detect viruses that the antivirus software may miss. Network-based intrusion detection technology helps determine the spread of the infection. Newer network intrusion prevention technology can even help stop the spread of the infection.
    • Install security management software to monitor policy adherence and system patching.
    • Simplify the network topology so it can be easily segmented during a virus infestation.
    • Install email content filtering technology to block email based on strings of text in the subject line or the body of the message.
    • Implement desktop firewall software to block the spread of a virus through specific ports. Desktop firewalls are especially important with the advent of VPN and wireless solutions.
  • Create enforcement measures that tie to disciplinary action from management, such as:
    • Prevent users from disabling antivirus software.
    • Limit the allowable file extensions for email attachments.
    • Implement a process to keep system patches up to date.
    • Institute technology or processes to verify that antivirus software is running and up to date.
    • Lock down workstations to limit regular users' ability to modify their systems.
    • Disable the Windows Scripting Host, as users rarely need it and it provides a known propagation method. You may also want to remove scripting in Outlook and Internet Explorer.
    • Disable the ability to access external IM systems, news groups, email servers or other externally controlled communication platforms.
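The attachment-extension limit recommended above is easy to get wrong in practice: a filter that only looks at the last extension lets "invoice.pdf.exe" through if it checks the wrong end, and one that is case-sensitive lets "REPORT.EXE" through. The following is an added example, not code from the original post, showing an allow-list check that inspects every extension in a multi-dot name and normalises case. The allowed and blocked extension sets are assumptions to adjust to your own policy.

```python
"""Allow-list check for email attachment names.

Added example, not part of the original post. ALLOWED_EXTENSIONS and
EXECUTABLE_EXTENSIONS are assumed policy values; the point is that every
extension in a multi-dot name is inspected and compared case-insensitively.
"""
import posixpath

# Assumed policy: only these final extensions may be delivered.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "png", "jpg"}
# Assumed policy: names containing any of these anywhere are rejected outright.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "vbs", "js", "pif"}


def extension_chain(filename):
    """Return every extension in the name, lower-cased.

    'Invoice.PDF.exe' -> ['pdf', 'exe']; a trailing dot or empty part is dropped,
    and any directory component (either slash style) is stripped first.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def is_attachment_allowed(filename):
    """True only if the name has an allowed final extension and no executable one."""
    exts = extension_chain(filename)
    if not exts:
        return False  # extension-less names cannot be classified, so reject
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False  # double extensions such as report.pdf.exe land here
    return exts[-1] in ALLOWED_EXTENSIONS


def filter_attachments(filenames):
    """Split a list of attachment names into (allowed, rejected)."""
    allowed, rejected = [], []
    for name in filenames:
        (allowed if is_attachment_allowed(name) else rejected).append(name)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["quarterly.pdf", "invoice.pdf.exe", "REPORT.EXE", "notes", "photo.JPG", "archive.tar.gz"]
    ok, bad = filter_attachments(sample)
    print("allowed:", ok)
    print("rejected:", bad)
```

Apply the same check to the name inside archives as well as to the outer attachment, since the outer ".zip" is usually on the allow-list and the payload is not.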