#1
Gurus,
Most of you MVPs, Helpdesk and System Engineer types most likely work in large private corporations, or some level of state or government. That said, do any of you have a virus response plan in place such that when your central Virus monitoring system (be it the Symantec System Center Alert Management Console or whatever) sends out a virus alert that a machine has been compromised such that the virus could not be removed or quarantined, then an IT incident-responder (be it a helpdesk or field technician) hits the floor, finds the workstation and executes a written set of procedures to clean the virus or wipe the machine and re-load the OS? I am looking for whatever someone has written up so that I can get a head-start on this writing assignment my manager has dumped on me. :-)

--
Spin
#2
Spin wrote:
> Gurus,
>
> Most of you MVPs, Helpdesk and System Engineer types most likely work
> in large private corporations, or some level of state or government.
> That said, do any of you have a virus response plan in place such
> that when your central Virus monitoring system (be it the Symantec
> System Center Alert Management Console or whatever) sends out a virus
> alert that a machine has been compromised such that the virus could
> not be removed or quarantined then an IT incident-responder (be it a
> helpdesk or field technician) hits the floor, finds the workstation
> and executes a written set of procedures to clean the virus or wipe
> the machine and re-load the OS.
> I am looking for whatever someone has written up so that I can get a
> head-start on this writing assignment my manager has dumped on me.

Nothing special in place for my site. A report of a virus infection is classed as a top-priority urgent helpdesk call and will be looked at straight away, but other than that we don't have any special script for doing anything from then on; it's very rare we have a virus actually do anything on our network and even rarer that our AV scanner can't cope with it automatically.

As that's so rare, we felt anything that got to that stage ought to be properly assessed and our actions decided by understanding the problem. It is no good just blindly leaping about in a panic or like robots with a script, wiping an infected computer without understanding how and why it became infected. What if it's just the first report of an infection on your server, or of an email-borne virus that your email scanners aren't configured to pick up?

--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked: "Have you checked (event viewer / syslog)".
#3
"Spin" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Gurus,
>
> Most of you MVPs, Helpdesk and System Engineer types most likely work in
> large private corporations, or some level of state or government. That
> said, do any of you have a virus response plan in place such that when
> your central Virus monitoring system (be it the Symantec System Center
> Alert Management Console or whatever) sends out a virus alert that a
> machine has been compromised such that the virus could not be removed or
> quarantined then an IT incident-responder (be it a helpdesk or field
> technician) hits the floor, finds the workstation and executes a written
> set of procedures to clean the virus or wipe the machine and re-load the
> OS.
>
> I am looking for whatever someone has written up so that I can get a
> head-start on this writing assignment my manager has dumped on me. :-)
>
> --
> Spin

I would have to agree with Robert here (although I'm not in a corporate environment -- just a home user). From the things I've read in the past, the first thing is to disconnect the suspect computer from the rest of the network (to prevent the virus from spreading any further than it has) and then analyze it. Not just remove it. If it's just one that your scanner missed, check to make sure that the AV has the latest definitions and that it's functioning. If it's new, then you may want to submit a sample to sites like VirusTotal or your AV's security response center (or virus submission).

--
Patrick Dickey
smile... someone out there cares deeply for you.
http://www.microsoft.com/protect
http://update.microsoft.com
http://www.pats-computer-solutions.com
#4
Unless you are 100% certain that the computer infected is the only one, the best practice might be to shut the network down and check it out carefully. Make sure that all the servers are secure first and then add systems back as they are swept. Our network is set up with a GB switch that has all the servers and the other 10/100 switches plugged into it. This allows us to isolate the clusters of machines and verify that they are virus-free before allowing them back onto the network.

Having said that, the best policy is to prevent viruses. We have Symantec AV Corporate Edition running on every server and PC with real-time protection on all user PCs as well as server folders that users can access. We scan every machine daily and update virus signatures every 4 hours. We also have our incoming and outgoing e-mails scanned by a service (Message Labs). Since we did that, our Exchange AV scanner has not recorded a single infected e-mail (almost 2 years now)..... Being that we

Regards,
Hank Arnold

Patrick Dickey wrote:
> "Spin" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>> Gurus,
>>
>> Most of you MVPs, Helpdesk and System Engineer types most likely work
>> in large private corporations, or some level of state or government.
>> That said, do any of you have a virus response plan in place such that
>> when your central Virus monitoring system (be it the Symantec System
>> Center Alert Management Console or whatever) sends out a virus alert
>> that a machine has been compromised such that the virus could not be
>> removed or quarantined then an IT incident-responder (be it a helpdesk
>> or field technician) hits the floor, finds the workstation and
>> executes a written set of procedures to clean the virus or wipe the
>> machine and re-load the OS.
>>
>> I am looking for whatever someone has written up so that I can get a
>> head-start on this writing assignment my manager has dumped on me. :-)
>>
>> --
>> Spin
>>
>
> I would have to agree with Robert here (although I'm not in a corporate
> environment -- just a home user). From the things I've read in the past,
> the first thing is to disconnect the suspect computer from the rest of
> the network (to prevent the virus from spreading any further than it
> has) and then analyze it. Not just remove it. If it's just one that
> your scanner missed, check to make sure that the AV has the latest
> definitions and that it's functioning. If it's new, then you may want
> to submit a sample to sites like VirusTotal or your AV's security
> response center (or virus submission).
>
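The three replies above make one combined point: before a technician "hits the floor" with a clean-or-rebuild script, the alert should be assessed (Rob), the host disconnected and its definitions checked (Patrick), and the scope widened to whole network segments when more than one machine is involved (Hank). The triage script below is an added example written for this thread, not something any of the posters or Symantec provide. It assumes a console export with the constructed fields host, segment, signature, action and definitions date (real console exports differ), and turns each signature's alerts into a scope decision that a runbook could branch on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample of central AV console alerts (not real console output).
# Fields: timestamp, host, network segment, signature, action taken, definitions date.
SAMPLE_ALERTS = """\
2007-03-12T08:01,WS-1041,floor2,W32.Example.A,quarantined,2007-03-12
2007-03-12T08:03,WS-1017,floor2,W32.Example.A,clean_failed,2007-02-20
2007-03-12T08:05,WS-2203,floor3,W32.Example.A,clean_failed,2007-03-12
2007-03-12T08:06,SRV-FILE01,servers,W32.Example.A,quarantined,2007-03-12
2007-03-12T09:30,WS-1099,floor2,Trojan.Other.B,clean_failed,2007-03-12
"""


@dataclass
class Alert:
    when: str
    host: str
    segment: str
    signature: str
    action: str       # "quarantined" means the scanner coped; "clean_failed" needs a human
    defs_date: date   # date of the signature set on the host when it alerted


def parse_alerts(text):
    """Parse the constructed CSV-style export into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, segment, sig, action, defs = line.split(",")
        alerts.append(Alert(when, host, segment, sig, action, date.fromisoformat(defs)))
    return alerts


def triage(alerts, today_iso, max_def_age_days=1, outbreak_hosts=3):
    """Decide, per signature, whether this is a single-host clean-up or a
    segment-level outbreak, and which hosts had stale definitions.

    Thresholds are assumptions for the example: more than outbreak_hosts
    hosts, or more than one network segment, counts as an outbreak."""
    today = date.fromisoformat(today_iso)
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[a.signature].append(a)

    decisions = {}
    for sig, items in by_sig.items():
        hosts = {a.host for a in items}
        segments = {a.segment for a in items}
        failed = sorted(a.host for a in items if a.action == "clean_failed")
        # Patrick's check: a host that alerted with old definitions may just
        # have missed an update rather than met a brand-new sample.
        stale = sorted({a.host for a in items
                        if a.action == "clean_failed"
                        and (today - a.defs_date).days > max_def_age_days})
        # Rob's "first report on your server" case, surfaced explicitly.
        servers = sorted(h for h in hosts if h.startswith("SRV-"))

        if len(hosts) >= outbreak_hosts or len(segments) > 1:
            scope = "outbreak"
            action = ("escalate; isolate the affected segments at the switch "
                      "and sweep them before reconnecting")
        elif failed:
            scope = "single_host"
            action = ("disconnect the host from the network, verify AV "
                      "definitions, analyze before cleaning or rebuilding")
        else:
            scope = "contained"
            action = "scanner handled it; confirm and close the call"

        decisions[sig] = {
            "scope": scope,
            "action": action,
            "hosts": sorted(hosts),
            "segments": sorted(segments),
            "failed_hosts": failed,
            "stale_definitions": stale,
            "servers_involved": servers,
        }
    return decisions


if __name__ == "__main__":
    for sig, d in triage(parse_alerts(SAMPLE_ALERTS), "2007-03-12").items():
        print(f"{sig}: {d['scope']} -> {d['action']}")
        print(f"  failed on {d['failed_hosts']}, stale defs on {d['stale_definitions']}, "
              f"servers {d['servers_involved']}")
```

On the constructed data the first signature spans three segments and a server, so the script reports an outbreak and points at segment isolation rather than a per-workstation wipe, while also naming the one host whose definitions were three weeks old; the second signature is a lone failed clean-up and gets the disconnect-and-analyze path. The point is that the decision comes out of the alert data, not from the technician's mood on the floor.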
Tags: plan, response, virus