Virus Response Plan

Gurus,

Most of you MVPs, Helpdesk and System Engineer types most likely work in
large private corporations, or some level of state or government. That
said, do any of you have a virus response plan in place such that when your
central Virus monitoring system (be it the Symantec System Center Alert
Management Console or whatever) sends out a virus alert that a machine has
been compromised such that the virus could not be removed or quarantined
then an IT incident-responder (be it a helpdesk or field technician) hits
the floor, finds the workstation and executes a written set of procedures to
clean the virus or wipe the machine and re-load the OS.

I am looking for whatever someone has written up so that I can get a
head-start on this writing assignment my manager has dumped on me. :-)

--
Spin

Spin wrote:
> Gurus,
>
> Most of you MVPs, Helpdesk and System Engineer types most likely work
> in large private corporations, or some level of state or government.
> That said, do any of you have a virus response plan in place such
> that when your central Virus monitoring system (be it the Symantec
> System Center Alert Management Console or whatever) sends out a virus
> alert that a machine has been compromised such that the virus could
> not be removed or quarantined then an IT incident-responder (be it a
> helpdesk or field technician) hits the floor, finds the workstation
> and executes a written set of procedures to clean the virus or wipe
> the machine and re-load the OS.
> I am looking for whatever someone has written up so that I can get a
> head-start on this writing assignment my manager has dumped on me.

Nothing special in place for my site. A report of a virus infection is
classed as a top priority urgent helpdesk call and will be looked at
straight away, but other than that we don't have any special script for
doing anything from then on, it's very rare we have a virus actually do
anything on our network and even rarer that our AV scanner can't cope with
it automatically.

As that's so rare, we felt anything that got to that stage ought to be
properly assessed and our actions decided by understanding the problem. It
is no good just blindly leaping about in a panic or like robots with a
script, wiping an infected computer without understanding how and why it
became infected. What if it's just the first report of an infection on
your server, or of an email-born virus that your email scanners aren't
configured to pick up.

--
--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".

<DIV>&quot;Spin&quot; &lt;(E-Mail Removed)&gt; wrote in message
news:(E-Mail Removed)...</DIV>> Gurus,
>
> Most of you MVPs, Helpdesk and System Engineer types most likely work in
> large private corporations, or some level of state or government. That
> said, do any of you have a virus response plan in place such that when
> your central Virus monitoring system (be it the Symantec System Center
> Alert Management Console or whatever) sends out a virus alert that a
> machine has been compromised such that the virus could not be removed or
> quarantined then an IT incident-responder (be it a helpdesk or field
> technician) hits the floor, finds the workstation and executes a written
> set of procedures to clean the virus or wipe the machine and re-load the
> OS.
>
> I am looking for whatever someone has written up so that I can get a
> head-start on this writing assignment my manager has dumped on me. :-)
>
> --
> Spin
>
>

I would have to agree with Robert here (although I'm not in a corporate
environment-- just a home user). From the things I've read in the past, the
first thing is to disconnect the suspect computer from the rest of the
network (to prevent the virus from spreading any further then it has) and
then analyze it. Not just remove it. If it's just one that your scanner
missed, check to make sure that the AV has the latest definitions and that
it's functioning. If it's new, then you may want to submit a sample to
sites like VirusTotal or you AV's security response center (or virus
submission).


--
Patrick Dickey.

smile... someone out there cares deeply for you.
http://www.microsoft.com/protect
http://update.microsoft.com
http://www.pats-computer-solutions.com

Unless you are 100% certain that the computer infected is the only one,
the best practice might be to shut the network down and check it out
carefully. Make sure that all the servers are secure first and then add
systems back as they are swept.

Our network is set up with a GB switch that has all the servers and the
other 10/100 switches plugged into it. This allows us to isolate the
clusters of machines and verify that they are virus free before allowing
them back onto the network.

Having said that, the best policy is to prevent viruses. We have
Symantec AV Corporate Edition running on every server and PC with real
time protection on all user PCs as well as server folders that users can
access. We scan every machine daily and update virus signatures every 4
hours. We also have our incoming and outgoing e-mails scanned by a
service (Message Labs). Since we did that, our Exchange AV scanner has
not recorded a single infected e-mail (almost 2 years now).....

Being that we

Regards,
Hank Arnold

Patrick Dickey wrote:
>
>
> <DIV>&quot;Spin&quot; &lt;(E-Mail Removed)&gt; wrote in message
> news:(E-Mail Removed)...</DIV>> Gurus,
>>
>> Most of you MVPs, Helpdesk and System Engineer types most likely work
>> in large private corporations, or some level of state or government.
>> That said, do any of you have a virus response plan in place such that
>> when your central Virus monitoring system (be it the Symantec System
>> Center Alert Management Console or whatever) sends out a virus alert
>> that a machine has been compromised such that the virus could not be
>> removed or quarantined then an IT incident-responder (be it a helpdesk
>> or field technician) hits the floor, finds the workstation and
>> executes a written set of procedures to clean the virus or wipe the
>> machine and re-load the OS.
>>
>> I am looking for whatever someone has written up so that I can get a
>> head-start on this writing assignment my manager has dumped on me. :-)
>>
>> --
>> Spin
>>
>>
>
> I would have to agree with Robert here (although I'm not in a corporate
> environment-- just a home user). From the things I've read in the past,
> the first thing is to disconnect the suspect computer from the rest of
> the network (to prevent the virus from spreading any further then it
> has) and then analyze it. Not just remove it. If it's just one that
> your scanner missed, check to make sure that the AV has the latest
> definitions and that it's functioning. If it's new, then you may want
> to submit a sample to sites like VirusTotal or you AV's security
> response center (or virus submission).
>
>