Containing an Outbreak
Who would want to hear that his or her network is affected? We doubt anyone would. Whatever their designation may be, users know such situations cost time and money to resolve. Determining where to start can be equally frustrating, especially while eradicating a threat. Not all threats behave similarly. Some even update themselves, changing their behavior partway through a disinfection procedure. To make matters more complicated, one may hear references to “viruses” or “worms”, and these will be used interchangeably with “threats”.
Fortunately, there is an easier way to approach threat removal in large networks. A number of basic measures have to be taken to clean up a network and prevent or limit possible reoccurrence. The steps involved are:
- Identify the threat
- Identify the compromised computers
- Isolate the compromised computers
- Clean the compromised computers
- Prevent reoccurrence
Identify the threat
If users are aware of a threat on their computers or network, the next step is to identify it and assess the damage it has caused. The first thing to do is run an antivirus scan. A majority of threats will be uncovered by doing so.
If the scan results are negative and one still suspects that a threat is present, checking the load points on the computer is another technique to look for potentially suspicious files. A load point is a location within an operating system where software is loaded when the computer starts up or when a program is run.
For example, this is how the Instant Messaging program always starts when users log on. Threats often use load points just as legitimate programs do, loading themselves into memory to perform malicious actions.
There are tools available for enterprises that can quickly scan a computer’s load points which can later be analysed. Once the threat has been identified, it’s time to determine the breadth of the infection within the network by identifying all compromised computers.
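The load-point analysis described above, as an added example that is not part of the original article: a snapshot of load-point entries from a suspect computer is compared against a baseline captured from a clean build of the same image, and anything new or changed is annotated with the kind of observation a reviewer would make. The `location|name|command` text format and all of the sample entries are constructed for this example; the heuristics (user-writable directories, script hosts, non-standard program directories) are assumptions, not a vendor's rule set.

```python
"""Baseline comparison of load-point entries (added example, not from the article).

The 'location|name|command' text format is a constructed simplification; the
sample entries below are invented for this example and are not a real export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoadPoint:
    location: str   # where the entry lives: a Run key, the services list, ...
    name: str       # entry name at that location
    command: str    # what is executed when the load point fires


def parse_entries(text: str) -> List[LoadPoint]:
    """Parse one 'location|name|command' entry per line; '#' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed entry: {raw!r}")
        entries.append(LoadPoint(*(p.strip() for p in parts)))
    return entries


# Assumed reviewer heuristics, applied only to entries new or changed since the baseline.
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")
SCRIPT_HOSTS = ("rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
STANDARD_DIRS = ("\\windows\\system32\\", "\\program files")


def risk_notes(entry: LoadPoint) -> List[str]:
    """Return plain-language reasons an entry deserves a closer look (may be empty)."""
    cmd = entry.command.lower()
    notes = []
    if any(d in cmd for d in USER_WRITABLE_DIRS):
        notes.append("runs from a user-writable directory")
    if any(h in cmd for h in SCRIPT_HOSTS):
        notes.append("uses a script/host interpreter")
    if not any(d in cmd for d in STANDARD_DIRS):
        notes.append("not under a standard program directory")
    return notes


def diff_load_points(baseline: List[LoadPoint], snapshot: List[LoadPoint]) -> Dict[str, List[LoadPoint]]:
    """Entries are keyed by (location, name); 'changed' means the command differs."""
    base = {(e.location, e.name): e.command for e in baseline}
    snap = {(e.location, e.name): e.command for e in snapshot}
    return {
        "added": [e for e in snapshot if (e.location, e.name) not in base],
        "removed": [e for e in baseline if (e.location, e.name) not in snap],
        "changed": [e for e in snapshot
                    if (e.location, e.name) in base and base[(e.location, e.name)] != e.command],
    }


def review(baseline_text: str, snapshot_text: str) -> List[Tuple[str, str, str, str, List[str]]]:
    """Flatten added/changed entries into (kind, location, name, command, notes) rows."""
    d = diff_load_points(parse_entries(baseline_text), parse_entries(snapshot_text))
    return [(kind, e.location, e.name, e.command, risk_notes(e))
            for kind in ("added", "changed") for e in d[kind]]


# Constructed sample: a clean-build baseline and a snapshot taken from a suspect machine.
BASELINE_TEXT = r"""
# location|name|command
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ctfmon|C:\Windows\System32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|ExampleIM|C:\Program Files\ExampleIM\im.exe /background
Services|Spooler|C:\Windows\System32\spoolsv.exe
"""

SNAPSHOT_TEXT = r"""
# location|name|command
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ctfmon|C:\Windows\System32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|ExampleIM|rundll32.exe C:\Users\Public\im.dll,Start
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|WinUpdate|C:\Users\jsmith\AppData\Local\Temp\svchost32.exe
Services|Spooler|C:\Windows\System32\spoolsv.exe
"""

if __name__ == "__main__":
    for kind, location, name, command, notes in review(BASELINE_TEXT, SNAPSHOT_TEXT):
        print(f"[{kind}] {location} :: {name} -> {command}")
        for note in notes:
            print(f"    - {note}")
```

Keying the comparison on (location, name) rather than on the command is deliberate: a threat that hijacks an existing, trusted-looking entry shows up as "changed" rather than hiding among unchanged names, and removed entries are reported separately so that disabled security software is visible too.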
Identify the compromised computers
After determining which threat is present on the network, the next step is to pinpoint which computers are compromised. The simplest way to do this is to run a complete virus scan on all computers. When the scan is completed, a review of the scan results and threat logs will provide information to begin a tally of the computers compromised.
It may also be necessary to perform a network audit to determine if there is any computer with malfunctioning or missing antivirus software. Another source of information is firewall logs, which reveal any computers that are generating a lot of network traffic when they shouldn’t be. Certain threats attempt to connect to other computers in the network, and any such attempts or unexpected connections may be logged in the firewall logs.
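The firewall-log review described above, as an added example that is not from the original article: the script tallies, per source computer and destination port, how many distinct hosts were contacted inside a sliding time window, which is the pattern a worm "hopping" between computers leaves behind and ordinary workstation traffic does not. The log line format, the addresses and the thresholds are all constructed for this example; a real firewall's export would need its own regular expression.

```python
"""Spot worm-like fan-out in firewall logs (added example, not from the article).

The log line format below is constructed for this example; real firewalls use
their own formats and the regular expression would need adjusting.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not fatal
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_fan_out(lines: List[str], min_targets: int = 8,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Return sources that reached >= min_targets distinct hosts on one port within `window`."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst, action)]
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dport"])].append((ev["ts"], ev["dst"], ev["action"]))

    findings: Dict[str, dict] = {}
    for (src, dport), evs in events.items():
        evs.sort()
        in_window = Counter()  # destinations currently inside the sliding window, with multiplicity
        start, peak = 0, 0
        for ts, dst, _ in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:  # slide the window's left edge forward
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        # Keep the worst port per source so a single host yields one finding.
        if peak >= min_targets and (src not in findings or peak > findings[src]["distinct_targets"]):
            findings[src] = {
                "port": dport,
                "distinct_targets": peak,
                "attempts": len(evs),
                "dropped": sum(1 for _, _, a in evs if a == "DROP"),
            }
    return findings


# Constructed sample: one workstation doing ordinary browsing, one contacting port 445
# on a dozen neighbours within seconds, with most attempts dropped by the firewall.
SAMPLE_LOG = [
    "2011-11-14 09:00:01 ALLOW TCP 10.0.0.8:51000 -> 10.0.0.2:80",
    "2011-11-14 09:00:02 ALLOW TCP 10.0.0.8:51001 -> 10.0.0.3:443",
    "2011-11-14 09:00:09 ALLOW TCP 10.0.0.8:51002 -> 10.0.0.2:80",
    "this line is not in the expected format",
] + [
    f"2011-11-14 09:00:{5 + i:02d} {'ALLOW' if i == 0 else 'DROP'} TCP "
    f"10.0.0.5:{49152 + i} -> 10.0.0.{10 + i}:445"
    for i in range(12)
]

if __name__ == "__main__":
    for src, info in find_fan_out(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_targets']} distinct hosts on port {info['port']} "
              f"({info['dropped']} of {info['attempts']} attempts dropped)")
```

The dropped-to-attempted ratio is reported alongside the fan-out count because a high share of refused connections is what separates a host blindly probing its neighbours from, say, a backup server that legitimately talks to many machines on one port; tune `min_targets` and `window` to what is normal on the network being audited.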
Isolate the compromised computers
Once the compromised computers have been identified, it is important that, whenever possible, they are taken off the network while being cleaned. One of the main classes of threats—worms—spread by “hopping” from one computer to another. It is critical to remove a compromised computer from the network before it infects others.
Sometimes, however, a compromised computer is mission-critical and cannot be isolated. Depending on the infection, such computers can be isolated in “quarantine” networks with heavily restricted network access. Naturally this only works when the threat’s activity doesn’t coincide with the functions the compromised computer needs to keep performing.
It is also a good idea to perform another network scan once all compromised computers have been removed just to ensure that the threat has not compromised another computer while identified computers were being taken off the network.
Clean the compromised computers
- Assess if it would be more cost-effective to rebuild or reinstall a compromised computer.
- Assess if threats can be easily removed by running an antivirus scan, or if additional tasks have to be performed.
- Assess if system changes were made on infected computers and how to reverse them.
- Assess when it is safe to add the computers back to the network.
Back doors or rootkits: Before proceeding with disinfection, it is important to consider if a back door or a rootkit is present. These malicious code subclasses allow threat writers to gain undetected access and hide their malicious files, respectively. Under both these circumstances, it is often less time-consuming to start from scratch by reimaging the operating system and restoring data from clean backups.
Stop the viral process: To remove malicious files from the computer, any processes used by the threat must be stopped beforehand. This can be done through an antivirus scan, or by opening the task manager and ending the malicious process. Some threats may prevent users from doing this, in which case they will need to try one of the other options. Restarting the computer in safe mode will prevent most threats from loading as the operating system loads. Users can then manually remove the malicious files or run an antivirus scan.
Remove the malicious files: The simplest way to remove the threat is to run a full system scan of the compromised computer. With the latest definitions installed, the scan should be able to remove the threat in most cases without incident.
The files can also be removed manually, but this is time-consuming and only works if one knows the names and locations of all files created by the threat. Hence it is not necessarily recommended, as it runs the risk of files being overlooked.
Restore changes made by the threat: There are a number of changes that a threat makes to a computer beyond just dropping files. Quite often security settings are lowered and system functionality reduced based on changes to the computer’s configuration. In many cases the right antivirus program can restore these items to a predetermined, secure setting. One can then adjust these settings further to suit the needs of their network. One may sometimes need to manually confirm or restore various system settings after removing a threat.
Antivirus software: Some threats target the computer’s antivirus software. If successful, this can lead to the software not alerting on the threat or not being able to update its definitions. If this has happened, software may need reinstallation.
Reintroducing computers to the network: Once a computer has been cleaned, a final antivirus scan with the latest definitions should be done before it is reintroduced to the network.
Post-op: prevent reoccurrence
Once the threat has been removed, it is important to conduct a network audit to determine how the threat got in, and then put security measures in place to prevent reoccurrence.
Some security weak-points are:
Patching: Vulnerabilities are software flaws that can be exploited by malicious code and can be repaired by applying “patches”. Appliances, such as routers and printers, should also be checked for software updates and patched quickly.
Network shares: Network shares facilitate easy transfer of files, though if unprotected they could allow threats to spread. First, access to all network shares should require a strong password, not easily guessed or “cracked”. Not only does this limit access by potential threats, it also safeguards the information from being viewed by unintended users.
Write and execute privileges on network shares should also be restricted. For added security, write access for users needing file-transfer capabilities can be limited to a “temporary” storage folder on a file server, which is cleared semi-regularly.
So, the best practices in this regard are three-fold:
- Do not log on using an account with elevated privileges (such as the domain or local Admin) unless absolutely necessary to perform a certain task.
- Be sure to log off once the task is completed.
- For day-to-day duties, use a more restrictive account.
Email: Email attachments are still used to spread malicious code. Limiting the types of files that are valid as attachments handicaps many threats’ ability to spread.
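The attachment-type restriction above, as an added example that is not from the original article: a small filter built on Python's standard `email` library lists a message's attachments and flags any whose extension is on a blocked list. The blocked-extension list is an assumption for this example, and the message is constructed inline rather than read from a mail server. The check looks at every extension in a file name, not only the last one, so that a name such as `invoice.pdf.exe` is caught even though its inner extension looks harmless.

```python
"""Attachment-type filter for inbound mail (added example, not from the article).

The blocked-extension list is an assumption for this example; the message is
constructed inline rather than read from a mail server.
"""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from typing import List

# Assumed policy: executable and script-host formats that have no business arriving by mail.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def attachment_names(raw_message: str) -> List[str]:
    """Return the file names of all attachments in an RFC 822 message string."""
    msg = message_from_string(raw_message, policy=default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def blocked_attachments(raw_message: str) -> List[str]:
    """Names of attachments with a blocked extension anywhere in the name (case-insensitive)."""
    blocked = []
    for name in attachment_names(raw_message):
        # Collect every extension: "invoice.pdf.exe" -> {".pdf", ".exe"}; "setup.EXE" -> {".exe"}
        exts = {"." + part for part in name.lower().split(".")[1:]}
        if exts & BLOCKED_EXTENSIONS:
            blocked.append(name)
    return blocked


def build_sample_message() -> str:
    """Construct a test message with one benign and one disguised executable attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    raw = build_sample_message()
    print("attachments:", attachment_names(raw))
    print("blocked:    ", blocked_attachments(raw))
```

Because every extension in the name is checked, the rule errs on the side of caution (a file called `notes.js.txt` would also be held back); for a mail gateway that is the right trade-off, since the user can always request a held message, whereas a missed executable cannot be recalled.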
Education: An educated end user is a safer end user. Basic measures include: not sharing passwords or storing them in easily accessible locations, not clicking on unknown URLs, not opening unexpected attachments and finally, scanning software downloaded from the Internet before installing it.
Firewalls and other tools: Perimeter firewalls are critical to protect the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks.
Beyond basic firewalls, network and host-based Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) can help monitor unwanted activity, and in many cases allow users to stop offending traffic in real-time. Many client-side firewalls provide these features.
A semi-regular penetration test is also recommended to evaluate network security. This allows users to plug weak points in the network.
Emergency response plan: After these tasks are complete, it is a good idea to be prepared for the worst. Draft a plan for how you will respond to a potential outbreak. How quickly will you know if there’s something on the network? Are administrators available to deal with it? How easy is it to reroute traffic and services on your network? Can you quickly isolate compromised computers before they affect others? Having plans for these things makes dealing with unpleasant situations much easier.
Conclusion
While removing a threat and locking down a network is time-consuming and often costly, there is good news in all of this. Most real-world threats today use time-tested methods for spreading malicious code. They work solely because many organisations leave security holes in their network. Following sound security policies and practices drastically reduces the chances of an outbreak. Due diligence and monitoring from a security standpoint will free up IT resources and budget spent on cleanup for other, more enjoyable projects.