Hi All,
As I have been working with Symantec Endpoint Protection 12.1 for more than a year, I have gone through different issues on the Symantec Manager and client and, most importantly, different viruses, worms and Trojans. Here I am sharing some best practices I have learned during such threat incident management.
Virus
A computer virus is a program designed to harm an infected computer. It spreads through e-mail attachments, portable devices, websites containing malicious scripts and file downloads.
Worm
This program is very similar to a virus and has the ability to self-replicate, leading to negative effects on your computer.
Trojans
Trojans can illegally trace important login details of users online. For example, e-banking is very common among users, so your login details are vulnerable to being traced whenever your PC is used without a strong antivirus installed.
To manage any threat or attack, you should approach the points below:
- Identify the attack (type of attack: virus, worm, Trojan or attack)
- Detect the infection (source of attack and destination details)
- Recover from the attack (remediation, scanning, backup and restore)
Immediate response: there are some basic steps you should take whenever you suspect your environment has become infected with a new virus.
Symantec recommends the virus removal and troubleshooting steps below when a virus outbreak happens in your network or on individual machines.
Responding to threats and virus infection involves the following:
- Step 1. Identify the threat and attack vectors
- Step 2. Identify the infected computers
- Step 3. Quarantine the infected computers
- Step 4. Clean the infected computers
- Step 5. Post-op and prevent recurrence
- Additional resources and information
Once a virus incident is observed or reported, please follow the steps below to remediate it; the procedure assumes a Symantec Endpoint Protection environment.
- Identify the machine or source of the threat/attack: host name, IP address, location etc.
- Isolate it from all networks except for the remote access you need for investigation
- Verify that the Symantec antivirus client is properly installed and healthy on the system
- Verify whether the virus and other definitions are up to date; if not, update them asap
- Verify all the logs in the Symantec client -> View Logs:
  - Control
  - Packet
  - Risk
  - Security
  - System
  - Traffic
- If a risk has been identified and logged, you can trace the threat and submit it to Symantec support; otherwise research further to get removal steps
- If no threat is found, run SymHelp and the Norton Power Eraser tool on servers and workstations respectively.
- These tools need to be run in threat scanning or load point analysis mode in order to identify boot-level viruses, rootkits etc. which the antivirus is unable to scan.
- Boot-level scanning with the above tool requires a reboot, and at the end it provides a scan result of the identified threats. You can remove a threat by selecting it among
- In case of an attack, investigate whether the attack happened inbound or outbound. If inbound, block the external public IP source to the inside. If outbound, block inside-any to the external public malicious (C2C, i.e. command-and-control) server.
Firewall Rules:
Inbound: block any (source) to 202.45.20.6 (Destination -Outside)
Outbound: block 202.45.20.6 (source) to any (Destination -inside)
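As an added example (not Symantec's code and not SEP firewall syntax), the script below does the direction check described in the step above: it decides whether a suspicious flow is inbound or outbound relative to the internal address space and builds the block rule in the same "block source to destination" form used for the firewall rules. The internal ranges (RFC 1918), the sample flows (RFC 5737 documentation addresses) and the rule format are assumptions constructed for the example; it also handles the two cases the text does not mention, purely internal and purely external flows, where a perimeter rule is not the right answer.

```python
"""Added example for this post (not Symantec's code, and not SEP firewall
syntax): decide whether a suspicious connection is inbound or outbound
relative to the internal address space, and build the block rule in the
same "block <source> to <destination>" form the post uses."""
import ipaddress

# Assumed internal address space (RFC 1918 ranges; adjust to your network).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src, dst):
    """Return 'inbound', 'outbound', 'internal' or 'external' for a flow."""
    s_in, d_in = is_internal(src), is_internal(dst)
    if s_in and d_in:
        return "internal"   # lateral traffic: a perimeter rule will not help
    if d_in:
        return "inbound"    # external source reaching an inside host
    if s_in:
        return "outbound"   # inside host calling out (possible C2C)
    return "external"       # neither side is ours; nothing for us to block


def block_rule(src, dst):
    """Build the perimeter rule the post describes for the flow's direction.

    Inbound:  block the external source to anything inside.
    Outbound: block anything inside to the external destination.
    Other directions get no rule, only a note to investigate further."""
    direction = classify(src, dst)
    if direction == "inbound":
        return {"direction": "Inbound", "action": "block",
                "source": src, "destination": "any (inside)"}
    if direction == "outbound":
        return {"direction": "Outbound", "action": "block",
                "source": "any (inside)", "destination": dst}
    return {"direction": direction, "action": "investigate",
            "source": src, "destination": dst}


def render(rule):
    """Format a rule the way the post writes its firewall rules."""
    return "%s: %s %s (source) to %s (destination)" % (
        rule["direction"], rule["action"], rule["source"], rule["destination"])


# Constructed sample flows (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.20.30.40"),    # external host hitting an inside host
    ("10.20.30.40", "198.51.100.9"),   # inside host calling an outside server
    ("10.20.30.40", "10.20.30.41"),    # lateral movement inside the LAN
]


def triage(flows):
    """Return one rendered rule line per flow."""
    return [render(block_rule(src, dst)) for src, dst in flows]


if __name__ == "__main__":
    for line in triage(SAMPLE_FLOWS):
        print(line)
```

Run it as-is to see the three rule lines; in practice the flows would come from the Traffic or Packet log of the isolated client, and the rendered rules are what you would translate into your perimeter firewall's own syntax.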
Handle Virus & Malicious Code Outbreak
Attackers now launch attacks that are destructive and motivated by financial gain; ransomware and CryptoWall are among the best-known examples you might have heard of nowadays. Ransomware such as CryptoWall will put you in trouble and leave you helpless, as it encrypts your important data and asks you to pay money to decrypt it.
However, there is no such thing as foolproof protection in the world of information security. Organizations must therefore develop a robust information security incident policy so that the security team is able to manage incidents better.
A virus incident response process should have three main stages: "Planning, Preparation, Response and Aftermath". The "Response" stage consists of the following five steps:
- Install antivirus software on every system
- Ensure virus definitions are up to date and maintain at least 90 % compliance for workstations and 99 % for servers
- Enable a host-based firewall and a network firewall; Symantec SEP, for example, has NTP (firewall & IPS)
- Filter all email traffic for spam and suspicious email, as Symantec Messaging Gateway does
- Educate all users to be careful when opening any suspicious external emails
- Put controls in place to scan the content of Internet downloads
- Don't run unknown programs; validate the digital signature of software and ensure it
- Implement vulnerability management to discover vulnerabilities in the perimeter
- Schedule regular backups of critical machines so that they can be restored if badly infected with dangerous viruses like ransomware or CryptoWall
- Develop an information security policy that can guide users
- Develop a virus incident management SOP to handle the situation once a virus infection is reported
- Restrict end users to limited access so that they cannot make changes to the system that leave the machine vulnerable to attack
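The definition-compliance point in the list above (90 % for workstations, 99 % for servers) is easy to state but worth measuring the same way every time. The script below is an added example, not Symantec's code (SEP Manager's own reports remain the authoritative source): it takes an inventory of hosts with their machine class, definition date and client health, lists the hosts to update or repair first, and reports per-class compliance against those thresholds. The inventory, the hostnames, the fixed "today" and the three-day staleness cut-off are assumptions constructed for the example.

```python
"""Added example for this post (not Symantec's code; SEP Manager's own
reports remain the authoritative source): check definition freshness and
client health across an inventory and measure compliance per machine class
against the thresholds in the list above (90 % workstations, 99 % servers)."""
from datetime import date

THRESHOLDS = {"workstation": 90.0, "server": 99.0}
MAX_AGE_DAYS = 3   # assumption: definitions older than this are out of date

# Constructed inventory: (hostname, class, definition date, client healthy?).
INVENTORY = [
    ("ws-001", "workstation", date(2014, 6, 11), True),
    ("ws-002", "workstation", date(2014, 6, 12), True),
    ("ws-003", "workstation", date(2014, 6, 5), True),    # stale definitions
    ("ws-004", "workstation", date(2014, 6, 10), True),
    ("ws-005", "workstation", date(2014, 6, 9), True),    # exactly 3 days old
    ("ws-006", "workstation", date(2014, 6, 12), False),  # client not healthy
    ("ws-007", "workstation", date(2014, 6, 11), True),
    ("ws-008", "workstation", date(2014, 6, 12), True),
    ("ws-009", "workstation", date(2014, 6, 11), True),
    ("ws-010", "workstation", date(2014, 6, 12), True),
    ("srv-01", "server", date(2014, 6, 12), True),
    ("srv-02", "server", date(2014, 6, 12), True),
    ("srv-03", "server", date(2014, 6, 11), True),
    ("srv-04", "server", date(2014, 6, 12), True),
]
TODAY = date(2014, 6, 12)  # fixed so the example is reproducible


def is_compliant(defs_date, healthy, today, max_age=MAX_AGE_DAYS):
    """A host counts only if its client is healthy and definitions are fresh."""
    return healthy and (today - defs_date).days <= max_age


def hosts_to_fix(inventory, today, max_age=MAX_AGE_DAYS):
    """Hostnames to update or repair first (the 'verify definitions' step)."""
    return [h for h, _, d, ok in inventory
            if not is_compliant(d, ok, today, max_age)]


def compliance(inventory, today, max_age=MAX_AGE_DAYS):
    """Per-class totals, percentage and whether the threshold is met.

    Classes with no hosts simply do not appear (no division by zero)."""
    totals, good = {}, {}
    for _, cls, d, ok in inventory:
        totals[cls] = totals.get(cls, 0) + 1
        if is_compliant(d, ok, today, max_age):
            good[cls] = good.get(cls, 0) + 1
    report = {}
    for cls, n in totals.items():
        pct = round(100.0 * good.get(cls, 0) / n, 1)
        report[cls] = {"total": n, "compliant": good.get(cls, 0),
                       "percent": pct,
                       "meets": pct >= THRESHOLDS.get(cls, 100.0)}
    return report


if __name__ == "__main__":
    for cls, r in compliance(INVENTORY, TODAY).items():
        print(cls, r)
    print("fix first:", hosts_to_fix(INVENTORY, TODAY))
```

With the constructed inventory the workstations come out at 80 % (two of ten fail, one for stale definitions and one for an unhealthy client) and so miss the 90 % target, while the servers are at 100 %. A host with a healthy client but old definitions and a host with fresh definitions but a broken client are both counted as non-compliant, which matches the two checks the remediation steps ask you to do on each machine.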
I hope this article helps you to understand and manage virus incidents. Feel free to share your feedback.