Step 4: System Recovery
After collecting the required information about the attack and understanding its full nature, you can begin to remove the malware from the infected computers and recover any corrupted data.
Important: Even if you have installed antivirus software that can identify and clean malware from your computers, Microsoft recommends that you invest some effort in determining the date and time of the infection and how it occurred. Without this information, it is difficult to determine which systems, backup media, or removable media may have been exposed to the attack.
How you complete this process depends largely on the nature of the specific malware attack. However, you can use the following high-level procedure to ensure full recovery of data and computer systems:
1. Restore lost or damaged data.
2. Delete or clean infected files.
3. Verify that the computer system no longer contains malware.
4. Reconnect the computer system to the network.
Verifying that the system no longer contains malware is a key step that should not be skipped. Many malware threats go undetected for a long time. In addition, backup images or System Restore points may contain infected system files, which can cause reinfection if an infected backup image is used as the recovery source. For these reasons, the date and time of the first instance of the malware attack must be determined as precisely as possible. Once that timestamp is set as the benchmark, you can compare it with the creation dates of the backup images to determine whether any of the images contain the same malware.
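The benchmark comparison described above, as an added PowerShell example that is not part of the guide: a backup or restore point created on or after the first known infection (less a safety margin for uncertainty in the timeline) is flagged as suspect and must be scanned before it is used as a recovery source. The benchmark timestamp and the backup catalog are constructed sample values; Get-ComputerRestorePoint is a real cmdlet but exists only on client editions of Windows, so the script checks for it before use.

```powershell
# Added example, not from the guide: flag backup images and System Restore
# points that postdate the first known instance of the malware.
$FirstInfection = Get-Date '2004-03-10 09:30'   # constructed benchmark; set it from the incident timeline

function Test-BackupSuspect {
    param(
        [Parameter(Mandatory)][datetime]$Created,
        [Parameter(Mandatory)][datetime]$Benchmark,
        [timespan]$Margin = (New-TimeSpan -Hours 24)
    )
    # Anything created after (benchmark - margin) is treated as suspect. The
    # margin covers the usual uncertainty about when the infection really began.
    return $Created -ge ($Benchmark - $Margin)
}

# Constructed catalog standing in for a real backup inventory
$Catalog = @(
    [pscustomobject]@{ Name = 'weekly-2004-03-01'; Created = Get-Date '2004-03-01 02:00' },
    [pscustomobject]@{ Name = 'weekly-2004-03-08'; Created = Get-Date '2004-03-08 02:00' },
    [pscustomobject]@{ Name = 'daily-2004-03-10';  Created = Get-Date '2004-03-10 02:00' },
    [pscustomobject]@{ Name = 'daily-2004-03-11';  Created = Get-Date '2004-03-11 02:00' }
)

$Catalog | Select-Object Name, Created, @{
    n = 'Status'
    e = { if (Test-BackupSuspect -Created $_.Created -Benchmark $FirstInfection) { 'SUSPECT: scan before use' } else { 'clean candidate' } }
}

# System Restore points (client Windows only). CreationTime is a WMI datetime
# string and has to be converted before it can be compared.
if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, @{
        n = 'Created'
        e = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) }
    }, @{
        n = 'Status'
        e = {
            $c = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            if (Test-BackupSuspect -Created $c -Benchmark $FirstInfection) { 'SUSPECT: scan before use' } else { 'clean candidate' }
        }
    }
}
```

With the constructed values, the two weekly images are clean candidates and both daily images fall inside the 24-hour margin and are flagged. The margin is deliberately conservative: a backup wrongly marked suspect costs a scan, a backup wrongly marked clean can reintroduce the infection.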
Cleaning or rebuilding?
You can choose either of two methods to restore the system. The first option is to clean the system, which reverses each change the attack made to the system, based on the known characteristics of the attack. The second option is usually called rebuilding (re-imaging) the system. Deciding which option to use is not simple, however.
You should choose to clean the system only when you are sure that all elements of the attack have been reliably documented and that the cleaning process will successfully repair each of them. Antivirus vendors generally provide the required documentation, but it may take them several days to fully understand the nature of the attack. Cleaning is usually the preferred choice because it restores the system to a clean state while leaving applications and data in place, so it can usually return the system to normal operation more quickly than rebuilding. However, unless the malicious code has been analyzed in detail, cleaning may not completely remove the malware.
The main risk of cleaning the system is that it may miss undocumented elements of the initial infection, or possible secondary infections or attacks, leaving the system still infected or still vulnerable to the malware's mechanism of attack. Because of this risk, many organizations choose to rebuild infected systems rather than clean them, to make sure they are free of malware.
Microsoft recommends that you rebuild the system whenever an attack has installed a backdoor or rootkit. For more information about these types of attacks, see Chapter 1, "Malware Threats," in this guide. The components of these attacks are difficult to detect reliably, so the attacks often recur after apparent removal. They are typically used to provide unauthorized access to the compromised system so that further attacks can be launched on it to escalate privileges or install additional software. For these reasons, the only way to ensure that a computer system is free of such malware is to rebuild it from trusted media and configure it to close the vulnerabilities that were exploited, such as missing security updates or weak user passwords.
Rebuilding also requires carefully capturing and checking all necessary user data from the infected system, repairing any corrupted data, scanning it to ensure that it contains no malware, and finally restoring the clean data to the new system.
Rebuilding the system also means reinstalling all the applications that were previously available on it and then configuring each one correctly. Rebuilding therefore minimizes the risk of continued infection or attack, but it is usually a much larger task than cleaning.
The primary consideration in choosing which option to use on a system is your confidence that the option will completely eliminate and resolve the infection or attack. Compared with ensuring system integrity and stability, the downtime required for restoration is a secondary consideration.
Table 4.3: Advantages and Disadvantages of System Cleaning and Rebuilding
Cleaning | Rebuilding
Simple process (if a cleanup tool is available). | More complex process, especially if a backup and recovery solution was not in place before the infection.
Only a few steps are required to ensure that the data is clean. | Many steps are required to capture, back up, clean, scan, and restore data.
Compared with rebuilding the entire system, the removal tool requires fewer resources. | The rebuilding process may take considerable time and resources to complete.
The system remains at risk of continued infection. | If the data has been fully restored from clean media and verified, the risk of the system remaining infected is very small.
Note: If you choose to clean an infected system, the organization's management and legal teams should perform a risk analysis to determine whether they are willing to accept the greater risk of future attacks that results if some malicious code is missed during the cleaning process.
System cleanup
If the malware attack and its behavior are well documented and the cleaning process has been tested and proven, system cleaning should be considered a viable option. The cleaning process can consist of fully documented steps from Microsoft or an antivirus vendor that an administrator follows, or of an automated tool that cleans the infection from the system. Either approach carefully reverses each action performed during the infection and restores the system to its original operating state. These processes are usually available only for major viruses or worms, and generally only a few days after the initial malware infection.
Note: Because many malware attacks are released in multiple variants (for example, MyDoom@A and MyDoom@B), you must use only a cleaning process or tool that targets the specific variant of the malware present on the system.
If no automated tool can clean the malware in question, the basic steps for manually cleaning it from the system are:
1. Terminate the malware's execution. Any processes associated with the running malware must be terminated, and any autorun entries or scheduled tasks associated with the malware must be removed.
2. Delete the files the malware introduced. This step requires a detailed analysis of the files on the host's hard drive to determine which files the malware affected.
3. Apply the latest security updates or patches to mitigate the vulnerabilities exploited in the initial attack. This step may require a restart and a visit to the Windows Update Web site to ensure that all security updates have been applied.
4. Change any passwords that may have been compromised (domain or local), and any weak, easily guessed passwords. For instructions on setting strong passwords, see the Strong Passwords page on Microsoft.com at www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp (in English).
5. Undo any system changes introduced by the malware
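Steps 1 and 2 of the manual procedure, together with the verification step from the recovery procedure at the start of this section, as an added PowerShell example that is not part of the guide or of any vendor's cleanup tool. It audits a host against the documented elements of an attack (process names, dropped files, Run-key autorun values, scheduled task names), removes what it finds in the order the guide gives (stop execution first, then persistence, then files), and audits again, which must come back empty before the system is reconnected. Every indicator value in $Indicators is a hypothetical placeholder to be replaced with the names from the antivirus vendor's write-up for the specific variant; Get-ScheduledTask and Unregister-ScheduledTask require Windows 8 / Windows Server 2012 or later.

```powershell
# Added example, not from the guide: audit and clean the documented traces of a
# specific malware variant. All indicator values below are placeholders.
$Indicators = @{
    ProcessNames  = @('placeholder_malware')                              # image names without .exe
    FilePaths     = @("$env:SystemRoot\System32\placeholder_malware.exe")  # dropped files
    RunValueNames = @('PlaceholderUpdater')                               # value names under Run/RunOnce
    TaskNames     = @('PlaceholderMaintenance')                           # scheduled task names
}

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-MalwareTraces {
    param([hashtable]$Ind = $Indicators)
    $found = @()

    # Step 1 evidence: processes named in the write-up that are still running
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if ($Ind.ProcessNames -contains $p.ProcessName) {
            $found += [pscustomobject]@{ Kind = 'Process'; Location = $p.Id; Value = $p.ProcessName }
        }
    }
    # Step 1 evidence: autorun values in the Run/RunOnce keys
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $Ind.RunValueNames) {
            if ($null -ne $props.PSObject.Properties[$name]) {
                $found += [pscustomobject]@{ Kind = 'RunValue'; Location = $key; Value = $name }
            }
        }
    }
    # Step 1 evidence: scheduled tasks
    foreach ($name in $Ind.TaskNames) {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            $found += [pscustomobject]@{ Kind = 'Task'; Location = $task.TaskPath; Value = $name }
        }
    }
    # Step 2 evidence: dropped files still on disk
    foreach ($path in $Ind.FilePaths) {
        if (Test-Path -LiteralPath $path) {
            $found += [pscustomobject]@{ Kind = 'File'; Location = (Split-Path $path); Value = (Split-Path $path -Leaf) }
        }
    }
    return $found
}

function Remove-MalwareTraces {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Traces)
    # Order matters: a process that is still running could recreate a Run value
    # or file that was just removed, so execution is stopped first.
    foreach ($t in $Traces | Where-Object Kind -eq 'Process') {
        if ($PSCmdlet.ShouldProcess("PID $($t.Location) ($($t.Value))", 'Stop-Process')) {
            Stop-Process -Id $t.Location -Force
        }
    }
    foreach ($t in $Traces | Where-Object Kind -eq 'RunValue') {
        if ($PSCmdlet.ShouldProcess("$($t.Location)\$($t.Value)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $t.Location -Name $t.Value
        }
    }
    foreach ($t in $Traces | Where-Object Kind -eq 'Task') {
        if ($PSCmdlet.ShouldProcess($t.Value, 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $t.Value -Confirm:$false
        }
    }
    foreach ($t in $Traces | Where-Object Kind -eq 'File') {
        $full = Join-Path $t.Location $t.Value
        if ($PSCmdlet.ShouldProcess($full, 'Remove-Item')) {
            Remove-Item -LiteralPath $full -Force
        }
    }
}

# Usage: audit, clean, audit again. The second audit must be empty before the
# host is reconnected to the network. Drop -WhatIf to perform the removals.
$before = @(Find-MalwareTraces)
$before | Format-Table -AutoSize
Remove-MalwareTraces -Traces $before -WhatIf
$after = @(Find-MalwareTraces)
if ($after.Count -eq 0) { 'No documented traces remain' } else { $after | Format-Table -AutoSize }
```

The script only knows about the elements the write-up lists, which is exactly the limitation the section describes: an empty second audit shows that the documented traces are gone, not that the system is clean, so it complements rather than replaces a full antivirus scan and the decision to rebuild when a backdoor or rootkit is involved.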