[Malicious code series] 5. Main steps and summary for handling malicious code

Source: rising community Author: hotboy

Detection and Analysis

1. Determine the processing sequence based on the specific situation.
1.1 Identify infected devices and resources and predict which devices and resources will be infected
1.2 evaluate the current and potential impact of malicious code from a technical perspective
1.3 select appropriate units based on network matrix priorities based on technical impact and affected resources
2. Send a virus notice to relevant personnel in the LAN and relevant organizations or organizations on the Internet.

Block, remove, and restore

3. blocking malicious code
3.1 identify the infected system
3.2 disconnect the connection between the infected system and the network
3.3 fix vulnerabilities that may be exploited by malicious code
3.4 If possible, blocking the transmission of malicious code
4. Remove malicious code
4.1 disinfect, isolate, delete, and overwrite infected files
4.2 patch vulnerabilities of other systems in the LAN
5. Recovery
5.1 determine that the function of the infected system resumes normal
5.2 if possible, monitor the system to find out whether there are any malicious code-related actions

Post-processing work
6. Make an event Memorandum
7. Study Seminar

The following is a summary of the key suggestions for processing malicious code:

* Improve your vigilance against malicious code: we should understand the breeding methods and signs of infection of malicious code. Improve your vigilance against malicious code. Know how to securely process email attachments to reduce the possibility of virus infection.

* Read the anti-virus report: the anti-virus reports the latest virus in a timely manner.

* Set up host-based Intrusion Detection Systems for important core hosts and install file integrity detection tools: Host-Based Intrusion Detection Systems and file integrity detection tools can detect signs of malicious code, for example, changes in settings and execution files.

* Use anti-virus software and regularly upgrade the latest virus pattern: Install anti-virus software on all hosts and devices that may pass malicious code. Set anti-virus software to detect, clear, or isolate files infected by malicious code. All anti-virus software should ensure regular updates to the latest virus pattern so that it can detect the latest virus.

* Set software blocking to support files: Suspicious files that may carry malicious code should be blocked, such as files with extensions that may be virus-related and files with a composite extension.

* Avoid open network sharing: many worms spread through insecure network sharing. An infected file can be quickly infected with hundreds of thousands of computers through insecure network sharing.

* Block malicious code as quickly as possible: to prevent the spread of malicious code and cause more damage due to its concealment and the ability to quickly spread it across systems, you must block it as soon as possible. For a system, it is to disconnect it from the network as soon as possible. For organizations or organizations, malicious code must be blocked on the email server or the service should be suspended to prevent the spread of malicious code.