[Malicious code series] 2. Cleanup preparation

Information Source: risingCommunityAuthor: hotboy

Ii. malicious removalCodePreparations

This section provides guidance on the preparation for preventing and solving malicious code.

1. Preparations for solving malicious code

* Alert users for malicious code: This includes giving users a certain understanding of the virus code reproduction and infection symptoms. Give a lecture to help users understand the dangers of malicious code.

* Read the virus notice from the antivirus software vendor: An email agreed with the antivirus software vendor to obtain the latest virus information in a timely manner.

* Set up a host-based Intrusion Detection System on the problematic HOST: the host-based intrusion detection system can detect malicious code by setting changes and system execution changes, integrity test-based file DetectionProgramIdentifies infected components in the system.

To prevent connections between the Trojan server and the client, some organizations or organizations will set their own gateways to block ports normally used by Trojans. However, this method does not work very well. Because Trojans can use hundreds of ports, and some Trojans can use any port. Some Trojans can use the same port as legitimate services. These Trojans cannot be prevented by blocking ports. Some organizations or organizations have implemented incorrect port blocking policies, so that some legitimate services are blocked. The requirements for filtering device storage for each Trojan will also increase. Generally, only when a trojan invades the network of a unit or organization can they block the port used by the Trojan.

2. Prevention of malicious code

* Use of anti-virus software: anti-virus software is essential to prevent virus attacks and reduce virus damage. All computers in the organization or organization should install anti-virus software and promptly upgrade to prevent the loss of protection against new viruses. Antivirus software should also be used in programs that transmit viruses, such as email, file transfer tools, and real-time communication tools. Anti-virus software should be configured for regular scanning and real-time scanning of file downloads, opens, and executions. In addition, anti-virus software should be set to disinfect and isolate infected files. In addition to scanning viruses, worms, and Trojans, some anti-virus software also scans HTML, ActiveX, JavaScript, and mobile code to see if they contain malicious code components.

* Blocking suspicious files: sets the email server and client to block emails with suspicious attachments. For example, the attachment extension is associated with malicious code (for example :. PIF ,. vbs), or emails with a composite extension (for example, .txt.vbs,.htm.exe ).

* Restrict the use of unnecessary files with transmission capabilities, such as point-to-point transmission files, music shared files, real-time communication files, and IRC clients and servers. These programs are often used to spread malicious code.

* Educating users to safely process email attachments: Generally, anti-virus software should be set to scan attachments before opening email attachments, users should also be careful not to easily open suspicious or untitled attachments. The user should also note that, if you do not know the source of the email, it must be virus-free. Because some viruses can automatically search for email addresses from the system and use the account of the sender to send emails with viruses, the sender may not know at this time. You should also know that attachments must not be opened (for example, .bat,.com,.exe,. pif,. vbs ). Although user training can reduce the possibility and severity of malicious code infection, organizations or organizations must be careful with the virus intrusion caused by user errors.

* Avoid open network sharing: many viruses are spread through insecure shared files running on the host. If a computer in an organization or organization is infected, it can quickly spread the virus to hundreds of thousands of computers in the Organization through insecure network sharing. Therefore, organizations or organizations should regularly check their networks for shared resources and ensure that users can securely share data. In addition, a gateway should be set to prevent the use of NetBIOS port information to access the gateway. In this way, not only can the Internet host directly infect the Intranet host through network sharing, but also can prevent the Intranet virus from spreading through network sharing.

* Use the security mechanism of Web browsers to restrict Mobile Code: All Web browsers have security settings to prevent ActiveX and mobile code controls with different origins from being downloaded and run in the local system. Organizations or organizations can establish network security policies to identify the sources of Mobile Code (such as Intranet servers and Internet servers ).

* Set the mail client to make it safer: You should set all the mail clients in the organization or organization to avoid virus infection inadvertently. For example, the email client should be set to an attachment that cannot be automatically run.

3. Detection and Analysis

Because malicious code can be spread through many channels, we can also find them through many signs and signs.