[Malicious code series] 4. Isolation, deletion, and recovery

Information Source: risingCommunityAuthor: hotboy

MaliciousCodeThe importance of signs is important to properly classify them as they will spread to systems on other computers. In general, the basic analysis of malicious code can determine which type of malicious code is intruded, so that it is easy to determine the possible actions of the malicious code. In most cases, network administrators do not necessarily know the number of computers infected with the Intranet, but they can determine whether the infected scale is a large range of infections or only a few systems are infected.

4. Isolation, deletion, and recovery

In addition to the general instructions described above, this section provides detailed suggestions for blocking malicious code and collecting and processing infected source clues.

4.1 select an appropriate Blocking Policy

Because malicious code is characterized by concealment, reproduction, and fast propagation, a timely blocking of malicious code can prevent its spread and cause greater damage. If the infected system is not very important, it should be disconnected from the physical connection of the network as soon as possible. If the infected system plays an important role, it is recommended that you do not disconnect the physical connection unless the security risk of maintaining the physical connection is far beyond the importance of the system. If you encounter the following malicious code, you need to take other measures:

* Use the measures mentioned above: when a system is infected, it is very likely to infect other systems. Therefore, when setting a blocking policy, you must prevent viruses from spreading to other systems.

* Identify and isolate infected hosts: the alarm system of anti-virus software is a good source of messages, but not every virus can be detected by anti-virus software. Therefore, the administrator needs to use other methods to find the infection information.

For example:
-Check whether a trojan is on the listening port through port scanning.
-Use anti-virus scanning and killing tools to identify specific viruses
-Check the mail server, firewall, and even the logs of a specific host to determine whether there is virus intrusion.
-Set intrusion detection software for networks and hosts to identify possible virus activities
-Check whether a running process is a legal process

* Send samples of unknown viruses to the anti-virus manufacturer: Sometimes, anti-virus software cannot identify infected malicious code, malicious Code cannot be isolated to prevent the spread of malicious code without being upgraded by the anti-virus vendor. In this case, the user should submit a sample of malicious code to the anti-virus vendor.

* Virus emails are blocked by setting the mail server and client: Many mail systems can manually block emails with malicious code by blocking specific topics, attachment names, or other standards. Although this method is not very secure and effective, this method is the best way to deal with known viruses when there is no matching anti-virus pattern.

* Blocked access: If malicious code sends a virus email to the outside or tries to connect to the outside, the administrator should block the IP address or service of the external host that has been infected with the system and tried to connect to the outside host.

* Shut down the email server: in the case of malicious code that is particularly damaging, it is assumed that a large number of hosts in the Intranet are infected and the virus is trying to spread through mail. At this time, the mail server may have been completely paralyzed by virus emails sent from hundreds of computers on the Intranet. In this case, it is necessary to disable the email server to prevent the virus from spreading out.

* Disconnect the LAN from the Internet: the LAN may be paralyzed in the event of extremely serious worm attacks. Sometimes the problem is serious. The Internet worm can also completely paralyze the gateway connecting the LAN to the Internet. In general, it is recommended that you disconnect the LAN from the Internet if the local area network is unable to contact the Internet because of worms, in this way, the system in the LAN will not be attacked by Internet Worms. For example, if the LAN has been infected by worms, this can also prevent the worms from infecting other network systems and cause network congestion.

To identify infected hosts and vulnerable hosts in the LAN, complex dynamic operations are required. If all the computers on the network are on and connected to the network, it is easier to clear malicious code. However, in actual situations, the infected host may not be started, migrated to another network, or the computer is on, but the user has left the office. Although a vulnerable host is disabled when the user is not present, it is likely to be infected with viruses as soon as it is started. Determining infected and vulnerable hosts cannot rely solely on our participation. In any case, organizations or organizations do not have enough manpower and time to manually check each host, especially when many people use mobile computers or remotely work at home using computer terminals connected to work units. In the case of large-scale malicious code outbreaks, organizations or organizations must carefully consider these situations to adopt the most effective blocking policy.

4.2 collection and handling of Infection Source clues

Although it is possible to collect these clues, this is not very useful because malicious code can be automatically transmitted or transmitted by infected users. Therefore, it is very difficult and time-consuming to determine the source of the virus. However, virus samples are useful in some cases for future tests.

4.3 division and recovery

anti-virus software can effectively identify and clear malicious code, even though some infected files cannot be cleared (these files can be deleted or overwritten with uninfected backup files; the infected program can be uninstalled and reinstalled with a Program .). In this way, even if the virus steals administrator-level permissions for its operator, it will not be able to execute the operator's subsequent commands. In this case, you can use uninfected backup files to recover the system or reinstall the system. Measures should be taken to protect the system from being easily infected with the same malicious code.