Virus isolation, deletion and recovery - network security
Source: Internet
Author: User
Signs of malicious code should be prioritized according to their importance, because the code spreads to other computer systems. In general, a basic analysis of the malicious code can determine which malicious code is attacking, which in turn makes it easy to determine what actions it may take. In most cases network managers do not know the exact number of infected computers on the intranet, but they can determine whether the infection is widespread or confined to a few systems.
4. Isolation, deletion and recovery
In addition to the general guidance described above, this section gives detailed advice on blocking malicious code and on collecting and handling clues about the source of an infection.
4.1 Choosing the appropriate blocking strategy
Because malicious code is concealed and propagates quickly, blocking it promptly prevents it from spreading and causing greater damage. If the infected system is not important, disconnect it from the network as soon as possible. If the affected system plays an important role, do not break its physical connection casually unless the security risk of keeping it connected far outweighs the importance of the system. If you encounter the situations listed below, additional steps are needed:
* Use the measures mentioned in the previous section: An infected system is very likely to infect others, so the blocking strategy must prevent the virus from spreading to other systems.
* Identify and isolate infected hosts: Anti-virus alerts are a good source of information, but not every virus is detected by anti-virus software, so administrators also need other means of finding infections.
For example:
- Scan ports to see whether a trojan is listening on a port
- Use anti-virus scanning and removal tools to clear specific viruses
- Look for signs of intrusion in the logs of the mail server, the firewall, or even a specific host
- Deploy network and host intrusion detection software to identify possible virus activity
- Review whether each running process is a legitimate process
* Send samples of unknown viruses to anti-virus vendors: Sometimes anti-virus software does not recognize the malicious code, and until the vendor publishes an updated signature the user cannot isolate the code to stop it spreading. In this case the user should submit a sample of the malicious code to the anti-virus vendor.
* Block virus messages by configuring mail servers and clients: Many messaging systems can be configured manually to block messages by specific subject, attachment name, or other criteria. Although this approach is neither very safe nor very effective, it is the best available way to deal with a known virus for which no matching anti-virus signature exists yet.
* Block outgoing access: If the malicious code sends virus messages externally or attempts external connections, the administrator should block the IP address or service of the external host that the infected system is trying to reach.
* Shut down the mail server: With particularly serious malicious code, assume that a large number of intranet hosts are already infected and that the virus is trying to spread by mail. At that point the mail server may already be completely paralyzed by the virus messages sent from hundreds of intranet computers. In this case the mail server must be shut down to stop the virus spreading outward.
* Disconnect the LAN from the Internet: A very severe worm attack may paralyze the local area network. Sometimes the situation is so serious that the worm also paralyzes the gateway connecting the LAN to the Internet, so that the LAN is in effect already cut off. Disconnecting deliberately protects the LAN from worms on the external network, and if the LAN is itself infected it also prevents its worms from infecting other networks and causing congestion.
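The mail-blocking step above (blocking by subject, attachment name or other criteria while no signature exists yet) can be illustrated with a small filter. The following is an added example, not code from the original article or from any mail product; the block rules, addresses and queued messages are constructed values chosen for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed block rules (assumed values, not from the article): subjects and
# attachment names observed in a hypothetical campaign, plus attachment
# extensions the mail system should never deliver.
BLOCK_SUBJECTS = {"important document", "your invoice"}
BLOCK_ATTACHMENT_NAMES = {"readme.exe"}
BLOCK_ATTACHMENT_SUFFIXES = (".exe", ".scr", ".pif", ".vbs")


def classify_message(raw: bytes) -> tuple:
    """Return ("block", reason) or ("deliver", reason) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    if subject in BLOCK_SUBJECTS:
        return "block", "subject matches block list: %r" % subject
    # iter_attachments() yields the non-body MIME parts, i.e. the attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BLOCK_ATTACHMENT_NAMES or name.endswith(BLOCK_ATTACHMENT_SUFFIXES):
            return "block", "attachment matches block list: %r" % name
    return "deliver", "no rule matched"


def build_message(subject: str, body: str, attachment_name: str = None) -> bytes:
    """Build a constructed test message, optionally with a binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ constructed payload", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def filter_queue(raw_messages) -> dict:
    """Split a queue of raw messages into 'blocked' and 'delivered' buckets with reasons."""
    result = {"blocked": [], "delivered": []}
    for raw in raw_messages:
        verdict, reason = classify_message(raw)
        result["blocked" if verdict == "block" else "delivered"].append(reason)
    return result


# Constructed queue: two messages match by attachment, one by subject, two are clean.
SAMPLE_QUEUE = [
    build_message("Important Document", "please open", "readme.exe"),
    build_message("Weekly report", "attached", "report.pdf"),
    build_message("Holiday photos", "enjoy", "photo.jpg.scr"),
    build_message("Your invoice", "see attached"),
    build_message("Lunch?", "noon at the usual place"),
]

if __name__ == "__main__":
    for bucket, reasons in filter_queue(SAMPLE_QUEUE).items():
        print(bucket, reasons)
```

Matching on subject and file name is exactly as brittle as the article says: a sender only has to rename the attachment to slip past it, so rules like these are a stopgap until the vendor signature arrives, and the "blocked" bucket should be quarantined rather than discarded so that samples can be sent to the vendor.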
Identifying the infected and vulnerable hosts in the LAN is a complex, dynamic task. If every computer on the network were powered on and connected, clearing the malicious code would be relatively easy. In practice, however, an infected host may not be booted, may have moved to another network, or may be powered on while its user has left the office. A vulnerable host that is switched off while its user is away may be infected as soon as it is switched on. Identifying infected and vulnerable hosts therefore cannot depend on manual involvement alone: no organization has enough manpower and time to check every host by hand, especially when many people use laptops or connect remotely from home terminals. In a large-scale outbreak of malicious code, the organization must consider these situations carefully and adopt the most effective blocking strategy.
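Because the host check cannot be done by hand, it helps to automate the indicators the article lists (trojan listening ports, suspicious processes, mail-server logs) into a single triage pass. The following is an added example, not code from the original article; the `ss -tlnp`-style socket snapshots, the mail-log format, the host names and the approved baseline are all constructed sample data, and the burst threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed `ss -tlnp`-style snapshots collected from two workstations
# (sample data, not from the article). Host names are assumed.
LISTENER_SNAPSHOTS = {
    "ws-01": [
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
        'LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))',
    ],
    "ws-17": [
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))',
        'LISTEN 0 128 0.0.0.0:4444 0.0.0.0:* users:(("svchost",pid=2310,fd=5))',
    ],
}

# Baseline of approved (port, process) pairs; anything else is unexpected.
BASELINE = {(22, "sshd"), (631, "cupsd")}

# Constructed mail-server log lines: "<time> <client-host> <sender> <recipient>".
MAIL_LOG = [
    "10:00:01 ws-01 alice@example.test bob@example.test",
    "10:00:05 ws-17 carol@example.test dave@example.test",
    "10:00:05 ws-17 carol@example.test erin@example.test",
    "10:00:06 ws-17 carol@example.test frank@example.test",
    "10:00:06 ws-17 carol@example.test grace@example.test",
]
MAIL_BURST_THRESHOLD = 3  # assumed: messages per host in the log window

LISTENER_RE = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_listener(line: str):
    """Extract (port, process, pid) from one ss-style LISTEN line, or None."""
    m = LISTENER_RE.search(line)
    return (int(m.group(1)), m.group(2), int(m.group(3))) if m else None


def unexpected_listeners(snapshots: dict, baseline: set) -> dict:
    """Map host -> list of (port, process, pid) not covered by the baseline."""
    findings = {}
    for host, lines in snapshots.items():
        for line in lines:
            parsed = parse_listener(line)
            if parsed and (parsed[0], parsed[1]) not in baseline:
                findings.setdefault(host, []).append(parsed)
    return findings


def mail_bursts(log_lines, threshold: int) -> dict:
    """Map host -> message count for hosts sending at or above the threshold."""
    counts = Counter(line.split()[1] for line in log_lines)
    return {host: n for host, n in counts.items() if n >= threshold}


def triage(snapshots, baseline, log_lines, threshold) -> dict:
    """Combine both indicators into host -> list of human-readable reasons."""
    reasons = {}
    for host, items in unexpected_listeners(snapshots, baseline).items():
        for port, proc, pid in items:
            reasons.setdefault(host, []).append(
                "unexpected listener on port %d by %s (pid %d)" % (port, proc, pid))
    for host, n in mail_bursts(log_lines, threshold).items():
        reasons.setdefault(host, []).append("sent %d messages in log window" % n)
    return reasons


if __name__ == "__main__":
    for host, why in triage(LISTENER_SNAPSHOTS, BASELINE, MAIL_LOG, MAIL_BURST_THRESHOLD).items():
        print(host, why)
```

A host that appears in neither the socket snapshots nor the log is exactly the case the paragraph warns about (powered off, moved, or off-site), so the inventory of hosts that were actually checked should be kept alongside the findings and the remainder rechecked when they reconnect.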
4.2 Collecting and handling clues about the source of infection
Although such clues can be gathered, doing so is of limited use, because malicious code may spread automatically or through infected users, so identifying the source of a virus is difficult and time-consuming. Collecting virus samples for later testing can, however, be useful in some cases.
4.3 Removal and recovery
Anti-virus software can effectively identify and remove malicious code, although some infected files cannot be cleaned; such files can be deleted or overwritten with an uninfected backup copy, and an infected program can be uninstalled. If the malicious code obtained administrator-level privileges for its operator, it is not possible to be sure what further instructions the operator carried out, in which case the user should recover the system from an uninfected backup or reinstall it. Measures should then be taken to protect the system from being infected again by the same malicious code.