Know the recommended steps to control malware infections during a virus outbreak.
To control the malware infection:
- Update the OfficeScan server and clients/agents with the latest scan engine, virus pattern and Damage Cleanup Template (DCT). To find the correct virus pattern, scan engine and other tools for a particular malware, visit the Virus and Threat Help page and use the Search for Malware Information section.
- If you have Windows XP clients/agents, disable the System Restore option so that infected files are not preserved in restore points, and re-enable it once cleanup is complete.
- Delete all Temporary Internet Files.
- Make sure that all OfficeScan clients/agents and servers have the latest Microsoft security patches.
- Deploy the OfficeScan Outbreak Prevention Policy (OPP) to deny the creation of files known to be dropped by the malware. For details on Outbreak Prevention configuration, refer to the product documentation.
- During outbreak scenarios, block the following filenames; they are commonly used by malware and its dropped files. Several of them imitate legitimate Windows binaries (scvhost.exe and scvshosts.exe vs. svchost.exe, spoolsvc.exe vs. spoolsv.exe, regsvr.exe vs. regsvr32.exe), so match on the exact name and do not block the legitimate files:
- desktop_.ini
- _desktop.ini
- autorun.inf
- gamesetup.exe
- new folder.exe
- regsvr.exe
- scvhost.exe
- spoolsvc.exe
- blastclnnn.exe
- killdog.exe
- scvshosts.exe
- Deploying the OPP protects your program files. You may also deny write access to the following folders:
- C:\Program Files\Internet Explorer (protection from browser hijackers)
- C:\Windows\System32\drivers (protection from rootkits)
- C:\Windows\System32\drivers\etc (location of the hosts file; protection from DNS poisoning / browser redirection)
- C:\Windows\Downloaded Program Files (protection from malicious plug-ins)
This blocks the malware's writes, while the programs in these folders still open and run normally because they only need read access. Test this with the applications used in your network; it works as long as an application does not save its data in the same folder as the application itself.
- Using the OPP on the OfficeScan console, block the ports commonly used by Trojan programs.
- If blocking any of these ports breaks a legitimate application on your systems, remove that port from the block list.
- Lock down the OfficeScan client/agent by setting Client/Agent Security to High. This prevents users without admin privileges from writing to the OfficeScan program folder and so prevents the OfficeScan client/agent itself from being tampered with or infected.
For OfficeScan 10.6 and below:
- On the OfficeScan web console go to Client management > Privileges and Other Settings > Other Settings.
- Under Client Security Settings, select High and then click Apply to All Clients. Note: You may also set the "Client_Security" parameter to "1" in the ofcscan.ini file in the OfficeScan server.
- Restart the OfficeScan master service for the changes to take effect.
For OfficeScan 11.0/XG:
- Go to Agents > Agent Management > Settings > Privileges and Other Settings > Other Settings.
- Under OfficeScan Agent Security Settings, select High and click Apply to All Agents. You may also set the "Client_Security" parameter to "1" in the ofcscan.ini file in the OfficeScan server.
- Restart the OfficeScan master service for the changes to take effect.
- Enable the Web Reputation feature on gateways (IWSS) and desktop (OfficeScan) products to prevent access to known / suspected malicious websites.
- Enable URL filtering on the gateway (IWSS) to prevent users from visiting unproductive websites that can potentially host malicious files.
- Enable IntelliTrap on gateway (IMSS) and desktop (OfficeScan) products to detect, generically, the packers commonly used by malicious files.
- Enable IDS through the OfficeScan firewall settings.
- Enable mapped drive scanning, especially during outbreaks of malware that spread through shared or mapped folders.
- Enable the All scannable files option for Real-time Scan. IntelliScan may be used for Manual Scan and Scheduled Scan.
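The following PowerShell script is an added example, not Trend Micro code and not part of the original article. It covers the host-side counterpart of two of the steps above: a sweep of endpoints for the blocked filenames, and a Deny ACE on the listed folders that stops non-elevated writes and can be rolled back afterwards. The sweep roots, the choice of BUILTIN\Users as the principal to deny, the 64-bit assumption about the Internet Explorer path, and the hosts-file location under System32\drivers\etc are this example's assumptions, not settings taken from the article.

```powershell
# Added example (not Trend Micro's code): host-side checks for the OPP filename block
# and the folder write-deny described in the article. Run from an elevated PowerShell.
# Assumptions not taken from the article: the sweep roots, BUILTIN\Users as the principal
# to deny, and the hosts file living under System32\drivers\etc.

# Filenames the article lists as commonly dropped by malware. Several mimic legitimate
# Windows binaries (svchost.exe, spoolsv.exe, regsvr32.exe), so matching is on the exact name.
$BlockedNames = @(
    'desktop_.ini', '_desktop.ini', 'autorun.inf', 'gamesetup.exe', 'new folder.exe',
    'regsvr.exe', 'scvhost.exe', 'spoolsvc.exe', 'blastclnnn.exe', 'killdog.exe', 'scvshosts.exe'
)

# Folders the article says may be made read-only for non-admins during an outbreak.
# On 64-bit Windows, Internet Explorer also lives under Program Files (x86) (assumption: add it if needed).
$ProtectedFolders = @(
    (Join-Path $env:ProgramFiles 'Internet Explorer'),
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\drivers\etc'),
    (Join-Path $env:SystemRoot 'Downloaded Program Files')
)

# Sweep the given roots for files whose name is on the block list and report path, size,
# timestamp and SHA-256 so hits can be compared across hosts and submitted for analysis.
function Find-BlockedDropperNames {
    param([string[]]$Roots = @($env:SystemRoot, $env:TEMP, $env:USERPROFILE))
    $seen = @{}   # de-duplicate when one root is nested inside another
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $BlockedNames -contains $_.Name -and -not $seen.ContainsKey($_.FullName) } |
            ForEach-Object {
                $seen[$_.FullName] = $true
                [pscustomobject]@{
                    Path    = $_.FullName
                    Size    = $_.Length
                    Written = $_.LastWriteTime
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }
}

# Add (or, with -Remove, take away) a Deny ACE for Write on a folder, inherited by its files
# and subfolders. Write covers creating and modifying files; Delete is a separate right and is
# left untouched here so cleanup tools can still remove dropped files.
function Set-DenyWriteAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'BUILTIN\Users',
        [switch]$Remove
    )
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Skipping missing folder $Path"; return }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Principal, 'Write', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl = Get-Acl -LiteralPath $Path
    if ($Remove) { $null = $acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Report whether a Deny ACE covering all Write bits for the principal is present on a folder.
function Test-DenyWriteAcl {
    param([Parameter(Mandatory)][string]$Path, [string]$Principal = 'BUILTIN\Users')
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    $deny = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Principal -and
        (($_.FileSystemRights -band $writeBits) -eq $writeBits)
    }
    [bool]$deny
}

# Usage (elevated):
#   Find-BlockedDropperNames -Roots 'C:\', 'D:\' | Format-Table -AutoSize
#   $ProtectedFolders | ForEach-Object { Set-DenyWriteAcl -Path $_; Test-DenyWriteAcl -Path $_ }
#   $ProtectedFolders | ForEach-Object { Set-DenyWriteAcl -Path $_ -Remove }   # roll back after the outbreak
```

Two caveats before using this on production hosts. A Deny ACE is evaluated before any Allow ACE, and administrator accounts are normally members of Users as well, so the Deny also blocks administrators and software updaters writing to these folders; run with -Remove before patching or once the outbreak is over. Set-Acl also needs WRITE_DAC on the target, and some System32 subfolders are owned by TrustedInstaller, so the call can fail until ownership or explicit Full Control is granted to Administrators. The OPP setting in the console remains the supported way to apply this protection fleet-wide; the script is a stopgap for hosts the server cannot reach.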
For additional assistance, contact Trend Micro Technical Support.