This article contains additional recommendations for removing persistent virus or malware detections that continue after a virus outbreak has been managed in OfficeScan (OSCE).
If malware or virus detections persist after you have managed a virus outbreak in OSCE, follow the procedures below:
Download the latest Trend Micro Anti-Threat Tool Kit (ATTK), the malware support tool that replaces the System Information Collector (SIC). Use ATTK for malware-related problems. For details, refer to the KB article "Using the Trend Micro Anti-Threat Toolkit to analyze malware issues and clean infections".
In addition to running ATTK, do the following:
- Collect the DCT logs from the report folder of the OSCE client directory on the machines with cleanup problems.
- Collect the virus logs from the OSCE server for the last 7 days, for all scan types, in CSV format.
- Collect the firewall logs from the OfficeScan server for the last 7 days.
Include the following data when escalating the problem to the Technical Support or Anti-Malware team:
- All the above-mentioned files.
- Information on the antivirus version, build number, scan engine, pattern and DCS versions, or a screenshot of the Help > About page on the infected client machines.
- Detailed symptoms of the infections and action taken by the antivirus.
- Details on any cleanup attempts made by the customer.
If the files requested after the ATTK log analysis cannot be found, copied or moved, try any of the following:
- Use the Command Prompt to search for the file. If the file is not listed in the target folder (it may carry the hidden or system attribute), change to that folder, clear the attributes with the command below, then try copying the file again:
attrib -s -h -r -a <file name>
- Boot the system into Safe Mode, then try copying the file.
- Terminate the process that holds the file open using Task Manager or Process Explorer, then copy the file.
To copy using Task Manager:
- Open Windows Task Manager:
- On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
- On Windows NT, 2000, XP, 2003, and above, press CTRL+SHIFT+ESC.
- Click the Processes tab.
- In the list of running programs, locate and select the process, then click End Task or End Process, depending on the Windows version you are using.
- Close Task Manager, then open it again to check that the process has been terminated.
You may now try to copy or move the file.
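The attribute-clearing, process-termination and copy steps above can be scripted on machines that have PowerShell, which is useful when the same suspect file has to be collected from many clients. The script below is an added example and is not part of the original article or of ATTK; the file path, the collection folder and the use of Get-FileHash (PowerShell 4.0 or later) are assumptions, and it must be run from an elevated (Administrator) session.

```powershell
# Added example (not from the original KB article): collect a suspected file that
# is hidden, read-only or locked by a running process, for escalation to support.
# $SuspectFile and $CollectDir are placeholders; pass the path that ATTK reported.
param(
    [Parameter(Mandatory = $true)][string]$SuspectFile,   # e.g. C:\Windows\System32\example.dll
    [string]$CollectDir = "C:\Temp\MalwareCollect"         # where the copy is placed
)

# 1. Clear the system/hidden/read-only/archive attributes so the file is visible
#    to dir/Explorer and can be copied (same as typing: attrib -s -h -r -a <file>).
& attrib.exe -s -h -r -a $SuspectFile

# 2. Terminate any process whose image is the suspect file (same effect as
#    End Process in Task Manager). The process name is printed first so you can
#    see exactly what is being killed.
$holders = Get-Process | Where-Object { $_.Path -and ($_.Path -eq $SuspectFile) }
foreach ($p in $holders) {
    Write-Host ("Terminating {0} (PID {1})" -f $p.ProcessName, $p.Id)
    Stop-Process -Id $p.Id -Force
}

# 3. Copy the file into the collection folder and record its hashes and the
#    collection time, which support will ask for when the case is escalated.
New-Item -ItemType Directory -Path $CollectDir -Force | Out-Null
$dest = Join-Path $CollectDir (Split-Path $SuspectFile -Leaf)
Copy-Item -LiteralPath $SuspectFile -Destination $dest -Force

$sha256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
$md5    = (Get-FileHash -LiteralPath $dest -Algorithm MD5).Hash
"{0}`nSHA256: {1}`nMD5: {2}`nCollected: {3}`n" -f $dest, $sha256, $md5, (Get-Date -Format o) |
    Out-File -FilePath (Join-Path $CollectDir "collection.txt") -Append
```

Run it as `.\Collect-SuspectFile.ps1 -SuspectFile "C:\Windows\System32\example.dll"`. If Stop-Process fails or the process reappears immediately (a watchdog process restarting it), fall back to Safe Mode or the Recovery Console procedure below; the attribute change and the copy still work there without the termination step.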
To copy or rename malware files using Recovery Console, which is applicable for Windows NT, 2000, XP, and Server 2003 systems:
- Insert the Windows Installation CD in the CD-ROM.
- Press the Restart button of your machine.
- When prompted, press any key to boot from the CD.
- When prompted on the Main Menu, press R to enter the Recovery Console.
- Type the number of the Windows installation you want to log on to, press Enter, and enter the Administrator password when prompted.
- To copy the suspected file, type the following and press Enter:
copy %System%\<file name> C:\<file name1>
- To rename the suspected file instead, type the following and press Enter:
ren %System%\<file name> <file name1>
Here <file name> is the suspected file in the Windows system folder and <file name1> is the name of the copy or the new name for the file. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.
After rebooting the client machine, you should be able to retrieve the copied or renamed file.
To perform the cleanup:
- After deploying the solution, make sure that all machines are scanned and that all infection sources (check the virus logs) are scanned and cleaned.
- Enable daily scheduled scanning on all machines if there is a large number of infections on the network.
- Reset the virus count every day to verify that infection levels are going down.
- Identify the infection sources from the virus scan logs and scan or clean them individually (you may disconnect these systems from the network until they are cleaned).
It is always recommended to configure OSCE for malware protection. Aside from configuring OSCE, you may also want to implement the following:
- Controls on the network such as:
- Block access of unprotected systems on the network.
- Block access of unpatched systems on the network.
- Restrict internet access to malicious or unproductive sites using URL filtering.
- Use technologies like Web Reputation to automatically block access to malicious or suspected web sites.
- Disable full access to shared folders, make them read-only, or at least protect them with a complex password.
- Use stronger passwords for network shares, with a minimum length of eight characters and a mix of letters and numbers.
- Restrict access to USB drives from the BIOS or using Active Directory.
- Disable the Autorun feature on all the systems on the network.
Removable drives are one of the most popular propagation methods for recent malware found in the wild. If disabling USB completely is not possible, disable the Autorun feature on all systems to prevent malicious files from being copied automatically from USB drives to local drives.
You can deploy this setting to all users with Group Policy:
- Click Start > Run and type "gpedit.msc".
- Click OK. The Group Policy window will open.
- In the left pane, expand Computer Configuration and double-click Administrative Templates.
- In the right pane, double-click System.
- Scroll down the list and double-click Turn Off Autoplay.
- In the Turn Off Autoplay Properties window, select Enabled.
- From the dropdown next to Turn Off Autoplay on, select All drives.
- Click OK.
- Exit Group Policy by selecting File, then choosing Exit from the menu.
You can also edit the registry directly. Always back up the registry before making any modifications; incorrect changes to the registry can cause serious system problems.
- Open the Registry Editor (regedit.exe).
- Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Modify the NoDriveTypeAutoRun value (a DWORD). In the Edit DWORD Value dialog, make sure Base is set to Hexadecimal.
- Set the value data to 95 (hexadecimal 0x95, which disables Autorun on removable, network and unknown drive types). To disable Autorun on every drive type, use FF instead.
- Close the Registry Editor.
- Restart the computer for the change to take effect.
Note that a value under HKEY_CURRENT_USER affects only the user who is logged on; to enforce the setting for every user of the machine, set the same value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer as well.
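Both the Group Policy steps and the registry steps above end up writing the same NoDriveTypeAutoRun policy value (Computer Configuration writes it under HKLM, User Configuration under HKCU). The script below is an added example, not part of the original article, that makes the change for both hives with a backup first and then reads the value back to verify it. It assumes an elevated PowerShell session and a writable C:\Temp\RegBackup folder; the value 0xFF (all drive types) is the added example's choice, with the article's 0x95 noted beside it.

```powershell
# Added example (not from the original KB article): disable Autorun by registry
# policy for the current user and for all users of the machine, with a backup first.
# Assumes it is run from an elevated (Administrator) PowerShell session.
$valueName = "NoDriveTypeAutoRun"
$valueData = 0xFF   # all drive types; use 0x95 for the value given in the article
$keys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",   # current user only
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"    # every user on the machine
)
$backupDir = "C:\Temp\RegBackup"   # assumed backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($key in $keys) {
    # Back up the existing key (if any) with reg.exe before touching it.
    $regPath = $key -replace '^HKCU:\\', 'HKEY_CURRENT_USER\' -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    $hive = ($key -split ':')[0]
    $backupFile = Join-Path $backupDir "$hive-Explorer.reg"
    Remove-Item -Path $backupFile -ErrorAction SilentlyContinue   # avoid the overwrite prompt
    & reg.exe export $regPath $backupFile 2>$null | Out-Null     # no output if the key did not exist

    # Create the Policies\Explorer key if it does not exist, then set the DWORD.
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $valueName -Value $valueData -PropertyType DWord -Force | Out-Null

    # Read the value back so the change can be confirmed (and logged) per hive.
    $actual = (Get-ItemProperty -Path $key -Name $valueName).$valueName
    "{0}\{1} = 0x{2:X2}" -f $key, $valueName, $actual
}
```

A reboot (or at least a new logon for the HKCU value) is still required for the policy to take effect, as in the manual procedure. On Windows XP, Server 2003 and Vista the value only behaves as documented once Microsoft's Autorun update has been installed, so verify with a test USB drive carrying a harmless autorun.inf rather than trusting the registry read-back alone.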
- For users who do not use script-based applications, disable all known scripting capabilities in the browser (IE). This can also be done with Group Policy.
- Advise Domino/mail server administrators to make HTML viewing of e-mail optional rather than the default. HTML-based mail is heavier, and if HTML is the primary view and a malicious HTML message is received, it can lead to a series of further infections.
- Maintain a proper inventory of all network systems and ensure that these systems, especially FTP servers and file servers used for shared or mapped folders, have antivirus installed and are properly hardened. Refer to the hardening documents for the relevant operating systems.
- Avoid default installations. Do not install services that are not needed on the system.
- Avoid configuring multiple vulnerable services on one box (e.g. Microsoft IIS, Microsoft SQL Server, FTP, mail, DNS and file services). Separating them lets you patch only the systems affected by a newly reported vulnerability, cuts down the overall number of patches required, and lets you set up filters on routing and switching devices and create different security zones based on the services and protocols each system runs.