1. First things first – Isolate the threat and notify relevant persons!
If anyone in your organization suspects a malware incident, the first step is to isolate the threat by taking one of the following actions:
- Disconnecting the individual system, or the affected portion of the network, from the rest of the network. (Recommended)
- Switching off the system to prevent further spread of the malware. Note that powering off discards volatile evidence such as memory contents and active network connections, which makes it harder to gather evidence later.
- Leaving the system switched on and connected to the network so that help desk personnel can troubleshoot it remotely. However, a system that stays connected may infect shares and other machines, upload (exfiltrate) data, or download further malware.
Based on initial assessment, notify relevant persons of a possible malware incident.
2. Confirm the infection.
Gather all available information to confirm whether an infection actually exists. It could be an isolated incident affecting a single system, an outbreak affecting multiple systems, or a false alarm. Therefore, confirm the infection before taking any further steps.
3. Clean, Restore or Rebuild the system.
Depending on the level of infection, decide whether to clean the system, restore its state, or rebuild it, and perform the appropriate action. If performing a rebuild, determine the risk to the data stored on the system and make a backup to preserve a snapshot of its state prior to re-installation. This is useful in case you later discover you forgot to copy something you need, and for evidential purposes. Please note that if the backup is made while the infected operating system is running, the malware may continue to infect or destroy the data being copied. If performing cleaning, follow the steps below:
- Identify and kill malicious processes.
- Identify and delete malicious autorun entries.
- Reboot and repeat the previous two steps, since persistence mechanisms often restore killed processes.
- Delete associated files and folders.
- Run a full scan with your installed antivirus product.
- If disinfection succeeds, connect the system to the network again. If possible, connect it to a separate network first to verify that everything is indeed back to normal. Perform an online scan with a different antivirus product from the one installed.
Malware may be the result of an insider breach. If you suspect that the malware was introduced by an insider, refer to the Insider Breach section.
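As an added example that is not part of this guide, the following POSIX shell script supports the "identify malicious autorun entries" and "delete associated files" steps above on a Linux host. It walks common autorun locations (systemd unit files and cron.d entries), extracts the binaries they launch, hashes each one and compares the hash against a list of known-bad SHA-256 digests. Entries whose binary no longer exists are reported as dangling, because a surviving autorun entry can re-drop or re-launch a payload after a reboot, which is exactly why the guide says to reboot and repeat. The directory layout, file names, fake payload and hash list are all constructed for the example; run it against a live root only after the host has been isolated, and treat a "clean" verdict as "not in the IOC list", not as proof of innocence.

```shell
#!/bin/sh
# Added example, not part of the original guide: triage helper that flags
# autorun entries launching known-bad binaries on a Linux-style file tree.
# Assumptions: POSIX sh, sha256sum (or shasum) available, autorun entries in
# ROOT/etc/systemd/system/*.service and ROOT/etc/cron.d/*, and an IOC file
# holding one SHA-256 hex digest per line. All paths and hashes below are
# constructed for the example.
set -u

# Print the SHA-256 of a file, or "missing" if it is not a regular file.
sha256_of() {
  if [ ! -f "$1" ]; then
    echo missing
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Print the executable paths an autorun file references, one per line.
# systemd: Exec*= lines, allowing the '-', '@', '+', '!' and ':' prefixes.
# cron.d:  the command is field 7 (five time fields, then the user name).
referenced_binaries() {
  case "$1" in
    *.service)
      sed -E -n 's/^Exec(Start|StartPre|StartPost)=[-@+!:]*([^[:space:]]+).*/\2/p' "$1"
      ;;
    */cron.d/*)
      grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '^[[:space:]]*[A-Za-z_]+=' | awk '{print $7}'
      ;;
  esac
}

# Walk the autorun locations under ROOT and print one tab-separated line per
# referenced binary: VERDICT, autorun file, binary path, SHA-256.
#   MALICIOUS: hash is listed in the IOC file
#   DANGLING:  binary no longer exists (remove the entry; the payload may return)
#   clean:     hash not in the IOC file (not proof of innocence)
scan_autoruns() {
  root="$1"
  ioc="$2"
  for f in "$root"/etc/systemd/system/*.service "$root"/etc/cron.d/*; do
    [ -f "$f" ] || continue
    referenced_binaries "$f" | while read -r bin; do
      [ -n "$bin" ] || continue
      h=$(sha256_of "$root$bin")
      if [ "$h" = missing ]; then
        verdict=DANGLING
      elif grep -qiFx "$h" "$ioc"; then
        verdict=MALICIOUS
      else
        verdict=clean
      fi
      printf '%s\t%s\t%s\t%s\n' "$verdict" "$f" "$bin" "$h"
    done
  done
}

# Build a constructed tree: one benign service, one dangling service, and a
# cron job plus a service that both launch the same fake payload. Prints ROOT.
build_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/systemd/system" "$d/etc/cron.d" "$d/usr/bin" "$d/var/tmp/.cache"
  printf '#!/bin/sh\necho backup\n' > "$d/usr/bin/backup-agent"
  printf '#!/bin/sh\nwhile :; do sleep 60; done\n' > "$d/var/tmp/.cache/kworkerd"
  printf '[Service]\nExecStart=/usr/bin/backup-agent --nightly\n' > "$d/etc/systemd/system/backup.service"
  printf '[Service]\nExecStart=-/opt/removed/agent start\n' > "$d/etc/systemd/system/old.service"
  printf '[Service]\nExecStart=/var/tmp/.cache/kworkerd --daemon\n' > "$d/etc/systemd/system/sysupdate.service"
  printf 'SHELL=/bin/sh\n# constructed entry\n*/5 * * * * root /var/tmp/.cache/kworkerd\n' > "$d/etc/cron.d/sysupdate"
  sha256_of "$d/var/tmp/.cache/kworkerd" > "$d/iocs.txt"
  echo "$d"
}

# Usage: sh autorun-triage.sh ROOT IOC_FILE   (ROOT is / for a live host, or
# the mount point of an offline image), or: sh autorun-triage.sh --demo
case "${1:-}" in
  --demo) d=$(build_demo_tree); scan_autoruns "$d" "$d/iocs.txt"; rm -rf "$d" ;;
  "") ;;
  *) scan_autoruns "$1" "${2:?IOC file required}" ;;
esac
```

Scanning an offline image (a mounted disk of the powered-off system) rather than the live root avoids the problem noted above of running tools while the malware is still active, and the same IOC list can be reused across hosts to tell an isolated incident from an outbreak.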