Virus Response Plan

Spin

Gurus,

Most of you MVPs, Helpdesk and System Engineer types most likely work in
large private corporations, or some level of state or government. That
said, do any of you have a virus response plan in place such that when your
central Virus monitoring system (be it the Symantec System Center Alert
Management Console or whatever) sends out a virus alert that a machine has
been compromised such that the virus could not be removed or quarantined
then an IT incident-responder (be it a helpdesk or field technician) hits
the floor, finds the workstation and executes a written set of procedures to
clean the virus or wipe the machine and re-load the OS.

I am looking for whatever someone has written up so that I can get a
head-start on this writing assignment my manager has dumped on me. :)
 
Robert Moir

Spin said:
Gurus,

Most of you MVPs, Helpdesk and System Engineer types most likely work
in large private corporations, or some level of state or government.
That said, do any of you have a virus response plan in place such
that when your central Virus monitoring system (be it the Symantec
System Center Alert Management Console or whatever) sends out a virus
alert that a machine has been compromised such that the virus could
not be removed or quarantined then an IT incident-responder (be it a
helpdesk or field technician) hits the floor, finds the workstation
and executes a written set of procedures to clean the virus or wipe
the machine and re-load the OS.
I am looking for whatever someone has written up so that I can get a
head-start on this writing assignment my manager has dumped on me.

Nothing special in place for my site. A report of a virus infection is
classed as a top priority urgent helpdesk call and will be looked at
straight away, but other than that we don't have any special script for
doing anything from then on, it's very rare we have a virus actually do
anything on our network and even rarer that our AV scanner can't cope with
it automatically.

As that's so rare, we felt anything that got to that stage ought to be
properly assessed and our actions decided by understanding the problem. It
is no good just blindly leaping about in a panic or like robots with a
script, wiping an infected computer without understanding how and why it
became infected. What if it's just the first report of an infection on
your server, or of an email-borne virus that your email scanners aren't
configured to pick up?

--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".
 
Patrick Dickey

I would have to agree with Robert here (although I'm not in a corporate
environment-- just a home user). From the things I've read in the past, the
first thing is to disconnect the suspect computer from the rest of the
network (to prevent the virus from spreading any further than it has) and
then analyze it. Not just remove it. If it's just one that your scanner
missed, check to make sure that the AV has the latest definitions and that
it's functioning. If it's new, then you may want to submit a sample to
sites like VirusTotal or your AV's security response center (or virus
submission).


--
Patrick Dickey.

smile... someone out there cares deeply for you.
http://www.microsoft.com/protect
http://update.microsoft.com
http://www.pats-computer-solutions.com
 
Hank Arnold

Unless you are 100% certain that the computer infected is the only one,
the best practice might be to shut the network down and check it out
carefully. Make sure that all the servers are secure first and then add
systems back as they are swept.

Our network is set up with a GB switch that has all the servers and the
other 10/100 switches plugged into it. This allows us to isolate the
clusters of machines and verify that they are virus free before allowing
them back onto the network.

Having said that, the best policy is to prevent viruses. We have
Symantec AV Corporate Edition running on every server and PC with real
time protection on all user PCs as well as server folders that users can
access. We scan every machine daily and update virus signatures every 4
hours. We also have our incoming and outgoing e-mails scanned by a
service (Message Labs). Since we did that, our Exchange AV scanner has
not recorded a single infected e-mail (almost 2 years now)...

Being that we

Regards,
Hank Arnold
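
The dispatch trigger Spin describes (an alert where the scanner could neither clean nor quarantine) together with Hank's rule of thumb of isolating a whole switch segment when the infection is not confined to one workstation can be written down as triage logic over the console's alert feed. What follows is an added example, not code from any poster in this thread or from Symantec; the alert line format, host names, addresses and the SERVER_HOSTS set are constructed for illustration.

```python
"""Triage of AV-console alert lines into dispatch / isolation actions.

Assumed line format (constructed, not any vendor's real export):
    <timestamp> host=<name> ip=<addr> threat=<name> action=<Cleaned|Quarantined|LeftAlone>
"""
import ipaddress
from collections import defaultdict

# Constructed sample feed: two workstations and a file server on which the
# scanner could not act, plus two alerts the scanner handled on its own.
SAMPLE_ALERTS = """\
2005-03-01T09:12:03 host=WS-014 ip=10.1.2.14 threat=W32.Example action=Cleaned
2005-03-01T09:12:40 host=WS-031 ip=10.1.2.31 threat=W32.Example action=LeftAlone
2005-03-01T09:13:05 host=WS-033 ip=10.1.2.33 threat=W32.Example action=LeftAlone
2005-03-01T09:15:22 host=WS-101 ip=10.1.5.101 threat=Trojan.Example action=Quarantined
2005-03-01T09:16:10 host=FILESRV1 ip=10.1.0.5 threat=W32.Example action=LeftAlone
"""

SERVER_HOSTS = {"FILESRV1"}  # constructed: hosts that count as servers


def parse_alert(line):
    """Split one alert line into a dict of its key=value fields plus timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["timestamp"] = ts
    return rec


def triage(text, segment_prefix=24):
    """Return a list of (action, target, threat) tuples.

    Every host where the scanner left the threat in place gets a 'dispatch'
    (technician goes to the machine, disconnects it, analyses before wiping).
    A segment (one /24 here, standing in for one edge switch) gets an
    'isolate_segment' when the same threat is unhandled on more than one
    host in it, or on any server, since that is no longer a single-machine
    problem and the segment should be checked before it rejoins the network.
    """
    unhandled = [r for r in map(parse_alert, text.splitlines())
                 if r["action"] == "LeftAlone"]
    actions = []
    by_segment = defaultdict(list)
    for r in unhandled:
        net = ipaddress.ip_network(f"{r['ip']}/{segment_prefix}", strict=False)
        by_segment[(str(net), r["threat"])].append(r["host"])
        actions.append(("dispatch", r["host"], r["threat"]))
    for (net, threat), hosts in by_segment.items():
        if len(hosts) > 1 or any(h in SERVER_HOSTS for h in hosts):
            actions.append(("isolate_segment", net, threat))
    return actions
```

Alerts the scanner already cleaned or quarantined produce no action at all, which matches Robert's point that those cases are routine helpdesk calls rather than incidents.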
 
