Educause Security Discussion mailing list archives

Re: viruses that have been cleaned or quarantined


From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 22 Jun 2017 13:46:44 -0400

This is a touchy subject in some cases, and I think there is a certain
amount of subjectivity that needs to be brought into context.

If the infection was contained before it was able to launch/take hold (i.e.
AV prevented a file from being downloaded, or accessed after download),
then "cleaning" is somewhat of a misnomer. Remove the infected file, and
you're all set.

On the flip side, if the process has executed, then nuke the machine from
orbit, and rebuild it. Don't connect it to any networks, don't recover
data, assume that it is dirty, and will contaminate anything else it
touches. (While it is nice to run utilities such as DBAN from a USB drive,
this is one case where I suggest a burned CD, and a USB CD/DVD drive if
needed.)

I've had cases where I had to give people the bad news that their data was
lost. I found the key in those discussions is to make it easy for them to
have server-side storage that is backed up regularly.

Frank

On Thu, Jun 22, 2017 at 8:13 AM, Garmon, Joel <garmonjs () wfu edu> wrote:

Very good thread.

There is another nuance that I consider in reviewing AV alerts -- was it
caught in a real-time scan (meaning the first time the file was downloaded
or used, and stopped before executing) or in a periodic scan (a daily or
weekly scan, which means the virus has been on the system for a while and
already executed)?

We also have special groups for departments that handle PII and have
alerts set up so we know when any virus hits these groups. We review every
alert associated with PII. This is a team effort between security, service
desk, and desktop support.


Thank you,

Joel Garmon
Director Information Security
Wake Forest University
336-758-2972

http://infosec.wfu.edu/


On Wed, Jun 21, 2017 at 4:52 PM, Kevin Wilcox <wilcoxkm () appstate edu>
wrote:

On 21 June 2017 at 15:50, Chelsie Power <cpower () csusm edu> wrote:

If your virus scanner has cleaned or quarantined a virus/malware/etc., do
you do any additional scanning or follow-up on the endpoint? I know virus
definitions, though up to date, may potentially just be catching a virus
that has lived on the machine for several months and had only been recently
identified. Do you trust that "cleaned" means it took care of any damage
that had been done, if any?

Chelsie -

I see no difference between AV and IDS. The idea that AV can "clean" a
system is one that I'd like to see eradicated.

That's not to say that it's impossible - just that it takes known-good
cryptographic hash values for every file on the system, a trusted
off-system scanning agent and good alerting when something changes.
That's before having the same thing in place for registry hives, the
ability to detect/audit ADSs, etc.

If AV alerts on anything, and I can't otherwise determine it's a false
positive, it's a re-image of the system. Again, AV alerts are treated
the same as IDS alerts. There are some exceptions where it's profile
removal/recreation but generally speaking that's insufficient for most
of our environment.

One massive hole in that approach - we back up data, re-image and
restore. If something is hiding in one of the backed-up files, it
comes back on the newly-built system.

It's certainly not perfect and needs some work but I've done too many
forensic examinations of systems to trust that AV can do anything
beyond alerting on 25% of the stuff that's out there.

kmw





-- 
Frank Barton
ACMT
IT Systems Administrator
Husson University
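The triage rule Joel and Frank describe (a real-time hit was stopped before it ran, so removing the file is enough; a scheduled-scan hit has probably been resident and executed, so the host is rebuilt; anything in a PII-handling group is reviewed by hand) and Kevin's stricter "every unconfirmed alert is a re-image" stance, as an added example that is not part of this thread. The CSV layout, host names, group names and scan_type values are constructed for the example, not taken from any AV product.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample AV export for this example; the column layout, host
# names, group names and threat names are invented, not from any product.
SAMPLE_LOG = """\
timestamp,host,group,scan_type,action,threat
2017-06-21T09:12:03,lab-17,students,realtime,blocked,Trojan.Generic
2017-06-21T23:00:41,hr-ws-04,hr-pii,scheduled,quarantined,Backdoor.Agent
2017-06-22T07:45:10,bursar-02,finance-pii,realtime,quarantined,Adware.Bundle
2017-06-22T23:00:12,lib-kiosk-3,public,scheduled,cleaned,Worm.Generic
"""

PII_GROUPS = {"hr-pii", "finance-pii"}      # assumed group names
REALTIME_SCANS = {"realtime", "on-access"}  # assumed scan_type values


@dataclass(frozen=True)
class Verdict:
    host: str
    likely_executed: bool  # scheduled-scan hit: resident a while, probably ran
    disposition: str       # "remove-file" or "reimage"
    escalate: bool         # PII-handling group: every alert is reviewed


def triage(alert: dict, policy: str = "contextual") -> Verdict:
    """policy="contextual": re-image only when the threat likely executed.
    policy="strict": any alert not proven a false positive is a re-image."""
    likely_executed = alert["scan_type"].lower() not in REALTIME_SCANS
    if policy == "strict" or likely_executed:
        disposition = "reimage"
    else:
        disposition = "remove-file"   # contained before launch: delete the file
    escalate = alert["group"].lower() in PII_GROUPS
    return Verdict(alert["host"], likely_executed, disposition, escalate)


def triage_log(text: str, policy: str = "contextual") -> list:
    """Parse a CSV export and return one Verdict per alert row."""
    return [triage(row, policy) for row in csv.DictReader(StringIO(text))]


if __name__ == "__main__":
    for v in triage_log(SAMPLE_LOG):
        flag = "  [PII group: review]" if v.escalate else ""
        print(f"{v.host:12} executed={v.likely_executed!s:5} -> {v.disposition}{flag}")
```

Note that a "cleaned" action from a scheduled scan still yields a re-image here, which is the thread's answer to whether "cleaned" can be trusted.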