Educause Security Discussion mailing list archives
Re: viruses that have been cleaned or quarantined
From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 22 Jun 2017 13:46:44 -0400
This is a touchy subject in some cases, and I think there is a certain amount of subjectivity that needs to be brought into context. If the infection was contained before it was able to launch/take hold (i.e. AV prevented a file from being downloaded, or accessed after download), then "cleaning" is somewhat of a mis-nomer. remove the infected file, and you're all set. On the flip side, if the process has executed, then nuke the machine from orbit, and rebuild it. Don't connect it to any networks, don't recover data, assume that it is dirty, and will contaminate anything else it touches. (While it is nice to run utilities such as DBAN from a USB Drive, this is one case where I suggest a burned CD, and a USB cd/dvd drive if needed) I've had cases where I had to give people the bad news that their data was lost. I found the key in those discussions is to make it easy for them to have server-side storage that is backed up regularly. Frank On Thu, Jun 22, 2017 at 8:13 AM, Garmon, Joel <garmonjs () wfu edu> wrote:
Very good thread. There is another nuance that I consider in reviewing AV alerts -- was it caught in a real time scan (meaning the first time the file was downloaded or used and stopped before executing) or in a periodic scan (daily or weekly scan which means the virus has been on the system for a while and already executed) We also have special groups for departments that handle PII and have alerts set up so we know when any virus hits these groups. We review every alert associated with PII. This is a team effort between security, service desk, and desktop support.. Thank you, Joel Garmon Director Information Security Wake Forest University 336-758-2972 <(336)%20758-2972> http://infosec.wfu.edu/ On Wed, Jun 21, 2017 at 4:52 PM, Kevin Wilcox <wilcoxkm () appstate edu> wrote:On 21 June 2017 at 15:50, Chelsie Power <cpower () csusm edu> wrote:If your virus scanner has cleaned or quarantined a virus/malware/etc.,doyou do any additional scanning or followup on the endpoint? I know virus definitions, though up to date, may potentially just be catching a virus that have lived on the machine for several months and had only beenrecentlyidentified. Do you trust that "cleaned" means it took care of any damage that had been done, if any?Chelsie - I see no difference between AV and IDS. The idea that AV can "clean" a system is one that I'd like to see eradicated. That's not to say that it's impossible - just that it takes known-good cryptographic hash values for every file on the system, a trusted off-system scanning agent and good alerting when something changes. That's before having the same thing in place for registry hives, the ability to detect/audit ADSs, etc. If AV alerts on anything, and I can't otherwise determine it's a false positive, it's a re-image of the system. Again, AV alerts are treated the same as IDS alerts. There are some exceptions where it's profile removal/recreation but generally speaking that's insufficient for most of our environment. One massive hole to that approach - we backup data, re-image and restore. If something is hiding in one of the backed-up files, it comes back on the newly-built system. It's certainly not perfect and needs some work but I've done too many forensic examinations of systems to trust that AV can do anything beyond alerting on 25% of the stuff that's out there. kmw
-- Frank Barton ACMT IT Systems Administrator Husson University
Current thread:
- viruses that have been cleaned or quarantined Chelsie Power (Jun 21)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 21)
- Re: viruses that have been cleaned or quarantined Ken Connelly (Jun 21)
- Re: viruses that have been cleaned or quarantined Belford, Jason C. (jcb3zr) (Jun 21)
- Re: viruses that have been cleaned or quarantined Garmon, Joel (Jun 22)
- Re: viruses that have been cleaned or quarantined Frank Barton (Jun 22)
- Re: viruses that have been cleaned or quarantined Tim Doty (Jun 22)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 22)
- Re: viruses that have been cleaned or quarantined Ken Connelly (Jun 21)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 21)