Educause Security Discussion mailing list archives
Re: Helpdesk malware "first responder" tools, techniques, processes
From: Lecarla Christian <lchristian () COLORADO EDU>
Date: Mon, 19 Aug 2019 14:12:05 +0000
Hi Jim,

Due to potential risks and/or issues, we refer faculty, staff, and students to our walk-in center for virus/malware remediation, or if faculty/staff we schedule a tech office appointment. Your questions below somewhat mirror what we ask before referring them to the walk-in center/s.

Best,
LeCarla

LeCarla Christian
IT Service Center/Incident Manager
Office of Information Technology
University of Colorado Boulder
Boulder, Colorado 80309
Help: 303 735 4357 (5-HELP on campus)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Monday, August 19, 2019 7:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Helpdesk malware "first responder" tools, techniques, processes

Bumping this to see if anyone has any suggestions, especially around standalone scanning tools.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

From: Jim A. Bole
Sent: Monday, August 12, 2019 2:28 PM
To: 'SECURITY () LISTSERV EDUCAUSE EDU' <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Helpdesk malware "first responder" tools, techniques, processes

I'm interested in what others have done to help their helpdesk "first responders" handle potentially infected endpoints:

1. Any list of questions or script that a helpdesk person can use with the end user to help determine what may have occurred ("What link did you click on", etc). Below is a list I've started.
2. Any standalone malware scanner or other tools? Everyone loves Malwarebytes, but I think licensing is an issue.
3. Any other initial steps that a "first responder" should do (or not do)?

My initial list of questions to triage possible malware issues:

i. Is the computer currently running?
ii. What network is the computer connected to?
   1. If desktop that only has Ethernet wired connection - have user disconnect.
   2. If using WiFi connection
      a. See if user can identify the network
      b. Try to have user disable WiFi
iii. What windows, pop-ups or messages can be seen?
   1. Get as many details as possible.
   2. If user has mobile device, have them take a picture of the screen.
iv. Are there any other unusual behaviors on the computer?
   1. Files not accessible or filenames being changed/encrypted
   2. Mouse or keyboard not working
   3. Sounds
v. What was the user doing on the computer immediately prior to the detection?
   1. Using email (ask if they recall any subject lines, recipients, name of attachments)
   2. Browsing websites (ask if they recall what sites)
   3. Opening files from a server (what was the name of the server or drive letter)
   4. Installing a browser extension or toolbar:
      a. What browser are they using (Chrome, Edge, Safari, Firefox, etc)?
vi. What was the name or type of extension or toolbar?
vii. Did the user take any actions after the detection?
   1. Entering information to any box/window such as username and password, cell number, etc.
   2. Restarting the computer.
   3. Going to any other websites to search for information about the behavior.
   4. Attempting to install any software, such as a virus cleaner.

Thanks in advance,

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696
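One way to turn Jim's question list into a first-responder triage helper that records the answers and derives the containment step, escalation flags and evidence to collect, as an added example (not code from the thread or either university); the flag wording, the walk-in/escalate outcome and the do-not-power-on policy are assumptions.

```python
from dataclasses import dataclass

@dataclass
class TriageAnswers:
    """Answers to the helpdesk intake questions (i-vii in the thread)."""
    powered_on: bool
    connection: str                 # "ethernet", "wifi" or "none"
    messages_seen: str = ""         # text of pop-ups/windows the user reports
    files_changed: bool = False     # files inaccessible or renamed/encrypted
    input_devices_unresponsive: bool = False
    prior_activity: str = ""        # "email", "web", "fileserver", "extension"
    entered_credentials: bool = False
    restarted: bool = False
    installed_cleaner: bool = False

# Evidence to ask for, keyed by what the user was doing before detection.
EVIDENCE_BY_ACTIVITY = {
    "email": "subject lines, sender, attachment names",
    "web": "sites visited before detection",
    "fileserver": "server name or drive letter",
    "extension": "browser and extension/toolbar name",
}

def triage(a: TriageAnswers) -> dict:
    actions, flags, evidence = [], [], []
    # Containment first: get the endpoint off the network, user-driven.
    if a.connection == "ethernet":
        actions.append("have user unplug the Ethernet cable")
    elif a.connection == "wifi":
        actions.append("have user identify the network and disable WiFi")
    if not a.powered_on:
        actions.append("do not power on; bring to walk-in center")  # assumed policy
    # Capture screen evidence before anything changes.
    if a.messages_seen:
        evidence.append("photo of the on-screen message from a mobile device")
    if a.prior_activity in EVIDENCE_BY_ACTIVITY:
        evidence.append(EVIDENCE_BY_ACTIVITY[a.prior_activity])
    # Indicators that need more than a routine cleanup (assumed flag names).
    if a.files_changed:
        flags.append("possible ransomware: files renamed/encrypted")
    if a.input_devices_unresponsive:
        flags.append("possible remote control: mouse/keyboard unresponsive")
    if a.entered_credentials:
        flags.append("credential exposure: reset password and review account")
    if a.restarted:
        flags.append("volatile evidence lost by restart")
    if a.installed_cleaner:
        flags.append("user-installed 'cleaner': treat as untrusted software")
    severity = "escalate" if flags else "walk-in remediation"
    return {"severity": severity, "actions": actions, "flags": flags, "evidence": evidence}
```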