Educause Security Discussion mailing list archives

Re: Helpdesk malware "first responder" tools, techniques, processes


From: Lecarla Christian <lchristian () COLORADO EDU>
Date: Mon, 19 Aug 2019 14:12:05 +0000

Hi Jim,

Due to potential risks and/or issues, we refer faculty, staff, and students to our walk-in center for virus/malware
remediation, or if faculty/staff we schedule a tech office appointment. Your questions below somewhat mirror what we
ask before referring them to the walk-in center/s.

Best, LeCarla

LeCarla Christian
IT Service Center/Incident Manager
Office of Information Technology
University of Colorado Boulder
Boulder, Colorado 80309

Help: 303 735 4357 (5-HELP on campus)



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Monday, August 19, 2019 7:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Helpdesk malware "first responder" tools, techniques, processes

Bumping this to see if anyone has any suggestions, especially around standalone scanning tools.


Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



From: Jim A. Bole
Sent: Monday, August 12, 2019 2:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Helpdesk malware "first responder" tools, techniques, processes

I'm interested in what others have done to help their helpdesk "first responders" handle potentially infected endpoints:


1. Any list of questions or script that a helpdesk person can use with the end user to help determine what may
   have occurred ("What link did you click on", etc.). Below is a list I've started.

2. Any standalone malware scanner or other tools? Everyone loves Malwarebytes, but I think licensing is an issue.

3. Any other initial steps that a "first responder" should do (or not do)?

My initial list of questions to triage possible malware issues:

i.   Is the computer currently running?

ii.  What network is the computer connected to?
     1. If desktop that only has Ethernet wired connection - have user disconnect.
     2. If using WiFi connection
        a. See if user can identify the network
        b. Try to have user disable WiFi

iii. What windows, pop-ups or messages can be seen?
     1. Get as many details as possible.
     2. If user has mobile device, have them take a picture of the screen.

iv.  Are there any other unusual behaviors on the computer?
     1. Files not accessible or filenames being changed/encrypted
     2. Mouse or keyboard not working
     3. Sounds

v.   What was the user doing on the computer immediately prior to the detection?
     1. Using email (ask if they recall any subject lines, recipients, name of attachments)
     2. Browsing websites (ask if they recall what sites)
     3. Opening files from a server (what was the name of the server or drive letter)
     4. Installing a browser extension or toolbar:
        a. What browser are they using (Chrome, Edge, Safari, Firefox, etc.)?

vi.  What was the name or type of extension or toolbar?

vii. Did the user take any actions after the detection?
     1. Entering information to any box/window such as username and password, cell number, etc.
     2. Restarting the computer.
     3. Going to any other websites to search for information about the behavior.
     4. Attempting to install any software, such as a virus cleaner.

Thanks in advance,

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

