IPD - Malware Response

Malware Response

Infrastructure Planning and Design


Published: February 2011
What Is IPD?
Guidance that clarifies and streamlines the planning and design process for Microsoft infrastructure technologies

IPD:
• Defines decision flow
• Describes decisions to be made
• Relates decisions and options for the business
• Frames additional questions for business understanding
IPD guides are available at www.microsoft.com/ipd
Purpose and Overview

Purpose
• To provide a process and tasks to help determine the nature of the malware problem, limit the spread of malware, and return the system to operation

Overview
• Confirm the infection
• Determine a course of action
• Evaluate effectiveness
• Conduct a post-attack review
Response to a Malware Incident Decision Flow

Step 1: Confirm the Infection
• Task 1: Isolate the Threat
  • Contain the immediate threat by performing one of the following:
    • Power the system off
    • Disconnect the system from the network
    • Leave the system on and connected to the network to allow help desk personnel to remotely troubleshoot the system
• Task 2: Notify Others to Be on Alert
  • Watch for an emerging malware outbreak
  • Time may be an important factor
  • Gather reports to help evaluate the scope and severity of the threat
Step 1: Confirm the Infection (Continued)
• Task 3: Gather Information About the Threat
  • Gather information from the user:
    • Determine the unusual activity that prompted the report
  • Gather information from the system:
    • Determine whether antivirus and anti-malware software were installed, running, and up to date
    • Determine whether all updates and patches for the operating system and applications were current
Step 1: Confirm the Infection (Continued)
• Task 4: Determine the Breadth of the Problem
  • Is this an isolated incident, or are multiple systems experiencing the same problems?
  • Multiple systems affected may increase the alert level
• Task 5: Determine Whether Malware Is Present
  • Evaluate evidence to determine whether the organization is experiencing a malware attack
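The "gather information from the system" items in Task 3 (anti-malware installed, running and current; patches current) and the breadth question in Task 4 can be answered the same way on every suspect host. The following PowerShell is an added example and is not part of the IPD guide or any Microsoft tool; it assumes Windows PowerShell 3.0 or later, the Defender module (Get-MpComputerStatus, Windows 8/Server 2012 and later), WinRM for the remote variant, and the widely used but undocumented reading of the SecurityCenter2 productState bitfield. The thresholds (3 days for definitions, 45 days for patches) are illustrative values, not guidance from the page.

```powershell
# Added example (not from the IPD guide). Collects Step 1, Task 3 facts from a
# Windows host and, for Task 4, runs the same collector across many hosts.
function Get-MalwareTriageFacts {
    param([int]$MaxSignatureAgeDays = 3, [int]$MaxPatchAgeDays = 45)  # assumed thresholds

    $facts = [ordered]@{ ComputerName = $env:COMPUTERNAME; CollectedAt = Get-Date }

    # --- Anti-malware: installed, enabled, definitions current? ---
    # Client SKUs register AV products in root/SecurityCenter2; servers lack the namespace.
    try {
        $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop
        $facts.RegisteredAntivirus = foreach ($p in $products) {
            # productState is undocumented; the common interpretation (an assumption here):
            # hex digits 3-4 = '10' or '11' -> enabled; hex digits 5-6 = '00' -> definitions current.
            $hex = '{0:X6}' -f $p.productState
            [pscustomobject]@{
                Name        = $p.displayName
                Enabled     = $hex.Substring(2, 2) -in @('10', '11')
                Definitions = if ($hex.Substring(4, 2) -eq '00') { 'current' } else { 'stale' }
            }
        }
    } catch {
        $facts.RegisteredAntivirus = 'root/SecurityCenter2 not available (server SKU?)'
    }

    # Defender specifics, where the module is present.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $facts.DefenderRunning         = $mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled
        $facts.DefenderSignatureAge    = $mp.AntivirusSignatureAge          # in days
        $facts.DefenderSignaturesStale = $mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays
        $facts.DefenderLastQuickScan   = $mp.QuickScanEndTime
    }

    # Are the protection, firewall and update services actually running?
    $facts.Services = Get-Service -Name WinDefend, MpsSvc, wuauserv -ErrorAction SilentlyContinue |
        Select-Object Name, Status

    # --- Patch currency: most recently installed update ---
    $hotfixes = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending
    $facts.LatestHotfix = $hotfixes | Select-Object -First 1 HotFixID, InstalledOn
    $facts.DaysSinceLastPatch = if ($hotfixes) {
        (New-TimeSpan -Start $hotfixes[0].InstalledOn -End (Get-Date)).Days
    } else { $null }
    $facts.PatchingStale = ($null -eq $facts.DaysSinceLastPatch) -or
                           ($facts.DaysSinceLastPatch -gt $MaxPatchAgeDays)

    [pscustomobject]$facts
}

# Task 4 (breadth): run the collector on the hosts the help desk reported and
# summarise which ones are unprotected or unpatched. Requires PowerShell remoting.
function Get-MalwareTriageBreadth {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-MalwareTriageFacts} |
        Select-Object PSComputerName, DefenderRunning, DefenderSignaturesStale,
                      PatchingStale, DaysSinceLastPatch
}

# Usage: the reporting host first, then the wider population (placeholder names).
Get-MalwareTriageFacts | Format-List
# Get-MalwareTriageBreadth -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
```

The per-host object is deliberately kept as data rather than printed text so that results from many machines can be collected into one table; a cluster of hosts with stale definitions or no recent patches is exactly the signal Task 4 asks for when deciding whether to raise the alert level.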
Validating with the Business (Step 1)
• To help understand the organization’s priorities when responding to a malware incident, ask the business stakeholders the following questions:
  • Is there an expectation for the response time required to return the systems to operation?
  • Have policies and procedures been documented for isolating computers infected with malware so users and the business are prepared for the impact on productivity?
Step 2: Determine Course of Action Decision Flow
Step 2: Determine Course of Action
• Task 1: Determine the Risk to Data
  • Consider the risk to the data, and verify whether the data has been backed up:
    • Operating system files and configuration settings
    • Application installation sources, configuration settings, and data
    • User data
• Task 2: Decide Whether to Examine Malware’s Effects on the System
  • The primary factors when considering examination are whether the organization has the expertise needed and how urgent it is to return the system to operation
Step 2: Determine Course of Action (Continued)
• Task 3: Decide Whether to Clean, Restore System State, or Rebuild
  • This table provides details on the advantages and disadvantages of each option:
Validating with the Business (Step 2)
• To ensure that all requirements have been identified to recover from a malware incident, ask business stakeholders the following questions:
  • Does the recovery plan budget resources appropriately, depending on the scope of the outbreak and the business impact of the affected computers?
  • Are there different response expectations to address different types of data and systems, such as High Impact, Medium Impact, and/or Low Impact designations for these different assets?
Step 3: Attempt to Clean the System Decision Flow
Step 3: Attempt to Clean the System
• Task 1: Clean the System
  • Use scanning tools to detect and potentially automatically remove any malware from the system, or manually remove the malware
  • See the table on the next two slides for the pros and cons of cleaning
Step 3: Attempt to Clean the System (Continued)
• Task 1: Clean the System (Continued)
  • This table summarizes the advantages and disadvantages of each cleaning option:
Step 3: Attempt to Clean the System (Continued)
• Task 2: Evaluate Effectiveness
  • At the end of each option, evaluate its effectiveness and consider whether additional measures, including re-running scans, need to be taken to ensure that the system can be safely returned to production:
    • “No malware found” does not conclusively mean cleaned
    • Permissions or settings may have been changed
  • If malware is still present, attempt to restore system state or rebuild the computer
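Because a clean scan does not prove the system is back in its intended state, the effectiveness checks in Steps 3, 4 and 5 benefit from comparing settings that malware commonly alters against a known-good baseline. The following PowerShell is an added example, not part of the IPD guide: it snapshots autostart entries, services, non-Microsoft scheduled tasks, the hosts file hash, UAC, firewall profiles and Defender exclusions, diffs the snapshot against a baseline captured from a known-good build, and applies a few minimal "return to production" gates. It assumes Windows PowerShell 4.0 or later (Get-FileHash) on Windows 8/Server 2012 or later (Get-ScheduledTask, Get-NetFirewallProfile, Get-MpPreference), run elevated; the baseline file name is a placeholder.

```powershell
# Added example (not from the IPD guide): settings snapshot and diff for the
# "Evaluate Effectiveness" tasks. Assumes PS 4+, Windows 8+/Server 2012+, elevated.
function Get-SettingsSnapshot {
    $snap = [ordered]@{}

    # Autostart values under the usual Run/RunOnce keys (PS* are provider metadata, not values).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $snap.Autostart = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            foreach ($v in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                "$k\$($v.Name) = $($v.Value)"
            }
        }
    }

    # Every service with its start mode and binary path.
    $snap.Services = Get-CimInstance Win32_Service |
        ForEach-Object { "$($_.Name) [$($_.StartMode)] $($_.PathName)" } | Sort-Object

    # Scheduled tasks outside the \Microsoft\ folder, with what they execute.
    $snap.Tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            "$($_.TaskPath)$($_.TaskName) -> $actions"
        }

    # Single-value settings that are often tampered with.
    $snap.HostsSha256 = (Get-FileHash "$env:SystemRoot\System32\drivers\etc\hosts" -Algorithm SHA256).Hash
    $snap.UacEnabled  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA -eq 1
    $snap.FirewallOff = (Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Name
    $pref = Get-MpPreference
    $snap.DefenderExclusions       = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)
    $snap.DefenderRealTimeDisabled = [bool]$pref.DisableRealtimeMonitoring

    [pscustomobject]$snap
}

# Diff a current snapshot against a baseline (e.g. one loaded from JSON).
function Compare-SettingsSnapshot {
    param([Parameter(Mandatory)]$Baseline, [Parameter(Mandatory)]$Current)
    foreach ($list in 'Autostart', 'Services', 'Tasks', 'DefenderExclusions') {
        $ref = @($Baseline.$list | Where-Object { $_ })
        $cur = @($Current.$list  | Where-Object { $_ })
        Compare-Object -ReferenceObject $ref -DifferenceObject $cur | ForEach-Object {
            # '=>' means present now but not in the baseline; '<=' means missing now.
            [pscustomobject]@{ Area = $list; Change = $_.SideIndicator; Item = $_.InputObject }
        }
    }
    foreach ($scalar in 'HostsSha256', 'UacEnabled', 'DefenderRealTimeDisabled') {
        if ("$($Baseline.$scalar)" -ne "$($Current.$scalar)") {
            [pscustomobject]@{ Area = $scalar; Change = 'changed'
                               Item = "$($Baseline.$scalar) -> $($Current.$scalar)" }
        }
    }
}

# Minimal gates that should hold before the system goes back to production.
function Test-ReturnToProductionGates {
    param([Parameter(Mandatory)]$Current)
    $issues = @()
    if (-not $Current.UacEnabled)          { $issues += 'UAC (EnableLUA) is disabled' }
    if ($Current.FirewallOff)              { $issues += "Firewall disabled for profile(s): $($Current.FirewallOff -join ', ')" }
    if ($Current.DefenderRealTimeDisabled) { $issues += 'Defender real-time monitoring is disabled' }
    if (@($Current.DefenderExclusions | Where-Object { $_ }).Count -gt 0) {
        $issues += 'Defender exclusions are configured; review each one'
    }
    $issues
}

# Usage (placeholder file name). Capture the baseline once from a known-good build:
#   Get-SettingsSnapshot | ConvertTo-Json -Depth 3 | Set-Content .\baseline.json
# After cleaning or restoring:
#   $base = Get-Content .\baseline.json -Raw | ConvertFrom-Json
#   $now  = Get-SettingsSnapshot
#   Compare-SettingsSnapshot -Baseline $base -Current $now | Format-Table -AutoSize
#   Test-ReturnToProductionGates -Current $now
```

Every difference the diff reports is something to explain, not necessarily malware; the value of the comparison is that it surfaces the changed permissions and settings that a "no malware found" scan result says nothing about.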
Additional Considerations (Step 3)
• Microsoft tools to help:
  • Windows Defender helps provide protection against spyware.
  • Microsoft Security Essentials is a consumer-oriented offering that helps provide protection against spyware, viruses, and other malicious software.
  • The Malicious Software Removal Tool checks for infections and helps remove infections, if one is found.
  • For enterprise customers, Microsoft® Forefront® Endpoint Protection helps provide unified protection from viruses, spyware, and other current and emerging threats for business client computers, portable computers, and server operating systems.
  • The Windows Live® OneCare safety scanner is a free online service that checks for and removes viruses, spyware, and other potentially malicious software and finds vulnerabilities or shortcomings in Internet security.
Step 4: Attempt to Restore System State
• Task 1: Restore System State
  • The tools for restoring the system state vary depending on the installed operating system, but the mechanisms are similar
• Task 2: Evaluate Effectiveness
  • Does it appear that malware is still on the system?
  • Are any security or system settings not corrected?
  • Does the system operate properly according to the user’s expectations (user acceptance–type testing)?
Step 5: Rebuild the System Decision Flow
Step 5: Rebuild the System
• Task 1: Rebuild the System
  • As a reminder, any critical data on the system should be backed up, because rebuilding the system will destroy any data on the hard disk
• Task 2: Restore User Settings and Data
  • Ensure that the files are clean prior to restoring them by scanning them with a malware scanner
• Task 3: Evaluate Effectiveness
  • Verify that the system is clean of malware and protected against future infections
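Task 2 above requires that restored user files be scanned before they land on the rebuilt system. The following PowerShell is an added example and is not part of the IPD guide: backup files are restored into a staging folder, the staging folder is scanned with Windows Defender after a signature update, and only if no detection refers to that folder are the files copied into the new profile, as data only and without overwriting anything the fresh build already contains. It assumes Windows 8/Server 2012 or later (Start-MpScan, Get-MpThreatDetection, Update-MpSignature), an elevated session, and Defender's default remediation of quarantining what it finds; the paths and the one-day signature threshold are placeholders.

```powershell
# Added example (not from the IPD guide): scan staged user data, then restore it
# only when the scan is clean. Assumes Windows 8+/Server 2012+, run elevated.
function Restore-ScannedUserData {
    param(
        [Parameter(Mandatory)][string]$StagingPath,      # where the backup was restored to
        [Parameter(Mandatory)][string]$DestinationPath,  # the user's profile on the rebuilt system
        [int]$MaxSignatureAgeDays = 1                    # assumed threshold
    )

    # Refresh definitions first; a scan with stale signatures proves little.
    Update-MpSignature -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        throw "Signatures are $($status.AntivirusSignatureAge) days old; update them before scanning restored data"
    }

    # Custom scan of the staging tree only. Start-MpScan returns when the scan completes.
    $scanStart = Get-Date
    Start-MpScan -ScanType CustomScan -ScanPath $StagingPath

    # Any detection recorded since the scan began whose resource lies under the
    # staging folder blocks the restore (Resources holds strings such as "file:_C:\...").
    $hits = Get-MpThreatDetection | Where-Object {
        $_.InitialDetectionTime -ge $scanStart -and
        (($_.Resources -join ' ') -like "*$StagingPath*")
    }
    if ($hits) {
        foreach ($h in $hits) { Write-Warning "Threat $($h.ThreatID) detected in $($h.Resources -join ', ')" }
        return [pscustomobject]@{ Restored = $false; Detections = @($hits).Count }
    }

    # Clean: copy the tree as data only (robocopy's default /COPY:DAT carries no ACLs,
    # so permissions from the old system are not reintroduced) and skip any file that
    # already exists in the fresh profile (/XC /XN /XO together exclude all existing files).
    robocopy $StagingPath $DestinationPath /E /XC /XN /XO /R:1 /W:1 /NFL /NDL | Out-Null
    # robocopy exit codes below 8 mean success (0 = nothing to copy, 1 = files copied).
    return [pscustomobject]@{ Restored = ($LASTEXITCODE -lt 8); Detections = 0 }
}

# Usage (placeholder paths):
# Restore-ScannedUserData -StagingPath 'D:\restore\jdoe' -DestinationPath 'C:\Users\jdoe'
```

Staging the data on a separate volume and scanning it there keeps any infected file out of the rebuilt profile entirely, so a detection means deleting the staging copy and going back to an older backup rather than cleaning a file that has already been placed on the production system.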
Step 6: Conduct a Post-attack Review
• This section provides suggestions for conducting a post-attack review to document the decisions made during the event to speed up the recovery process in future events:
  • Work with legal counsel, if necessary
  • Consider estimating how much the attack may have cost the business for internal reporting purposes
  • Review the anti-malware defense-in-depth policy
  • Add lessons learned to security policies
Summary and Conclusion
• This guide provided recommendations for limiting the risk of malware infecting computers in organizations. It introduced a defense-in-depth approach to protecting systems against viruses, spyware, and other types of undesirable software.
• It also described approaches to investigating outbreaks and cleaning infected systems. Appendix C of the accompanying IPD Malware Response Guide presents three approaches to building a bootable CD-ROM or DVD that the organization can use to scan and clean systems while they are offline.
• Provide feedback to [email protected].
Find More Information
• Download the full document and other IPD guides: www.microsoft.com/ipd
• Contact the IPD team: [email protected]
• Access the Microsoft Solution Accelerators website: www.microsoft.com/technet/SolutionAccelerators
Questions?
Addenda
• Benefits for consultants or partners
• Malware security products at a glance
Benefits of Using the Malware Response Guide
• Benefits for business stakeholders/decision-makers:
  • Most cost-effective design solution for implementation
  • Alignment between the business and IT from the beginning of the design process to the end
• Benefits for infrastructure stakeholders/decision-makers:
  • Authoritative guidance
  • Business validation questions ensuring that the solution meets the requirements of business and infrastructure stakeholders
  • High-integrity design criteria that include product limitations
  • Fault-tolerant infrastructure
  • Infrastructure that is sized appropriately for business requirements
Benefits of Using the Malware Response Guide (Continued)
• Benefits for consultants or partners:
  • Rapid readiness for consulting engagements
  • Planning and design template to standardize design and peer reviews
  • A “leave-behind” for pre- and post-sales visits to customer sites
  • General classroom instruction/preparation
• Benefits for the entire organization:
  • Using the guide should result in a design that will be sized, configured, and appropriately placed to deliver a solution for achieving stated business requirements
Appendix A: Malware Security Products at a Glance
Microsoft offers several security products for both enterprise and home users. This table provides this information at a glance. See http://www.microsoft.com/security/portal/Shared/Help.aspx#security_products for up-to-date information.
