Infection and Cleaning in Corporate Environment

The corporate environment is more complicated than the home one.

There are a number of file servers and many tens to thousands of client computers. An antivirus is usually installed on all those machines. In most cases it detects the malware that attacks a company; however, there can be cases when malware outsmarts the antivirus, and then malware samples are traced and detection is improved. The system administrators need to be sure that the whole environment, both servers and clients, is clean and that no malware is still active. System administrators are very disturbed when multiple and repeated detections occur. Consider a number of scenarios that have been observed:

1. Successfully stopped, but repeated attack.

Some malware is reported detected and removed, then reported again and again. Examples are Win32/Conficker or Win32/Caphaw, which are distributed via exploits. A Win32/Conficker DLL with a random name is detected in the System directory, and later detected again under another name. Is the computer infected? Probably not, as we know this malware: the attacker succeeds in penetrating the victim computer and creates a DLL, but it is immediately deleted by the antivirus, and then the attack repeats. To be 100% sure that the computer is clean, it is possible to run a memory scan and verify that Conficker did not infect the memory. It is difficult to find the infection source in such cases. General-purpose and malware-specific file and network monitors can help. The monitor output should be filtered to limit the log size, and sometimes it can take a long time to observe a repeated attack. Windows Update or vulnerability hotfixes are recommended.

2. Server is clean, clients are infected.

Detections in some, but not all, shared folders repeatedly pop up at the server. This means that most probably the server is not infected: malware does not run on it and does not infect it. But some clients are infected, and the antivirus on them does not detect the malware for some reason. The infected clients infect the shared folders to which they have write access; in particular, a worm tries to propagate this way. In this case the problem is at these clients. Their AV may have been shut down by the malware attack and/or prevented from updating. Updates from the server could also be blocked. Solving problems at multiple clients can be difficult and may require manual work on each one.

3. Server is infected.

This is the worst case: malware runs on the server, it drops files into shared folders, clients run them and get infected. The sign of server infection is detections in non-shared folders, particularly in the Windows directory. However, it could also be scenario 1: the malware attempted to attack and was stopped. It is important to determine what is actually occurring: if the server is infected, all the clients are in danger.

In this case the safest way is to disconnect the server from the network, cure it and connect it again. However, for most malware cases it is enough to scan all the disks, including shared drives.

4. Malware is running and creating additional components.

Detections are observed periodically even if a computer is disconnected from the network. This means that the antivirus detects only some of the malware components: they are detected and then created again by the other ones. This computer is infected. In this case the solution is to locate these components and add detection for them. The full scan then usually removes the infection.

An additional challenge could be memory infection. Then the malicious code runs not as its own process but as code injected into another one. Deleting the malware sample may not help: the components could be created again from memory, or access to them could be denied. Usually it is enough to update the antivirus and reboot the computer; then the malware components will be detected and deleted when they attempt to start.
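The decision logic of scenarios 1 to 4, as an added example that is not part of the original article: it triages constructed antivirus detection lines from a file server by where the detected files sit (shared folders versus the Windows directory), whether the names change between detections, whether the machine was off the network, and, for share detections, which client wrote the file. The log format, the share root and the writer field are assumptions.

```python
import re
from collections import Counter

# Constructed antivirus log lines from file server FS01: time, host, detected path,
# and (assumed available from share auditing) the client that wrote the file.
SAMPLE_LOG = """\
08:00:12 FS01 C:\\Shares\\Finance\\report.exe writer=PC-17
08:05:40 FS01 C:\\Shares\\Finance\\invoice.exe writer=PC-17
08:09:02 FS01 C:\\Shares\\HR\\setup.exe writer=PC-42
08:15:00 FS01 C:\\Windows\\System32\\qzxw.dll writer=SYSTEM
08:31:00 FS01 C:\\Windows\\System32\\plmk.dll writer=SYSTEM
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) writer=(\S+)$")
SHARED_ROOT = "C:\\Shares\\"   # assumption: all exported shares live under this root
SYSTEM_ROOT = "C:\\Windows\\"  # non-shared location; detections here concern the server itself

def parse_log(text):
    """Parse the constructed log format into dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, path, writer = m.groups()
            events.append({"ts": ts, "host": host, "path": path, "writer": writer})
    return events

def triage(events, network_connected=True):
    """Map a server's detections onto scenarios 1-4; returns a list of (scenario, advice)."""
    findings = []
    shared = [e for e in events if e["path"].startswith(SHARED_ROOT)]
    system = [e for e in events if e["path"].startswith(SYSTEM_ROOT)]
    if len(events) > 1 and not network_connected:
        # Scenario 4: files keep reappearing with no network, so the machine itself recreates them.
        findings.append((4, "host infected: locate the component that recreates the files, then full scan"))
    if system:
        names = {e["path"].rsplit("\\", 1)[-1] for e in system}
        if len(system) > 1 and len(names) == len(system):
            # Scenario 1: same System directory, a different random name each time -> blocked, repeated attack.
            findings.append((1, "repeated blocked attack likely: memory scan to confirm, apply the missing hotfix"))
        else:
            # Scenario 3: detections outside the shares, e.g. the Windows directory -> the server may be infected.
            findings.append((3, "server possibly infected: disconnect it, scan all disks including shares"))
    if shared:
        # Scenario 2: only shared folders are hit -> server clean; the writers are the infected clients.
        writers = Counter(e["writer"] for e in shared)
        findings.append((2, "server clean, check infected clients: " + ", ".join(sorted(writers))))
    return findings
```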

5. Parasitic virus infection vs. Trojan found.

Unlike Trojans, parasitic viruses modify clean files, and usually many clean files are affected. It is not enough to kill and delete the malware; the affected files must be cleaned. It is common that viruses corrupt files, so that a correct cure is impossible. This depends on the virus species: some always infect correctly and some corrupt. The system administrator should consult antivirus specialists in this case. For corrupted files, the only option is any available kind of restore from backup; this is manual work and can take much time in total to clean all the computers. In case of a virus infection it is important to stop it as soon as possible to prevent corruption of files. The measure is usually to disconnect the infected machines from the network.

As with other malware, viruses often infect memory, so that even if all the files on the machine are cleaned, the virus continues to infect and new detections are observed. In this case the options are either using a memory cure utility, or cleaning after booting from clean media.