What Should You Do when You Find Malware?
Discovering signs of malware calls for prompt, effective action. You need to get rid of the problem and deal with its consequences. Avoid panic. Proceed a step at a time, and you’ll have the best chance of restoring normal operations with minimal losses. Take the following five steps, moving quickly but systematically.
- Confirmation. Determine if there really is a problem.
- Isolation. Keep the malware from attacking other systems.
- Eradication. Remove it from the affected system or systems.
- Remediation. Identify and deal with the consequences.
- Fortification. Improve your defenses so that there isn’t a recurrence.
Confirmation
The first signs of malware can come from a variety of sources. An employee may report a misbehaving system or a ransomware message. Monitoring systems or logs may report a problem. Sometimes the dog that doesn’t bark is the clue; if anti-malware systems stop issuing regular reports, something is wrong and needs looking into.
Other signs of malware include persistently slow operation, crashes, applications starting or stopping for no apparent reason, a sudden increase in disk usage, and reports that your systems are sending spam.
These signs are sometimes false alarms. Look into exactly what is happening before taking more serious steps. A misbehaving machine may just need a reboot. The ransomware message could be a bluff on a website. Monitoring alerts can be false positives. An email message reporting malware could be designed to push you into taking the wrong action.
Be reasonably sure the problem is real, and take further action if it is.
Isolation
If an employee has a communicable disease, your first priority is to keep others from catching it. You tell the sick employee to stay home. Likewise, if a computer has malware, you start by keeping it from spreading. If possible, take it off the network. If you can’t, limit access to it as much as possible. At a minimum, shut down the affected service.
The issue isn’t just that the malware will try to replicate itself. Any software on your local network is in a good position to access databases and steal or alter confidential information. To minimize the chances of harm, you need to keep the malware from doing that.
You may need to give the affected system Internet access to solve the problem. In this case, you can still set up the firewall so that all traffic that isn’t strictly necessary is blocked. Firewall or proxy logs may show that the malware is communicating with a “command and control” server. You can block that server with the firewall, but watch the logs afterwards: the malware may switch to another one.
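One way to carry out that log review, as an added example that is not part of the original article: the script below parses constructed firewall egress log lines, reports which destinations the isolated host reached that are not on a (hypothetical) allowlist of strictly necessary services, and flags destinations it started reaching only after the first server was blocked, which is the fallback behaviour the paragraph warns about. The log format and all addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall egress log (not from a real system).
# Assumed format: "<ISO time> <source host> -> <dest ip>:<port> <ALLOW|DENY>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 ws-17 -> 203.0.113.10:443 ALLOW
2024-03-01T09:00:06 ws-17 -> 192.0.2.44:8443 ALLOW
2024-03-01T09:05:11 ws-17 -> 192.0.2.44:8443 DENY
2024-03-01T09:05:40 ws-17 -> 198.51.100.7:8443 ALLOW
2024-03-01T09:06:02 ws-22 -> 203.0.113.10:443 ALLOW
"""

# Hypothetical allowlist: the only destination the isolated host still needs
# (for example, the vendor's update server).
ALLOWED_DESTINATIONS = {("203.0.113.10", 443)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) -> (?P<ip>[\d.]+):(?P<port>\d+) (?P<action>ALLOW|DENY)$"
)

def parse_log(text):
    """Turn matching log lines into records; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                            "dest": (m["ip"], int(m["port"])), "action": m["action"]})
    return records

def unexpected_egress(records, allowed):
    """Per host: destinations it actually reached that are not on the allowlist."""
    out = defaultdict(set)
    for r in records:
        if r["action"] == "ALLOW" and r["dest"] not in allowed:
            out[r["host"]].add(r["dest"])
    return dict(out)

def fallback_after_block(records, host, blocked_ip, allowed):
    """Destinations `host` reached after its first DENY to blocked_ip that are
    neither allowlisted nor the blocked server itself: a likely C2 fallback."""
    denies = [r["ts"] for r in records
              if r["host"] == host and r["dest"][0] == blocked_ip and r["action"] == "DENY"]
    if not denies:
        return set()
    block_time = min(denies)
    return {r["dest"] for r in records
            if r["host"] == host and r["ts"] > block_time and r["action"] == "ALLOW"
            and r["dest"] not in allowed and r["dest"][0] != blocked_ip}
```

Run `unexpected_egress` first to find the suspect server, then re-run `fallback_after_block` on fresh logs after the block to see whether a new destination has taken its place.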
Eradication
Once you’ve identified and isolated the problem, you’ve bought time to get rid of it. Removing malware is a difficult problem. You may want expert outside assistance, but you can try some things before following that route.
Many malware removal products are available on the market. If you already have anti-malware software on the system (and you should), you can use its removal features. Be careful, though; the more advanced forms of malware know how to avoid detection. A zero-day threat (one that’s been exploited before it’s generally known) usually won’t be caught.
If you can run the malware removal from a bootable external drive, your chances of a clean fix are better. The tools then run from a clean environment that the infection on the hard drive has had no chance to tamper with.
The most obvious malware isn’t necessarily the only problem. A common strategy is to use an obvious attack to distract attention from a sneakier one. You may eliminate the problem you know about and not realize that a more serious one is still active.
The downloader that installed the malware could still be present. It will wake up periodically, check if the malware is still present, and re-install it if it isn’t. You need to find and remove that piece, or the problem will come right back. Be sure the problem is gone before re-connecting the system to your network.
Remediation
Once you’ve removed the malware, your problems aren’t over. You need to find out what damage it did and remedy it. The worst case is a data breach; your confidential data has been exposed to outside criminals or state actors. If that happens, you need to find out its extent, and you may be legally obligated to report it. The matter becomes a legal and public relations issue as well as a technical one.
Even if you don’t have a breach, you may have suffered loss of data. Compare the current state to a known good backup. Use your backups to restore everything to a known good state.
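The comparison against a known good backup can be done mechanically, as in this added example (not code from the original article): it hashes every file under a backup tree and under the live tree, then lists what was added, removed or modified. The `demo` function builds a small constructed pair of directory trees in a temporary location so the script runs offline; the file names and contents are made up for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify the differences between a known-good manifest and the current state."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: a backup tree and the post-incident live tree."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "etc").mkdir(parents=True)
            (root / "etc" / "app.conf").write_text("listen=8080\n")
            (root / "etc" / "users.txt").write_text("alice\nbob\n")
        # Differences introduced on the live system: one config file edited,
        # one unknown binary dropped, one file deleted. All constructed values.
        (live / "etc" / "app.conf").write_text("listen=8080\nlog_level=none\n")
        (live / "bin").mkdir()
        (live / "bin" / "svchelper").write_bytes(b"constructed placeholder binary")
        (live / "etc" / "users.txt").unlink()
        return compare_to_baseline(build_manifest(backup), build_manifest(live))
```

In practice, build the baseline manifest from the backup media and store it separately, so the comparison does not rely on anything read from the compromised system.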
The malware could have installed a backdoor to enable further infections. You need to check for vulnerabilities and remove them.
Change all passwords on the affected system. That’s a simple fix that guards against the chance that the malware grabbed them. Check for accounts that the malware created, as well as outdated accounts that should be deactivated.
Fortification
The malware is gone, and you’ve dealt with its consequences. Congratulations. But one question remains: How did it happen?
You might have old software with known vulnerabilities. A phishing message might have duped an employee. Your anti-malware software may not be good enough. Another machine in your network might be the source of the infection.
The follow-up to any malware incident has to include a review of the defenses on the network and on individual machines. It may reveal that better employee training is necessary. It might conclude that the schedule for updating software needs improvement. Perhaps the firewall needs hardening. There are always ways to improve network security, and a malware attack emphasizes the importance of staying ahead of the villains.
Even with the best defenses, malware attacks will sometimes get through. It’s never a pleasant experience, but following these steps will help you to defeat them and prevent recurrences. With strong protective measures and alert employees, the incidents will be rare. When they happen, deal with them systematically. Use them as an opportunity to improve your defenses. We can help to improve your company’s security posture. Contact us to arrange a consultation.