
Thread: How do you clean an infected machine.

  1. #1

    How do you clean an infected machine.

    I'm asking this question to understand what "you" do to clean up an infected machine.

    Considering the OS is Windows 2000 and above.

    To start:

    What do you believe in? (ONLY WORKSTATIONS, NOT TALKING ABOUT CRITICAL SYSTEMS AND SERVERS. I'm only sticking to end-user systems. These systems will never house critical data.)

    1. Clean the machine and continue using it?

    Or

    2. Reghost or rebuild the machine?

    Consider the fact that you have around 5000 machines spread across the country, served by a third-party tech team with NO SLA set.

    And

    Scenario 2: Consider only 2 or 3 workstations. That's it. However, would you still clean it?

    I am also trying to get ideas so that I can write a cleanup guide for the community.



    Here is what I usually do:

    If it is a local machine:

    1. Ensure system restore is OFF.

    2. We use a BartPE CD with Kaspersky on it. This CD gets updated every morning. This is used to clean the machine. (For those who have never used Kaspersky on BartPE: it is the same as the complete AV suite with all features.)

    3. Just to be sure, we reboot in safe mode and use Trend Micro's SysClean with the latest pattern file.

    4. Use the anti-rootkit tools by Trend Micro and F-Secure.

    5. Post-cleanup, the machine is checked with sigverif and checked for any rogue services.


    6. Use NSS by Symantec, but this is not usually done.

    7. Depending on what we found, the system may be rebuilt, in case of rootkits or trojans.

    8. Change passwords and other credentials for the user.


    The machine is patched if not already patched. Security logs are browsed through to see if it was an intrusion or just an automated piece of code that made it through *due to unpatched machines*.


    Scenario 2:

    If it is a remote machine (none of our remote machines have CD/DVD-ROMs):

    Same steps, except for using the BartPE CD.

    We use SysClean and pattern files, sent over NetMeeting.


    ****

    My personal opinion is to never use an infected system, because you never know the extent of the damage. However, this is not feasible in a domain environment where machines are spread across the country and ghosting is not possible every time.

    Like I said, I want to make a tutorial on how to clean an infected machine, so if you have any points please let me know.

    I know IE or Firefox (browsers) can be used for scanning, but at that point in time the machine is in normal mode, and I prefer cleaning a machine in safe mode or through a boot CD.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
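Step 5 above (checking for unsigned binaries and rogue services after cleanup) is the kind of check that can be scripted so it is repeatable across many workstations. The following is an added example, not part of the original post or any of the tools it mentions; it assumes a modern Windows host with PowerShell 3 or later (the Windows 2000 targets in the post would still need sigverif and the Services console), and the function names `Get-ServiceBinaryPath` and `Find-SuspiciousServices` are the example's own. It lists every installed service whose executable is either outside the Windows and Program Files directories or does not carry a valid Authenticode signature, which is a triage list for the person doing the post-cleanup review, not a verdict.

```powershell
# Added example (not from the original post): flag services whose binary is unsigned
# or lives outside the usual system directories, for post-cleanup review.
# Assumes PowerShell 3+ (Get-CimInstance, Get-AuthenticodeSignature).

function Get-ServiceBinaryPath {
    # Extract the executable path from a Win32_Service PathName, which may be
    # quoted ("C:\Program Files\Foo\foo.exe" -arg) or unquoted with arguments
    # (C:\Windows\system32\svchost.exe -k netsvcs).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Find-SuspiciousServices {
    # Directories where a legitimately installed service binary is expected to live.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { -not [string]::IsNullOrEmpty($_) }

    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        $inTrustedDir = $false
        foreach ($dir in $trusted) {
            if ($exe -and $exe.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedDir = $true
            }
        }
        # Signature status is only meaningful if the file actually exists on disk;
        # a service pointing at a missing binary is itself worth a look.
        $sig = 'FileMissing'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
        }
        [pscustomobject]@{
            Name         = $_.Name
            State        = $_.State
            StartMode    = $_.StartMode
            Path         = $exe
            Signature    = $sig
            InTrustedDir = $inTrustedDir
        }
    } | Where-Object { (-not $_.InTrustedDir) -or ($_.Signature -ne 'Valid') }
}

# Run from an elevated prompt; review the output alongside the sigverif results.
Find-SuspiciousServices | Sort-Object InTrustedDir, Name | Format-Table -AutoSize
```

On Windows versions before 8, many Microsoft binaries are signed only through the system catalog, so `Get-AuthenticodeSignature` reports them as `NotSigned` and they will appear in the list; treat an entry as suspicious on the combination of location, signature status and whether anyone recognises the service name, and compare the list against a known-clean build of the same image where one exists.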

  2. #2
    nihil (Senior Member; Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)

    Hi ByTe~

    > I know IE or Firefox (browsers) can be used for scanning but then at that point of time machine is in normal mode and I prefer cleaning a machine in safe mode or through bootcd.

    Well, you could try safe mode with network connectivity?

    Trio of questions:

    1. Do these remote machines have WAN and/or internet connectivity?
    2. Do they have activated USB ports?
    3. Are they a standard software build (apart from versions)?

    The first thing I do is run CCleaner in safe mode. That gets rid of most of the temporary garbage and some malware with it.

    I don't place too much reliance on traditional AV products. Try others as well, like A-Squared, Spybot S&D and so forth. They are better at catching the less obvious malware.

    If I am dealing with a large number of machines I tend to go for the re-imaging/rebuilding route due to the time and cost factors that a cleanup may involve. It is also more certain in its outcome.

    I guess a lot also depends on what the infection is and what it does. Some nasties need special tools to clean them. If the machine has been "owned" I would generally go for a reinstall, on the grounds that you never know what else might have been put on there.
