By design, each of these was left to automatically run scripts, which can escalate to raw code. Modern Windows and MS Office are less inclined to automatically run scripts in "messages" and "documents", but web sites and even media files are still getting unwanted traction on our PCs.
So, what do you do when it's "not your system anymore"? You try and get it back! A corollary to Rule #1 might be "If the bad guy's code is not running, you may be able to reclaim your PC", and that informs how I approach such matters.
I found a useful article on this topic here...
http://defendingyourmachine.blogspot.com/2005/01/defending-your-machine.html
...though in some ways it differs from my own approach, which is (terse version)...
Clean the system:
- Isolate the PC from all networks, i.e. LAN, Internet, Bluetooth, WiFi, IR
- Formally scan for traditional malware, detect only, log results
- Read up on the malware found, clean according to caveats (warnings)
- Safe Mode (Command Prompt Only) scans for commercial malware
- Read up on the malware found, clean according to caveats
- Manually visualize integration points, manage what you find
- Repeat for each user account
- Purge all web caches, set a sane cache size (e.g. 20M), for each user account
- Purge Temp files
- If system running OK, purge all System Restore, manage SR size
- Create new System Restore point
- Defrag file systems
- Apply risk management settings
- Apply malware wall-outs e.g. Spyware Blaster or similar
- Set new baselines e.g. for HOSTS backups, etc.
- Create new System Restore point
- Make sure firewall is enabled / installed
- Review LAN network shares; do NOT full-share any part of startup axis
- Remove File and Print Sharing from unwanted "networks" (Internet, IR, WiFi etc.)
- Create new System Restore point
- Repeat cleaning process on all PCs on your LAN
- Reconnect cleaned PCs to LAN
- Reconnect to Internet
- Get and apply patches
- Create new System Restore point
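The "visualize integration points" and "set new baselines" steps above, as an added PowerShell example that is not from the original post: it records the Run/RunOnce keys, automatic services and the HOSTS file hash to a baseline file (plus a HOSTS backup), and on later runs reports anything new, changed or removed. The baseline path, the choice of keys and the Windows PowerShell 5.1 / Administrator requirement are assumptions of this example.

```powershell
# Added example (not from the original post): baseline the autostart
# integration points and the HOSTS hash, then diff on later runs.
# Assumes Windows PowerShell 5.1 run as Administrator; $BaselinePath is
# a hypothetical location chosen for this example.
param([switch]$SetBaseline)
$BaselinePath = "$env:ProgramData\pc-baseline.json"
$HostsFile    = "$env:SystemRoot\System32\drivers\etc\hosts"
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-IntegrationPoints {
    $entries = @{}
    foreach ($key in ($RunKeys | Where-Object { Test-Path $_ })) {
        # Each value under a Run key is one autostart entry; skip PS* metadata
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $entries["$key\$($p.Name)"] = [string]$p.Value }
        }
    }
    foreach ($svc in (Get-Service | Where-Object { $_.StartType -eq 'Automatic' })) {
        $entries["service\$($svc.Name)"] = $svc.DisplayName
    }
    # A changed HOSTS hash is a common sign of DNS redirection by malware
    $entries['hosts-sha256'] = (Get-FileHash -Path $HostsFile -Algorithm SHA256).Hash
    return $entries
}

$current = Get-IntegrationPoints
if ($SetBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Copy-Item -Path $HostsFile -Destination "$BaselinePath.hosts.bak"  # HOSTS backup
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Report anything new, changed or removed relative to the stored baseline
$baseline = @{}
foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
    $baseline[$p.Name] = [string]$p.Value
}
foreach ($k in $current.Keys) {
    if (-not $baseline.ContainsKey($k))     { Write-Warning "NEW:     $k = $($current[$k])" }
    elseif ($baseline[$k] -ne $current[$k]) { Write-Warning "CHANGED: $k = $($current[$k])" }
}
foreach ($k in $baseline.Keys) {
    if (-not $current.ContainsKey($k)) { Write-Warning "REMOVED: $k" }
}
```

Run it once with -SetBaseline right after the "set new baselines" step, then re-run it without the switch whenever you suspect something has crept back into the startup axis.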