Malware Threat Assessment: A Practical Guide

TL;DR

This guide outlines a step-by-step methodology for assessing and handling a suspected malware infection. It walks through preparation, identification, containment, eradication, recovery and post-incident review, with practical advice for both technical users and those who need to understand the process.

1. Preparation & Initial Assessment

  1. Define Scope: What systems are potentially affected? Is it a single computer, a network segment, or the entire organisation?
  2. Gather Information: Collect any initial reports of unusual behaviour – slow performance, error messages, unexpected pop-ups. Ask users what they were doing when problems started.
  3. Initial Triage (Non-Technical): Look for obvious signs:
    • Unexpected software installed.
    • Changes to browser homepage or search engine.
    • Unusual network activity (if visible – e.g., a lot of downloads).

2. Identification & Analysis

  1. Isolate the System: Disconnect the affected machine(s) from the network (unplug the cable or disable Wi-Fi, or block them at the switch or firewall) to prevent further spread. Leave the machine powered on: shutting it down destroys volatile evidence such as running processes, live network connections and memory-resident malware. Isolation is *crucial*.
  2. Run a Full Scan with Anti-Virus Software: Use your existing anti-virus solution first. Ensure its signatures are up to date before scanning; if the machine has already been isolated, update it from a clean machine using the vendor's offline definition package rather than reconnecting it to the network.
    # Example using Windows Defender (command line, from an elevated prompt)
    # -ScanType 2 is a full scan; -ScanType 3 is a custom scan of only the path given with -File.
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
  3. Second Opinion Scanner: Download and run a reputable second opinion scanner (e.g., Malwarebytes, HitmanPro). These often catch things your primary anti-virus misses.
    • Download from the official website only!
    • Run in Safe Mode where the scanner supports it: fewer third-party processes and drivers are loaded, so malware that hides or defends itself while Windows is fully booted is easier to find and remove.
  4. Process Analysis (Technical): Use tools like Process Explorer to identify suspicious processes:
    • Look for processes with unusual names or locations: names that mimic system binaries (e.g. svch0st.exe), or legitimate names running from the wrong directory (svchost.exe should live in C:\Windows\System32, not in a user's AppData or Temp folder).
    • Check CPU, memory and network usage – sustained high usage by an unknown process is a red flag.
    • Examine the parent process of any suspect program. A browser or Office application spawning PowerShell, cmd.exe or an unknown executable is a common infection pattern.
    • Check the image's digital signature and path; unsigned binaries outside Program Files and Windows deserve a closer look, though a valid signature is not proof of innocence.
  5. File Analysis (Technical): Look suspicious files up on VirusTotal by hash first, which tells you whether the file is already known without sharing its contents:
    https://www.virustotal.com/gui/file/YOUR_FILE_HASH

    Replace YOUR_FILE_HASH with the SHA256 hash of the file (PowerShell's Get-FileHash cmdlet computes it). Only upload the file itself if the hash is unknown and the file contains nothing confidential: uploaded samples are visible to other VirusTotal users. A clean result is not proof of safety; fresh or targeted malware is often unknown to every engine on its first day.
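The following script is an added example, not part of the original guide, that carries out steps 4 and 5 above in one pass: it lists every running process with its image path, parent process and Authenticode status, hashes the image with SHA256 and prints a VirusTotal lookup URL for anything that runs from an unusual location or is not validly signed. It assumes an elevated Windows PowerShell 5.1 (or later) session on the isolated host; the report folder C:\IR and the "trusted root" directories are choices made for this example.

```powershell
# Added example, not from the original guide: triage running processes (step 4)
# and hash their images for a VirusTotal hash lookup (step 5) in one pass.
# Assumptions: run as Administrator in Windows PowerShell 5.1 or later on the
# isolated host; $OutDir is an arbitrary local folder chosen for the report.
$OutDir = 'C:\IR'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Directories where legitimate binaries normally live. A process whose image is
# anywhere else (%TEMP%, %APPDATA%, Downloads, Public ...) deserves a closer look.
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # drop the empty x86 entry on 32-bit Windows

# Win32_Process exposes ParentProcessId and the full image path, which
# Get-Process does not return reliably for every process.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    if (-not $p.ExecutablePath) { continue }   # System, Idle and protected processes

    $inTrustedRoot = $false
    foreach ($root in $TrustedRoots) {
        if ($p.ExecutablePath.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedRoot = $true
        }
    }

    # Authenticode: 'Valid' means signed and the chain verifies. NotSigned or
    # HashMismatch is a red flag, but malware can carry a valid signature and
    # some legitimate tools are unsigned, so treat this as a hint, not a verdict.
    $sig    = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
    $status = if ($sig) { [string]$sig.Status } else { 'Unknown' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # SHA256 is what the VirusTotal URL in the guide expects. A hash lookup does
    # not upload the file, so nothing confidential leaves the machine.
    $hash       = (Get-FileHash -Algorithm SHA256 -Path $p.ExecutablePath -ErrorAction SilentlyContinue).Hash
    $parent     = $byPid[$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    [pscustomobject]@{
        PID        = $p.ProcessId
        Name       = $p.Name
        Path       = $p.ExecutablePath
        ParentPID  = $p.ParentProcessId
        ParentName = $parentName
        Signature  = $status
        Signer     = $signer
        SHA256     = $hash
        Suspicious = (-not $inTrustedRoot) -or ($status -ne 'Valid')
    }
}

# Keep the full table as evidence; the console only shows the suspicious subset.
$report | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'process-triage.csv')

# Print suspicious processes with ready-made lookup URLs. Open the URLs from a
# clean analyst machine, not from the infected one.
foreach ($r in ($report | Where-Object Suspicious)) {
    '{0,6} {1,-25} {2,-12} {3}' -f $r.PID, $r.Name, $r.Signature, $r.Path
    '       parent: {0} (PID {1})' -f $r.ParentName, $r.ParentPID
    if ($r.SHA256) { "       https://www.virustotal.com/gui/file/$($r.SHA256)" }
}
```

Expect some noise: legitimate unsigned tools and software installed under a user profile will be flagged, which is why the script records everything to CSV and leaves the decision to the analyst rather than killing anything.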

3. Containment

  1. Confirm Scope: Based on analysis, determine all affected systems.
  2. Network Segmentation: If possible, isolate affected network segments to limit spread.
  3. Account Lockdown: Reset passwords for any accounts that were logged on to, or had credentials stored on, infected machines, including service and administrator accounts. Perform the resets from a clean machine, and revoke active sessions and tokens where your identity provider supports it, since a password change alone does not end a session the attacker already holds.
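As an added example (not from the original guide) of the isolation step at the host level, the script below uses the built-in Windows firewall to cut a machine off from everything except a single responder workstation, so that remote triage can continue and volatile evidence is not lost by powering the host off. The responder address 10.0.0.50, the C:\IR folder and the rule names are placeholders chosen for this example; it also assumes Windows Defender Firewall is in use and that no Group Policy will push the original rules back while the host is isolated.

```powershell
# Added example, not from the original guide: isolate a Windows host with the
# built-in firewall while keeping one management path open for the responder.
# Assumptions: run elevated on the affected host; $IrHost is the IPv4 address of
# your analyst workstation or jump box (placeholder, replace it); Windows
# Defender Firewall is in use and no Group Policy re-applies rules while the
# host is isolated. Unlike pulling the plug, this keeps memory, live network
# connections and other volatile evidence available for analysis.
$IrHost = '10.0.0.50'                                 # assumed analyst host, change it
$Backup = 'C:\IR\firewall-before-isolation.wfw'       # .wfw is the netsh export format
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null

# 1. Save the current policy so the host can be returned to normal after eradication.
netsh advfirewall export $Backup | Out-Null

# 2. Add the responder's allow rules FIRST, so an existing remote session survives
#    the lockdown below. 3389 = RDP, 5985/5986 = WinRM (PowerShell remoting).
New-NetFirewallRule -DisplayName 'IR-Isolation-Inbound-Mgmt' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389,5985,5986 -RemoteAddress $IrHost `
    -Profile Any -Enabled True | Out-Null
New-NetFirewallRule -DisplayName 'IR-Isolation-Outbound-Mgmt' -Direction Outbound `
    -Action Allow -RemoteAddress $IrHost -Profile Any -Enabled True | Out-Null

# 3. Disable every other enabled rule. The profile's default action only applies
#    to traffic no rule matches, so leaving the stock allow rules active would
#    not isolate anything. Record what was disabled so it can be reviewed later.
$disabled = Get-NetFirewallRule -Enabled True |
    Where-Object { $_.DisplayName -notlike 'IR-Isolation-*' }
$disabled | Select-Object -ExpandProperty Name |
    Set-Content -Path 'C:\IR\rules-disabled-for-isolation.txt'
$disabled | Disable-NetFirewallRule

# 4. Default-deny in both directions on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Quick check: only the two IR rules should still be enabled.
Get-NetFirewallRule -Enabled True | Select-Object DisplayName, Direction, Action

# Revert after eradication: restore the saved policy and remove the IR rules.
function Restore-PreIsolationFirewall {
    netsh advfirewall import $Backup | Out-Null
    Get-NetFirewallRule -DisplayName 'IR-Isolation-*' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}
```

The order matters: the allow rules go in before the existing rules are disabled and the default action is set to block, otherwise a responder connected over RDP or WinRM locks themselves out. Host-based isolation is a complement to, not a replacement for, blocking the machine at the switch or firewall, because malware running with administrator rights can undo local firewall changes.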

4. Eradication

  1. Remove Malware: Use anti-virus and second opinion scanners to remove identified malware.
    • Quarantine detected files rather than deleting them outright, so they can be restored if a detection turns out to be a false positive and kept as samples for later analysis.
    • If a program refuses to be removed, consider booting from a rescue disk (see Recovery section).
  2. Clean Temporary Files: Delete temporary files and browser caches.
  3. Remove Suspicious Scheduled Tasks and Other Autostarts: Check the Task Scheduler for any unusual tasks that might be re-infecting the system, and check the other common autostart locations too (the Run and RunOnce registry keys, the Startup folders, and installed services). Malware that survives a reboot has a persistence mechanism somewhere; if you remove the files but not the autostart entry, the entry will simply fail, or re-download the payload.
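The following script is an added example (not from the original guide) of how to review scheduled tasks and Run-key autostarts for the eradication step. It flags entries whose command runs from a user-writable location, uses a script host such as powershell.exe or mshta.exe, or carries encoded or download-style arguments. It assumes an elevated PowerShell 5.1 (or later) session; the indicator lists are heuristics chosen for this example, not a malware signature database, and HKCU only covers the currently logged-on user.

```powershell
# Added example, not from the original guide: list scheduled tasks and Run-key
# autostarts, flagging entries that run from user-writable locations, use a
# script host, or carry encoded/download-style arguments. Assumptions: run
# elevated in PowerShell 5.1 or later; the patterns below are heuristics chosen
# for this example, not a definitive indicator list; HKCU covers only the
# current user (other users' hives must be loaded separately).
$UserWritable = @("$env:SystemDrive\Users\", "$env:SystemRoot\Temp\", "$env:PUBLIC\")
$ScriptHosts  = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
                'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe'
$OddArgs      = '-enc','-encodedcommand','frombase64string','iex','invoke-expression',
                'downloadstring','downloadfile','-windowstyle hidden','-exec bypass','-nop'

function Test-SuspiciousCommand {
    param([string]$Exe, [string]$Arguments)
    $reasons = @()
    $full = "$Exe $Arguments"
    foreach ($dir in $UserWritable) {
        if ($full -like "*$dir*") { $reasons += "references user-writable path $dir" }
    }
    $leaf = ($Exe.Trim('"') -split '[\\/]')[-1]          # file name of the executable
    if ($ScriptHosts -contains $leaf) { $reasons += "script/LOLBin host $leaf" }
    foreach ($tok in $OddArgs) {
        if ($Arguments -and $Arguments.ToLower().Contains($tok)) { $reasons += "argument contains '$tok'" }
    }
    return $reasons
}

$findings = New-Object System.Collections.Generic.List[object]

# Scheduled tasks: a task may have several actions; COM-handler actions have no Execute.
foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute)
        $why = Test-SuspiciousCommand -Exe $exe -Arguments $action.Arguments
        if ($why) {
            $findings.Add([pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Author  = $task.Author
                Command = ("$($action.Execute) $($action.Arguments)").Trim()
                Reasons = $why -join '; '
            })
        }
    }
}

# Run / RunOnce keys for the machine and the current user.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        # First token (quoted or bare) is the executable, the remainder is the arguments.
        if ($cmd -match '^\s*"([^"]+)"\s*(.*)$' -or $cmd -match '^\s*(\S+)\s*(.*)$') {
            $why = Test-SuspiciousCommand -Exe $Matches[1] -Arguments $Matches[2]
            if ($why) {
                $findings.Add([pscustomobject]@{
                    Source  = "$key\$($prop.Name)"
                    Author  = ''
                    Command = $cmd
                    Reasons = $why -join '; '
                })
            }
        }
    }
}

# Review before removing anything: record the entry, quarantine the target file,
# then unregister the task (Unregister-ScheduledTask) or delete the value
# (Remove-ItemProperty) once it is confirmed malicious.
$findings | Format-Table -AutoSize -Wrap
```

Legitimate software does sometimes autostart from a user profile or call cmd.exe, so every hit needs a human decision; the value of the script is that it pulls the candidates out of several hundred benign entries and records the exact command line for the incident report.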

5. Recovery

  1. Restore from Backup (Recommended): If available, restore affected systems from a clean backup taken *before* the infection. Bear in mind that malware is often present for some time before symptoms appear, so choose the restore point from the timeline established during analysis, not from the date the problems were first noticed.
    • Verify the integrity of the backup before restoring: check its checksums and scan its contents with up-to-date signatures, so you do not restore the infection along with the data.
  2. Re-image System: For severely infected systems or if backups are unavailable, re-imaging the system is often the fastest and most reliable solution. If the incident may need forensic follow-up or a report to authorities, capture a disk image first; wiping destroys the evidence.
  3. Boot from Rescue Disk (Technical): Use a bootable rescue disk containing anti-virus tools to scan and clean the system before booting into Windows.
    • Kaspersky Rescue Disk and Bitdefender Rescue CD are well-known options. Build the boot media on a clean machine and verify the download against the vendor's published checksum.

6. Post-Incident Activity

  1. Review Logs: Analyse system logs and network traffic to establish how the malware arrived, when it first ran, what it installed, and whether it touched other hosts or exfiltrated data. Any evidence of lateral movement sends you back to the containment phase.
  2. Update Security Measures: Patch vulnerabilities, strengthen passwords, review firewall rules, and improve cyber security awareness training.
  3. Incident Reporting: Document the incident thoroughly, including timelines, affected systems, malware identified (names and hashes), and actions taken. Consider reporting to the relevant authorities if required (e.g., the ICO in the UK where personal data has been breached).
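The script below is an added example, not part of the original guide, of the log review step on a Windows host. It pulls the event types most useful for reconstructing a malware incident (Defender detections, process creations, new scheduled tasks, services and accounts, PowerShell script blocks) into one CSV timeline and then pivots on the first Defender detection. It assumes an elevated session; $Start and $End are placeholders bracketing the suspected infection window. The Security-log events 4688 and 4698/4702 exist only if process-creation and object-access auditing were enabled beforehand, 4688 carries the command line only if "Include command line in process creation events" was on, and 4104 requires Script Block Logging.

```powershell
# Added example, not from the original guide: gather the local event-log entries
# most useful for reconstructing a malware incident and pivot around the first
# Defender detection. Assumptions: run elevated; $Start/$End are placeholders
# bracketing the suspected infection window; Security events 4688 and 4698/4702
# only exist if that audit policy was enabled beforehand, 4688 includes the
# command line only if that policy is on, and 4104 needs Script Block Logging.
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date
$Out   = 'C:\IR\timeline.csv'
New-Item -ItemType Directory -Path (Split-Path $Out) -Force | Out-Null

# Log name, event IDs and a human label for each class of event we care about.
$queries = @(
    @{ Log = 'Microsoft-Windows-Windows Defender/Operational'; Ids = 1006,1007,1116,1117,1118,1119; Label = 'Defender detection/action' }
    @{ Log = 'Security'; Ids = 4688;      Label = 'Process created' }
    @{ Log = 'Security'; Ids = 4698,4702; Label = 'Scheduled task created/updated' }
    @{ Log = 'Security'; Ids = 4720,4732; Label = 'Account created / added to local group' }
    @{ Log = 'System';   Ids = 7045;      Label = 'Service installed' }
    @{ Log = 'Microsoft-Windows-PowerShell/Operational'; Ids = 4104; Label = 'PowerShell script block' }
)

$timeline = foreach ($q in $queries) {
    $filter = @{ LogName = $q.Log; Id = $q.Ids; StartTime = $Start; EndTime = $End }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = if ($e.Message) { $e.Message -replace '\s+', ' ' } else { '' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $q.Log
            Id      = $e.Id
            Label   = $q.Label
            Message = $msg.Substring(0, [Math]::Min(200, $msg.Length))   # trimmed for the table
        }
    }
}

# Full timeline to CSV for the incident report, plus a count per event class.
$timeline | Sort-Object Time | Export-Csv -NoTypeInformation -Path $Out
$timeline | Group-Object Label | Select-Object Count, Name | Format-Table -AutoSize

# Pivot: everything within 30 minutes either side of the first Defender hit. The
# process creations and task/service installs in that window usually show how
# the malware arrived and what it set up for persistence.
$firstHit = $timeline | Where-Object Label -like 'Defender*' | Sort-Object Time | Select-Object -First 1
if ($firstHit) {
    $lo = $firstHit.Time.AddMinutes(-30); $hi = $firstHit.Time.AddMinutes(30)
    $timeline | Where-Object { $_.Time -ge $lo -and $_.Time -le $hi } |
        Sort-Object Time | Format-Table Time, Id, Label, Message -Wrap
} else {
    'No Defender detection events in the window; widen $Start/$End or pivot on another indicator.'
}
```

Local logs can be cleared or tampered with by malware running as administrator, so where a central log collector or EDR exists, run the same questions against it as well and treat a gap in the local logs as a finding in itself.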