Blog | G5 Cyber Security

Malware Threat Assessment: A Practical Guide

TL;DR

This guide outlines a step-by-step methodology for assessing malware threats. It covers identification, containment, eradication and recovery phases, with practical advice for both technical users and those needing to understand the process.

1. Preparation & Initial Assessment

  1. Define Scope: What systems are potentially affected? Is it a single computer, a network segment, or the entire organisation?
  2. Gather Information: Collect any initial reports of unusual behaviour – slow performance, error messages, unexpected pop-ups. Ask users what they were doing when problems started.
  3. Initial Triage (Non-Technical): Look for obvious signs:
    • Unexpected software installed.
    • Changes to browser homepage or search engine.
    • Unusual network activity (if visible – e.g., a lot of downloads).

2. Identification & Analysis

  1. Isolate the System: Disconnect the affected machine(s) from the network to prevent further spread. This is *crucial*.
  2. Run a Full Scan with Anti-Virus Software: Use your existing anti-virus solution first. Ensure it’s up-to-date before scanning.
    # Example using Windows Defender (command line). MpCmdRun.exe lives in "%ProgramFiles%\Windows Defender";
    # -ScanType 3 is a custom scan of the path given by -File, so pass the drive root (C:\), not just the letter
    MpCmdRun.exe -Scan -ScanType 3 -File C:\
  3. Second Opinion Scanner: Download and run a reputable second opinion scanner (e.g., Malwarebytes, HitmanPro). These often catch things your primary anti-virus misses.
    • Download from the official website only!
    • Run in safe mode for best results.
  4. Process Analysis (Technical): Use tools like Process Explorer to identify suspicious processes:
    • Look for processes with unusual names or locations.
    • Check CPU and memory usage – high usage by an unknown process is a red flag.
    • Examine the parent process of any suspect programs.
  5. File Analysis (Technical): Use VirusTotal to scan suspicious files online:
    https://www.virustotal.com/gui/file/YOUR_FILE_HASH

    Replace YOUR_FILE_HASH with the SHA256 hash of the file.
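The process and file analysis steps above can be combined into one triage pass. The following PowerShell script is an added example, not code from the original guide: it lists every running process with its parent, executable path and SHA256, flags executables running from user-writable locations, and builds the VirusTotal lookup URL from the hash. The list of "suspicious" directories is an assumption for illustration and will produce false positives for some legitimate software; run it from an elevated prompt on the isolated machine so that all processes are visible.

```powershell
# Added triage helper (not part of the original guide). Run as Administrator on the isolated host.
# The directories below are an assumed starting point, not an authoritative list.
$suspiciousRoots = @(
    "$env:USERPROFILE\AppData\Local\Temp",
    "$env:USERPROFILE\AppData\Roaming",
    "$env:USERPROFILE\Downloads",
    "$env:PUBLIC",
    "$env:ProgramData"
)

# Win32_Process exposes ParentProcessId and ExecutablePath, which Get-Process does not give directly
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    $parent = $byPid[$p.ParentProcessId]   # $null if the parent has already exited
    $hash = $null
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        # Same SHA256 you would paste into the VirusTotal URL from the guide
        $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
    }
    $flag = $false
    foreach ($root in $suspiciousRoots) {
        if ($p.ExecutablePath -and
            $p.ExecutablePath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $flag = $true
        }
    }
    [pscustomobject]@{
        PID        = $p.ProcessId
        Name       = $p.Name
        Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                     else { "<exited/unknown> ($($p.ParentProcessId))" }
        Path       = $p.ExecutablePath
        SHA256     = $hash
        Suspicious = $flag
        VirusTotal = if ($hash) { "https://www.virustotal.com/gui/file/$hash" } else { $null }
    }
}

# Flagged processes first for review; the CSV becomes part of the incident record
$report | Sort-Object -Property Suspicious -Descending |
    Format-Table PID, Name, Parent, Path, Suspicious -AutoSize
$report | Export-Csv -Path ".\process-triage.csv" -NoTypeInformation
```

A flagged row is a prompt to examine the parent process and look the hash up, not proof of infection; a process with no ExecutablePath is usually a protected system process or one running under another account.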

3. Containment

  1. Confirm Scope: Based on analysis, determine all affected systems.
  2. Network Segmentation: If possible, isolate affected network segments to limit spread.
  3. Account Lockdown: Reset passwords for any accounts potentially compromised on infected machines.

4. Eradication

  1. Remove Malware: Use anti-virus and second opinion scanners to remove identified malware.
    • Quarantine detected files before deleting them.
    • If a program refuses to be removed, consider booting from a rescue disk (see Recovery section).
  2. Clean Temporary Files: Delete temporary files and browser caches.
  3. Remove Suspicious Scheduled Tasks: Check the Task Scheduler for any unusual tasks that might be re-infecting the system.

5. Recovery

  1. Restore from Backup (Recommended): If available, restore affected systems from a clean backup taken *before* the infection.
    • Verify the integrity of the backup before restoring.
  2. Re-image System: For severely infected systems or if backups are unavailable, re-imaging the system is often the fastest and most reliable solution.
  3. Boot from Rescue Disk (Technical): Use a bootable rescue disk containing anti-virus tools to scan and clean the system before booting into Windows.
    • Kaspersky Rescue Disk and Bitdefender Rescue CD are good options.

6. Post-Incident Activity

  1. Review Logs: Analyse system logs and network traffic for any further evidence of the infection.
  2. Update Security Measures: Patch vulnerabilities, strengthen passwords, review firewall rules, and improve cyber security awareness training.
  3. Incident Reporting: Document the incident thoroughly, including timelines, affected systems, malware identified, and actions taken. Consider reporting to relevant authorities if required (e.g., ICO in the UK).