Q: What is containment action after Virus is found

Ow Mun Heng ow.mun.heng at wdc.com
Fri Apr 9 07:11:04 UTC 2004



> -----Original Message-----
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com]On Behalf Of James Kosin
> Sent: Thursday, April 08, 2004 10:46 PM
> To: For users of Fedora Core releases
> Subject: Re: Q: What is containment action after Virus is found
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Ow Mun Heng wrote:
> 
> | Hi Guys,
> |
> <<--snip-->>
> 
> |
> | SO.. what are your comments?
> |
> 
> It really depends on the virus.  Some infect, or try to, every file on
> the system.  Some just reproduce themselves on shares to get executed by
> unsuspecting users.  Some actually remove/delete/trash files...
> 
> 1) Usually, you need to isolate the computer infected from all outside
> connections... this includes the NET.  To keep spreading down to a minimum.

This is a Samba file server. The virus is not going anywhere and isn't
gonna affect the server. (Win32 virus)
 
> 2) Next, inform all users.  Regardless of whether or not they are
> infected.  Someone may remember something or realize I ran that file
> the other day.

Done

> 3) Disinfect the primary computer.  And check all the others for the
> virus as well.  Some viruses will spoof / hide / trick you into
> thinking things are OK and crop up again.

Was informed that Stinger was run on the 'source' PC.

> 4) If any important files are missing or bad, restore them from known
> good backups.  (2 days ago, you need to go back at least 3 days in
> your backups to restore).

No one's complained about corrupted files. So.. I'll just keep a backup
of the 3 days ago backup.

> 5) PLEASE INFORM YOUR MIRROR SITE if off premises or out of your
> control.  The sooner they know the better.

Done.

> 6) Try to find out how the virus got on the system.  This is research
> intensive...  FIND a solution to keep it from happening again.

Actually, that's easy. It's a Samba file server. Users connect to it
to share and save files. One of the users' PCs got infected by the
virus and since that person has write access to the server, the
virus just migrated there. I'm trying to research into how to get
some kind of anti-virus agent on my Linux server.
 
> 7) Prepare for the next virus!

Yeah.. Just for the benefit of my Windows users.




