2 September 2021

Virus Infection and Response

The unfortunate truth is that no matter what steps you take to prevent virus infection, the chance of your system becoming infected never disappears entirely. At this point, what matters is taking preventive measures against infection and being able to stop it before it occurs.

But what do we do if there is a possibility that our computer could be infected regardless?

Part of your response will depend on the severity of the virus and how far it has spread, but you generally need to focus on three points. The first is stopping the virus from spreading. The second is ensuring the virus is completely cleaned. The third is finding out how the infection started — that is, how the computer became infected.

Stopping the Virus from Spreading

When a virus infection has occurred, the first priority is to stop it from spreading. How this is done will depend on how far the virus has spread. If the virus has affected only one machine, you can disconnect that machine from the network entirely. In corporate environments, infected systems are generally isolated from the network automatically by EDR or similar technologies. However, it is unlikely that you will detect a virus before it spreads beyond a single machine. Given this reality, it will generally be necessary to follow the steps below.

Your main goal here is to avoid infecting your systems with the virus. However, if an unfortunate incident does occur, implementing these steps can minimise the damage and get your system back up and running in a shorter time.

Cleaning the Virus

After isolating the infected machine or machines, the next step is to clean them. If you know the specific virus, you should be able to remove it by running an antivirus program or by finding virus removal instructions online. In the unlikely event that you cannot remove the virus, you may have no option other than to format the machine (or machines) and restore from backups.

If you successfully remove the virus, you will need to fully scan the machine for other virus infections before reconnecting it to the network. You must make sure it is completely clean before bringing it back online. At this point, you can of course also use Internet Security or EDR applications.

Finding Out How the Virus Infection Started

After quarantining and removing the virus, the next objective is to examine whether the virus could recur. This begins with finding out how the virus entered your system. To do this, you need to investigate the cyber incident in three ways:

To get information and support on Cyber Incident Detection and Cyber Incident Analysis, you can contact our experts at [email protected] and request a price quote.
