Q: What is containment action after Virus is found

jludwig wralphie at comcast.net
Thu Apr 8 15:34:40 UTC 2004


On Thu, 2004-04-08 at 10:46, James Kosin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Ow Mun Heng wrote:
> 
> | Hi Guys,
> |
> <<--snip-->>
> 
> |
> | SO.. what are your comments?
> |
> 
> It really depends on the virus.  Some infect, or try to, every file on
> the system.  Some just reproduce themselves on shares to get executed by
> unsuspecting users.  Some actually remove/delete/trash files...
> 
> 1) Usually, you need to isolate the computer infected from all outside
> connections... this includes the NET.  To keep spreading down to a minimum.
> 
> 2) Next, inform all users.  Regardless of whether or not they are
> infected.  Someone may remember something or realize I ran that file the
> other day.
> 
> 3) Disinfect the primary computer.  And check all the others for the
> virus as well.  Some viruses will spoof / hide / trick you into thinking
> things are OK and crop up again.
> 
> 4) If any important files are missing or bad, restore them from known
> good backups.  (2 days ago, you need to go back at least 3 days in your
> backups to restore).
> 
> 5) PLEASE INFORM YOUR MIRROR SITE if off premises or out of your
> control.  The sooner they know the better.
> 
> 6) Try to find out how the virus got on the system.  This is research
> intensive...  FIND a solution to keep it from happening again.
> 
> 7) Prepare for the next virus!
> 
> Good Luck,
> James Kosin
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> 
> iD8DBQFAdWWwc7lFLjBWKW0RAjZsAKCCkP8mjTOMS1ue8PJRqrZOkAl8gwCfQyaR
> NKN4pXSeL47qxEZ+miMXw3U=
> =dttD
> -----END PGP SIGNATURE-----
And if I might add, don't assume all is safe, since the virus may now be
on a cdrom, floppy, or some other removable media out of your control.
-- 
jludwig <wralphie at comcast.net>




