574 Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

no sign of slowing. In the following sections, we’ll go over the process of recognizing and taking action against virus activity on your network.

Identifying Computer Virus Outbreaks

Under most circumstances, the alerts provided by AMS 2 will provide sufficient warning of any virus problems on your network. However, this becomes less effective in the case of new or polymorphic viruses that are not covered within the latest antivirus definitions. (Some viruses even go one step further by attempting to block access to the major antivirus Web sites, Symantec’s included, to prevent administrators from obtaining the appropriate virus signatures.) So, how do you recognize a virus if NAVCE doesn’t recognize the virus? Experience, instinct, and a good dose of common sense. If you notice severely degraded server performance, a sudden surge in network traffic, or a rash of unresponsive or malfunctioning PCs, you should begin to suspect virus or worm activity.

Responding to Computer Virus Outbreaks

We’re fairly certain that most system administrators have encountered a situation similar to the antivirus commercials you see on television.
Specifically, the one where the notoriously uneducated user stops the network administrator in the hallway and says “Hey, I just opened that e-mail virus like you told me not to.” The help desk switchboard lights are flickering like fireworks, response times across your network have dropped considerably, and your e-mail server has apparently decided to take off and not leave any forwarding information. The main receptionist is transferring calls to you left and right, the sales department is having a collective coronary, Bill from corporate finance keeps sticking his head into your office door asking if you’ve fixed the problem yet, and you’re just trying to get down the hall to the server room without being waylaid with more reports of an outage you’re already aware of. Relax, you’re not the first person this has happened to, and heaven knows you won’t be the last.

Figure 12.21 Viewing Virus History after Exporting to CSV Format

www.syngress.com 245_symantec_12.qxd 5/8/03 4:35 PM Page 574

It’s best to think of virus outbreaks in terms of three simple (yet infinitely important) concepts that we refer to as “The Three Cs.” The Three Cs of virus response are as follows:

■ Containment
■ Cleanup
■ Communication

Communicating the Outbreak

“But wait,” you say. “You listed communication as the last of the Three Cs. Why are we talking about it first?” Despite our best efforts to effectively manage the technology under our purview, sometimes something out of our control takes place. And while you may be working furiously to correct the situation, you should never forget that you have an entire network of people—not just machines—who need to understand what is happening with the computer on their desktop.

Notes from the Underground…

End-User Communication

End-user communication can also help to alleviate virus outbreaks, or even prevent them before they start. A real-world example: I walked into work early one morning and was stopped en route to my office (by an even earlier riser than myself) with the following sentence. “Hey, Laura, I had about 15 messages in my Inbox this morning with ILOVEYOU as the subject line. It really didn’t look right to me, so I didn’t open any of them. Do you want to take a look?” Did I ever…a quick visit to Symantec’s Web site indicated that there was a new e-mail-borne virus making the rounds. It was a nasty bugger that had already brought several major corporations’ networks to a standstill, and an updated virus signature was not yet available. However, even without new antivirus definitions, it became clear that the virus was transmitting itself via a .VBS attachment. Twenty minutes of reconfiguring the mail server to reject .VBS attachments, and ILOVEYOU managed to sail right on past my network and users. But if I hadn’t been made aware of the problem, the situation could certainly have played out much differently.

To take this story back a step, the early-morning ILOVEYOU recipient would not have known to alert me to anything out of the ordinary had I not provided end-user training on how to recognize potentially hazardous e-mail attachments. I know we all think of “training” as a bunch of folks sitting in a classroom trying desperately not to doze off, but the training in this case was a simple e-mail memo. It doesn’t have to be anything grandiose: circulate a memo, hang a flyer by the coffee machine, whatever will get the message across.

Does your organization have any sort of disaster recovery procedure in place, or any parallel or spare systems you can bring online to keep your business functioning? If not, now would be a great time to start planning against a rainy day, because it will most certainly be simpler to generate such a plan before it starts “raining,” rather than in the midst of a computer-virus-induced typhoon. Make sure to involve all segments of your user base in developing these procedures, as the input you receive will be nothing short of invaluable.

Containing a Virus Outbreak

Now that we’ve discussed the more customer-service oriented factors of handling a virus outbreak, let’s get down to the actual mechanics of getting your users and network services back online with a minimum of disruption and downtime. The first step in containing a virus outbreak is to identify any and all virus-infected PCs on your network. Hopefully you’ve already configured the Alert Management Server (AMS 2) to provide Windows Messaging, e-mail, and pager alerts of virus infections. (For specific information on how to configure the AMS 2, please refer to Chapter 3.) In the following sections, we’ll discuss the use of NAVCE’s Virus Sweep function, as well as how to respond to a virus outbreak on your network.

NOTE

Check the Symantec corporate home page for any updated virus definitions that you may have missed before proceeding. Especially in the case of widespread virus activity, Symantec may release multiple definition files in a single day; for your own peace of mind, never simply assume that you’re using the latest definitions available to you.

Using Virus Sweeps

If AMS 2 reports several client computers on your network with virus infections, you’ll be quite thankful for NAVCE’s Virus Sweep function. Using the SSC console, you can quickly launch a virus sweep of your entire system, a server group, or all client computers connecting to a single server. With a single click from the SSC console, you will know within minutes which of your client and server PCs are virus-infected.
(Virus sweeps have the additional advantage of being a type of scan that cannot be cancelled by the end user.)

To launch a virus sweep of your entire system, open the SSC console window. Right-click System Hierarchy, then select All Tasks | Norton Antivirus | Start Virus Sweep. To sweep a specific server or server group, right-click the appropriate item within the System Hierarchy and follow the same steps, as shown in Figure 12.22. Using the SSC console, you can view the results of a virus sweep by selecting All Tasks | Logs | View Virus Sweep History from the appropriate server or server group. See the window shown in Figure 12.23.

Figure 12.22 Launching a Virus Sweep of a Server Group

WARNING

Depending on the size of your LAN/WAN, a virus sweep can cause considerable network traffic. Also important to remember is that once started, a sweep cannot be cancelled. If the situation is not an emergency, make sure you take these performance considerations into account before you launch a virus sweep of your network.

From Figure 12.23, you can do the following:

■ Start a new virus sweep
■ View the results of a prior sweep
■ Delete the results of a sweep

Select the virus sweep whose results you want to see, then click View Results. You’ll see the date and time that the scan finished on each PC (this field will be blank if the scan is still in progress), the total number of files scanned and the total number infected, as shown in Figure 12.24. You can click the floppy-disk icon to export the scan results to a text file for archiving or reporting.
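The End-User Communication sidebar above describes rejecting .VBS attachments at the mail server as a containment step taken before a signature existed. The following Python is an added illustration of that policy check on an inbound message; it is not code from the book or from NAVCE, and the sample message, the blocked-extension set and the function names are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the mail server was reconfigured to reject in the sidebar's
# ILOVEYOU story. The set is an assumption; extend it to match local policy.
BLOCKED_EXTENSIONS = {".vbs"}


def attachment_names(msg):
    """Yield the declared filename of every non-container MIME part.

    get_filename() consults both the Content-Disposition filename and the
    Content-Type name parameter, so either way of declaring it is caught."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def blocked_extension(filename, blocked=BLOCKED_EXTENSIONS):
    """Return the matching blocked extension, or None.

    The comparison is case-insensitive (SCRIPT.VBS) and judges a double
    extension such as PHOTO.JPG.vbs by its final component, which is the
    one the client would execute."""
    lowered = filename.strip().lower()
    for ext in blocked:
        if lowered.endswith(ext):
            return ext
    return None


def should_reject(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Decide whether an inbound message carries a blocked attachment.

    Returns (True, offending_filename) or (False, None)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for name in attachment_names(msg):
        ext = blocked_extension(name, blocked)
        if ext:
            return True, name
    return False, None


def build_sample(attachment_name):
    """Construct a sample inbound message carrying one attachment.

    The body and attachment bytes are placeholders, not real virus content."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "admin@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("Constructed sample body for the attachment check.")
    msg.add_attachment(b"placeholder bytes\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("PHOTO.JPG.vbs", "quarterly-report.txt"):
        rejected, offender = should_reject(build_sample(name))
        print(f"{name}: {'REJECT ' + offender if rejected else 'accept'}")
```

The check is deliberately based on the declared filename, which is what the client uses to decide how to open the attachment; a real gateway would also log the rejection so the administrator can see the outbreak's volume.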
Figure 12.23 Viewing Virus Sweep History

Figure 12.24 Viewing the Results of a Virus Sweep

NOTE

If a workstation is turned off when you launch the virus sweep, the scan will begin the next time the PC is turned on.

Once you’ve determined which of your PCs have become virus-infected, you’ll need to decide what action to take in order to clean the various machines. If at all feasible, we highly recommend disconnecting the infected PCs from your LAN until the virus infection can be removed, since allowing these machines continued network and Internet access will only serve to further propagate the virus to your network and those of others. This is especially the case with worms like Code Red and Nimda, where an infected machine will actively seek out (port scan) other vulnerable machines to infect. In certain extreme cases where the virus infestation has spread beyond a manageable point, you may wish to disconnect your company’s Internet connection and/or the inbound Simple Mail Transfer Protocol (SMTP) traffic to your e-mail server. This will provide the ultimate “quarantined” environment to prevent further virus infections while you work to restore order to your network.

NOTE

Here are two useful definitions to be familiar with when dealing with virus outbreaks:

■ Simple Mail Transfer Protocol (SMTP) This protocol is designed to do exactly what it sounds like: provide for the timely and efficient delivery of electronic mail. SMTP transfers messages between clients and servers, as well as between servers, but it does not concern itself with the specifics of client mailboxes or downloading of messages. The SMTP protocol is fully defined by Request for Comment (RFC) 821, available from the Internet Engineering Task Force homepage at www.ietf.org.
■ Port Scan A process of connecting to TCP and UDP ports on a given system to determine which services are running. While this is not an attack, per se, port scanning is the first step in determining what operating system and software applications are in use on a target system, enabling the attacker to formulate an effective plan of attack. Viruses such as Nimda use port scans to discover other machines that are vulnerable to infection.

Cleaning up a Virus Outbreak

Once you have identified the infected PCs on your network, the next step is to restore the compromised machines to a working (and virus-free) state. You will need to decide on a case-by-case basis how best to address virus infections. Some can be fixed with simple file quarantining and deletion, while more insidious infections can require measures as extreme as reformatting and reinstalling a workstation from scratch. In this section, we’ll discuss several tools that NAVCE offers to accomplish this task, including the Alert Management Server, Built-in Notifications and viewable virus histories, as well as other options available from the Symantec Web site.

Understanding Alert Management Server 2

Alert Management Server 2 (AMS 2) is a separate snap-in that can be installed for use with the SSC Console. This snap-in alerts an on-call administrator to a virus problem via pager, e-mail, and so forth. (Configuration of AMS 2 is covered extensively in Chapter 3.) The Alert Management Server should act as your first line of defense in detecting a virus outbreak.
Using Built-in Notifications

NAVCE also offers two notification methods that can operate in place of, or in addition to, AMS 2; the Alert Management Server does not necessarily need to be installed in order for these notifications to run. These alert methods are as follows:

■ Customizable message boxes that can be displayed in an e-mail message or on the infected computer’s desktop
■ Virus histories, which maintain a log of all virus activity found whenever NAVCE performs any type of antivirus scan

Displaying Notification Messages to End Users

When configuring a manual, scheduled, or real-time scan, you can use the Message button to display a pop-up window that immediately alerts the user to the situation. Using the variables listed next, you can customize what is displayed to the user when NAVCE finds an infected file. The default warning uses both system variables and plain text, as shown in Figure 12.25. Items contained within brackets (such as [Logged by]) are variables, while anything entered outside of the brackets displays as-is. The full list of variables and their descriptions are explained in Table 12.2.
Table 12.2 Understanding Symantec’s E-mail Notification Variables

What You Enter        What Is Displayed
[ActionTaken]         Action taken on the infected file (Cleaned, Quarantined, Deleted, Left Alone)
[Computer]            NetBIOS or DNS workstation name of the target computer
[DateFound]           Date and time that the virus alert was generated
[Event]               Type of event: “Virus Found,” and so on
[Location]            Drive letter containing the infected file
[Logged by]           Type of scan that flagged the virus: real-time, manual, or scheduled
[PathandFilename]     Full directory path to the infected file
[Status]              Current state of the infected file (Infected, Not Infected, Deleted)
[User]                Network login name of the user logged in at the time the alert is generated
[VirusName]           Name of detected virus

Alternatively, you can simply display a generic message to your user without noting specific file information, similar to the one shown in Figure 12.26.

NOTE

The field containing NAVCE message information handles plain text only. You cannot include things like text formatting, embedded HTML, or MAILTO: links.

Figure 12.25 Displaying a Message on the Client Computer

Figure 12.26 Creating a New Message to Display on a Client Computer

Using the Virus History Feature

From any server group, right-click All Tasks | Logs | Virus History to view a detailed description of any recent virus activity on the clients and servers attached to that group. You can also select Scan History to view the results of the latest scheduled scan run against the server group, and Event History to view other information that may not specifically relate to a virus infection. (For example, the last time the antivirus service was restarted, or when the newest antivirus definitions were downloaded.)
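As an added illustration of the bracketed variables in Table 12.2 and the plain-text restriction in the NOTE that follows it, this Python (not NAVCE’s own code) checks a notification template before it is saved and fills it from an alert record. The template text, the alert values and the choice to leave unknown tokens visible are assumptions made for the example.

```python
import re

# Variables NAVCE substitutes into a notification message (Table 12.2).
KNOWN_VARIABLES = {
    "ActionTaken", "Computer", "DateFound", "Event", "Location",
    "Logged by", "PathandFilename", "Status", "User", "VirusName",
}

VAR_PATTERN = re.compile(r"\[([^\[\]]+)\]")

# Constructed template modelled on the page's description of the default
# warning (system variables mixed with plain text); not NAVCE's literal default.
SAMPLE_TEMPLATE = (
    "Scan type: [Logged by]\n"
    "Event: [Event]\n"
    "Virus name: [VirusName]\n"
    "File: [PathandFilename]\n"
    "Computer: [Computer]  User: [User]\n"
    "Action taken: [ActionTaken]  Status: [Status]\n"
    "Date found: [DateFound]"
)

# Constructed alert record; every value is a placeholder.
SAMPLE_ALERT = {
    "Logged by": "Real-time",
    "Event": "Virus Found",
    "VirusName": "ILOVEYOU",
    "PathandFilename": r"C:\Temp\attachment.vbs",
    "Location": "C:",
    "Computer": "WS-FINANCE-07",
    "User": "bsmith",
    "ActionTaken": "Quarantined",
    "Status": "Infected",
    "DateFound": "05/08/2003 09:15",
}


def check_template(template):
    """Return problems to fix before saving the message: bracketed names that
    are not NAVCE variables, and HTML or MAILTO: content, which the
    plain-text message field shows literally instead of rendering."""
    problems = []
    for name in VAR_PATTERN.findall(template):
        if name not in KNOWN_VARIABLES:
            problems.append(f"unknown variable [{name}]")
    if re.search(r"</?[A-Za-z][^>]*>", template):
        problems.append("HTML markup will be shown literally (plain-text field)")
    if re.search(r"mailto:", template, re.IGNORECASE):
        problems.append("MAILTO: links will be shown literally (plain-text field)")
    return problems


def render_message(template, alert):
    """Fill [Variable] tokens from the alert record; text outside brackets is
    left as-is. Unknown tokens are kept literally (an assumption, chosen so a
    typo is visible in the rendered message rather than silently dropped)."""
    return VAR_PATTERN.sub(
        lambda m: str(alert.get(m.group(1), m.group(0))), template)


if __name__ == "__main__":
    assert not check_template(SAMPLE_TEMPLATE)
    print(render_message(SAMPLE_TEMPLATE, SAMPLE_ALERT))
```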
You can view any of these items in the following time frames:

■ Today
■ Past seven days
■ This month

Or you can view items within a very precise range, such as December 8th through the 29th. From here you will be able to take necessary actions against infected files.

Taking Actions Against Infected Files

If NAVCE flags a file containing a virus that it was unable to repair, you can use the Virus History screen to take further actions against any infected files, particularly if you just downloaded a newer set of antivirus definitions. From the Virus History screen, right-click any listed file to perform any of the actions we’ve covered in this chapter, such as cleaning, deleting, or quarantining a file. (An example of this function is shown in the following section.) You can also undo whatever action NAVCE performed against the file. This is useful if you want to remove a file from quarantine so it can be repaired with newer virus definitions.

Recovering from Boot Sector Viruses

If you suspect that a hard drive has become infected with a boot sector virus (for example, you are unable to start the computer in question), you can use the Norton AntiVirus Rescue Disk Set to correct the situation. (Detailed instructions on creating the Rescue Disk Set can be found in Chapter 3.) The following describes the steps necessary to repair a boot sector virus on a hard drive. NAVCE can detect and repair a floppy disk boot sector virus by simply performing a manual scan.

NOTE

A boot sector virus resides on a portion of the computer drive that is only read when the computer is powered up, at which point the virus loads into memory. They typically spread via floppy disks, which also have a boot sector that can become infected.
If an infected floppy disk is present in the disk drive when a computer is booted up, the virus will be loaded into the computer’s memory and can spread to other computers and floppies.

Cleaning the Hard Drive Boot Sector

1. Power the computer down completely. Wait approximately 30 seconds, or until all hard drive activity has stopped. (This prevents unnecessary wear-and-tear on the physical components of the hard drive.)
2. Place the Norton AntiVirus Rescue Boot Disk into your floppy (A:) drive, then power the computer on.
3. Wait until the PC has fully booted and the screen displays the A:\ prompt.
4. Remove the Rescue Boot Disk from the A:\ drive, and insert the Norton AntiVirus Program Disk.
5. Type Go and press Enter to begin.
6. Follow the instructions that appear on the screen in order to clean the boot sector virus.
7. When you’re finished, remove all floppy disks and reboot normally.

Restoring a Hard Drive Boot Sector

If your hard drive’s boot sector cannot be repaired using the preceding steps, you can restore a copy of the boot sector from the Rescue Disks. This will overwrite the infected boot sector with a clean backup copy, thus preventing the virus from spreading any further. Follow these steps to restore the boot sector from backup.

1. Restart the computer using the Norton AntiVirus Rescue Boot Disk (as described in Steps 1 and 2 in the previous section).
2. From the A: prompt, type Rescue and then press Enter.