Malware

If you can use a tool for good, then it is possible to use that same tool for evil. Malware (malicious software) is software written to damage, disrupt, spy on, or gain unauthorized control of systems. Malware can do great harm to your systems and organization.

Types of Malware

Malware has taken many different forms; here are a few of the most prevalent types:

  • Virus (attaches itself to other programs or files and spreads by copying itself when they are run)

  • Worm (standalone malware that spreads itself across networks, without needing a host program or a user to run it)

  • Trojan (misleads users about its real intent; appears useful or harmless while doing something malicious)

  • Ransomware (encrypts or steals data and demands payment to restore access or to keep the data from being published)

These are not the only forms malware has taken, and new forms will continue to appear.

Prevention

A pint of sweat is worth a gallon of blood.

— General Patton

The best position to be in is never to become 'infected' with malware in the first place. Preventive measures are not always practical, but most of them are worth the effort.

Prevention: Hygiene

A user’s behavior significantly impacts the probability of getting infected with malware. Some of the things you can do are:

  • Only install software from known (reputable) sources.

  • Update software promptly (patches close the known vulnerabilities that malware exploits).

  • Only visit reputable websites. Don’t open links or attachments in email unless you were expecting them and trust the sender. When in doubt, verify with the sender over a separate communications channel (for example, by phone), not by replying to the message.

  • Disable services you do not use (every running service is attack surface).

Detection: Antivirus Software

You should install and enable antivirus software on the systems you own or operate. Products marketed as antivirus usually also protect against other forms of malware.

Antivirus software uses a database of malware definitions to detect malware on your systems. Because new malware is continuously in development, it is vital that you keep your definitions up-to-date to keep your antivirus software effective. If possible, enable your antivirus software to update automatically.
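To make the definitions point concrete, here is an added example (not code from the original page or from any antivirus product) of how a definition-based scanner works and why stale definitions miss new malware. All file contents, byte patterns, hashes and signature names are constructed for this example and do not correspond to real malware. It also shows why definitions carry byte patterns as well as exact hashes: a sample with one byte appended has a new hash but the same code.

```python
"""Signature-based scanning with stale vs. updated definitions.

Added example, not code from the original page or any antivirus product.
All file contents, hashes and signature names below are constructed for
this example and do not correspond to real malware.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "files" on a system: name -> contents.
SAMPLE_FILES = {
    "report.txt": b"Quarterly numbers look fine.\n",
    "dropper.bin": b"MZ\x90\x00CONSTRUCTED-SAMPLE-A\x00",
    # Same dropper with one byte appended: a different hash, same code.
    "dropper-repacked.bin": b"MZ\x90\x00CONSTRUCTED-SAMPLE-A\x00\xff",
    # A newer variant that the first definition set has never seen.
    "new-variant.bin": b"MZ\x90\x00CONSTRUCTED-SAMPLE-B\x00",
}

# A definition set carries two kinds of entries: exact file hashes, which
# break as soon as one byte changes, and byte patterns, which survive
# trivial repacking. Version 1 only knows sample A.
DEFINITIONS_V1 = {
    "version": 1,
    "hashes": {sha256(SAMPLE_FILES["dropper.bin"]): "Constructed.Dropper.A"},
    "patterns": {b"CONSTRUCTED-SAMPLE-A": "Constructed.Dropper.A"},
}

# Version 2 stands in for "updated definitions": it adds a pattern for B.
DEFINITIONS_V2 = {
    "version": 2,
    "hashes": dict(DEFINITIONS_V1["hashes"]),
    "patterns": {
        **DEFINITIONS_V1["patterns"],
        b"CONSTRUCTED-SAMPLE-B": "Constructed.Dropper.B",
    },
}


def scan(files: dict, definitions: dict) -> dict:
    """Return {filename: signature name} for every file that matches.

    The hash lookup runs first because it is exact and cheap; pattern
    matching then catches files whose hash no longer matches but whose
    code is unchanged.
    """
    detections = {}
    for name, data in files.items():
        label = definitions["hashes"].get(sha256(data))
        if label is None:
            for pattern, pattern_label in definitions["patterns"].items():
                if pattern in data:
                    label = pattern_label
                    break
        if label is not None:
            detections[name] = label
    return detections


def unknown_file_hashes(files: dict, definitions: dict) -> dict:
    """Hashes of the files the definitions did not flag.

    A hash can be looked up on a reputation or sandbox service without
    uploading the file itself, which matters when the file may be
    confidential.
    """
    detected = scan(files, definitions)
    return {name: sha256(data) for name, data in files.items() if name not in detected}


if __name__ == "__main__":
    for defs in (DEFINITIONS_V1, DEFINITIONS_V2):
        print(f"definitions v{defs['version']}: {scan(SAMPLE_FILES, defs)}")
```

With version 1 the repacked dropper is still caught (by pattern) but the new variant is not; only after the definitions are updated to version 2 is it detected. Real products add heuristics and behavioral monitoring on top of this, but the dependence on current definitions is the same.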

Detection: Antivirus Software Configuration

You should ensure that your antivirus software (and, for the last item, the operating system) is configured with the following features enabled to better protect your systems:

  • Scan all files downloaded from the Internet or received over the network

  • Run a full scan of the system at regular intervals (usually daily)

  • Scan removable media when it is attached to (or inserted into) the system

  • Disable 'autorun' (autoplay) for removable media, so that inserting a device cannot launch code by itself

Detection: Sandboxes

Some malware is so new that antivirus programs do not yet have definitions for it. For that reason, you should also use a sandbox to analyze untrusted or suspicious files.

A sandbox runs a possibly malicious file inside an isolated, controlled environment and records what it does (files it writes, processes it starts, network connections it makes) to determine whether it is malicious.

Detection: Sandbox services

There are several 'free' sandbox services available. They analyze submitted files and report back their findings. Antivirus vendors pay these services for access to the submitted files and their associated findings, so anything you upload should be assumed to be shared. Do not submit files to such services if you believe they contain confidential information. If you only need to know whether a file is already known to be malicious, look up its hash (for example, SHA-256) rather than uploading the file.

If your organization needs to sandbox files with confidential information, they should either subscribe to a dedicated sandbox service or operate and maintain their own.

Detection: Human as a Sensor

In addition to the tools we’ve identified and described, people are an essential way to detect malware. If you notice any of the following signs or symptoms, report them to your IT or Information Security team.

Unexplained/Unexpected:

  • High CPU (processor) usage

  • High network usage

  • Excessive usage of storage

  • Slower than usual system performance

  • Files that suddenly cannot be opened or have unfamiliar extensions, or ransom notes appearing (typical of ransomware)

  • Other odd system behavior

Recovery

If your system(s) get infected by malware, it will be necessary to contain, eradicate, and restore your system(s) and data.

Recovery: Containment

Most antivirus software will quarantine files it identifies as malware (move them to an isolated location where they cannot run) to reduce the harm they could do to your system(s).

Additionally, you should disconnect a system from the network (unplug the cable or turn off Wi-Fi) as soon as you suspect it is infected, to prevent the malware from spreading further.

Do not turn off, reinstall, or otherwise modify a system you suspect may be infected. Powering it off destroys volatile evidence (memory contents, running processes, active network connections) that forensics personnel need in order to determine where the malware came from and what damage it has done.

Recovery: Eradication

Once you have contained the malware, it is time to remove it from your system(s). Sometimes this is as simple as deleting the malicious file. But attackers usually take additional steps to keep their access (extra accounts, scheduled tasks, a second implant), so the only sure way to eradicate the malware is to erase the device’s local storage and reinstall from known-good media. If the attacker is sufficiently advanced to have compromised firmware (for example, the BIOS/UEFI), wiping the disk is not enough and the device itself may need to be replaced or destroyed.

What measures you take will vary based on the system’s criticality and the suspected expertise of the attacker.

Recovery: Restoration

If you plan to keep using the previously infected system, you will usually need to reinstall the operating system and software to restore it to a usable state. Additionally, you may need to restore your data from backups.

Having backups is critical to getting back up and running. Enable automatic backups so that the amount of work lost is minimized. Before restoring from backups, scan them to ensure they are clean; otherwise you may restore the malware along with your data.

Warning: Test your Backups

A backup is only as good as a tested restore.

Test your restore method to a different location and compare data to the source to ensure you have a safe backup.

Backups are far more useful when they are versioned (multiple levels or incremental backups) and when at least one copy is kept off-site or offline, where malware on the network cannot reach it.

A ransomware attack is much less costly when you can restore files from an incremental or off-site backup taken before the encryption began.
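The warning above says to restore to a different location and compare with the source. Here is an added example (not code from the original page) that does exactly that with only the Python standard library: it restores a backup into a fresh directory and compares every file with the source by SHA-256, reporting files that are missing, changed, or unexpected. The source tree and the "backup" (a plain directory copy) are constructed for the example; in practice the restore step is whatever your backup tool provides, and the comparison is what matters.

```python
"""Verify a restore against its source by hashing both trees.

Added example, not code from the original page. The source files, the
backup (a plain shutil copy standing in for a real backup tool) and the
two simulated restores are all constructed inside a temporary directory.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare_trees(source: Path, restored: Path) -> dict:
    """Report what differs between the source and a restored copy."""
    src, dst = hash_tree(source), hash_tree(restored)
    return {
        "missing": sorted(set(src) - set(dst)),            # in source, not restored
        "changed": sorted(f for f in src.keys() & dst.keys() if src[f] != dst[f]),
        "extra": sorted(set(dst) - set(src)),              # restored, not in source
    }


def restore_is_clean(report: dict) -> bool:
    """True only if nothing is missing, changed or extra."""
    return not any(report.values())


def demo() -> tuple:
    """Build a constructed source, back it up, then check two restores.

    Returns (report for a correct restore, report for a broken restore).
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "plan.txt").write_text("launch in Q3\n")
        (source / "config.ini").write_text("[db]\nhost=localhost\n")

        backup = base / "backup"
        shutil.copytree(source, backup)

        # Correct restore: into a fresh location, never over the source.
        restored_ok = base / "restore-ok"
        shutil.copytree(backup, restored_ok)
        good = compare_trees(source, restored_ok)

        # Broken restore: simulate a job that skipped one file and
        # truncated another, which is what a restore test must surface.
        restored_bad = base / "restore-bad"
        shutil.copytree(backup, restored_bad)
        (restored_bad / "docs" / "plan.txt").unlink()
        (restored_bad / "config.ini").write_text("[db]\n")
        bad = compare_trees(source, restored_bad)

        return good, bad


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("correct restore clean:", restore_is_clean(good_report))
    print("broken restore report:", bad_report)
```

Run this against a real restore by calling compare_trees with your source and the restore location; any non-empty list means the backup cannot be trusted for recovery. Scan the restored copy for malware before comparing, as the text advises, so a clean comparison is not mistaken for a clean backup.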