• About
  • Contact

    Have something to say? We want to hear it.

    Just send us a message using the form below.

    * * Required
    *


    Cancel

Welcome to OUR GLOBAL IT COMMUNITY.

Bringing together top IT experts, IT professionals and you to find solutions to today's biggest IT challenges. Ask for expert advice, post a solution and surround yourself with IT knowledge.

MEET THE EXPERTS

Brian Milne
Brian Milne
Daniel Petri
Daniel Petri
Debra Shinder
Debra Shinder
Lawrence Abrams
Lawrence Abrams
Lowell Heddings
Lowell Heddings
Jenny Stout
Jenny Stout

CHALLENGE

How can we rid our network of a worm outbreak without taking our PCs out of commission?

Asked by Howard, Partner, New York City Law Firm - March 11, 2010

I am a partner for a large New York City Law Firm. On numerous occasions our network has become bombarded with worms that infect numerous, if not all, of the computers on our network. When this happens, cleaning the computers can be a nightmare as when we clean a computer, another infected computer will just infect it again. We have anti-virus programs on all of our computers and servers, but unfortunately new infections may sneak past them and we are left with a big mess that is very tough to clean up. For example, in our latest situation we were hit with a worm that spread throughout our network, but would not allow us to update Windows until the infection was removed. As you can imagine, this made it extremely difficult to patch the holes that were allowing the worms and malware through in the first place, thus our computer kept re-infecting themselves after we would clean them. Can you suggest the proper method for cleaning up these types of network-wide infections? What procedure should we use that would cause the least amount of downtime to our employees? If you could provide this in a step-by-step approach it would be appreciated.

Topics: Infrastructure Management , Security , System Management

Was this helpful?

+3

Yes
  • aasd
  • As others have said, you may want to look into a new antivirus vendor to prevent this happening again in the future.

    cleaning a network worm once it has spread through your network can be a royal pain. As said, once you clean a computer, another one could just reinfect it. Unfortunately, though, there is no easy way to clean your machines, and keep them from being reinfected, without downtime or lot's of firewalls or access lists. The best advice, which is unfortunately not what any network tech wants to hear, is to shutdown the network at night and literally go from computer to computer cleaning them. After each clean, detach it from the network and move on to the next. Once all the machines are clean, bring them back online.

    If its a fairly easy worm that does not protect itself, you can also add commands to the domain's logon script so the script kills the process, scrubs the registry, and deletes the file when a user logs on. It may take some experimenting, but this is a good method to do a network wide cleaning. This will only work,though, if the malware does not protect itself in some manner.
  • Howard

    Lowell beat me to the response, and he pretty much said exactly what I would have said.

    It worries me that you are being repeatedly hit by worms the "sneak" past your security. Zero Day attacks do happen, but not that often to well protected networks so you really should look at stopping the attacks from happening rather than trying to come up with an easy way to fix it when it does happen.

    Andrew Edney
    UsingWindowsHomeServer.com
  • First, you probably need to find a new antivirus provider, and make sure that your email server has virus protection on it. Most networks don't get repeatedly infected like that.

    Second, you need to lock the machines down so that users are running on standard user accounts without access to install software. This will help cut down on the amount of stuff that can get through.

    Third, the easiest way to deal with these scenarios is to start using System Images for the PCs, with a software package similar to Ghost. This way you build a single image and can easily re-deploy to PCs, wiping them clean of any crap on them.

    To make that strategy succeed, you'll need to migrate user data from the desktops to the servers instead, so they aren't wiped when the PC is reloaded. You can do that with roaming profiles and exchange server, or just turning your PCs into thin clients with a Citrix environment.

    These aren't the only answers, and I'm sure the other guys will contribute - this is just the strategy I've used in the past.
blog comments powered by Disqus