L17 - T17C - S9 – Malware Infection Prevention

10 Terms

1

Reinfection — (Missing Word)

Once a system has been cleaned, you need to take the appropriate steps to prevent ______

2

The Main Points in this section

  • Configure On-Access Scanning

  • Configure Scheduled Scans

  • Re-enable System Restore and Services

  • Educate the End User

3

On-Access Scanning

Term for when the A-V software intercepts an OS call to open a file and scans the file before allowing or preventing it from being opened

  • Reduces performance somewhat

    • But is essential to maintaining effective protection against malware

  • Nearly all security software is now configured to do this

4

Scheduled Scans

Regular scans of the OS software and system files carried out by antivirus software

  • Supported by all security software

  • Can impact performance

    • So it is best to run them when the computer is otherwise unused

  • You also need to configure the security software to perform malware-pattern and antivirus-engine updates regularly

5

Re-enable System Restore / Automatic Backups and Services — Steps Simplified

  • Create a fresh restore point or system image and a clean data backup

  • Validate any other security-critical services and settings that might have been compromised by the malware.

  • Verify DNS configuration

  • Re-enable software firewalls

  • Complete another antivirus scan

    • If the system is clean, then remove the quarantine and return it to service

6

Verify DNS Configuration — Re-enabling System Restore/Backup & Services

  • As part of preventing reinfection, you should inspect and re-secure the DNS configuration

    • DNS spoofing allows attackers to direct victims away from the legitimate sites they were intending to visit and toward fake sites

7

Re-enable Software Firewalls — Re-enabling System Restore/Backup & Services

  • As part of preventing reinfection, if malware was able to run with administrative privileges, you should reconfigure the software firewalls

    • It may have made changes to the software (host) firewall configuration to facilitate connection with a C&C network

    • An unauthorized port could potentially facilitate reinfection of the machine

    • You should inspect the firewall policy to see if there are any unauthorized changes.

    • Consider resetting the policy to the default

8

Educate the End User — Related Points

  • Password and account-management best practices plus security features of PCs and mobile devices.

  • Education about common social engineering and malware threats e.g.

    • Phishing | Website exploits | Spam | Alerting methods for new threats

  • Secure use of software

    • Browsers | e-mail clients | appropriate use of internet e.g. social networking sites

  • Specific anti-phishing training to identify indicators of spoofed communications

  • Continuing education

9

Specific anti-phishing training to identify indicators of spoofed communications — Educating the End User

This aspect covers education about:

  • Unexpected communications,

  • Inconsistent sender and reply-to addresses,

  • Disguised links and attachments,

  • Copied text and images, and

  • Social engineering techniques,

    • Such as exaggerated urgency or risk claims

10

Continuing Education — Related Points

  • Ensures that the participants do not treat a single training course or certificate as a sort of final accomplishment

  • Skills and knowledge must be continually updated to cope with changing threat types