Malware sudden recovery process steps include:
Step 1: infection confirmed
Quickly determine whether the system has been infected with the organization to minimize the impact of infection is essential.閫氳繃蹇?纭鎰熸煋骞舵爣璇嗗畠鐨勫彲鐤戠壒寰侊紝鍙互闄嶄綆鎰熸煋鐨勪紶鎾?搴︼紝骞跺噺灏忓畠瀵圭敤鎴风殑涓嶅埄褰卞搷銆?br />
There are many different types of computer failure could be mistaken for viral behavior. When the user through telephone or e-mail that "I think I'm the system has been infected" the support of staff must first determine whether the act Youkenengyou 鏌愮 types of malicious code by Dao Zhi. The following list provides some users may be reported as "virus-like" behavior of the typical symptoms of an example:
鈥?"I have to open an email attachment, then the situation is not abnormal; and now my computer is abnormal behavior. "
鈥?"I received an e-mail reply from the contact and asked me why I send them. Exe,. Zip or other accessories, in fact I have never sent a similar document. "
聽聽聽 鈥?"鎴戠殑闃茬梾姣掕蒋浠跺凡缁忓仠姝㈠伐浣滐紝涓旇绠楁満鎬绘槸鑷姩鍏虫満锛?"
聽聽聽 鈥?"鎴戠殑绋嬪簭宸ヤ綔寮傚父锛屽畠浠殑閫熷害閮介潪甯告參锛?"
鈥?"I can not open certain files or has disappeared! "
The user's observation and feedback is critical, because they have first to notice unusual activity may be. With unexpected speed of malicious software continue to increase, the initial infection and the effective length of time between the availability of defense has become increasingly important.鐢变簬澶ч儴鍒嗘劅鏌撳皢鍦ㄨ闃舵鍙戠敓锛屽洜姝ょ粍缁囪兘鍚﹀揩閫熸爣璇嗗苟纭鎰熸煋瀵逛簬灏嗙獊鍙戠殑浼犳挱鑼冨洿鍜屽畠鍙兘閫犳垚鐨勬崯瀹抽檷鑷虫渶浣庣▼搴﹁嚦鍏抽噸瑕併?
聽聽聽 浠ヤ笅閮ㄥ垎姒傝堪浜嗕竴绯诲垪浣挎偍鑳藉鏇村揩閫熷湴纭寮傚父琛屼负绌剁珶鏄惁鏄伓鎰忚蒋浠舵敾鍑绘垨绐佸彂鐨勬楠ゃ?
聽聽聽 濡傛灉鏂板瀷鎭舵剰杞欢鎰熸煋绯荤粺锛屽垯璇ョ郴缁熺殑鐢ㄦ埛灏嗙涓?釜娉ㄦ剰鍒板紓甯歌涓恒? Malicious software in the new release time and update anti-virus scanning applications to detect and respond to malicious software that often exists between the time delay. Early warning system to provide the best method is to let users know how to identify possible malicious software attacks signal, and providing them with fast communication links in order to report these malicious software attacks as soon as possible.
聽聽聽 鎰熸煋鎶ュ憡
Upon receipt of the user telephone or generate the possible new malware attacks alarm, used to define a warning as soon as possible to determine whether the process related to new attacks are usually very good for technical support. The following diagram shows the main steps in the process:
Figure 1 reports the process of malware infection
聽聽聽 寮傚父娲诲姩鎶ュ憡
The following issues apply to determine the cause of the alarm if abnormal activity may be a new malicious software. This guide assumes that these issues should be organized in the IT technical support to members to put forward non-technical users.
Collect basic information
The initial question should be can help to determine the alarm as soon as possible the nature and whether it is possible that new malicious software answers. You can use the following sample questions as a starting point of the process; should carry out modifications to meet the needs of the organization:
聽聽聽 鈥?鎶ュ憡鐨勬棩鏈熷拰鏃堕棿锛?br />聽聽聽 鈥?瀵艰嚧杩涜鎶ュ憡鐨勫紓甯告椿鍔ㄦ槸浠?箞锛?br />鈥?In the unusual event happened before the event?
鈥?whether the recent visit to a "normal" daily access to any Web site other than?
鈥?The system recently is in the external networks (for example, at airports, home networks, Wi-Fi hotspot or guest house)?
鈥?whether you are on the screen to see any unusual pop-up windows or ads?
聽聽聽 鈥?褰撳墠姝e湪杩愯鍝簺寮傚父鎴栨剰澶栬繘绋嬶紵
鈥?The computer is a workstation or server? It uses what operating system?瀹冨簲鐢ㄤ簡鍝簺瀹夊叏鏇存柊锛?br />鈥?it connected computer or any device whether to include mission-critical data?
鈥?whether the user account that has administrator privileges login?
鈥?the user whether to use strong passwords or password?
聽聽聽 鈥?璇ョ郴缁熶互鍓嶆槸鍚﹂伃鍒拌繃鎭舵剰杞欢鏀诲嚮锛?br />
聽聽聽 璇勪及璇ユ暟鎹?br />Collection of answers to these questions, technical support staff should assess the control group the following questions to collect data to help determine whether malicious software may be a reason:
鈥?whether the report could be a legitimate system features a new feature or update the results?
鈥?it can by the authorized user (not hackers / intruders) to explain the activities?
聽聽聽 鈥?瀹冭兘鍚︾敱宸茬煡鐨勭郴缁熸椿鍔ㄥ緱鍒拌В閲婏紵
聽聽聽 鈥?瀹冭兘鍚︾敱瀵圭▼搴忔垨绯荤粺鐨勬巿鏉冩洿鏀瑰緱鍒拌В閲婏紵
Finally, check the external anti-virus source, to determine whether the report, some of the existing virus or worm alert.
Collect detailed information
聽聽聽 姝ゆ椂锛屽彲浠ョ‘瀹氭柊鎭舵剰杞欢鏀诲嚮鏄惁鏄棶棰樼殑鍙兘鍘熷洜銆傚鏋滀笉鏄紝鍒欏彲鑳介渶瑕佹洿楂樼骇鍒殑鎶?湳淇℃伅锛屼笖鎶?湳鏀寔浜哄憳鍙兘闇?浠ョ墿鐞嗘柟寮忚闂紙濡傛灉鍙兘锛岃繙绋嬫帶鍒讹級鍙枒绯荤粺銆?You can use the following example to collect more detailed technical information, and clearly identify whether the system has been hackers or malicious code attacks:
鈥?equipment itself or in front of the firewall is enabled?濡傛灉鍚敤锛屽摢浜涚鍙e凡鍚?Internet 寮?斁锛?br />聽聽聽 鈥?濡傛灉搴旂敤绋嬪簭鍑虹幇鏁呴殰锛屽垯绔嬪嵆鑱旂郴搴旂敤绋嬪簭渚涘簲鍟嗕互纭畾鏍规湰鍘熷洜锛堜緥濡傦紝褰撳墠鐨?Microsoft 搴旂敤绋嬪簭鎻愪緵鍙敤浜庡彂閫佹晠闅滄姤鍛婄殑閿欒鎶ュ憡宸ュ叿锛夈?
鈥?the existence of the system has been released, but not yet installed the security update?
聽聽聽 鈥?绯荤粺鎷ユ湁鍝绫诲瀷鐨勫瘑鐮佺瓥鐣ワ紵 What is the minimum password length? Password complexity requirements?
鈥?the existence of the following new or suspicious circumstances:
鈥?the local computer if there is any new or suspicious account?
鈥?Administrators group for the presence of new or suspicious account?
聽聽聽 鈥?鏈嶅姟绠$悊鎺у埗鍙颁腑鏄惁鍒楀嚭浜嗘柊鐨勬垨鍙枒鐨勬湇鍔★紵
鈥?Event logs for new or suspicious incidents?
聽聽聽 鈥?鏄惁瀛樺湪鐢?Netstat 瀹炵敤绋嬪簭鎶ュ憡鐨勬寚鍚戝閮?IP 鍦板潃鎴栧彲鐤?IP 鍦板潃鐨勭綉缁滆繛鎺ワ紵
Response to unusual activity
The initial information gathered and used to determine the nature of alarm, the support staff should determine what happened is that false alarms, hoax or the real malicious software.
聽聽聽 鍒涘缓鍋囨伓鎰忚蒋浠舵姤鍛婅姣斿紑鍙戠梾姣掓垨锠曡櫕瀹规槗寰楀锛屽畠鍙互纭繚鍒涘缓璁稿鍋囨伓鎰忚蒋浠惰鎶ャ? These hoaxes and their calls and warnings generated will waste a lot of time and money. Mischief will bring trouble to the user, and usually report them to question the role of possible attacks. Should note the following to ensure proper handling of alarms:
鈥?false alarms. If the report is a false alarm, you should record call information. Regularly check the information may help determine the need for additional user training.
鈥?prank. Tracking and recording false alarms and malicious software malware real activities are important because they are still attacking instance - but they do not use malicious code.灏嗘湁鍏冲亣鎭舵剰杞欢璀︽姤浠ュ強鐪熸鎭舵剰杞欢濞佽儊鐨勪俊鎭姤鍛婄粰鐢ㄦ埛搴斾负缁勭粐鐨勫父瑙勯槻鐥呮瘨閫氫俊鐨勪竴閮ㄥ垎銆?This information will help users identify in advance hoax, thereby reducing the efficiency of the lower level.
鈥?known to be infected. If the system is infected, support staff should take steps to determine whether the infection is to use existing anti-virus applications deal with known attacks. Should check the system's anti-virus application to ensure it is functioning properly and to keep up to date.鐒跺悗锛屽簲杩涜瀹屾暣鐨勭郴缁熸壂鎻忎互灏濊瘯娓呯悊绯荤粺銆?If the scan successfully identify and clean up the infection, you should record call and send a warning to all users, to ensure that their anti-virus systems up and running and has been updated.濡傛灉鎵弿鏃犳硶鏍囪瘑鐗瑰畾褰㈠紡鐨勬伓鎰忚蒋浠讹紝鍒欏簲灏嗗叾瑙嗕负鏂版劅鏌擄紝骞堕伒寰?amp;quot;浜嬩欢鍝嶅簲杩囩▼"閮ㄥ垎涓殑鎸囧崡銆?br />鈥?New infections.濡傛灉绯荤粺鍙楀埌鏂版伓鎰忚蒋浠舵敾鍑荤殑鎰熸煋锛屽垯搴旀墽琛屼竴浜涘垵濮嬫搷浣滐紝浠ョ‘淇濇纭湴浜ゆ祦闂銆?The initial operation is designed to help IT support staff has always followed a process used to ensure proper operation follow the process.瀵瑰墠闈㈠垪鍑虹殑鍒濆闂鐨勫洖绛斿皢甯姪纭畾鍦ㄦ闃舵搴旇?铏戜互涓嬪摢涓垵濮嬫搷浣滐細
聽聽聽 鈥?浣跨敤璀︽姤璇︾粏淇℃伅鑱旂郴绱ф?鍝嶅簲灏忕粍鐨勬寚瀹氭垚鍛樸?
鈥?If you suspect your computer is a server, then contact the administrator to discuss whether it remove the computer from the network.
鈥?If the suspicious computer is a workstation, the link its users to discuss whether to remove the computer from the network.
鈥?To consider the IT system users to trigger a high alarm or warning of attacks against detected warning.
At this point, the role of support staff has been completed. The sudden responsibility will be transferred to the incident response process and the need to inform the Computer Security Incident Response Team (CSIRT) members.
Step 2: Incident Response
CSIRT will need to convene an emergency meeting as soon as possible to help arrange an event organized to respond to the next stage of the process. About how to create Incident Response Team, as well as the usual security and disaster recovery process more information, please see this guide in the same chapter.
For the purpose of this guide, assuming CSIRT has been created.姝ゆ椂锛岃灏忕粍鐨勭涓?釜鐩爣搴旀槸纭畾鍗虫椂绐佸彂鎺у埗鏈哄埗銆?The following section provides will help determine the mechanism and its components of the options.
聽聽聽 绱ф?绐佸彂鎺у埗
Confirmed malicious software attacks, the first step in control is to ensure that the sudden infection of computer and other equipment isolation. To ensure the isolation of infected computers is important, because it will not spread these malicious computer code. There are different mechanisms used to achieve this isolation, these mechanisms would affect the normal operation of the organization.瑕佺偣:濡傛灉鐩镐俊缁勭粐灏嗘彁璇峰垜浜嬫垨姘戜簨璇夎锛屽垯 Microsoft 寤鸿鎮ㄥ湪閲囧彇杩涗竴姝ョ殑鎺柦鍓嶅挩璇㈢粍缁囩殑娉曞緥浠h〃銆?br />
If the anti-virus community to detect sudden, use anti-virus vendor to provide a guide to help you determine the severity of emergencies. If the current burst in the broader anti-virus community is unknown, should be as soon as possible incidents reported to the anti-virus vendor. They may ask you to malware sample on compression and password protected file and send it to them so that they analyze. Find these examples of the process is not always straightforward, therefore, ideally should be prepared in advance to find malware sample preparation guide.
The next operation to be performed real-time process is to control the spread of attacks. Should consider three basic options:
鈥?The system has been damaged and the local network is disconnected.
鈥?If possible, isolate the infected host on the network contains.
聽聽聽 鈥?濡傛灉鏁翠釜缃戠粶宸查伃鍒扮牬鍧忔垨鏈夊彲鑳介伃鍒扮牬鍧忥紝鍒欏皢鏁翠釜缃戠粶涓庢墍鏈夊閮ㄧ綉缁滄柇寮?繛鎺ャ?
聽聽聽 鍙互閲囧彇璁稿鏇磋缁嗙殑鎶?湳姝ラ锛屽鐩戣瑕佸皾璇曠殑缃戠粶浠ュ強鏍囪瘑鏀诲嚮娑夊強鐨勭綉缁滅鍙e拰 IP 鍦板潃銆?However, if not yet completed a detailed analysis of the malicious software, it is likely omission may lead to more widespread infection of attack methods.缁勭粐鍙敤浜庣‘瀹氳椋庨櫓鏄惁鍙互鎺ュ彈鐨勫敮涓?満鍒舵槸瀹屽杽鐨勫畨鍏ㄩ闄╄瘎浼版姤鍛娿?璇ユ姤鍛婁娇鎮ㄨ兘澶熺‘瀹氭湭闃绘鏀诲嚮浠ュ強鍙兘鎰熸煋鎴栨剰澶栫敤浜庡瀹㈡埛鎴栧悎浣滀紮浼寸粍缁囧彂璧锋敾鍑绘墍娑夊強鐨勯闄┿?濡傛灉鍦ㄦ敾鍑诲彂鐢熷墠鏈畬鎴愭椋庨櫓鍒嗘瀽锛屽垯寤鸿缁勭粐鍔″繀灏忓績浠庝簨锛屽苟閫氳繃閫夋嫨鏈?珮绾у埆鐨勯殧绂绘帾鏂芥潵灏嗕紶鎾敾鍑荤殑鍙兘鎬ч檷鑷虫渶浣庛?
The options listed here only as a guide. May depend on the specific business needs of operational processes, regional settings, effects, severity and other factors, and other may only apply to organizations and unexpected environmental factors.
Ready to resume
Activation of emergency control mechanism, the activity should start the recovery process. The main objective of the recovery process is to ensure to achieve the following objectives:
鈥?Organization of business would be devastating to a minimum.
鈥?recovery from the attack time as fast as possible.
聽聽聽 鈥?鎹曡幏鐢ㄤ簬鏀寔鍙兘鐨勮捣璇夌殑淇℃伅銆?br />鈥?Capture the information for the development of other security measures (if necessary).
聽聽聽 鈥?閽堝宸叉仮澶嶇殑绯荤粺锛岄樆姝㈣绫诲瀷鐨勮繘涓?鏀诲嚮銆?br />
聽聽聽 閬楁喚鐨勬槸锛屽墠涓や釜鐩爣闇?"蹇?淇"鏂规硶锛岃?鍏朵綑涓変釜鏂规硶闇?鑺辨椂闂存敹闆嗘湁鍏虫敾鍑荤殑淇℃伅浠ヤ究瀹屽叏浜嗚В瀹冦? To satisfy these two conditions (that is, to solve the problem quickly, and still capture all relevant data required), please consider using the process shown in the image. The process is designed to ensure the release as soon as possible to restore infected systems, while ensuring that the necessary discussion of the data is not lost.璇ユ暟鎹緢閲嶈锛屽洜涓烘偍鐨勭粍缁囧皢浣跨敤瀹冪‘瀹氭仮澶嶇殑绯荤粺鏄惁浼氬厤鍙楁湭鏉ョ殑鏀诲嚮锛屽悓鏃跺畠杩樺皢鐢ㄤ綔璇佹嵁锛堝鏋滀互鍚庨噰鍙栨硶寰嬫椿鍔級銆?br />
System recovery and virus analysis process should be run as parallel activities to ensure the fastest possible recovery time.
鍥?聽 鍒嗘瀽鍓嶇殑鎭㈠姝ラ
聽聽聽 浣挎墍鏈夌郴缁熷緱浠ユ仮澶嶇殑鏈?揩鏂规硶鏄‘瀹氭煇涓彈鎰熸煋绯荤粺鑳藉惁鐢ㄤ簬鍒嗘瀽銆傚鏋滆兘澶熺敤浜庡垎鏋愶紝鍒欏簲闅旂鍜屽垎鏋愯绯荤粺銆?If you can not be isolated and analyzed, the next best option is to use some type of image software to create the system copy. If the option is available, the system should be shot images, released to restore the original computer, and then create a clone system.
In evidence to be collected or can be a more detailed analysis of the situation, take an infected computer as soon as the image (in the patch starts Zhi Qian) is very important, so be by the best and most appropriate method identifies priority treatment and deal with infection.
Finally, if you can not capture an image, then released to restore the system, should collect a minimum amount of court data. Ideally, the organization's security team should develop and maintain some type of incident response toolkit. You can use this toolkit will be used to provide systems to collect data on the instability and stability in the court system data.璇ュ伐鍏峰寘鍙互鏄洿瀹屾暣鐨勬伓鎰忚蒋浠跺垎鏋愬伐鍏峰寘锛堝皢鍦ㄦ湰绔犵殑涓嬩釜閮ㄥ垎涓敤浜庢毚闇插拰璁板綍鎭舵剰杞欢鐨勬墍鏈夊厓绱狅級鐨勫瓙闆嗐? However, the incident response toolkit main difference is that it should be captured in the shortest period of time the minimum level required for system information, so that the system can be resumed as soon as possible for release.
相关链接:
Dynamic Change CBA buttonProject Management reviewsAvi ps3In Section North soft, direct plug in for the "wings"!New Timers And Time SynchSTORM infringement advice to the court sentenced the company abandoned online playswf formatSalesforce Executives Leaving Three Hundred Will Continue To RecruitE-cology In The Pan Micro Series 29VC environment created in the symbian build EXE project questionsOfficial air strike 2 Cheatsmpeg4 Mp4Articles about DESKTOPContinuous production of the home page background musicInfomation Screen CaptureHitachi trademark infringement, Why still so arrogant?QUICKTIME for iphone 3g