Working on SEP Risk Alerts/Reports

Resolving Risks:

  1. Every risk alert should be treated as high priority and attended to as early as possible to stop any ongoing risk activity.
  2. Immediately disconnect the reported computer from the network or shut it down.
  3. Once it is disconnected, ensure the latest virus definitions are installed on the machine and run a local full scan.
  4. Determine the risk severity using the strategies below and act accordingly.

If the risk incident meets any of the conditions below, it is considered a high severity risk; otherwise it is a low severity risk:

From the data in the risk request:

· Sum of risk count per machine is more than 5 (choose a threshold according to your risk appetite).

· The reported user name has elevated privileges, e.g. temp-admin, administrator, SYSTEM.

In Symantec Threat Explorer, search for the reported risk and read through the following Threat Assessment technical details:

· Risk Level: a risk level of Medium or above indicates a significant risk.

· Wild, Damage and Distribution details.

· Removal: indicates a significant risk if it is NOT listed as easy.

· Under the Distribution section, if the risk is listed as capable of spreading through the network, the reported PC must not be allowed to connect to the network for any reason until it is confirmed to be clean or has been rebuilt.
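The severity rules above, written out as a small triage script. This is an added example, not part of the original post or of any Symantec tooling; the threshold, the list of elevated account names and the sample alert rows are constructed assumptions, and the Threat Explorer details are assumed to have been copied by hand into the assessments table.

```python
from collections import Counter
from dataclasses import dataclass
RISK_COUNT_THRESHOLD = 5   # hypothetical values: tune to your own risk appetite
ELEVATED_USERS = {"temp-admin", "administrator", "system"}
SIGNIFICANT_RISK_LEVELS = {"medium", "high", "very high"}

@dataclass
class RiskEvent:          # one row of the SEP risk alert or report
    computer: str
    user: str
    risk_name: str
    count: int = 1

@dataclass
class ThreatAssessment:   # details read from the Threat Explorer entry
    risk_level: str       # "Low", "Medium", "High", ...
    removal: str          # "Easy", "Moderate", "Difficult", ...
    network_spread: bool  # Distribution says it spreads through the network
UNKNOWN = ThreatAssessment("Unknown", "Unknown", False)  # not looked up yet

def triage(events, assessments):
    """Return {computer: (severity, reasons)}; no reasons means LOW severity."""
    reasons = {ev.computer: set() for ev in events}
    totals = Counter()
    for ev in events:
        totals[ev.computer] += ev.count          # sum of risk count per machine
        r = reasons[ev.computer]
        if ev.user.lower() in ELEVATED_USERS:
            r.add(f"elevated account {ev.user}")
        ta = assessments.get(ev.risk_name, UNKNOWN)  # unknown is never "easy"
        if ta.risk_level.lower() in SIGNIFICANT_RISK_LEVELS:
            r.add(f"risk level {ta.risk_level}")
        if ta.removal.lower() != "easy":
            r.add(f"removal {ta.removal}")
        if ta.network_spread:
            r.add("spreads through network: keep offline until clean or rebuilt")
    for computer, total in totals.items():
        if total > RISK_COUNT_THRESHOLD:
            reasons[computer].add(f"risk count {total} > {RISK_COUNT_THRESHOLD}")
    return {c: ("HIGH" if r else "LOW", sorted(r)) for c, r in reasons.items()}

SAMPLE_EVENTS = [  # constructed sample alert rows for a dry run
    RiskEvent("WS-101", "jdoe", "Trojan.Example", 3),
    RiskEvent("WS-202", "temp-admin", "Backdoor.Example"),
    RiskEvent("WS-303", "asmith", "Trojan.Example", 6),
]
SAMPLE_ASSESSMENTS = {  # constructed stand-ins for hand-copied Threat Explorer details
    "Trojan.Example": ThreatAssessment("Low", "Easy", False),
    "Backdoor.Example": ThreatAssessment("High", "Difficult", True),
}
```

A risk name missing from the assessments table is deliberately flagged as high, since a risk that has not been looked up cannot be assumed to be easy to remove.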

If the risk severity is high, investigate the details below and finally rebuild the reported PC to ensure it is free from all traces of the virus.

Analyze the logs and:

· Identify the source of the risk and understand how it entered the PC. If the source is removable media of some kind, educate the user and rebuild the PC.

· Check the complete risk history of the reported PC for any recent risks and note under which account each was reported (domain or administrative). Recent risk events under an administrative account, and/or a risk type of backdoor or dropper, indicate that traces of a previous incident may be active again.

Read through the technical details of the risk in Symantec Threat Explorer and follow any specific removal instructions provided.

If, with the latest virus definitions, Symantec keeps reporting the risk but repeatedly fails to clean it, work with Symantec to determine whether this is a completely new risk.

If Symantec confirms it is a new risk and provides new virus definitions, make sure they are pushed to all machines as soon as possible.

If the risk severity is low and the full scan reports no risks, bring the PC back online. If the source was removable media, educate the user not to bring removable media from untrusted sources.

If you suspect the virus is still present on the computer, or if events continue to be reported even after the full scan, get help from the next-level SEP experts and have the machine quarantined.
