
29 February 2016

Detecting and Recovering from Malware Infection


Preparation

  • Prepare incident handling procedures and policies
  • Educate staff on the procedures and exercise them regularly


Detection

A malware infection is usually identified from three sources in an organization: users, IT staff, and the security tools such as antivirus and anti-spyware software installed on the systems. The indications vary with the type of malware. Security tools report specific details of what they identified, whereas users and IT staff observe abnormal host and network activity (slow systems, unknown processes, unexpected network traffic). As soon as an infection is detected it should be reported to the responsible party within the organization, preferably the information security team. The information security team should then validate the report and categorize the malware to determine its priority, based on:

  1. The type of the malware
  2. The origin of the malware (how it entered and how it propagates)
  3. Which systems on the network are affected
  4. How fast the malware is spreading through the network


Containment

Containment is required in most malware incidents and should begin as soon as the malware has been properly detected and validated. Different containment mechanisms can be deployed depending on the malware category and the level of risk acceptable to the organization. The containment mechanism should be chosen by the authoritative person designated in the organization's policy. The following containment mechanisms can be deployed:

  1. Containment through user participation: users are given instructions so that they can perform the containment steps themselves.
  2. Containment through automated detection: security tools such as antivirus software quarantine and contain the malware.
  3. Containment through disabling services: if the malware targets a specific service for spreading and attacking, the organization should be prepared to disable that service, recognizing the impact the disruption might have on organizational functions.
  4. Containment through disabling connectivity: the organization should be prepared to place additional restrictions on network connectivity to contain the incident, recognizing the impact those restrictions might have on organizational functions.
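The triage described above, from validating a report through the four priority criteria to choosing one of the four containment mechanisms, as an added worked example that is not part of the original page. The event lines, the host inventory (SERVERS), the 10-minute spread window, the scoring weights and the score-to-priority cut-offs are all constructed assumptions for illustration, not an organization's real policy:

```python
# Added example: categorise malware reports and pick a containment mechanism.
# Event format, asset inventory, scoring weights and thresholds are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real logs). One per line:
#   <ISO timestamp>|<source: av|user|it>|<host>|<key=value;...>
SAMPLE_EVENTS = """\
2016-02-29T08:01:10|av|ws-014|family=Worm.Generic;action=quarantined;vector=smb
2016-02-29T08:03:42|av|ws-022|family=Worm.Generic;action=detected;vector=smb
2016-02-29T08:05:05|user|ws-031|report=unknown process and heavy network traffic
2016-02-29T08:06:30|av|fs-01|family=Worm.Generic;action=detected;vector=smb
2016-02-29T08:09:12|av|ws-040|family=Worm.Generic;action=quarantined;vector=smb
2016-02-29T09:40:00|av|ws-002|family=Adware.Generic;action=quarantined;vector=web
"""

SERVERS = {"fs-01", "dc-01"}     # assumed asset inventory: servers weigh more
WINDOW = timedelta(minutes=10)   # window used to measure the spread rate


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    fields: dict


@dataclass
class Summary:
    family: str
    malware_type: str      # 1. type of the malware (taken from the family name)
    origin: str            # 2. origin / propagation vector reported by the tool
    hosts: set             # 3. systems affected
    servers: set
    peak_rate: int         # 4. most hosts newly infected inside one WINDOW
    all_quarantined: bool  # did the security tool already contain every instance?


def parse_events(text):
    """Parse the pipe-separated event lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, host, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)
        events.append(Event(datetime.fromisoformat(ts), source, host, fields))
    return events


def summarise(events):
    """Group events by malware family; user reports carrying no family name
    land under 'unclassified' so the security team can validate them first."""
    by_family = {}
    for ev in events:
        by_family.setdefault(ev.fields.get("family", "unclassified"), []).append(ev)
    out = {}
    for fam, evs in by_family.items():
        evs.sort(key=lambda e: e.ts)
        first_seen = {}
        for e in evs:
            first_seen.setdefault(e.host, e.ts)
        times = sorted(first_seen.values())
        # spread rate: the largest number of hosts first seen inside any one WINDOW
        peak = max(sum(1 for t in times if t0 <= t < t0 + WINDOW) for t0 in times)
        hosts = set(first_seen)
        out[fam] = Summary(
            family=fam,
            malware_type=fam.split(".")[0].lower(),
            origin=evs[0].fields.get("vector", "unknown"),
            hosts=hosts,
            servers=hosts & SERVERS,
            peak_rate=peak,
            all_quarantined=all(e.fields.get("action") == "quarantined" for e in evs),
        )
    return out


def priority(s):
    """Score the four criteria from the page; weights and cut-offs are assumed."""
    score = 0
    if s.malware_type in ("worm", "trojan", "ransomware"):
        score += 2                 # self-propagating or persistent types
    if s.origin in ("smb", "rpc", "email"):
        score += 1                 # spreads over a service the organization runs
    score += min(len(s.hosts), 3)  # breadth of affected systems
    score += 2 * len(s.servers)    # servers count more than workstations
    if s.peak_rate >= 3:
        score += 2                 # fast spread within a single window
    return "high" if score >= 7 else "medium" if score >= 4 else "low"


def recommend_containment(s):
    """Map the summary to one of the four containment mechanisms on the page."""
    if s.all_quarantined:
        return "automated: the antivirus already quarantined every instance"
    if s.peak_rate >= 3 and s.origin in ("smb", "rpc"):
        if s.servers:
            return ("disable connectivity: isolate %s and block %s between segments"
                    % (sorted(s.servers), s.origin))
        return "disable service: stop %s on %s" % (s.origin, sorted(s.hosts))
    return "user participation: instruct users on %s to disconnect and report" % sorted(s.hosts)


if __name__ == "__main__":
    for fam, s in summarise(parse_events(SAMPLE_EVENTS)).items():
        print(f"{fam:16} hosts={len(s.hosts)} rate={s.peak_rate}/10min "
              f"priority={priority(s)} -> {recommend_containment(s)}")
```

Running the script prints one triage line per family. The worm, which reached a file server and four hosts within ten minutes over SMB and was only partly quarantined, comes out as high priority with a recommendation to isolate the server and block SMB between segments; the single quarantined adware hit is low priority and needs no further containment; the user report with no tool detection stays "unclassified" and is handed back to users for disconnection until the security team has validated it. In practice the weights, the service list and the window should come from the organization's own policy rather than the constants used here.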


Eradication

The primary goal of eradication is to remove the malware from infected systems. Sometimes this also includes eliminating or mitigating the system vulnerabilities and other security weaknesses the malware used, which should prevent the system from being reinfected or from being infected by another instance of the malware or a variant of the original threat.

Instead of performing typical eradication actions, organizations should strongly consider rebuilding any system that has any of the following incident characteristics:

  • One or more attackers gained administrator-level access to the system.
  • Unauthorized administrator-level access to the system was available to anyone through a backdoor, an unprotected share created by a worm, or other means.
  • System files were replaced by a Trojan horse, backdoor, rootkit, attacker tools, or other means.
  • The system is unstable or does not function properly after the malware has been eradicated by antivirus software, spyware detection and removal utilities, or other programs or techniques.


Recovery

The two main aspects of recovery from a malware incident are restoring the functionality and data of infected systems and removing the temporary containment measures. Organizations should carefully consider possible worst-case scenarios, such as a new malware threat that wipes the hard drives of a large percentage of the organization's workstations, and determine in advance how the systems would be recovered in such cases.

Post-Incident Activity

Because malware incidents can be extremely expensive to handle, it is particularly important for organizations to conduct robust lessons learned activities for major malware incidents. Capturing the lessons following the handling of a malware incident should help an organization improve its incident handling capability and malware defenses, including needed changes to security policy, software configurations, and malware detection and prevention software deployments.

As proactive measures against malware infections, organizations may:

  • Use reputable antivirus software and a firewall. Maintaining a strong firewall and keeping the security software up to date are critical.
  • Back up often.
  • Enable the popup blocker in browsers.
  • Exercise caution. Do not click on links inside emails, and avoid suspicious websites.
  • Alert the relevant authorities.