Once you've identified that there's a symptom of malware that may be existing on your computer, what should you do about it? Well, the first thing you should do is scan the computer to see if there's actually malware on it. In this case, we have a virus that's been detected. How are we going to clean out that system from this virus or other types of malware? Well, before we take any action to try to clean up the virus, we want to make sure we have a good backup of our current system. As we go through and try to clean up the malware, we may have to change file systems. We may have to delete everything and start all over. We may have to change different configurations. And so making sure that we have a good backup of all of our files is critically important.

The first thing we're going to do is identify the symptoms of the malware infection. What is your computer doing that makes you think that it's been infected? Have new files been created? Is the computer acting slowly? Do you have gibberish showing on your screen? Whatever the things are, you need to notate that, because that will help you determine what type of virus or malware has been infecting your machine.

Next, we're going to quarantine the infected systems. Now, what does that mean exactly? It means that we want to prevent this system from communicating with other systems so that the malware from this system can't spread to others. Most commonly, we do this by turning off the network card or unplugging the network cable to remove your computer from your production network.

The third step to removing malware is to disable your system restore if you're using a Windows machine. The reason we want to do this is we want to make sure Windows isn't continuing to take snapshots of our infected machine. This makes a lot of sense if you think about it. Let's say we go and we clean out this piece of malware, and a couple of months go by, or even a year, and we have an issue with our system. We decide to revert to a good backup, and we end up choosing one of those snapshots that was taken while the malware was enabled. This is going to be a mistake that we made, but by doing so, we're reintroducing and reinfecting ourselves. And for this reason, we want to go and turn off our Windows Restore. Also, we want to go back and delete any of the snapshots that may have been taken during the time the computer was infected.

The fourth step to removing malware is to remediate the infected machine. This includes updating our antivirus and anti-malware software on the machine, using its scanning capabilities, quarantining capabilities, and removal techniques to our advantage. Now, what are some of these techniques? Well, this includes doing things like rebooting your machine into safe mode and going into a pre-installation environment and then running the scans from your anti-malware software. Now, this is important because if you're using a normal Windows machine, a lot of the files are in use when you're normally booted up. And so to remove that virus, you need to make sure that that file isn't in use. But when you reboot yourself into safe mode, you're able to minimize the number of files that are in use, and that allows the anti-malware solution to remove the malware more effectively and much more cleanly.

Our fifth step is to schedule automatic updates and scans. This will ensure that we've removed the malware and we can prevent it from coming back. The most common way of getting malware into your system is because you don't have an updated anti-malware solution on there. By scheduling automatic scans and updates, we're going to make sure that the engine and the virus definitions are always up-to-date in our anti-malware product. And we're going to make sure we're doing a scan at least on a weekly basis to keep malware off our system.

The sixth step is to re-enable our system restore. And we want to create a new restore point now that we have a clean system. We're going to label this as a known good backup because there's no malware in the system, and we've already cleaned everything up. This gives us our fresh new starting point. So, if we have any issues in the coming weeks, we can always roll back to today's date.

The seventh and final step is that we're going to provide end-user security awareness training. Yes, this is very important, because if the user is the one who clicked on a link or downloaded a piece of software and got the virus, we want to show them the proper things to do so this doesn't happen again in the future. One of the biggest problems we have in our enterprise networks is that our users do silly things. And that is the source of most of our security problems. So, making sure our users go through good online security training and learn the proper way to use their machine is going to help us prevent a lot of issues in the future.

Now, one final note: if you have a boot sector virus, you're going to have to reboot your computer from an external device to scan it. The reason for this is when you boot it up from the internal hard drive, it's going to read from the boot sector and load up the virus, whether you're in safe mode or in normal mode. But when you boot from a USB, a CD, a DVD, or an external hard drive, you're going to be able to scan the internal hard drive, including that boot sector, and that way, you can find that malicious file and get it out of there.

Another technique or method that you can use to remove malware from a drive is to physically remove the hard drive from the victimized machine. Connect it to a clean workstation as a secondary drive and then scan it using that clean workstation. Again, because it's being hooked up as an external drive, the files aren't already in use, and the malware can be more easily removed. Then replace that hard drive back into the victimized system to go through the rest of your restoration steps.