Security Procedures

Responding To Incidents - Support Staff

20 Nov 2013

Issues to consider:

  1. Notify IST
    • They are likely the ones who told us something was wrong in the first place.
  2. Create a CS work request (ST)
    • ST fields
      • Subject: [GROUP] host.cs nature of problem
        • [GROUP], including the brackets, reflects the department; it helps filter which support group will be involved
      • Requester: soc@uwaterloo.ca
      • Service: Desktop, Server, etc
      • Component: Security and a subcategory that matches the nature of the compromise.
      • Advancement: Problem and a subcategory that matches the nature of the compromise.
    • Keywords: security and any others that relate
    • Mark the ST private. We don't need the world knowing that a machine is lacking patches.
  3. Who owns the machine? Find out using these resources:
  4. Policy 8 - Information Security
  5. Emailing the owner: the user will sometimes (often) have been cc'ed on the abuse email. Most users don't know what to make of it. They may not even know who you are. Keep that in mind when composing messages: see the general guidelines below.
  6. Is it causing a massive network disruption? Find it and cut it off the network!
    • If you use ONA to do this, put the ST number in the comment field so that others can undo the blocked port later on.
  7. Assign the ST
  8. Notify the user or group of anything you do to his or her machine or network connection. If it's a shared machine (e.g., softbase, plg2, ds, mail.cs, etc.) the affected group needs to know, so contact them.
  9. Other general guidelines
    • Do not imply the user has done something wrong, unless you have very good reason to believe this
    • It is entirely possible that the user has no idea what's happening on his/her PC

Other UofW Security Resources and Documents

Keeping software up to date

  • Secunia Software Inspector
    • Feature overview - the Secunia Software Inspector:
      • Detects insecure versions of applications installed
      • Verifies that all Microsoft patches are applied
      • Assists you in updating your system and applications

User Education - Application and OS Vulnerabilities

The following links show very useful statistics that can help an end user gauge the risk of using common internet-enabled products.
Note that many of the links contain charts of risk histories for each product.

User Applications

Example Risk History for Internet Explorer

Operating Systems

Please feel free to add any others that are common ...

Procedure for cleaning Malware and Virus Infected Windows Machines

First Response Recipe

  • FirstResponseRecipe - steps that CSCF staff can take to analyze a machine that is suspected of being infected

Minimum Recommendations

updated 20 Nov 2013

  1. Make sure you contact your CSCF point of contact if you suspect Virus or Spyware issues
  2. Make sure you have Symantec Antivirus and that it is working
    • Many types of Malware will uninstall or disable Antivirus software!
  3. Make sure you have Microsoft security software
  4. Run Microsoft Safety Scanner
  5. Consult the Removal and Detection Tools sections below

Suggestions

20 Nov 2013

  1. Ad-Aware Free Antivirus

Microsoft Safety & Security Center

updated 20 Nov 2013
Main Microsoft Security home page - all tools and resources link from here

Windows Security Tools

Removal Tools

20 Nov 2013

  • Microsoft Safety Scanner
  • The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software. Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again. The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection. For real-time protection that helps to guard your home or small business PCs against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

Antivirus Ranking and Testing

20 Nov 2013

  • http://www.virusbtn.com
  • This site has comprehensive testing of most of the Anti Virus products on the market.
  • Free registration gives all product reports and basic testing results
  • Note: Some documents have to be purchased

Symantec AntiVirus Corporate Edition

Web Page: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=155&EID=0
Download Links: http://ist.uwaterloo.ca/admin/norton.html (Use UW Software Depot)
BE SURE YOU HAVE THIS PROGRAM INSTALLED - many types of Malware will disable or uninstall Antivirus Software!
The University of Waterloo has signed a license agreement with Symantec for use of the Norton Anti-Virus software. Included in the agreement are versions for:
  • Windows 98, ME, NT, 2000 and XP
  • Macintosh
This software is available for any University owned machine. There is a "home use" clause in the license for this software. That means that a faculty or staff member who has the software on their machine at the university may also install the same version on a machine at home or on a laptop (but not both). This does not count as two copies of the software.

ESET NOD32 AntiVirus

Web Page: http://www.eset.com
Download Links: http://www.eset.com/download/index.php
This software can be used as a 30 day trial. It has the best rated support for unknown viruses because it uses virtualization technology to detect virus behaviour rather than just scanning for signatures.

Kaspersky AntiVirus

20 Nov 2013

Spybot-S&D

10 April 2014

  • DO NOT INSTALL THIS

Ad-Aware Free Antivirus+

20 Nov 2013

  • Web Page: http://www.lavasoftusa.org
  • Download Links: http://www.lavasoft.com/products/ad_aware_free.php
  • Description from site: Combining our legendary anti-spyware with a powerful antivirus, Ad-Aware Free Antivirus+ enhances them with real-time protection, download protection and continuously updated filters against malicious URLs, providing top-of-the-line anti-malware protection for the casual computer user.

Microsoft Baseline Security Analyzer (MBSA)

Web Page: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Note: this tool can help do a security audit of your machine. There are Virus/Trojan programs that will adjust your settings to make it easy to break in the next time.

Malicious Software Removal Tool

Web Page: http://www.microsoft.com/security/malwareremove/default.mspx
Download Links: http://www.microsoft.com/security/malwareremove/default.mspx

Malwarebytes

  • Site: http://www.malwarebytes.org
  • This is one of the better free and commercial removal tools and is frequently referenced.
    • Please be sure to observe the license requirements when using the free version.

Detection Tools

Active Ports

Web Page: http://www.devicelock.com/freeware.html
Download Links: http://www.devicelock.com/freeware.html
Notes

  • The program will dynamically list all of the programs using network connections.
  • A neat feature is the color coding of connections that change state so you can quickly see what is going on.
  • It has an option for terminating any of the listed processes.
  • Be sure to turn Always on Top off
  • Note: Symantec Antivirus will show a misleading warning for aports.exe. This is harmless; you should only be concerned if it was NOT installed by you or your support group.
    See http://www.symantec.com/avcenter/venc/data/securityrisk.aports.html for more information.
    Summary: the program provides a programming API that can be used to kill processes. Aports has been found bundled with some harmful programs that make use of its API to kill processes, which is why it is flagged, but it is otherwise harmless.
  • If you plan to use this utility you have to put an exception in the real-time scan and in ALL scan profiles.

Process Monitor

Web Page: http://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx

Notes: Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Explorer

Web Page: http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx
Download Links: http://download.sysinternals.com/files/ProcessExplorer.zip
Notes:

  • This program uses color highlighting to show the changing state of processes. Just about anything you want to see about a process can be shown by picking which columns you want to view, or by right-clicking a process, picking Properties and then opening a tab based on the category of information you wish to see.
  • Right click: Web Search for process name
  • Does many of the functions that TaskInfo (see below) does; it does not have tabbed views, so it is more awkward, but it is free.

Task Info

Web Page: http://www.iarsn.com/taskinfo.html
Download Links: http://www.iarsn.com/download.html
Notes - I have found it to be my number one tool for tracking down Trojan/Spyware programs that are not detected by standard scanning software (e.g. AV and Spyware scanners)

This is a summary of the options I find most useful in TaskInfo

  • Right click Web Search for process name
Tabbed views
  • System pane - with a Tabbed view - showing overall system usage
  • Process Information pane - with a Tabbed view of process details
  • Processes pane - list of all processes
Other features
  • Save all process information out to a nicely formatted HTML file
  • Flush memory, cache or processes out of memory
  • Find open file
  • Search strings in process
  • Automation - set process priority - you can force a priority for a list of processes by configuration
  • View all network connections or per process
  • View all files or per process
  • System and per process Tabbed views
Tracking down Trojan/Spyware
  • List all processes - even those that try to hide
    • Note: the listing of processes in task manager is voluntary - any process can hide
  • List open files for a given process
    • Find config and control files, etc
  • List open network connections - both overall and per process
  • list the starting process, full path of task and description of task
  • List process threads
  • change priority of threads and tasks
  • start debugging on a process
    • see what it is doing at a very low level
  • show versions of all processes and all used components (dll's etc)
    • Many virus/Trojan programs have no version information
    • Many machine operations issues are as a result of mismatched versions
  • kill processes that can't be killed with task manager
  • Use automation rules to idle unwanted processes automatically without user intervention
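The two checks the Active Ports and TaskInfo notes above are recommended for (which process owns which network connection, and which running binaries carry no version information) can also be run from a stock PowerShell session when neither tool is installed. The script below is an added example, not code from the original page or from either tool. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session (otherwise the paths of other users' processes are unreadable), and it adds two heuristics of its own that the page does not mention: Authenticode signature status and whether the binary runs from a user-writable directory.

```powershell
# Added example (not from the original page, Active Ports or TaskInfo):
# per-process network connections plus version-resource and signature checks,
# using only cmdlets that ship with Windows 8 / Server 2012 and later.
# Assumption: run from an elevated PowerShell session.

function Get-ProcessTriage {
    [CmdletBinding()]
    param(
        # Report only processes that own at least one TCP endpoint.
        [switch]$NetworkOnly
    )

    # Index TCP endpoints by owning PID (the built-in equivalent of the
    # per-process connection view Active Ports and TaskInfo provide).
    $connsByPid = @{}
    foreach ($c in Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $key = [int]$c.OwningProcess
        if (-not $connsByPid.ContainsKey($key)) { $connsByPid[$key] = @() }
        $connsByPid[$key] += ('{0}:{1} -> {2}:{3} [{4}]' -f
            $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.State)
    }

    # Directories a legitimate service binary rarely runs from. A hit is a
    # reason to look closer, not proof of anything (heuristic added by this
    # example, not a claim from the page).
    $suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemRoot\Temp") |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($p in Get-Process) {
        $conns = $connsByPid[$p.Id]
        if ($NetworkOnly -and -not $conns) { continue }

        $path = $p.Path          # $null for System/Idle and for processes we cannot open
        $flags = @()
        $version = $null
        $company = $null
        $signature = 'n/a'

        if ($path) {
            $vi = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
            $version = $vi.FileVersion
            $company = $vi.CompanyName
            # The TaskInfo tip from the page: many Trojan binaries ship no version resource.
            if (-not $version) { $flags += 'no-version-info' }

            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signature = if ($sig) { $sig.Status.ToString() } else { 'unknown' }
            if ($signature -ne 'Valid') { $flags += "signature-$signature" }

            foreach ($root in $suspectRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'user-writable-path'
                    break
                }
            }
        } else {
            $path = '(unreadable)'
            $flags += 'path-unreadable'
        }

        [pscustomobject]@{
            PID         = $p.Id
            Name        = $p.ProcessName
            Path        = $path
            Version     = $version
            Company     = $company
            Signature   = $signature
            Connections = ($conns -join '; ')
            Flags       = ($flags -join ',')
        }
    }
}

# Usage: network-owning processes only, flagged ones sorted to the top.
Get-ProcessTriage -NetworkOnly |
    Sort-Object { $_.Flags -eq '' }, PID |
    Format-Table PID, Name, Flags, Signature, Version, Connections -AutoSize -Wrap
```

Drop the -NetworkOnly switch to see every process, and pipe the objects to Export-Csv to attach the listing to the ST instead of pasting a screenshot. An unsigned or version-less binary is only a lead; confirm it against the owner's expectations before acting on it.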

Root Kit Detection

  • RootKitRevealer
    Web Page: http://www.sysinternals.com/Utilities/RootkitRevealer.html
    Download: http://download.sysinternals.com/Files/RootkitRevealer.zip
    RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!

Rescue CDs

Links to CDs that you can boot from and use anti-virus tools with or without a network connection

File Removal Tools

Note these tools will help delete locked files

  • Unlocker
    Capabilities, as listed in the feature comparison table on its site (the table's first column, Application, names the tools compared):
    • Close Handle
    • Kill Process
    • Unload DLL
    • Delete index.dat
    • Delete
    • Rename
    • Move
    • Invalid Names
    • Without reboot
    • With reboot
    • Context Menu
    • Command Line/GUI
  • Remove on Reboot
    "This shell extension adds the Remove on Next Reboot functionality to the Windows operating system. Just right click the file you want deleted and it will be removed the next time you reboot."
System Performance
  • List process CPU usage with graphic history
    • Useful in detecting active processes/CPU hogs
  • list detailed memory usage - per process and overall - both in memory and total size
    • Useful in assessing system memory requirements
  • List context switch rates - overall and per process plus running totals
    • Useful in determining swap file size and ram requirements

WinTasks 5 Professional

Web Page: http://www.liutilities.com/products/wintaskspro/features/
Download Links: http://www.liutilities.com/products/trial/

What's Running

Web Page: http://www.whatsrunning.net/whatsrunning/main.aspx
Download Links: http://www.whatsrunning.net/whatsrunning/Download.aspx

Web Sites that Document Windows Processes

ProcessLibrary.com Free Process Information

  • Note - they also have a plug-in for Windows Task Manager that links to their process library
    Quick Access InfoBar

Whatsrunning.net Process Information

Exedb.com: Process Information

-- MikePatterson - 01 Oct 2004, 18 Apr 2005

-- MikeGore - 19 May 2005

Topic revision: r43 - 2014-04-10 - MikeGore