Incident Response

Cleaning Up Malware (Part 1: The bigger picture)


I think every techie has their own ideas on how to clean up a malware outbreak. And every malware outbreak is different. There is no one size fits all answer. But this is roughly how I approach the situation in my day job.


Confirm Malware – Users aren’t always right. If a single user reports malware I want more than just their word on it. I’m not going to pull down a network/or servers just because one person had a brain fart. Feel free to have that user pull their own network cable. But that’s as far it goes until I have more information.


Containment/Identification – Once I have positive confirmation its malware next step is to contain it and stop it infiltrating the network. There are no easy rules here. It varies too much depending on the malware you are dealing with. To take 2 polar extremes on this: ransomware actively spreading across the network through a zero day attack vs adware that’s inundating a single user with annoying pop-ups. Common sense is key here.


Revoking Access– Once everything is quarantined/contained next step is to immediately reset everything associated with the user(s). All their passwords. O365. Social media. Any online accounts. Is this person in finance? Is this machine used for online banking etc etc User is not given any of the new credentials until they have a clean machine to work on.


Investigation – Will there be a report needed at the end of this outbreak? If yes you need to start documenting at this stage. We already know, generally speaking, what type of malware this is from Containment/Identification step. But at this stage you can get an exact ID on the malware. How did it get onto the network. Which machine is patient zero? How exactly did it spread across the network? Why did it spread to the machines that it did infect  and more importantly the machines that weren’t infected- why? Why were these other machines not infected? Are they on a different network boundary? Were the infected machines not patched? Etc etc


Eradicate Malware – Clean up your machines. Generally speaking, and I suppose this applies to most organisations, you have 2 main considerations.


Manual Clean vs Rebuilds (or in managements eyes €€ vs €€€€€€€€€)


The manual clean tends to be faster and easier, but you do run the risk of missing something. The rebuild option takes a lot longer but you reduce your chances of reinfection later down the line.


As techies, we all know there’s few things worse than to see your company (or a customer for us MSP lads) get infected with malware. But if you thought that’s bad, imagine the soul searching your going to be doing if that same customer gets ‘re-infected’ a few days/weeks later because you missed something the first time around.


Personally, I’m trigger happy when it comes to the ‘nuke it from orbit’ option. I have a few hard fast rules to follow.



Was the malware able to get admin level access? Yes? Wipe the machine.

Have any system files been edited/replaced? Yes? Wipe the machine.

Is there any question about the integrity of the drivers/services? Yes? Wipe the machine.

Is the machine unstable after scans/quarantine of malware? Yes? Wipe the machine.

Can you get an ID on the malware/do we know what it does and how it works? No? Wipe the machine.


How confident are you with those answers? Would you be willing to gamble your months salary with those answers? No? Wipe the machine.

Leave a Reply

Your email address will not be published. Required fields are marked *