Published: July 10, 2007 | Updated: February 17, 2012
Download the Malware Response Guide
About This Guide
The Infrastructure Planning and Design (IPD) Guide for Malware Response replaces Malware Removal Starter Kit: How to Combat Malware Using Windows PE.
The new Infrastructure Planning and Design Guide for Malware Response will help organizations plan the best and most cost-effective response to malicious software. This guide provides methodologies for the assessment of malware incidents and walks the reader through the considerations and decisions that are pertinent to timely response and recovery. It also describes approaches to investigating outbreaks and cleaning infected systems.
Figure 1. Decision flow chart
In More Detail
The Malware Response Guide includes the following content:
- Step 1: Confirm the Infection. This step involves taking actions to immediately contain an infection. Information is gathered from the user and about the system to help assess the breadth of the problem.
- Step 2: Determine the Course of Action. This step involves determining the risk to data, performing backups (if required) before proceeding with the chosen course of action, and deciding whether to examine the malware’s effects on the system. It also involves deciding whether to clean the malware, restore the system state, or rebuild the system.
- Step 3: Attempt to Clean the System. This step involves putting the system cleaning plan into effect, including attempting to remove the malware with automated tools such as antimalware products.
- Step 4: Attempt to Restore the System State. This step involves attempting to restore the system state, and evaluating the restored system for the effectiveness of malware removal.
- Step 5: Rebuild the System. This step involves rebuilding the system either from an image or by reinstalling the operating system, restoring the user’s settings and data, and evaluating the activities performed for effectiveness.
- Step 6: Conduct Post Attack Review. This step focuses on post-attack items to consider for lessons learned.
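As an added example of the information-gathering half of Step 1 (this script is not part of the IPD guide or its download), the following PowerShell snapshot records the volatile state of a suspect Windows host before anyone cleans, restores or rebuilds it, so the evidence needed to understand the compromise survives whichever course of action Step 2 selects. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer; the output path C:\IR, the seven-day event window and the choice of persistence locations are assumptions made for this example, and the Windows Defender cmdlet is optional and fails harmlessly where Defender is absent. The script only reads from the host and writes to the output folder; containment actions such as disconnecting the network are the responder's decision and are not automated here.

```powershell
# Added example, not the IPD guide's own code: read-only triage snapshot for
# Step 1 ("Confirm the Infection"). Collects processes, connections, autoruns,
# services, tasks and recent events before any cleaning or reboot destroys them.
# Assumptions: elevated PowerShell 5.1+ on Windows 10 / Server 2016 or later;
# $OutputRoot is an arbitrary path chosen for this example.
param(
    [string]$OutputRoot = 'C:\IR'
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Run one collector, write its objects to CSV, and keep going if it fails:
# during an incident a partial snapshot is better than none.
function Save-Snapshot {
    param([string]$Name, [scriptblock]$Collector)
    $ErrorActionPreference = 'Stop'   # make collector errors land in the catch
    $path = Join-Path $outDir "$Name.csv"
    try {
        & $Collector | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
        Write-Host "[+] $Name -> $path"
    } catch {
        Write-Warning "[-] $Name failed: $($_.Exception.Message)"
    }
}

# Running processes with owner, image path and SHA-256, so each binary can be
# compared with a known-good baseline or submitted to an antimalware vendor.
Save-Snapshot 'processes' {
    Get-Process -IncludeUserName | ForEach-Object {
        $hash = $null
        if ($_.Path) {
            try { $hash = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash } catch { }
        }
        [pscustomobject]@{
            Id = $_.Id; Name = $_.Name; User = $_.UserName; Path = $_.Path; SHA256 = $hash
        }
    }
}

# TCP connections mapped to their owning process: command-and-control traffic
# and lateral movement are visible here before they reach any log.
Save-Snapshot 'tcp-connections' {
    Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
        State, OwningProcess,
        @{ n = 'ProcessName'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } }
}

# Registry Run/RunOnce autostarts for the machine and the current user.
Save-Snapshot 'run-keys' {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {   # skip the PSPath/PSParentPath metadata
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Services and enabled scheduled tasks: the other common persistence points.
Save-Snapshot 'services' {
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, State, StartMode, StartName, PathName
}
Save-Snapshot 'scheduled-tasks' {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.TaskPath
            Name   = $_.TaskName
            User   = $_.Principal.UserId
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

# Service installations (System event 7045) over the last seven days, plus
# whatever Windows Defender has already detected on this host.
Save-Snapshot 'new-services-7d' {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } |
        Select-Object TimeCreated, Id, Message
}
Save-Snapshot 'defender-detections' { Get-MpThreatDetection }

# Hash every output file so the snapshot can be shown to be unmodified during
# the post-attack review (Step 6).
Get-ChildItem -Path $outDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
Write-Host "Snapshot written to $outDir"
```

Run it once from an elevated prompt on the suspect host before starting Step 3, and copy the resulting folder off the machine; the CSV files are what the cleaning, restore or rebuild decision in Step 2 is made from, and the manifest is what the Step 6 review checks them against.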
This guide is one in a series of planning and design guides that clarify and streamline the planning and design process for Microsoft infrastructure technologies. The goal of this guide is to provide processes and tasks to help determine the nature of the malware problem, limit the spread of malware, and return the system(s) to operation.
When a malware attack occurs, there are a number of factors that must be considered quickly and simultaneously to restore service to the system. Some of these factors are, indeed, conflicting. Understanding how the system was compromised, while simultaneously returning the system to operation as quickly as possible, is a common conflicting issue that this guide addresses. This malware response guide does not resolve this conflict; the reader must do so based on the priorities of the business.
When deciding which course of action to take to get the attack under control and restore the system to normal as quickly as possible, consider the following:
- The amount of time required and available to restore the system to normal operations.
- The resources needed and available to perform the work.
- The expertise and administrative rights of the personnel performing the recovery.
- The cost to the business that could result from data loss, exposure, and downtime.
All of these items will influence the decisions and the risk the organization is willing to accept when responding to and recovering from a malware attack.
- Check out what the Infrastructure Planning and Design team has to offer! Visit the IPD page on TechNet at http://www.microsoft.com/ipd for additional information, including our most recent guides.
- To learn more about the Microsoft Malware Protection Center, which provides the latest information on major desktop and email threats to computers running Windows, visit http://www.microsoft.com/security/portal.
Join the IPD Beta Program
Subscribe to the IPD beta program and we will notify you when new beta guides become available for your review and feedback. These are open beta downloads. If you are not already a member of the IPD Beta Program and would like to join, follow these steps:
- Go here to join the IPD beta program: https://connect.microsoft.com/InvitationUse.aspx?ProgramID=1587&InvitationID=IPDM-QX6H-7TTV&SiteID=14 (If the link does not work for you, copy and paste it into the Web browser address bar.)
- Sign in using a valid Windows Live ID.
- Enter your registration information.
- Continue to the IPD program beta page, scroll down to Infrastructure Planning and Design, and click the link to join the IPD beta program.
Already a member of the IPD beta program? Go here to get the latest IPD beta downloads: https://connect.microsoft.com/content/content.aspx?ContentID=6556&SiteID=14
- To connect with others in the IPD community, learn more about the tool, and get help with questions, visit the Infrastructure Planning and Design Guide Series.
- To read more about threat research and response from the experts, visit the Microsoft Malware Protection Center Blog.
- Want to know what’s coming up next? Check out our Security Guidance Blog.
- If you’ve used a Solution Accelerator within your organization, please share your experience with us by completing this short survey (less than ten minutes long).
- Please send questions or comments about this guide to IPDfdbk@microsoft.com.
About Solution Accelerators
Solution Accelerators are authoritative resources that help IT professionals plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free, prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.
Sign up to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as
- Communication & Collaboration
- Security, Data Protection, & Recovery
- Operations & Management