If you know the names of the executable files, you may be able to use a software 
restriction policy in Active Directory to kill or limit the virus.

Try to determine the infection mechanism. Don't forget to check any backup 
media, USB keys, etc. to prevent reinfection. 

If you can isolate infected hosts as Russell mentioned, it will make it easier. 

As far as prevention, make sure the users are running with least user 
privileges, remove unneeded software from the machines, keep ALL software 
patched, not just MS products (removal of unneeded software makes this easier), 
disable unneeded services, use different administrator passwords for each 
local machine if possible (to stop worms and pass the hash), segment critical 
machines (911) from web surfing machines on the network, etc. *User education*. 
Use this episode to illustrate the risks. (Do you really want someone to die 
because 911 is down because you infected your machine playing Farmville?)

Good luck!

Bart
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Tyler Robinson <[email protected]>
Sender: [email protected]
Date: Thu, 2 Sep 2010 13:24:11 
To: PaulDotCom Security Weekly Mailing List<[email protected]>
Reply-To: PaulDotCom Security Weekly Mailing List
        <[email protected]>
Subject: Re: [Pauldotcom] LAN Virus outbreak Procedures

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
