Here are the instructions on how to eliminate a malware outbreak
in a local network:
1. Disconnect the local network from the Internet immediately.
2. Take the local network down or block the ports that are
commonly used by the malware (see the description of the malware
that you are disinfecting, or of similar malware, on our Virus
Information Pages), and disable network file and printer sharing.
If this is not possible, or if the malware is already detected by
F-Secure Anti-Virus, set FSAV's on-access scanner to 'Disinfect
Automatically' on all computers. This will protect clean
workstations from re-infection. However, this is not ideal,
because the malware will still try to spread. If it uses exploits
(for example the LSASS exploit), many computers in the local
network will keep restarting, which makes disinfection more
difficult.
3. Scan all computers with F-Secure Anti-Virus using the latest
updates. If some workstations do not have the latest updates,
transfer them via removable media. The files with the latest
updates can be downloaded from here (see Other Methods at the
bottom of the page):
If F-Secure Anti-Virus does not detect the new malware that you
have, please try to locate the malware's file or files and send
them to our Virus Research Team for analysis. Malware files
usually generate a lot of network traffic, consume a lot of
system resources, install themselves to the Windows or Windows
System folders and create startup keys for their files in the
System Registry. If you are unable to find a malicious file,
please send a message to our F-Secure Virus Research Team
describing the virus incident and ask for instructions on
locating the unknown malware.
For certain malware we have special disinfection tools. Please
see the description of the malware that you are disinfecting for
links to disinfection tools, or check our disinfection tools
download page:
4. Disinfect all infected computers. F-Secure Anti-Virus will
rename all infected files. If renaming could not be performed
with the 'Disinfect Automatically' action, please use the
'Rename' disinfection action. You can use the 'Delete'
disinfection action as well; just make sure that no important
files are deleted (for example mailboxes, as FSAV can sometimes
find infected messages in them).
5. Restart the cleaned computers and delete the renamed infected
files. It is recommended to scan the cleaned computers with
F-Secure Anti-Virus one more time to make sure that no infected
files are left.
6. If some infected files ended up in System Restore folders,
System Restore has to be temporarily disabled and the computer
has to be restarted. After the restart, the infected files inside
the System Restore folders should be gone. Instructions on how to
disable the System Restore feature are here:
7. Install a firewall on the Internet gateway, or on all
workstations if a gateway firewall is not available. If you
already have a firewall, configure it to block the ports used by
the malware (except commonly used ports, for example port 80).
8. Install all security patches and service packs on all
workstations that do not have them. This is very important to
prevent further re-infections.
9. If you were hit by malware that spreads to network shares or
by a password-stealing trojan, please change the passwords for
all important applications and set strong passwords for shared
network resources.
10. Re-connect the local network, enable the Internet connection
and monitor traffic for some time to make sure that the infection
doesn't come back from the Internet.
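
The check described in step 3 (startup keys that point at files in
the Windows or Windows System folders), as an added example that is
not part of the original F-Secure instructions: it parses saved
`reg query` output from a workstation and lists Run entries that are
missing from a known-clean baseline. The sample output, the baseline
set and the C:\Windows install path are constructed assumptions.

```python
import ntpath
import re

# Constructed sample of `reg query` output for a Run key (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Example Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    sample_worm    REG_SZ    C:\WINDOWS\sample_worm.exe
    sample_svc    REG_SZ    %SystemRoot%\System32\sample_svc.exe -run
"""
# Assumptions: baseline names come from a known-clean PC; Windows is in C:\Windows.
BASELINE = {"securityhealth"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
PROGRAM_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", re.I)


def executable_path(data, windir=r"C:\Windows"):
    """Return the lower-cased program path that a Run value would start."""
    data = re.sub(r"%(?:windir|systemroot)%", lambda m: windir, data, flags=re.I)
    data = data.strip()
    if data.startswith('"'):            # quoted path, arguments follow the quote
        path = data[1:].split('"', 1)[0]
    else:                               # unquoted: cut at the program extension
        m = PROGRAM_RE.match(data)
        path = m.group(1) if m else data
    return ntpath.normpath(path).lower()


def suspicious_startup_entries(reg_output, baseline=BASELINE):
    """List (key, name, path) for non-baseline entries run from SYSTEM_DIRS."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):    # key header line
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or m["name"].lower() in baseline:
            continue
        path = executable_path(m["data"])
        if ntpath.dirname(path) in SYSTEM_DIRS:   # file sits directly in the folder
            hits.append((key, m["name"], path))
    return hits


if __name__ == "__main__":
    for key, name, path in suspicious_startup_entries(SAMPLE):
        print(f"{key}: {name} -> {path}")
```

A listed entry is only a candidate: the file it points to still has
to be scanned or sent for analysis as step 3 describes.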