Eliminating Local Network Outbreak

To disinfect a local network of a malware outbreak, follow the step-by-step instructions below.

1. Quarantine the network

Disconnect the local network from the Internet immediately as a precautionary measure against further infection from an external source. It may also prevent malware already present in the network from connecting to external sites for further mischief.

If at all possible, take down the local network to prevent malware from spreading between local machines. This includes both wired and wireless connections.

Also, disable network file and printer sharing.

2. Close all suspect ports

If the malware infecting the network is known, block all ports used by the malware.

To determine which ports to close, refer to our Threat Descriptions or another trusted reference source for details of specific malicious programs, which may include port information. Note: If the local network has been successfully disconnected from the Internet, this may need to be done on an isolated clean machine with separate Internet access.

If taking down the local network or closing targeted ports is not possible, setting the on-access scanner to "Disinfect Automatically" on all computers in the network may be attempted as a stopgap measure, to protect clean workstations from re-infection.

Do note, however, that this alternative is not effective in cases where malware propagation relies on exploiting a vulnerability in a system, program or network. Until the targeted vulnerability is patched, infected machines with a network connection may continue to restart and redistribute malware, making disinfection more difficult.

3. Scan all computers

Scan all computers with F-Secure Anti-Virus, using the latest database updates (available here). If some workstations do not have the latest updates, transfer and install the updates via removable media.

If F-Secure Anti-Virus does not detect the malware infection, please attempt to locate the malware's file or files and send them to our Labs for analysis via Submit A Sample (SAS).

Malware files usually generate a large amount of network traffic, occupy a lot of system resources, install themselves to Windows or Windows System folders and create startup keys for their files in the System Registry. These traits may provide useful pointers or clues in tracking down the malware's executable files.

If you are unable to find any malicious files, please send a message to our Support Team describing the virus incident and ask for instructions on locating an unknown malware.

Special disinfection utility programs (tools) are available for certain malware. Links to these tools may be found on the specific Description page for the malware in question; alternatively, you can check our Removal Tools page.

4. Disinfect infected computers

F-Secure Anti-Virus will rename all infected files.

If renaming could not be performed when using the "Disinfect Automatically" action, please use the "Rename" disinfection action.

You can also use the "Delete" disinfection action, but make sure that no important files are deleted (mailboxes, for example, as antivirus programs can sometimes find infected e-mail messages).

5. Restart computers

Restart cleaned computers and delete the renamed infected files.

It is recommended to scan clean computers one more time to make sure that no infected files are left.

6. Disable system restore

If some infected files ended up in the System Restore folders, System Restore needs to be temporarily disabled and the computer restarted.

After restart, the infected files inside the System Restore folders should be gone. Please refer to Microsoft Support for the latest applicable instructions on how to disable the System Restore feature on your operating system.

7. Install a firewall, if necessary

Install a firewall on the Internet gateway, or on all workstations if a gateway firewall is not available.

If a firewall is already installed, configure it to block any ports used by malicious software — except for commonly used ports such as port 80, the default port used for normal Internet communications.

8. Install security updates

Install the latest security updates, patches or service packs for the operating system and other installed programs, on all workstations. This is very important to prevent further reinfections.

9. Change passwords of shared resources

If you were hit by malware that spreads to network shares or by a password-stealing trojan, please change the passwords for all important applications and set strong passwords for shared network resources.

10. Reconnect local network and Internet access

Reconnect to the local network and enable the Internet connection.

Monitor traffic for a period of time to make sure that the infection doesn't return.
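
The traffic check mentioned in steps 3 and 10, as an added example that is not part of the original instructions or of any F-Secure tool: a Python script that reads Windows netstat -ano output and lists process IDs that either talk to a port named in the threat description or contact many different hosts on the same port. The sample output, port 6667 and the threshold of 4 hosts are constructed values for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    192.168.1.20:49701     192.168.1.5:443        ESTABLISHED     2204
  TCP    192.168.1.20:49810     192.168.1.31:445       SYN_SENT        3312
  TCP    192.168.1.20:49811     192.168.1.32:445       SYN_SENT        3312
  TCP    192.168.1.20:49812     192.168.1.33:445       SYN_SENT        3312
  TCP    192.168.1.20:49813     192.168.1.34:445       ESTABLISHED     3312
  TCP    192.168.1.20:49900     203.0.113.7:6667       ESTABLISHED     4120
  TCP    [::1]:49670            [::1]:49671            ESTABLISHED     1500
  UDP    0.0.0.0:5353           *:*                                    1820
"""

# TCP rows only: proto, local endpoint, foreign endpoint, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s+(\d+)\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def triage(netstat_text, suspect_ports, fanout_threshold=4):
    """Return {pid: [reasons]} for processes worth a closer look."""
    hosts = defaultdict(set)    # (pid, remote port) -> distinct remote hosts
    reasons = defaultdict(set)  # pid -> why it was flagged
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) == "LISTENING":
            continue            # headers, UDP rows and listeners carry no peer
        host, port = split_endpoint(m.group(2))
        pid = int(m.group(4))
        if host in ("127.0.0.1", "::1"):
            continue            # loopback traffic never leaves the machine
        hosts[(pid, port)].add(host)
        if port in suspect_ports:
            reasons[pid].add(f"suspect port {port}")
    for (pid, port), seen in hosts.items():
        if len(seen) >= fanout_threshold:
            reasons[pid].add(f"fan-out to {len(seen)} hosts on port {port}")
    return {pid: sorted(why) for pid, why in reasons.items()}

if __name__ == "__main__":
    print(triage(SAMPLE, suspect_ports={6667}))
```

Save the netstat -ano output from a suspect machine to a file and pass its contents to triage(); the flagged PIDs can then be matched to executable names with tasklist.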