Eliminating A Local Network Outbreak
To disinfect a local network of a malware outbreak, follow the step-by-step instructions below:
- Quarantine the Network
- Close All Suspect Ports
- Scan All Computers
- Disinfect Infected Computers
- Restart Computer
- Disable System Restore
- Install a Firewall, If Necessary
- Install Security Updates
- Change Passwords for Shared Resources
- Reconnect Local Network & Internet Access
Disconnect the local network from the Internet immediately as a precaution against further infection from an external source. This also prevents malware already present in the network from connecting to external sites for further mischief.
If at all possible, take down the local network to prevent malware from spreading between local machines. This includes both wired and wireless connections.
Also, disable network file and printer sharing.
If the malware infecting the network is known, block all ports used by the malware.
To determine which ports to close, refer to our Threat Descriptions or another trusted reference source for details of the specific malicious program; these may include port information. Note: this may need to be done on an isolated clean machine with separate Internet access if the local network has already been disconnected from the Internet.
If taking down the local network or closing the targeted ports is not possible, setting the on-access scanner to "Disinfect Automatically" on all computers in the network may be attempted as a stopgap measure to protect clean workstations from re-infection.
Note, however, that this alternative is not effective where malware propagation relies on exploiting a vulnerability in a system, program or network. Until the targeted vulnerability is patched, infected machines with a network connection may continue to restart and redistribute the malware, making disinfection more difficult.
Scan all computers with F-Secure Anti-Virus using the latest database updates. If some workstations do not have the latest updates, transfer and install the updates via removable media.
If F-Secure Anti-Virus does not detect the malware infection, please attempt to locate the malware's file or files and send them to our Security Lab for analysis.
Malware files usually generate a large amount of network traffic, occupy a lot of system resources, install themselves into the Windows or Windows System folders and create startup keys for their files in the System Registry. These traits may provide useful pointers in tracking down the malware's executable files.
If you are unable to find any malicious files, please send a message to our Support Team describing the virus incident and ask for instructions on locating unknown malware.
Special disinfection utility programs (tools) are available for certain malware. Links to these tools may be found on the specific Description page for the malware in question; alternatively, you can check our Removal Tools page.
F-Secure Anti-Virus will rename all infected files.
If renaming could not be performed when using the "Disinfect Automatically" action, please use the "Rename" disinfection action.
You can use the "Delete" disinfection action as well; just ensure that no important files are deleted (mailboxes, for example, since antivirus programs can sometimes detect infected e-mail messages inside them).
Restart cleaned computers and delete the renamed infected files.
It is recommended to scan clean computers one more time to make sure that no infected files are left.
If some infected files ended up in the System Restore folders, then System Restore needs to be temporarily disabled and the computer has to be restarted.
After the restart, the infected files inside the System Restore folders should be gone. Instructions on how to disable the System Restore feature are available from Microsoft.
Install a firewall on the Internet gateway, or on all workstations if a gateway firewall is not available.
If a firewall is already installed, configure it to block any ports used by malicious software - except for commonly used ports such as port 80, the default port used for normal Internet communications.
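As an added example (not part of the original article, and not F-Secure's own tooling), the quarantine, port-closing and firewall steps above expressed as Windows Firewall PowerShell cmdlets, with a matching undo for the reconnect step and a helper that lists the autostart and listening-port clues the scanning step describes. The function names are my own, and the port numbers in the usage comment are placeholders; take the real list from the malware's threat description.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on
# each Windows workstation. $SuspectPorts must be replaced with the ports named in
# the malware's threat description; the values shown at the bottom are placeholders.

function Invoke-OutbreakContainment {
    param(
        [Parameter(Mandatory)][int[]]$SuspectPorts,
        [string]$Tag = 'OutbreakContainment'   # rule group, so the rules can be removed later
    )
    # Quarantine step: turn off network file and printer sharing via its firewall rule group.
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False -Profile Any
    # Close-ports step: block the malware's ports in both directions, but never port 80,
    # which the article keeps open for normal web traffic.
    foreach ($p in ($SuspectPorts | Where-Object { $_ -ne 80 } | Sort-Object -Unique)) {
        New-NetFirewallRule -DisplayName "$Tag in TCP $p" -Group $Tag -Direction Inbound `
            -Protocol TCP -LocalPort $p -Action Block -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName "$Tag out TCP $p" -Group $Tag -Direction Outbound `
            -Protocol TCP -RemotePort $p -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -Group $Tag | Select-Object DisplayName, Enabled, Action
}

function Undo-OutbreakContainment {
    # Reconnect step: remove only the rules tagged above and restore sharing.
    param([string]$Tag = 'OutbreakContainment')
    Remove-NetFirewallRule -Group $Tag -ErrorAction SilentlyContinue
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -Profile Any
}

function Get-OutbreakClues {
    # Scan step: the clues the article lists, autostart registry values and listening ports.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autostart = foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PowerShell's own PS* metadata
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
    $listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; PID = $_.OwningProcess; Process = $proc.ProcessName }
    }
    [pscustomobject]@{ Autostart = $autostart; Listeners = $listeners }
}

# Placeholder usage (replace the port list with the one from the threat description):
# Invoke-OutbreakContainment -SuspectPorts 135,139,445
# Get-OutbreakClues | Format-List
```

Review the listed autostart commands and listeners against the threat description; anything unexpected is a candidate file to submit for analysis.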
Install the latest security updates, patches or service packs for the operating system and other installed programs, on all workstations. This is very important to prevent further re-infections.
If you were hit by malware that spreads via network shares, or by a password-stealing trojan, change the passwords for all important applications and set strong passwords for shared network resources.
Re-connect to the local network and enable the Internet connection.
Monitor traffic for a period of time to make sure that the infection doesn't return.