Cleaning Memory-Resident Virus Infected Endpoints

Version 1

    Details

    Lumension Endpoint Management and Security Suite (LEMSS) 7.2

    Memory-resident viruses can evade detection mechanisms when:

         
    • No Real-Time Monitoring Policy that provides on-access scanning protection is assigned to the endpoint.
    •    
    • A packer that compresses and encrypts an executable file can hide the virus from on-demand scans (Scan
          Now and Recurring Virus and Malware Scan).
    •    
    • The virus was previously unknown and became known by a recent definition update.
    •    
    • The malware sample uses an anti-heuristic technique.
    •    
    • Malware is delivered using a heap-spraying technique on a browser or zero days exploit on a trusted process.

    Removal

         
    1. Download the Norman Malware Cleaner (http://www.norman.com/downloads/malware_cleaner) and store it on a USB device.
    2.    
    3. Reboot the infected endpoint into Safe mode.
    4.    
    5. Run Norman Malware Cleaner scan from the USB device.
    6.    
    7. On the Scan tab, select the Full scan mode and then click Start.
    8.    
    9. Restart the endpoint when the scan completes.
    Result
    The memory-resident virus is removed. If the endpoint is still infected, contact HEATsoftware support – the infection may be new or unknown and require an AntiVirus definition file update to assist in its removal. You may be asked to run a forensics tool or provide logs to aid in examining and discovering new threats.

    After Completing This Task
    Assign a Real-time Monitoring Policy to the endpoint.