Cleaning up a Worm or Virus

Viruses and worms like MSBlaster, Sasser, and MyDoom are running rampant. If your network becomes infected with one of these viruses, Prism can quickly identify and clean up infected computers.

The steps in this example walk you through identifying and remedying the MSBlaster worm. Similar steps can be used for other viruses and worms.

  1. In a Prism Channel, create three new user-defined configuration groups and an All Others group representing the four possible states in relation to the MSBlaster worm:

Configure the rulesets for these groups to look for both:

Note: This registry key is the relevant key for Windows XP and Windows 2000 systems.

[Figure: worm_ex_cleanup.gif]

  2. Create these deployment Tasks to perform the remediation process:

(1) Run the Microsoft patch executable as a Command Task. Use the Microsoft-supported switches to configure how the patch is installed (for example, quiet mode, forced reboot, and so on).

(2) Turn off System Restore and reboot the target computer.

Tip! Download the following file from our support Web site. It contains a Package that turns off System Restore and reboots the target computer:
www.newboundary.com/support/docs/General/SasserRemediation_files/systemrestore.zip

Then, create a Package Task to deploy this Package through the Console.

(3) Run the cleanup utility from your anti-virus vendor as a Command Task.

(4) Turn on System Restore and reboot the target computer (again using the Prism Package from New Boundary Technologies support).

  3. Assign the Tasks to the appropriate configuration groups.

For example, assign the Tasks that apply the patch and turn off System Restore to the first group. As an option, you can set the Task that runs the Microsoft patch to recur at system startup, which gives infected systems as much time as possible to run the patch before rebooting. This may not be necessary, however, because computers poll the Channel as soon as they are online, and the patch runs very quickly.

  4. Your computers automatically move themselves in and out of the appropriate configuration groups as their status changes. Since the Tasks are assigned to the groups, the target computers receive the appropriate Tasks for their current status.