How SMBs can recover from a virus attack

Understanding how viruses operate and the ways to prevent them from spreading is vital knowledge every business, small and big, must have.

A simple virus can be extremely costly to businesses. Once a virus penetrates security defenses, it can quickly rip through the network, destroy files, corrupt data, render applications useless and cause an expensive lull in productivity.

What is a virus?
Viruses are computer programs specifically written to change the way a computer functions, without the permission or knowledge of the user.

To be categorized as a virus, a program must meet two criteria:

  • It must execute itself, typically by inserting its own code into the execution path of another program; and
  • It must replicate itself, for example by replacing other executable files with a copy of the infected file. The copy need not be identical: the original may alter the copy, or the copy may rewrite itself, as a metamorphic virus does.

Viruses infect desktop computers and network servers alike.

Some viruses are designed to compromise a computer by damaging programs, deleting files or reformatting the hard disk. Others are not programmed to do any harm, but simply to duplicate themselves and make their presence known by presenting text, video and audio messages.

Even these supposedly benign viruses can create problems for small businesses, since they consume memory and processor time that legitimate programs need. The result is often erratic behavior and system crashes.

In addition, many viruses are bug-ridden, and those bugs often cause data loss and sometimes system failure.

Variety of viruses
Viruses come in many forms and spread in various ways, including e-mail, instant messaging, Web sites and even removable devices.

  • E-mail: Viruses are commonly transmitted as e-mail attachments and, if the attachment is opened, the computer can be compromised. In some cases, data is erased from the hard disk. It is also common for the virus to mail a copy of itself to everyone in the victim's address book, so a message from a known contact is no guarantee that its attachment is safe.
  • Instant messenger: Viruses spread through instant messaging when a user downloads an infected file or clicks a link to an infected Web site. The effects include the victim's computer slowing down, spyware being installed to record what is typed, and files being compromised or damaged.
  • Web-based attacks: As the number of available Web services grows, the number of Web-based threats will continue to increase. From applications on social networking sites and banner ads on Web sites to online services, attackers have found ways to spread malicious code and steal identities online.
  • Devices: MP3 players, PDAs and portable hard disks are increasingly used in the workplace to sync calendars or store files. Viruses can be transferred when such a device is connected through a USB port to an infected PC, and from an infected device to a clean PC.
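The e-mail item above is the vector most SMBs see first. The following is an added example, not code from the original article or from Symantec: a small triage filter written with Python's standard email package that flags attachments whose name or declared type suggests an executable, including the "invoice.pdf.exe" double-extension trick that hides behind Windows' hidden-extension setting. The extension lists and the sample message are constructed assumptions for illustration; extend the lists to match your own environment.

```python
"""Flag risky e-mail attachments before they reach a mailbox.

Added example, not from the original article. Parses an RFC 822 message
with Python's standard email package and flags attachments whose file
name or declared content type suggests executable content.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly on double-click.
# Assumed list for illustration; extend it for your environment.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "ps1", "lnk", "reg",
}

# Extensions typically used as bait in double-extension names (report.doc.exe).
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png"}

# MIME types that declare a Windows executable regardless of file name.
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def classify_attachment(filename, content_type):
    """Return the reasons an attachment looks dangerous (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    # "invoice.pdf.exe" is shown as "invoice.pdf" when known extensions are hidden.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguises an executable as a document")
    # Declared type says executable even though the name does not.
    if content_type in EXECUTABLE_MIME_TYPES and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"content type {content_type} does not match name")
    return reasons


def triage_message(raw_message):
    """Parse a raw message; return {filename: [reasons]} for every flagged attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_content_type())
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message():
    """Constructed test message (not a real capture) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # A genuine-looking document, a disguised executable, and an executable
    # whose name says text file but whose declared type says program.
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="x-msdownload", filename="readme.txt")
    return msg.as_string()


if __name__ == "__main__":
    for name, why in triage_message(build_sample_message()).items():
        print(f"QUARANTINE {name}: {'; '.join(why)}")
```

Run it against the constructed message and two of the three attachments are flagged while the real PDF passes. The filter is deliberately conservative: it never trusts the sender address, since a mass-mailing virus sends from the address books it harvested.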

With so many ways for viruses to enter an organization, SMBs have to be more on their guard than ever and make sure they have the tools and processes in place to deal with virus attacks when they strike.

After an attack
Regardless of the form they take, viruses are costly and can try anyone's patience. If a business has suffered a virus attack and its systems are compromised, it will need to take action promptly to stop the virus from spreading to other computers on its network.

Here are some suggestions on how to quickly get your business back up and running again after an attack:

  • Quarantine
    Once a computer is suspected of being infected, IT managers must immediately quarantine it by physically disconnecting it from the network: unplug the network cable and disable any wireless connection. An infected machine is a danger to every other computer on the network.

    If other computers are suspected of being infected, they must be treated as infected even if they show no symptoms. It is counter-productive to clean one machine while an infected computer is still connected to the network.

    Assuming that more than one computer on the network has been infected is more cost-efficient than treating only one and finding out later that others were infected as well.

  • Remove
    Once the infected computer has been disconnected, IT managers must focus on removing the malicious code. Use removal tools written specifically for the virus causing the damage; antivirus vendors publish them for widespread threats.

    Make sure the antivirus software is current: the vendor should have virus definitions for the specific threat, and if the software has not been updated recently, update it. Because the infected machine is off the network, download the update on a clean computer and carry it over on clean removable media.

  • Reinstall
    The type of damage caused by a virus attack varies with the particular virus, ranging from renamed files to permanently disabled software applications.

    If the operating system has been damaged beyond repair, reinstall it using the quick restore CD that usually comes with the computer. This returns the computer to its factory configuration, so any application installed since and any data files saved on it will be lost unless they have been backed up.

    Before the rebuild begins, IT managers need to have all the necessary materials at hand: the original software, software licenses, and registration and serial numbers.

  • Restore
    All organizations should back up their files and documents on a regular basis so that data lost in a virus attack can be recovered and restored. Without routine backups of all data and files on the computer's hard drive, files the virus destroyed will most likely be permanently lost. Bear in mind that a backup taken after the infection began may itself contain infected files: prefer the most recent backup known to predate the infection, and scan restored data with up-to-date definitions before putting it back into service.

    Not all viruses target data files; some attack applications. If an application has been damaged and rendered unusable, uninstall it and reinstall it from the original media.

  • Scan
    After reinstalling and restoring the data, run a thorough virus scan of every computer system on the network, using the most recent virus definitions available for the antivirus software.

    Do not overlook anything: scan all files and documents on all computers and servers on the network, including the backup media itself.

  • Prevent
    The first step in prevention is to run antivirus software and keep security patches up to date. Create and enforce a regular backup schedule so that no data is lost in a future attack.

    It is also important to change ALL passwords, including those for ISP and FTP access, e-mail and Web sites. Some viruses capture or crack passwords, which leaves the business exposed to follow-up attacks even after the virus itself is gone. Change the passwords from a machine known to be clean; a new password typed on a still-infected computer can be captured just as the old one was.
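The Restore and Scan steps above both come down to one question: which files on the rebuilt machine are still what they should be? The following is an added example, not code from the original article or from Symantec, showing one way to answer it. A SHA-256 manifest is recorded while the system is known to be clean (for instance right after a fresh rebuild, before any backup is copied back), and the restored tree is then compared against it, so files the virus overwrote, deleted or dropped show up as modified, missing or unexpected. The directory layout and file contents are constructed for illustration.

```python
"""Verify restored files against a known-good SHA-256 manifest.

Added example, not from the original article. Record a manifest while the
system is clean, then compare the restored tree against it: a virus that
replaced a program shows up as 'modified', data it deleted as 'missing',
and a payload it dropped as 'unexpected'. Paths and contents below are
constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree being checked
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as sorted JSON; keep this copy off the machine it describes."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify_tree(root, manifest):
    """Compare a restored tree against the manifest.

    Returns sorted lists under 'modified' (digest differs), 'missing'
    (in manifest, not on disk) and 'unexpected' (on disk, not in manifest).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a clean tree, then a restored copy showing typical damage."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as restored:
        for root in (clean, restored):
            _write(root, "docs/report.docx", b"quarterly figures")
            _write(root, "app/calc.exe", b"MZ original program")
        manifest_path = os.path.join(clean, "manifest.json")
        save_manifest(build_manifest(clean), manifest_path)
        manifest = load_manifest(manifest_path)
        # Simulate what a virus did before the backup was taken.
        _write(restored, "app/calc.exe", b"MZ infected program")   # host program overwritten
        _write(restored, "app/update.exe", b"MZ dropped payload")  # new file dropped
        os.remove(os.path.join(restored, "docs/report.docx"))       # data deleted
        return verify_tree(restored, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the manifest is written into the clean tree only for the demo; in practice keep it on separate media, since a manifest stored beside the files it describes can be rewritten by the same virus. Unexpected executables are the first entries to examine, because they are usually the dropped payload rather than collateral damage.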

If a virus penetrates the network despite the security measures the company has in place, learn from the incident and consider changing or enhancing current security practices.

Look into why the previous security measures were not effective. Was there a firewall, and if not, was one needed? Were virus definitions and security patches updated promptly? Was a file downloaded and opened before it was scanned for viruses?

Companies should refine and reinforce their IT security policy. By implementing prevention tools and practices, businesses can save themselves time, money and stress associated with a virus attack.

Ronnie Ng is manager of systems engineering at Symantec in Singapore, and is responsible for helping customers develop processes to protect data and deploy disaster recovery policies.