Respond to Data Security Incidents Caused by Malware – Checklist for IT Administrators

PLEASE NOTE: This policy is published as binding draft while under campus review. If you would like to submit feedback on the draft policy and related documents, please use the feedback form.

Computers compromised by malware are the most common data security incident on campus. Departments can choose to handle portions of an incident internally (using the checklist below) or contact UMass Dartmouth CITS at itsecurity@umassd.edu as soon as possible.

  • If your department’s computers are maintained directly by UMass Dartmouth CITS, complete the steps below in collaboration with a CITS technician.
  • If a server is compromised, contact itsecurity@umassd.edu for instructions.
  • UMass Dartmouth CITS can help! IT technicians can provide assistance with any of the steps below. We can also provide additional information related to an incident, such as network logs or centralized system / application logs.

Use the following checklist for your preliminary analysis. Contact itsecurity@umassd.edu if you need assistance with any of the steps.

1. Keep Detailed Notes

Depending on the severity of the incident, you may have to provide details about the incident, including how you first responded, to other staff, management, University Legal Counsel, or Internal Audit.

2. Minimize System Changes

Keep the system intact as changes can destroy valuable data related to the incident. Do not power off, run anti-virus software, or attempt to back up data.

3. Gather volatile information while the system is running (optional)

Document any open network connections, running processes, logged-in users, and connected drives. Capture an image of the computer’s memory.

4. Shut the system down & preserve hard drive data

You need to shut the system down before completing the next steps.

Option A: Get a forensically-sound copy of the hard drive
Get a forensically-sound 'bit-by-bit' copy of the affected hard drive(s) and keep this information until the incident is resolved. You should also preserve an MD5 hash of the original drive(s) and image(s). Note: You will need a hard drive write blocker to complete this step (see details below).

Option B: Connect the hard drive to a write blocker
Alternatively, you can connect the hard drive to a hard drive write blocker before performing the next steps. Write blockers enable you to acquire information from a drive without damaging its contents. CITS recommends Tableau products, available from multiple online retailers.
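Option A in practice, as an added shell example that is not part of this checklist or of any CITS tooling: a script that images a drive bit-by-bit with dd, records the MD5 of the original and of the image in a custody log, and lets you re-verify the image later. Device and evidence paths are placeholders, and the sample drive is a constructed file so the example runs without real hardware.

```shell
#!/bin/sh
# Added example, not part of the UMass Dartmouth checklist: take a bit-by-bit
# image with dd, hash source and image with MD5, and log both hashes so the
# copy can be verified later. Assumes GNU or BusyBox dd and md5sum are present
# and that the source device sits behind a write blocker (Option B).
# Real usage (placeholder paths):
#   acquire_image /dev/sdX /evidence/CASE-ID/disk.dd /evidence/CASE-ID/custody.log

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector, appends the MD5 of each to LOG,
# and returns 0 only when the two hashes match.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # bs=512 matches a classic sector size (use 4096 for 4Kn drives);
    # conv=noerror,sync keeps going past an unreadable sector and pads it with
    # zeros so the image keeps the drive's layout instead of aborting.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(md5sum "$src" | cut -d' ' -f1)
    img_hash=$(md5sum "$img" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s md5=%s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s image=%s md5=%s\n' "$stamp" "$img" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE EXPECTED_MD5
# Re-hashes IMAGE (for example before handing it to CITS) and compares it
# with the hash recorded at acquisition time.
verify_image() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# make_sample_drive PATH
# Constructed stand-in for a drive: 2048 bytes (four 512-byte sectors) of
# repeated text, so the example can be exercised without hardware.
make_sample_drive() {
    yes 'constructed sector data' | head -c 2048 > "$1"
}
```

The same pattern works unchanged with sha256sum if a stronger hash is requested alongside the MD5 the checklist asks for.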

5. Run Spirion & a malware detection scan

With the write blocker in place, or after you have obtained a forensically-sound copy of the affected hard drive(s):

  1. Run Spirion (if installed) to determine whether personally identifiable information is stored on this device and where it is located.
  2. Complete a virus/malware detection scan using your preferred anti-virus/malware application.
  3. Gather any other information relevant to this incident.

6. Provide UMass Dartmouth CITS with an Incident Report

You must contact UMass Dartmouth CITS if Spirion finds any personally identifiable information, if UMass Dartmouth CITS first contacted you about this incident, or if you cannot rule out the presence of sensitive data on this device.

7. Preliminary Analysis: Findings & Next Steps

If you have completed a preliminary analysis, these are some general recommendations based on the most common findings. For additional information, contact itsecurity@umassd.edu.

Malware and personally identifiable information found
Submit an Incident Report (see Step 6 above). UMass Dartmouth CITS will need the compromised device (or the forensically-sound copy) for an in-depth analysis.

Personally identifiable information found, but no malware
Contact UMass Dartmouth CITS for a secondary analysis (additional detection tools may be required). Remove the data if no longer necessary or save it in a safe location (e.g., server). Review the business processes that require sensitive data to be placed in this location.

Malware found, but no personally identifiable information
Review the scope of the incident to ensure other devices are not affected. Change all passwords and complete the appropriate recovery steps for this device. Submit an Incident Report if UMass Dartmouth CITS originally notified you of this incident. Alternatively, email your malware scan results to itsecurity@umassd.edu (CITS will share them with other IT Administrators as necessary).

No malware, no personally identifiable information
You may need to re-diagnose the problem: check the incident symptoms and contact UMass Dartmouth CITS for assistance.

8. Related Documents

The UMass campuses strive to maintain consistent IT policies. The Information Security Policy and related documents have been adopted with permission from UMass Amherst.
