I am writing a PowerShell script that effectively quarantines a computer after malware is detected on the system. So far I have the script disconnecting the Ethernet adapters to ensure the device can't communicate with the internet. Next, the script launches a full anti-virus scan. Is this enough to successfully quarantine malware, or should I be doing more? Maybe disjoining the Active Directory domain?

AckMan

1 Answer

If you have the malware executable / exploit / doc with macro / ..., then what you want to ensure is that nobody opens it. For this it is enough to remove the extension. Anyway, a good way to store samples is e.g. a password-protected .zip file with the password 'infected'.

If you don't have the sample yet, then yes, disable its connection for sure (not just the internet, the whole networking - imagine a ransomware getting access to a network share). That should be enough for a computer quarantine. An anti-virus scan can help, but if it is a yet unknown or modified sample it can't ensure the cleaning. Find out what kind of malware it is, and after you are sure that it is disabled, you can enable the internet connection.

akg
  • I'm not sure removing the extension is sufficient to stop execution. It would certainly be OS dependent, but I believe most OSes will simply look for the execution permission and attempt to run it. This also doesn't quarantine the computer itself, just the piece of malware. – RoraΖ Mar 02 '17 at 20:08
  • Regarding the extension you are right; I assumed it was about Windows machines because of the PowerShell mentioned. Storing in a password-protected .zip is still a good way though. The second part of my answer is about the computer quarantine. Though I would disable the whole networking for that computer, not just the internet. Imagine a ransomware accessing a network share. (I also added this to the answer.) – akg Mar 02 '17 at 20:15
  • Ah, you are correct, my eyes skipped over the "power" in that sentence. – RoraΖ Mar 02 '17 at 20:17
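The isolation step as the answer describes it (every adapter, not just Ethernet), written here as an added example rather than the asker's script or akg's code: it records which adapters were up so the exact set can be restored after triage, verifies that nothing is still up, and only then starts the scan. The log path and the use of Microsoft Defender's Start-MpScan as the scanner are assumptions.

```powershell
#Requires -RunAsAdministrator
# Constructed example: quarantine a suspected-infected Windows host locally.
# Run it on the console or from a scheduled task, not over WinRM/RDP: disabling
# the adapters would cut the remote session before the script finishes.
param(
    # Assumed location for the adapter snapshot; any local path works.
    [string]$QuarantineLog = "$env:ProgramData\quarantine-$(Get-Date -Format yyyyMMdd-HHmmss).json"
)

# 1. Snapshot every adapter that is currently up, so exactly those can be re-enabled later.
$adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
$adapters |
    Select-Object Name, InterfaceDescription, MacAddress, Status |
    ConvertTo-Json |
    Set-Content -Path $QuarantineLog -Encoding UTF8

# 2. Disable all of them: Wi-Fi, VPN, Bluetooth PAN and virtual adapters included,
#    because a network share is reachable over any of them, not only Ethernet.
$adapters | Disable-NetAdapter -Confirm:$false

# 3. Verify isolation before trusting it; an adapter still reporting Up means the
#    quarantine failed and the host must not be treated as contained.
$stillUp = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
if ($stillUp) {
    Write-Error "Isolation incomplete, adapters still up: $($stillUp.Name -join ', ')"
    exit 1
}

# 4. Start a full Defender scan. It runs with networking off and this script never
#    re-enables the adapters: as the answer notes, a clean result from a signature
#    scan does not prove an unknown or modified sample has been removed, so
#    reconnection stays a manual decision after triage.
Start-MpScan -ScanType FullScan

Write-Output "Host isolated. Adapter snapshot saved to $QuarantineLog."
Write-Output "To restore after triage: (Get-Content '$QuarantineLog' | ConvertFrom-Json) | ForEach-Object { Enable-NetAdapter -Name `$_.Name -Confirm:`$false }"
```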