ISM-0917

When malicious code is detected, the following steps are taken to handle the infection:
• the infected systems are isolated
• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary
• antivirus software is used to remove the infection from infected systems and media
• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.

Topic: Handling and containing malicious code infections
Applicable to: all

History

Priority: recommended
Oct 2019
When malicious code is detected, the following steps are taken to handle the infection:
• the infected systems are isolated
• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary
• antivirus software is used to remove the infection from infected systems and media
• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.
Security control 0917 was modified to note that system restoration or rebuild is only necessary when infections cannot be reliably removed from systems.
Sep 2019
When malicious code is detected, the following steps are taken to handle the infection:
• the infected system is isolated
• all previously connected systems, including any media used in the period leading up to the infection, are scanned for signs of infection and isolated if necessary
• antivirus software is used to remove the infection from infected systems and media
• if possible, any previously infected system is restored from a known good backup or rebuilt.
Jan 2019
When malicious code is detected, the following steps are taken to handle the infection:
• the infected system is isolated
• all previously connected systems, including any media used in the period leading up to the infection, are scanned for signs of infection and isolated if necessary
• antivirus software is used to remove the infection from infected systems and media
• if possible, any previously infected system is restored from a known good backup or rebuilt.
Fixed typographical error in security control 0917 – ‘inflected systems’ replaced with ‘infected systems’.
Nov 2018
When malicious code is detected, the following steps are taken to handle the infection:
• the infected system is isolated
• all previously connected systems, including any media used in the period leading up to the infection, are scanned for signs of infection and isolated if necessary
• antivirus software is used to remove the infection from inflected systems and media
• if possible, any previously infected system is restored from a known good backup or rebuilt.
2017
Agencies should follow the steps described below when malicious code is detected:
• Isolate the infected system.
Control text changed. No public explanation.
2015
Agencies should follow the steps described below when malicious code is detected:
• isolate the infected system
• decide whether to request assistance from ASD, and if such assistance is requested and agreed to, delay any further action until advised by ASD to continue
• scan all previously connected systems, and any media used in a set period leading up to the cyber security incident, for malicious code
• isolate all infected systems and media to prevent reinfecting the system
• change all passwords and key material stored or potentially accessed from compromised systems
• advise users of any relevant aspects of the compromise, including changing all passphrases on the compromised systems and any other system that uses the same passphrase
• use current antivirus or other Internet security software to remove the infection from the systems or media
• report the cyber security incident and perform any other activities specified in the IRP
• where possible, restore a compromised system from a known good backup or rebuild the affected machine.
2010
It is recommended agencies follow the steps described below when malicious code is detected:
• isolate the infected system
• decide whether to request assistance from DSD, and if such assistance is requested and agreed to, delay any further action until advised by DSD to continue
• scan all previously connected systems, and any media used in a set period leading up to the cyber security incident, for malicious code
• isolate all infected systems and media to prevent reinfection
• change all passwords and key material stored or potentially accessed from compromised systems
• advise system users of any relevant aspects of the compromise, including a recommendation to change all passwords on compromised systems
• use current antivirus software to remove the infection from the systems or media
• report the cyber security incident and perform any other activities specified in the IRP.