These instructions describe what to do on receipt of a Zombie or Spam alert email, and how to clean up the affected Windows computer.
Note: ZombieAlert can be configured to send you the sample message as seen by SophosLabs.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+
What To Do
1. Identifying the IP address of the Zombie computer
Upon receipt of a Zombie or Spam alert email, as the administrator, you must first identify which system on your network has generated this alert. The IP address in the email is the external IP address, and you will need to look within your own firewall, core switch, or network appliance, to map that external address to the system's internal address.
Any systems listed on the alert that have a publicly facing IP will be easy to identify.
If the internal system's IP address is behind a network device using NAT, you will need to review the network device's translation and routing tables to map the external IP address to an internal IP address. Refer to your network device documentation to perform this step correctly.
2. Identifying the computer itself
Once you have identified the internal IP address, you will need to use your internal resources to find the computer's location. One way to locate where a node is plugged in is to look at the network switch logs.
All organizations have different methods of identifying where their systems are physically located; use the method that best suits your environment.
3. Cleaning the affected computer
Once the computer has been located you should ensure that the computer:
- Has a recent version of Sophos Anti-Virus installed
- Has Sophos Anti-Virus up to date
If SAV is installed and up to date: disconnect the computer from the network and run a full scan on the computer, either from the central console or locally. If SAV is not installed or has not updated recently, you should attempt to install and/or update it now. However, if this is problematic, consider using:
- SAV32CLI copied from another computer (see article 13251)
- Sophos Bootable Anti-Virus (see article 52011)
- Sophos Virus Removal (see article 113298)
Note: Before running a scan it is recommended that you disconnect the computer from the network and leave it disconnected until you have scanned the computer, cleaned up any threats found, and completed step 5 below.
4. Monitoring the computer after cleanup
Remove any files that may have required a reboot for cleanup to complete, or that were locked during the scan, as described in the knowledgebase article on removing problem files.
- Monitor the computer carefully for any unknown processes or behavior.
- Any files that are found to be causing problems after running a complete scan (step 3 above) will need to be submitted to SophosLabs to determine if this is new malware or a variant.
5. Checks to perform before re-connecting to the network
If Sophos Anti-Virus is installed, check that the on-access scanner is active and that the program has successfully updated recently (that is, shortly before the computer was disconnected from the network).
Note: If SAV updates from a network share, you should question how up to date that source is, and check that it holds a recent update from its parent (i.e., check your Sophos Update Managers etc. to ensure there are no problems downloading there). If SAV is not installed, you should install the program now and ensure it is up to date.
Check that the computer is up to date with Windows Security Patches. For example, refer to an up-to-date computer on your network and compare the hotfixes loaded. Alternatively, check with Windows Update or the Microsoft Baseline Analyzer. After you have identified which security patches are missing, download them from Microsoft, put them on a CD or a write-protected (locked) USB drive, and install them.
Once you are satisfied with the state of the computer you should reconnect it to the network.
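The hotfix comparison and on-access scanner check in step 5 can be scripted. The following PowerShell is an added example, not part of the Sophos article: it assumes the reference computer's hotfix list was exported to a file and carried over on removable media (the cleaned computer is still off the network), and that the Sophos Anti-Virus on-access service is named SAVService.

```powershell
# Added example (not Sophos' own code): step 5 pre-reconnection checks.
# Run from an elevated prompt on the cleaned computer.
# Assumption: the reference list was produced on an up-to-date computer with
#   Get-HotFix | Select-Object -ExpandProperty HotFixID | Set-Content E:\reference-hotfixes.txt
param(
    [string]$ReferenceHotfixFile = 'E:\reference-hotfixes.txt'   # constructed path
)

# Hotfixes installed on the known-good reference computer (KB identifiers only).
$reference = Get-Content $ReferenceHotfixFile | Where-Object { $_ -match '^KB\d+' }

# Hotfixes installed on this computer.
$local = Get-HotFix | Select-Object -ExpandProperty HotFixID

# '<=' marks entries present in the reference list but absent locally.
$missing = Compare-Object -ReferenceObject $reference -DifferenceObject $local |
           Where-Object { $_.SideIndicator -eq '<=' } |
           Select-Object -ExpandProperty InputObject

if ($missing) {
    Write-Output 'Hotfixes present on the reference computer but missing here:'
    $missing | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No hotfixes missing relative to the reference computer.'
}

# Sophos Anti-Virus on-access scanner service (service name assumed to be SAVService).
$sav = Get-Service -Name 'SAVService' -ErrorAction SilentlyContinue
if (-not $sav) {
    Write-Output 'Sophos Anti-Virus service not found: install SAV before reconnecting.'
} elseif ($sav.Status -ne 'Running') {
    Write-Output "Sophos Anti-Virus service is $($sav.Status): start it and confirm on-access scanning is enabled."
} else {
    Write-Output 'Sophos Anti-Virus service is running.'
}
```

Any KB identifiers reported as missing are the patches to download on another computer and install from the write-protected media before reconnecting.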
6. Monitoring for malicious activity
Monitor this computer and your network firewall, and similar equipment, to make sure there are no further unknown port communications, or other suspicious behavior occurring.
If you encounter further problems, contact technical support saying that you are using these instructions, and which step you are having difficulty with.