Malware Alert: The Biggest Mistakes to Avoid (and What to Do Instead)

Aug 16, 2025 | Podcast

Show Notes: My Antivirus Says Threat Found, Now What?

Episode Title: Malware Alert: The Biggest Mistakes to Avoid (and What to Do Instead)

Episode Summary:

In this episode, host Sarah discusses the critical next steps after your antivirus software flags a threat. Cybersecurity expert Patrick breaks down the immediate, practical actions a business or employee should take to contain the issue and prevent further damage. From the initial moment of the alert to documenting the incident, this episode provides a clear, step-by-step guide for navigating a potential malware infection.

Key Takeaways:

  • Don’t Panic: The first and most crucial step is to remain calm. Impulsive reactions can often worsen the situation. Take a breath and follow a methodical approach.
  • Isolate the Machine (Quarantine it!):
      • The most critical immediate action is to disconnect the infected computer from the network to prevent the malware from spreading.
      • For small businesses without a dedicated IT security team, the risk of the malware spreading across the network is a far greater and more immediate danger than the intelligence an incident response team might gather by leaving the machine connected to observe the attacker.
      • How to Isolate:
          • Wired Connection: Simply unplug the ethernet cable from the back of the computer.
          • Wi-Fi Connection: Turn off the Wi-Fi on the device, usually through a dedicated button or in the system settings.
  • After Isolation, Let the Antivirus Work:
      • Once the machine is isolated, avoid interacting with it more than absolutely necessary. Don’t open other files or launch programs.
      • If your antivirus software provides a dialog box to clean or quarantine the threat, it is generally safe to proceed with the recommended action.
      • Crucially, do not attempt to manually find and delete malware files yourself unless you are a technical expert. Doing so can cause more damage to the operating system.
  • Report the Incident Immediately:
      • Inform your IT department, Managed Service Provider (MSP), or the designated person responsible for tech issues, even if the antivirus says it has cleaned the threat.
      • They need to be aware of the security incident to investigate further and check other systems.
      • For smaller businesses, this may mean notifying the owner or the most tech-savvy person on the team.
  • Document Everything:
      • Record as much information as possible about the incident. This can be invaluable for the IT team investigating the issue.
      • What to note down:
          • The exact wording of the antivirus alert. Take a screenshot if possible.
          • What you were doing on the computer right before the alert appeared (e.g., browsing specific websites, opening an email attachment, plugging in a USB drive).
          • The date and time the alert occurred.
  • Crucial “Don’ts” – Common Mistakes to Avoid:
      • Don’t ignore the alert. Hoping it will just go away is a recipe for a minor issue becoming a major one.
      • Don’t assume the antivirus has completely fixed the problem. Some malware can be persistent, and remnants might remain or data could have already been stolen.
      • Don’t try to be the hero. Unless you are confident in your technical skills, leave the deep cleaning to the experts to avoid causing more harm.
      • Don’t reconnect the machine to the network prematurely. Wait for a qualified person to give the all-clear.
      • Don’t plug in any USB drives or external hard drives after the alert, as you risk spreading the malware to those devices. If one was already connected, leave it for the IT team to check.
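The “Isolate” and “Document Everything” steps above can be scripted so a non-expert does not have to hunt through settings while under pressure. The PowerShell script below is an added example written for these show notes; it is not code from the episode or its hosts. It assumes a Windows 8.1 / Server 2012 R2 or later workstation (for the NetAdapter and CIM cmdlets), that it is run locally from an elevated prompt on the affected machine, and that an incident folder under the current user’s Documents is an acceptable place for the record; the folder and file names are this example’s own choice. It grabs a screenshot first, while the alert is still on screen, then disables every connected adapter (wired and Wi-Fi alike), then prompts for the details IT will ask for and writes them to a JSON note alongside the screenshot.

```powershell
<#
  Added example (not from the episode): carry out the "Isolate" and
  "Document Everything" steps from the show notes on a Windows workstation.
  Assumptions: Windows 8.1 / Server 2012 R2 or later, run locally from an
  elevated PowerShell prompt, incident folder under the user's Documents.
  The folder and file names below are this example's own choice.
#>
param(
    [switch]$DryRun   # list the adapters that would be disabled, but leave them up
)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$docs    = [Environment]::GetFolderPath('MyDocuments')
$caseDir = Join-Path $docs "malware-incident-$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# 1. Screenshot first, while the antivirus alert is still on screen
#    (primary monitor only; falls back to a written note if capture fails).
try {
    Add-Type -AssemblyName System.Windows.Forms, System.Drawing
    $bounds = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
    $bmp    = New-Object System.Drawing.Bitmap $bounds.Width, $bounds.Height
    $gfx    = [System.Drawing.Graphics]::FromImage($bmp)
    $gfx.CopyFromScreen($bounds.Location, [System.Drawing.Point]::Empty, $bounds.Size)
    $shot = Join-Path $caseDir 'alert-screenshot.png'
    $bmp.Save($shot, [System.Drawing.Imaging.ImageFormat]::Png)
    $gfx.Dispose(); $bmp.Dispose()
} catch {
    $shot = $null
    Write-Warning "Screenshot failed ($($_.Exception.Message)); write the alert text down verbatim instead."
}

# 2. Isolate: take every connected adapter (wired and Wi-Fi) off the network.
$upAdapters = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
foreach ($nic in $upAdapters) {
    if ($DryRun) {
        Write-Host "Would disable: $($nic.Name) [$($nic.InterfaceDescription)]"
    } else {
        Disable-NetAdapter -Name $nic.Name -Confirm:$false
        Write-Host "Disabled: $($nic.Name)"
    }
}

# 3. Document everything: the details the show notes say IT will ask for.
$alertText = Read-Host 'Exact wording of the antivirus alert'
$activity  = Read-Host 'What were you doing just before the alert (site, attachment, USB drive...)'

# Removable drives already attached are recorded, not touched: leave them for IT.
# Win32_LogicalDisk DriveType 2 = removable disk.
$removable = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
               ForEach-Object { $_.DeviceID })

$note = [ordered]@{
    RecordedAt       = (Get-Date).ToString('o')   # ISO 8601 with local offset
    Computer         = $env:COMPUTERNAME
    User             = $env:USERNAME
    AlertText        = $alertText
    ActivityBefore   = $activity
    Screenshot       = $shot
    AdaptersDisabled = @($upAdapters | ForEach-Object { $_.Name })
    RemovableDrives  = $removable
    DryRun           = [bool]$DryRun
}
$notePath = Join-Path $caseDir 'incident-note.json'
$note | ConvertTo-Json -Depth 3 | Set-Content -Path $notePath -Encoding UTF8

Write-Host ""
Write-Host "Incident record written to $caseDir"
Write-Host "Next: tell IT / your MSP now, and leave the adapters disabled until they give the all-clear."
```

Run it once with `-DryRun` to see which adapters it would take down; without the switch it disables them immediately, so only run it at the keyboard of the affected machine (over a remote session it will cut your own connection). Re-enabling the adapters is deliberately not part of the script: that is the all-clear decision the show notes reserve for the IT team or MSP.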


Full transcript of the episode:

[00:00] Sarah: Welcome back to My Antivirus Says Threat Found, Now What?
[00:12] I’m Sarah and I’m here with cybersecurity expert Patrick.
[00:15] Last time, Patrick, you gave us an excellent breakdown of what common antivirus alerts actually mean.
[00:22] Now, we face the critical, what next?
[00:24] That alert has appeared, the initial understanding is there.
[00:27] What are the immediate, practical steps a business or an employee should take?
[00:32] Patrick: This is where a calm, methodical approach can make all the difference, Sarah.
[00:35] The very first piece of advice before anything else is, don’t panic.
[00:39] It’s easier said than done, I know.
[00:41] But reacting impulsively can sometimes make things worse.
[00:45] Take a breath and then focus on a few key actions.
[00:48] Sarah: Okay, don’t panic. Good advice for any crisis.
[00:51] So, assuming we’ve taken that breath, what’s the first active step?
[00:56] I’ve often heard that isolating the affected machine is paramount.
[01:00] Can you elaborate on why and how?
[01:02] Patrick: Think of it like putting it in quarantine.
[01:05] Now, in a perfect world with a big IT team on standby, you might hear some debate about this.
[01:10] Incident response professionals might argue against pulling the plug immediately because keeping that connection live gives them a chance to quietly observe the attacker’s tactics and learn how they operate, all without immediately alerting them that they’ve been discovered.
[01:25] But let’s be realistic.
[01:28] We are talking about a small business here.
[01:30] You likely don’t have a dedicated incident response team or cybersecurity pros on speed dial, ready to conduct that kind of complex investigation.
[01:38] For you, the risk of that malware spreading across the entire network is a much, much bigger and more immediate danger.
[01:46] So, for a small business, this is a must.
[01:49] It’s the difference between having one poorly computer to sort out versus the whole business grinding to a halt.
[01:55] When it’s ransomware, it’s not even a question. You must isolate it and fast.
[02:01] So, how do you actually do it?
[02:03] Well, the quickest way is usually the simplest.
[02:05] If there is a cable plugged into the back for the internet, just pull it out.
[02:10] If it’s on Wi-Fi, just switch the Wi-Fi off. Usually you’ve got like a small button to do it.
[02:15] Just click it, job done. You’ve put a barrier around the problem straight away.
[02:20] Sarah: So, physically or digitally severing its connection to the outside world and the internal network.
[02:26] Once it’s isolated, what then?
[02:28] Should you try and click clean or quarantine if the AV offers it, or just leave it be?
[02:33] Patrick: Once it’s isolated, avoid interacting with the machine more than absolutely necessary.
[02:38] Don’t open other files, don’t launch programs, and if your AV has already popped up a dialogue box asking to clean or quarantine, and you are comfortable with that, it’s usually okay to proceed with the AV’s recommendations on that specific alert.
[02:52] However, don’t go browsing through your files trying to find the malware yourself or delete things manually unless you are very technically proficient.
[03:01] Sarah: That makes sense. Let the AV do its job, but don’t go poking around.
[03:05] What about informing someone?
[03:07] In a larger business, there’s IT support, but for smaller businesses, that might be the owner or a tech-savvy colleague.
[03:14] Patrick: This is critical, and especially with ransomware.
[03:17] Inform your IT department or managed service provider or the designated responsible person immediately.
[03:23] Even if the antivirus says it has cleaned the threat, they need to know.
[03:28] I assume they will have protocols for this, and may want to investigate further or check other systems.
[03:33] For smaller businesses without dedicated IT, this might mean informing the business owner or the person who usually handles tech issues.
[03:41] The key is just don’t assume it’s sorted and carry on.
[03:45] This is a security incident, however minor it might seem.
[03:50] Sarah: So, communication is key.
[03:52] And while waiting for IT or before they arrive, is there anything useful the user can do?
[03:58] Perhaps noting down details?
[04:01] Patrick: Yes, that’s an excellent point.
[04:02] Note down as much information as possible.
[04:05] What was the exact wording of the antivirus alert?
[04:08] Take a screenshot if possible or write it down verbatim.
[04:12] What were you doing on the computer just before the alert appeared?
[04:15] Were you browsing a particular website?
[04:17] Did you open an email or attachment, or did you plug in a USB drive?
[04:22] Note the date and time of the alert.
[04:24] This information can be invaluable for an IT team or person investigating the incident, helping them to understand the potential source and scope of it.
[04:34] Sarah: That context could be vital for diagnosis.
[04:37] Now, Patrick, just as important as the do’s are the don’ts.
[04:41] What are some common mistakes people make in this situation that can exacerbate the problem?
[04:46] Patrick: There are several definite don’ts.
[04:48] Don’t ignore the alert. It might seem obvious, but sometimes people click ignore or close the pop-up hoping it will just go away, especially if they are busy.
[04:57] That’s a recipe for a minor issue becoming a major one.
[05:01] Don’t automatically assume your AV has perfectly fixed everything and it’s all over.
[05:07] While AVs are good, some malware is persistent.
[05:10] The initial clean might remove the active component, but remnants could remain, or it could have already done some damage like exfiltrating data.
[05:19] Don’t try to fix it yourself if you are not confident.
[05:22] Deleting random system files hoping to remove the malware can cripple the operating system.
[05:28] Leave deeper cleaning to the experts.
[05:31] Don’t reconnect the machine to the network prematurely.
[05:34] Not until a qualified person has given the all-clear.
[05:38] And a really important one, don’t plug in any USB drives or external hard drives after seeing the alert, either to back up files or for any other reason, as you risk spreading the malware to those devices.
[05:51] If you were already using one, leave it connected for IT to check, but don’t introduce new ones.
[05:58] Sarah: That’s a comprehensive list of pitfalls.
[06:01] The point about not assuming the AV has dealt with it completely is particularly pertinent.
[06:06] It’s a tool, but not always a perfect one-shot solution.
[06:10] Patrick: Exactly.
[06:11] It’s a fantastic first responder, but it might not always see the full picture of what the malware has done or what other components might be lurking around.
[06:20] Sarah: So, Patrick, the immediate response boils down to: stay calm, isolate the machine, inform the right people, note down the details, and then very carefully avoid doing anything that could make it worse or spread the potential infection.
[06:36] It’s about containment and clear communication.
[06:39] Patrick: That’s it in a nutshell, Sarah.
[06:41] A measured, controlled response at this stage can significantly limit the potential damage and make the subsequent investigation and remediation much more straightforward.
[06:51] Sarah: Excellent advice. Now, there are times when, even after these initial steps, there might be lingering doubts.
[06:57] When should a business suspect that their AV hasn’t quite caught everything and that a deeper dive, perhaps specialist malware analysis, might be necessary?
[07:07] We’ll be exploring that in part three.