Malware Response

Download the Malware Response Guide

Launch the download of the IPD guide for Malware Response.

Launch the download of the entire Infrastructure Planning and Design Guide series.

Visit the Download Center to select another guide in the Infrastructure Planning and Design Guide series.

About This Guide

The Infrastructure Planning and Design (IPD) Guide for Malware Response replaces Malware Removal Starter Kit: How to Combat Malware Using Windows PE.

The new Infrastructure Planning and Design Guide for Malware Response will help organizations plan the best and most cost-effective response to malicious software. This guide provides methodologies for assessing malware incidents and walks the reader through the considerations and decisions that are pertinent to timely response and recovery. It also describes approaches to investigating outbreaks and cleaning infected systems.


Figure 1. Decision flow chart

In More Detail

The Malware Response Guide includes the following content:

  • Step 1: Confirm the Infection. This step involves taking actions to immediately contain an infection. Information is gathered from the user and about the system to help assess the breadth of the problem.

  • Step 2: Determine the Course of Action. This step involves determining the risk to data, performing backups (if required) before proceeding with the chosen course of action, and deciding whether to examine the malware’s effects on the system. It also involves deciding whether to clean the malware, restore the system state, or rebuild the system.

  • Step 3: Attempt to Clean the System. This step involves putting the system cleaning plan into effect, including attempting to remove the malware with automated tools such as antimalware products.

  • Step 4: Attempt to Restore the System State. This step involves attempting to restore the system state and then evaluating the restored system to confirm that the malware was removed.

  • Step 5: Rebuild the System. This step involves rebuilding the system, either from an image or by reinstalling the operating system, restoring the user settings and data, and evaluating the activities performed for effectiveness.

  • Step 6: Conduct Post-Attack Review. This step focuses on post-attack items to consider for lessons learned.
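Steps 1 and 2 depend on volatile evidence (running processes, network connections, persistence points) that is lost the moment the system is cleaned, restored or rebuilt. The following script is an added example, not part of the IPD guide or its Windows PE tooling: it captures that evidence into a hashed bundle before any remediation and, only when asked, cuts the host off the network. The output path, the -Isolate switch and the choice of persistence locations are assumptions for illustration; run it from an elevated prompt on the suspect host.

```powershell
<#
  Added example (not from the IPD guide): first-response triage snapshot for
  Step 1 (confirm the infection) that preserves volatile evidence ahead of the
  clean / restore / rebuild decision in Step 2. The output root and the
  -Isolate switch are assumed names, not part of the guide.
#>
param(
    [string]$OutRoot = "C:\Triage",   # assumed destination; prefer removable media if the local disk is untrusted
    [switch]$Isolate                  # disable physical NICs after the snapshot (network containment)
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Running processes with parent, command line, SHA-256 and Authenticode status.
#    Unsigned images launched from a user profile or Temp are the first things to look at.
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $hash = $null; $signer = 'n/a'
    if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
        try { $hash = (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash } catch {}
        $signer = (Get-AuthenticodeSignature -LiteralPath $_.ExecutablePath).Status
    }
    [pscustomobject]@{
        Pid = $_.ProcessId; ParentPid = $_.ParentProcessId; Name = $_.Name
        Path = $_.ExecutablePath; CommandLine = $_.CommandLine
        Sha256 = $hash; Signature = $signer
    }
}
$procs | Export-Csv -Path (Join-Path $outDir 'processes.csv') -NoTypeInformation

# 2. Established and listening TCP connections mapped to their owning process.
Get-NetTCPConnection -State Established,Listen |
    Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess,
        @{n='Process';e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Export-Csv -Path (Join-Path $outDir 'netconns.csv') -NoTypeInformation

# 3. Common persistence points: Run/RunOnce keys in both hives, services, scheduled tasks.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |      # drop the PSPath/PSDrive metadata properties
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
} | Export-Csv -Path (Join-Path $outDir 'runkeys.csv') -NoTypeInformation

Get-CimInstance Win32_Service | Select-Object Name,State,StartMode,PathName |
    Export-Csv -Path (Join-Path $outDir 'services.csv') -NoTypeInformation

Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    [pscustomobject]@{
        Task   = $_.TaskPath + $_.TaskName
        Author = $_.Author
        Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Export-Csv -Path (Join-Path $outDir 'tasks.csv') -NoTypeInformation

# 4. Hash the bundle so it can later be shown unchanged (chain of custody for the post-attack review).
Get-ChildItem -Path $outDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash,Path | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation

# 5. Containment last: cutting the network after evidence is on disk, and only on request,
#    because it also severs any remote session you are running this from.
if ($Isolate) {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.Virtual -eq $false } |
        Disable-NetAdapter -Confirm:$false
}

Write-Output "Triage bundle written to $outDir"
```

Review processes.csv for images with Signature other than Valid or paths outside Program Files and Windows, and runkeys.csv and tasks.csv for commands pointing at the same images; those findings are what decide between cleaning, restoring and rebuilding in Step 2, and the manifest lets the same bundle be cited in the Step 6 review. Get-NetTCPConnection, Get-ScheduledTask and Get-NetAdapter require Windows 8 / Windows Server 2012 or later.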

This guide is one in a series of planning and design guides that clarify and streamline the planning and design process for Microsoft infrastructure technologies. The goal of this guide is to provide processes and tasks to help determine the nature of the malware problem, limit the spread of malware, and return the system(s) to operation.

When a malware attack occurs, there are a number of factors that must be considered quickly and simultaneously to restore service to the system. Some of these factors are, indeed, conflicting. Understanding how the system was compromised, while simultaneously returning the system to operation as quickly as possible, is a common conflicting issue that this guide addresses. This malware response guide does not resolve this conflict; the reader must do so based on the priorities of the business.

When deciding which course of action to take to get the attack under control and restore the system to normal as quickly as possible, consider the following:

  • The amount of time required and available to restore the system to normal operations.

  • The resources needed and available to perform the work.

  • The expertise and administrative rights of the personnel performing the recovery.

  • The cost to the business that could result from data loss, exposure, and downtime.

All of these items will influence the decisions and the risk the organization is willing to accept when responding to and recovering from a malware attack.

  • Check out what the Infrastructure Planning and Design team has to offer! For additional information, including our most recent guides, visit Infrastructure Planning and Design Guide Series.

  • The Microsoft Malware Protection Center provides the latest information about major desktop and email threats to computers running Windows. For more information, visit Malware Protection Center.


About Solution Accelerators

Solution Accelerators are authoritative resources that help IT professionals plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free, prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.

Sign up to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as:

  • Communication and collaboration

  • Security, data protection, and recovery

  • Deployment

  • Operations and management
