

IR Playbook Malware Outbreak

This article provides guidance on how to slow or stop a malware outbreak when antivirus is not detecting/removing a threat. 

  1. Identify the threat. The first step is to identify the malware. This will usually be a process or service, or sometimes a driver. The malware may be installed like a regular program (Trojan), it may have a service name that is similar to a legitimate service (or even replace the executables of an existing, legitimate service), or it may use rootkit/stealth techniques to hide from some troubleshooting tools.
  2. Determine propagation methods. The next step is to determine what method(s) it is using to spread through the network. The key things to determine here are: What protocol is it using? (SMB, HTTP, ARP, etc.) What port(s) is it using? In many cases, simply enabling Windows Firewall can stop malware from spreading. This can be enabled using domain Group Policy.
  3. Stop malware using Software Restriction Policy (SRP). If the process name can be identified, then it is often possible to stop malware using Software Restriction Policy (SRP). Note: this assumes the affected computers are domain-joined.
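The three steps above, worked through on a single affected Windows host, as an added PowerShell example (this is not code from the original playbook). It assumes local administrator rights, the built-in NetSecurity and CimCmdlets modules, and uses hypothetical values (the PID 4321 and the path C:\ProgramData\svchosts.exe) that you would replace with what step 1 and step 2 actually turn up. The SRP part writes the path rule into the local policy registry location; on a domain, as the playbook assumes, the same "Disallowed" path rule belongs in the GPO so that it reaches every member computer.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original playbook. Service names, PIDs and paths below are hypothetical.

# --- Step 1: identify the threat ---------------------------------------------------------
# List services whose binary is unsigned or lives outside the Windows / Program Files trees.
# A lookalike service (one letter off a legitimate name) or a replaced executable usually
# fails one of these two checks, because the legitimate binary is signed and lives under
# %SystemRoot%. Rootkit-hidden services will not appear here; treat an empty result with care.
function Get-SuspiciousService {
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        # PathName may be quoted and may carry arguments; keep only the executable path.
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $inTrustedDir = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        if ($sig.Status -ne 'Valid' -or -not $inTrustedDir) {
            [pscustomobject]@{
                Name = $_.Name; DisplayName = $_.DisplayName; State = $_.State
                ProcessId = $_.ProcessId; Path = $exe; Signature = $sig.Status
            }
        }
    }
}

# --- Step 2: determine propagation -------------------------------------------------------
# Live TCP connections and UDP endpoints owned by one PID, so the protocol and port it
# spreads on become visible.
function Get-ProcessNetworkActivity {
    param([Parameter(Mandatory)][int]$ProcessId)
    $tcp = Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'TCP'}}, LocalPort, RemoteAddress, RemotePort, State
    $udp = Get-NetUDPEndpoint -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'UDP'}}, LocalPort, @{n='RemoteAddress';e={$null}},
                      @{n='RemotePort';e={$null}}, @{n='State';e={$null}}
    @($tcp) + @($udp)
}

# Group remote ports by how many distinct hosts they reach. A process fanning out to many
# peers on one port (TCP 445 = SMB, TCP 80/443 = HTTP) is the propagation channel to block.
function Get-PropagationSummary {
    param([Parameter(Mandatory)][int]$ProcessId)
    Get-ProcessNetworkActivity -ProcessId $ProcessId |
        Where-Object { $_.RemoteAddress -and $_.RemoteAddress -notin '0.0.0.0','::','127.0.0.1','::1' } |
        Group-Object Proto, RemotePort |
        ForEach-Object {
            [pscustomobject]@{
                Proto         = $_.Group[0].Proto
                RemotePort    = $_.Group[0].RemotePort
                DistinctHosts = @($_.Group.RemoteAddress | Sort-Object -Unique).Count
            }
        } | Sort-Object DistinctHosts -Descending
}

# --- Step 3: contain with Windows Firewall and an SRP path rule -------------------------
function Block-MalwareBinary {
    param(
        [Parameter(Mandatory)][string]$Path,   # executable identified in step 1
        [int[]]$InboundTcpPort                 # ports found in step 2 (e.g. 445); optional
    )
    # 3a. Make sure the firewall is on for every profile, then block the binary's traffic
    #     in both directions. Blocking by program stops the spread without cutting off the
    #     port for legitimate software on the host.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
    $leaf = Split-Path -Path $Path -Leaf
    New-NetFirewallRule -DisplayName "IR block out: $leaf" -Direction Outbound -Program $Path -Action Block | Out-Null
    New-NetFirewallRule -DisplayName "IR block in: $leaf"  -Direction Inbound  -Program $Path -Action Block | Out-Null
    # Optional: close the inbound port itself on hosts that do not need to serve it.
    foreach ($p in $InboundTcpPort) {
        New-NetFirewallRule -DisplayName "IR block in: TCP $p" -Direction Inbound -Protocol TCP -LocalPort $p -Action Block | Out-Null
    }
    # 3b. SRP "Disallowed" path rule for the binary. Level 0 under CodeIdentifiers is Disallowed;
    #     each rule is a GUID-named subkey (this layout is what the GPO writes, stated here as an
    #     assumption to verify in secpol.msc after running). Domain-wide, put the same rule in GPO.
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -Value 0     -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value 'IR containment: malware outbreak' -PropertyType String -Force | Out-Null
}

# Usage on an affected host (values are hypothetical):
#   Get-SuspiciousService | Format-Table -AutoSize              # step 1: review candidates
#   Get-PropagationSummary -ProcessId 4321                        # step 2: which proto/port fans out?
#   Block-MalwareBinary -Path 'C:\ProgramData\svchosts.exe' -InboundTcpPort 445   # step 3
#   gpupdate /force                                               # re-read policy now
```

Step 1 deliberately reports candidates rather than deciding for you: an unsigned in-house agent under C:\ProgramData will show up alongside the malware, so compare the hit against a known-good host before blocking it. Step 3a is the per-host form of "enable Windows Firewall"; once the binary and port are confirmed, the same program rule and SRP path rule go into the domain GPO so that hosts you cannot reach interactively pick them up on their next policy refresh.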