Introduction

1.1 This policy provides guidelines on the Virus Protection procedures in place throughout Down District Council (DDC). Failure to adhere to this policy will be considered to be a potentially serious disciplinary offence which could lead to dismissal.

Purpose

2.1 To protect DDC computers and data networks against virus infections to an extent consistent with cost-effectiveness and without interfering unnecessarily with the productive use of its computers and networks.

2.2 To establish a policy and procedure that defines the responsibilities for reducing the threat of computer viruses to DDC computers and networks.

2.3 To establish responsibility for overseeing computer virus prevention activities within DDC and to establish a reporting mechanism to ensure that all appropriate personnel are contacted in case of a computer virus incident.

2.4 To promote DDC employee awareness of the threat posed by computer viruses and to ensure that virus protection software and procedures are properly implemented and utilized on a regular basis.

Scope

3.1 Compliance with the provisions of the policy concerning pre-scanning of all data and program files before installation and reporting of possible viruses applies to anyone performing work using IT resources within DDC.

Policy Updates

4.1 This policy will be amended from time to time in response to changing circumstances as computer facilities develop and in response to operational and legislative requirements.

4.2 The Council will do its best to ensure that individual users are made aware of these changes when they occur.

4.3 The most current version of the policy will however always be available on the Council's Intranet site and in paper form from Human Resources. As a condition of use, it is the responsibility of users to ensure that they keep up-to-date with the latest requirements of the policy.

Definition of Terms

5.1 Authorised Software: See the DDC Computer Software Policy.

5.2 Computer Virus: A computer virus is a program or piece of code that is loaded onto any computer, including PCs and servers, without the knowledge of the owner and runs against the owner's wishes. All computer viruses are manmade. All computer viruses will disrupt the operation of the infected computer. Some computer viruses are destructive, permanently damaging data files or programs on a computer.

User Awareness

6.1 All users will be required to sign the following statement before being allowed access to DDC computers/networks:

I have read the Council's Virus Protection Policy and fully understand the terms and conditions and agree to abide by them. I understand that the Council's security systems will record for management use all virus protection activity on DDC computers/networks. I understand that violation of this policy may lead to disciplinary action including termination of employment and could also lead to personal criminal prosecution.

Responsibilities of Users

7.1.0 Every Employee's Responsibility.

7.1.1 Each employee is personally responsible for understanding and observing the provisions of this policy.

7.1.2 It is contrary to DDC policy for any employee to introduce, deliberately, a virus into DDC computers and/or networks, to withhold information necessary for the effective implementation of virus protection procedures or to use software or data that has not been properly scanned for viruses in DDC computers and/or networks.

7.2.0 IT Department's Responsibility.

7.2.1 The IT Department is responsible for overseeing computer virus protection activities within DDC.

7.2.2 The IT Department will evaluate, recommend, and maintain virus protection software and/or tools for use on DDC desktop computers and network servers. The IT Department will provide support for the evaluation, acquisition, and maintenance of virus protection software and/or tools for other systems maintained within DDC. The IT Department will ensure that virus protection software is installed on any desktop computer and network server acquired by DDC before they are made available for use by DDC, its employees or its agents.

7.2.3 The IT Department will investigate every report of an apparent computer virus infection, and will make every reasonable effort to determine the source of the infection. The IT Department will keep all affected personnel advised of the investigation.

7.2.4 For each incident, the IT Department will develop and/or provide step-by-step procedures for the scanning and actual removal of the virus.

7.2.5 The IT Department will oversee the effort to remove the virus from the affected computer, to scan for viruses on any other computers that were connected to this computer, and to scan any diskettes that were used in the computer(s).

Virus Protection Procedures

8.1.0 General Guidance

8.1.1 All data and/or program files must be scanned for viruses before installation (or, in the case of software distributed in compressed form, immediately after installation) to safeguard DDC networks from infection. This includes shrink-wrapped software (i.e., software shipped in tamper-proof packaging) procured directly from commercial sources such as Microsoft, Novell, etc. It also includes shareware and freeware obtained from electronic bulletin boards or on disk (diskette or CD-ROM), custom-developed software, and software received through government sources.

8.1.2 All data and program files that have been electronically transmitted to a DDC computer from another location, internal or external, must be scanned for viruses immediately after being received.

8.1.3 Every diskette is a potential source for a computer virus. Therefore, every diskette must be scanned for virus infection before it is used in a DDC computer or network server.

8.1.4 Computers and/or network servers shall never be "booted" from a diskette received from an outside source. Users shall always remove a diskette from the disk drive when not in use. This is to ensure that the diskette is not in the disk drive when the machine is powered on. A diskette infected with a boot virus may infect a computer in that manner, even if the diskette is not a "bootable" disk.

8.1.5 Virus protection software shall be loaded on each desktop computer and server as a terminate and stay resident (TSR) program to constantly monitor for viruses to prevent introduction to the network.

8.2 Virus Reporting and Documentation by Employee.

8.2.1 When an employee detects what appears to be a virus, the employee shall take the following steps:

a) Write down the name of the virus if provided by the virus detection software.
b) Write down any recent unusual system activities (for instance, unexpected disk access, error messages or screen displays) and, if possible, include when these activities were first noticed.

Immediately:

c) Notify the IT Department.
d) If the computer that may be infected is part of a network, disconnect the computer from the network.
e) Post a warning note on the infected computer.

8.3 Virus Report Handling by the IT Department.

8.3.1 Upon receipt of a notice of a possible virus, clarify symptoms, verify if there is a virus, determine the source of the infection, isolate the source from the DDC environment, and assess the damage.

8.3.2 Verify that all potentially affected users have been notified.

8.3.3 If it is a new virus and/or the amount of damage is significant, work with the user(s) to isolate the virus and develop a course of action (step-by-step procedures) for restoring the network and/or computer(s) to normal.

8.3.4 Remove the virus from the affected computer, scan for viruses on any other computers that were connected to this computer, and scan any diskettes that were used in the computer(s).

Backup and Restore

9. The IT Department is responsible for the backup of all file server programs and data. All storage devices must be scanned for viruses before backup.

Exceptions

10. Any exceptions to this Virus Protection Policy shall require prior written approval of the Director of Corporate Services.

Further Information

11. If you would like further information on the contents of this Virus Protection Policy, or on any matters relating to it, please contact the Council's IT Advisor.

If at any stage there are any issues within the policy which are perceived by any party as conflicting with their rights, that party should bring these to the attention of the Director of Corporate Services or raise a grievance through the Grievance Procedure.

May 2003