Method to Conduct Post-Mortem Mal-Ware Incident Analysis
Original Publication Date: 2005-Jan-21
Included in the Prior Art Database: 2005-Jan-21
A number of solutions exist today to scan a computer system for viruses and worms (malware). They can only protect a system from "known" malware: detection depends on the vendor having already produced a signature or other definition for the sample. There is usually a lag between a malware outbreak and the malware becoming "known" to these solutions, so on systems infected during that window the malware runs freely until the anti-virus software receives the update that identifies it.

Although these solutions can clean a system of malware once they know it, they record nothing about what the malware did on the system or about the vulnerability (program or mechanism) it used to get in. So even after the malware has been removed, the questions that matter for assessing the damage of the infection cannot be answered: which vulnerability did the malware use to intrude, which files did it read, which files did it send out of the system (anything company-confidential), and to which other systems did it spread? Removing the malware is therefore not the same as knowing what it did. This article describes a methodology for providing information about the activity of the malware during the period of infection.