The first thing that happens when DNSWatch blocks a piece of malware is that you will get an email with details about the malware and the victim. It’s your job to figure out what has happened. When you click the link inside that email, you will be brought to the Infections page (an example is below). This page will show you the victim system and where the malware was trying to phone home to. We will give you the name of the victim and the location of where it is. Look for the location of the infected system. For example, if you have multiple offices, it may say “Chicago Office” (depending on how you set it up.)
Next we will give you information about the malware. For example, we will tell you where the malware is being hosted. If this is on an intelligence feed, we allow you to click into the feed itself so that you can do more research about what is being hosted at this malicious domain. At any time along the way, if you get stuck and have questions while trying to understand the domain, attacker, or victim system, you can always contact us by clicking the “Contact” button at the bottom of the screen. You can also send us an email at support@strongarm.io.
Last step is understanding the victim. On the infections dashboard, you’ll be able to see important things about the victim like;
-
User logged on
-
Current address
-
Active directory
-
Install path of malware
At this point, you should have enough information to decide what to do. There are three options:
-
Nuke & pave: Wipe disk and reinstall from scratch
-
If asset is on the road or you can’t nuke it, use Active Directory tools to remotely access and remove this file
-
In certain cases, DNSWatch can remediate the malware remotely. When available, you will see a remediate button pop up on the right sidebar of an infection. This sends malware a self-destruct command (suicide pill) that renders workstations safe to use.