Over time, best practices have emerged through trial and error that both reduce the chance of a system becoming infected and reduce the effort needed to remove malware once it is present.
Identify malware symptoms:
First, identify the symptoms the malware is producing as clearly as you can: pop-ups, redirected browsing, disabled security tools, unexplained network traffic, and so on. In some cases the symptoms alone point to the exact piece of malware. More often they establish the severity of the infection, which is useful to know when IT resources are stretched thin and battles must be chosen.
Quarantine infected system:
The infected system should be quarantined: removed from the network, by unplugging the cable or disabling the wired and wireless adapters, so the infection cannot spread to other systems. This is also why it is good practice to keep user data on servers: when a user's system has to be quarantined, a freshly imaged machine can be handed to the user quickly, limiting the impact on productivity while the infected machine is cleaned.
Disable system restore:
System Restore is a useful tool in many cases, but during a virus infection it can work for the virus. Restore points are stored in a protected area of the disk that virus scanners cannot clean, so an infected restore point makes reinfection possible: if System Restore is run after an antivirus or antispyware utility has cleaned the system, the malicious files can reappear. Disable System Restore before attempting to clean a system. Doing so deletes all restore points on the system, including any that contain the infection, so make sure any data you still need is backed up elsewhere first.
Remediate infected systems:
Once the infected system has been quarantined, you must take steps to clean it. This two-step process, updating the scanner and then scanning, is discussed next.
Update anti-virus software:
Before scanning the system, update the antivirus definitions and, if a newer version is available, the scanning engine itself. Definition files can change daily, and the malware may be so new that it is not covered by your current definitions even if they are only a week old. Because the system is already off the network, bring the update in from a clean machine (for example, the vendor's signed definition package copied over on removable media) rather than reconnecting the infected system to download it.
Scan and removal techniques (safe mode, pre-installation environment):
Although you can run the scan and removal from the normal Windows desktop, it is best practice to do it either after booting to Safe Mode or from a preinstallation environment such as Windows PE. In Safe Mode only a minimal set of drivers and services loads, so malware that starts with a normal boot is usually not running and cannot block or hide from the scanner; in Windows PE the infected operating system is not running at all, so even a rootkit cannot conceal its files from the scan.
Schedule scans and updates:
The antivirus software can be scheduled to scan the system. Set this up for a time when the system is not in use, such as at night: the scan will finish faster and will not slow users down. Also set the software to automatically check for and install updates to both the definition files and the engine as soon as they are available.
Enable system restore and create restore point:
Although it is recommended that you disable System Restore before cleaning an infection, it is a good idea to re-enable it and create a restore point once the system is clean. This gives you a known-clean restore point going forward in case the system becomes infected again at some point.
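The removal sequence above, from identifying symptoms through re-enabling System Restore, as one added PowerShell example. This is not code from the original text; it assumes a Windows 10 or later host protected by Microsoft Defender, an elevated Windows PowerShell 5.1 console, and a system drive of C:. The function names are this example's own; the cmdlets themselves (Get-NetAdapter, Disable-ComputerRestore, Update-MpSignature, Start-MpWDOScan, Set-MpPreference, Checkpoint-Computer) are standard Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original text: the removal sequence above as
# Windows PowerShell 5.1 functions for a host protected by Microsoft Defender.
# Assumptions: the system drive is C:, the function names are this example's
# own, and the host runs Windows 10 or later (Start-MpWDOScan, NetAdapter module).
# Disable-/Enable-ComputerRestore and Checkpoint-Computer exist only in Windows
# PowerShell 5.1, not PowerShell 7. A third-party AV product needs its own CLI
# for the update and scan steps.

function Get-MalwareSymptoms {
    # Identify symptoms: what Defender has already logged helps judge severity
    # (and sometimes names the exact threat) before any cleanup starts.
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First 20 InitialDetectionTime, ProcessName, Resources, ThreatID
}

function Invoke-HostQuarantine {
    # Quarantine: take every physical adapter (wired and wireless) down without
    # powering off, so cleanup continues locally while nothing can spread.
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
        Disable-NetAdapter -Confirm:$false
}

function Disable-RestorePoints {
    param([string]$Drive = 'C:\')
    # Disable System Restore: turning protection off drops the restore points;
    # deleting the shadow copies explicitly makes sure none survives to reinfect.
    Disable-ComputerRestore -Drive $Drive
    $volume = $Drive.TrimEnd('\')
    vssadmin.exe delete shadows /for=$volume /all /quiet | Out-Null
}

function Update-AntiVirus {
    # Update definitions and engine. On a host that is already off the network,
    # copy the Defender definition package (mpam-fe.exe) from a clean machine on
    # removable media and run it there instead of calling Update-MpSignature.
    Update-MpSignature
    Get-MpComputerStatus |
        Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
}

function Start-OfflineCleanup {
    # Scan from a preinstallation environment: Windows Defender Offline reboots
    # into a WinPE-style environment and scans while the infected OS is not
    # running, so a rootkit cannot hide its files. The call reboots immediately.
    # Safe Mode alternative (remove the flag after the scan or it persists):
    #   bcdedit /set '{current}' safeboot minimal; Restart-Computer
    #   bcdedit /deletevalue '{current}' safeboot
    Start-MpWDOScan
}

function Set-ScanSchedule {
    # Schedule scans and updates: nightly full scan plus frequent definition checks.
    $pref = @{
        ScanParameters          = 2            # 2 = full scan, 1 = quick scan
        ScanScheduleDay         = 'Everyday'
        ScanScheduleTime        = '02:00:00'   # local time, when no one is working
        SignatureUpdateInterval = 4            # hours between definition checks
    }
    Set-MpPreference @pref
}

function Restore-CleanBaseline {
    param([string]$Drive = 'C:\')
    # Enable System Restore and create a restore point. Windows 8 and later allow
    # only one Checkpoint-Computer restore point per 24 hours by default.
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                        -RestorePointType MODIFY_SETTINGS
    # Put the host back on the network only once Get-MpThreat reports nothing.
    Get-NetAdapter -Physical | Enable-NetAdapter -Confirm:$false
}

# Usage, in the order of the text. Start-OfflineCleanup reboots, so the last
# two functions are run after the machine comes back up with a clean result:
#   Get-MalwareSymptoms; Invoke-HostQuarantine; Disable-RestorePoints
#   Update-AntiVirus; Start-OfflineCleanup
#   ... after reboot: Get-MpThreat; Set-ScanSchedule; Restore-CleanBaseline
```

The phases are kept as separate functions rather than one script because the offline scan reboots the machine partway through; the technician runs the first group, lets Defender Offline finish, confirms Get-MpThreat is empty, and only then re-enables System Restore and the network.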
Educate end user:
In many cases users are partly responsible for the infection. The period right after an infection is a good time to impress on users the principles of secure computing. Remind them that antivirus software and firewalls can only go so far in protecting them, that they should practice safe browsing habits, and that they should not open email attachments from unknown sources, however tempting.