Respond to Data Security Incidents Caused by Malware - Checklist for IT Administrators


Computers compromised by malware are the most common data security incident on campus. Departments can choose to handle portions of an incident internally (using the checklist below) or contact UMass Amherst IT at security@umass.edu as soon as possible.

Use the following checklist for your preliminary analysis. Contact security@umass.edu if you need assistance with any of the steps.

1. Keep detailed notes

Depending on the severity of the incident, you may have to provide details about the incident, including how you first responded, to other staff, management, University Legal Counsel, or Internal Audit.

2. Minimize system changes

Keep the system intact, as changes can destroy valuable data related to the incident. Do not power off, run anti-virus software, or attempt to back up data.

3. Gather volatile information while the system is running (optional)

Document any open network connections, running processes, logged-in users, and connected drives. Capture an image of the computer’s memory.

4. Shut the system down & preserve hard drive data

You need to shut the system down before completing the next steps.

Option A: Get a forensically-sound copy of the hard drive

Get a forensically-sound 'bit-by-bit' copy of the affected hard drive(s) and keep this information until the incident is resolved. You should also preserve an MD5 hash of the original drive(s) and image(s). Note: You will need a hard drive write blocker to complete this step (see details below).

Option B: Connect the hard drive to a write blocker

Alternatively, you can connect the hard drive to a hard drive write blocker before performing the next steps. Write blockers enable you to acquire information from a drive without damaging its contents. We recommend Tableau products, available from multiple online retailers.
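The volatile capture in step 3 and the bit-by-bit copy with hash record in step 4 (Option A), as an added example that is not part of this checklist or of UMass Amherst IT's tooling. It assumes a POSIX shell with `dd` and either `md5sum` (Linux) or `md5` (BSD/macOS); `ss`, `netstat`, `lsblk`, `who` and `ps` are used only if present. The "drive" that demo() images is a constructed 1 MiB file; with a real drive the source would be the device node behind the write blocker, and `/dev/sdb` in the comments is an assumed name, not a real one.

```shell
#!/bin/sh
# Added example, not UMass Amherst IT tooling: capture volatile state (step 3),
# then take a bit-for-bit image and record MD5 hashes of source and image
# (step 4, option A). demo() images a constructed 1 MiB file, not a real disk.
set -u

# Run a command only if it exists, write its output to a file, never abort on failure.
capture() {
    out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>/dev/null || true
    fi
}

# Step 3: open connections, running processes, logged-in users, connected drives.
# A full RAM capture needs a dedicated memory-acquisition tool and is not attempted here.
collect_volatile() {
    v="$1/volatile"
    mkdir -p "$v" || return 1
    date -u > "$v/timestamp.txt"
    capture "$v/users.txt" who
    capture "$v/processes.txt" ps aux
    if command -v ss >/dev/null 2>&1; then
        capture "$v/connections.txt" ss -tunap
    else
        capture "$v/connections.txt" netstat -tunap
    fi
    capture "$v/drives.txt" lsblk
    [ -f "$v/timestamp.txt" ]
}

# MD5 of a file: md5sum on Linux, md5 on BSD/macOS.
hash_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Step 4, option A: bit-for-bit copy plus a hash record. With a real drive, "$src"
# is the device node behind the write blocker (e.g. /dev/sdb, an assumed name).
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # noerror keeps going past unreadable blocks; sync pads them so offsets stay aligned
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_md5=$(hash_of "$src")
    img_md5=$(hash_of "$img")
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src md5=$src_md5"
        echo "image=$img md5=$img_md5"
    } >> "$log"
    # succeed only if the image hashes identically to the original
    [ "$src_md5" = "$img_md5" ]
}

# Re-check an image later against the hash recorded at acquisition time.
verify_image() {
    img="$1"; log="$2"
    expected=$(grep -F "image=$img md5=" "$log" | tail -n 1 | sed 's/.*md5=//')
    [ -n "$expected" ] && [ "$(hash_of "$img")" = "$expected" ]
}

# Constructed stand-in for a suspect drive: 256 blocks of 4096 random bytes.
make_sample_drive() {
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample_drive "$work/suspect.dd" || return 1
    collect_volatile "$work/case" || return 1
    acquire_image "$work/suspect.dd" "$work/case/disk.img" "$work/case/hashes.txt" || return 1
    verify_image "$work/case/disk.img" "$work/case/hashes.txt" || return 1
    cat "$work/case/hashes.txt"
    rm -rf "$work"
}

demo
```

The hash record (`hashes.txt`) is the part to keep with the incident notes from step 1: if the image is later handed to UMass Amherst IT for analysis, re-running `verify_image` against that record shows the copy is unchanged since acquisition, and a mismatch is itself a finding worth noting.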

5. Run Spirion & a malware detection scan

With the write blocker in place or after you have obtained a forensically-sound copy of the affected hard drive(s):

  • Run Spirion (if installed) to determine whether personally identifiable information is stored on this device and where it is located.
  • Complete a virus/malware detection scan using your preferred anti-virus/malware application.
  • Gather any other information relevant to this incident.

6. Provide UMass Amherst IT with an Incident Report

You must contact UMass Amherst IT if Spirion finds any personally identifiable information, if UMass Amherst IT first contacted you about this incident, or if you cannot rule out the presence of sensitive data on this device.

Preliminary analysis: findings & next steps

If you have completed a preliminary analysis, these are some general recommendations based on the most common findings. For additional information, contact security@umass.edu.

Malware and personally identifiable information found
Submit an Incident Report (see Step 6 above). UMass Amherst IT will need the compromised device (or the forensically-sound copy) for an in-depth analysis.

Personally identifiable information found, but no malware
Contact UMass Amherst IT for a secondary analysis (additional detection tools may be required). Remove the data if no longer necessary or save it in a safe location (e.g., server). Review the business processes that require sensitive data to be placed in this location.

Malware found, but no personally identifiable information
Review the scope of the incident to ensure other devices are not affected. Change all passwords and complete the appropriate recovery steps for this device. Submit an Incident Report if UMass Amherst IT originally notified you of this incident. Alternatively, email your malware scan results to security@umass.edu (we'll share them with other IT Administrators).

No malware, no personally identifiable information
You may need to re-diagnose the problem: check the incident symptoms and contact UMass Amherst IT for assistance.