SOP 003: Research Office Malicious Software Removal


1. Purpose

1.1. This SOP describes the West Virginia University (WVU) Research Office’s IT group process for identifying and removing malicious software.

2. General Guidance

2.1. Research Office IT Support, Samuel Kisko, sekisko@mail.wvu.edu, will assist users with the technical aspects of malicious software removal. Alternatively, you may contact the ITS Helpdesk for immediate assistance by phone at (304) 293-4444 or by email at ITSHelp@mail.wvu.edu. All end users should be trained on WVU's cyber security best practices; see the WVU ITS policies and procedures at https://it.wvu.edu/policies-and-procedures.

3. Procedures

3.1. Malicious Software Identification and Removal

Malicious software is usually identified in one of four ways. Sophos alerts, the most common, are automated and notify the Research Office IT Support group of the software's presence. Windows alerts, which are rare, occur when Windows itself prompts that malicious software is present. User-identified malicious software usually takes the form of a popup or other unexpected prompt. Lastly, on Macs, macOS can sometimes identify malicious software on its own. In all cases, contact the Research Office IT Support group as soon as you notice anything, even before administration becomes aware of it.

3.1.1. Popup and Web Prompts Malicious Software Removal

Should a website open a browser popup or other unexpected window that you are unable to close, or that causes other issues, the Research Office IT Support group recommends shutting down the machine immediately and then restarting it. After restarting, use Sophos to scan for malicious software. If no further popups appear and no Sophos alerts (from the scan or generated automatically) exist, then typically no malicious software was installed on the computer. If any further popups occur, shut the machine down immediately and contact the Research Office IT Support group for malicious software removal. Research Office IT Support is located in room 109 of the Chestnut Ridge Research Building and may be contacted by phone at (304) 293-0081 or by email at sam.kisko@mail.wvu.edu.

3.1.2. Sophos-Alerted or User-Identified Malicious Software Removal

For any alert, whether a Sophos alert or a strange pop-up in Windows or a browser, shut down the machine immediately. The Research Office IT Support group will usually back up any local data, wipe the computer, and reinstall a fresh image. The backed-up data is restored only after it has been scanned for any issues. In rare cases, such as attacks that encrypt data (ransomware), the data may be lost. For this reason, it is always recommended that any important data be stored on the network drives. Never attempt to copy or recover data on your own from a machine that may be compromised.

3.1.3. Notification That a Device Is Isolated

For any Sophos alert or Sophos email alert indicating that your computer has been isolated, shut down the computer immediately. Isolation usually means the computer is infected with a virus that Sophos was unable to clean automatically. Notify the Research Office IT Support group for recovery from this type of malicious software. Never attempt to copy or recover data from a machine that may be compromised.

4. References

WVU ITS Policies
The Policies and Standards of WVU ITS can be found here:

https://it.wvu.edu/policies-and-procedures

The WVU Research Office follows the policies set by ITS including Acceptable Use for WVU computers, email, and networks. This also includes security for WVU devices and systems and privacy of personal and health data.

Research Office IT Support is located in room 109 of the Chestnut Ridge Research Building and may be contacted by phone at (304) 293-0081 or by email at sam.kisko@mail.wvu.edu. In-person consultation and support are available from 8:00 a.m. to 4:00 p.m. or by appointment.