Computers Infected with Malicious Software "Quarantined" Under New Policy


Computer Support Specialist James Perlman demonstrates how technicians repair systems infected with malware. Under a policy instituted at the end of 2008, computers infected with the malicious software can be blocked, or "quarantined," from accessing Harvard networks.

January 22, 2009 - Two computers used by library staff were restricted from accessing Harvard College Library networks in recent months in accordance with a university policy directed toward "quarantining" machines believed to be infected with potentially malicious software.

The computers were isolated from the network under the University's Network Take-down and Vulnerability Scanning Policy, said Jeff Bernhard, Assistant Director for ITS Client Services and Support. The strategy was put in place toward the end of 2008 to protect Harvard networks from hidden software that may be installed on computers without the user's knowledge. Also called malware, the software could be used to damage networks, hijack sensitive information or commandeer network computers to send junk email to thousands of people.

Under the new policy, Harvard University Information Systems (UIS) staff monitors campus networks in search of unusual activity, which could indicate an infected computer. Once identified, Bernhard said, the computer is blocked from accessing the network. If the infected computer is registered to HCL, a notice of the disconnection is sent to HCL ITS staff. Within minutes, ITS staff identifies the affected computer and notifies the user of the quarantine. In all, Bernhard said, the process may take just 15 minutes.

"There have been two instances where a problem was brought to our attention," Bernhard said. "Most people don't even know their computer is infected with malware. In some instances, you can visit an innocuous Web site, and someone can secretly slam malware onto your machine. It may not be immediately apparent to the operator."

Ultimately, Bernhard said, a computer infected with malicious software will begin to show telltale signs, such as slower operation and unusual network activity. Once unusual network behavior appears, Bernhard said, UIS staff quarantines the computer until the reason for the unusual activity can be found.
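The monitor-then-quarantine workflow described above, as an added example that is not part of the original article or of any UIS or HCL ITS tooling: constructed flow records are scanned for one of the symptoms the article names (a workstation that suddenly submits mail to many different mail servers, the signature of a machine commandeered to send junk email), the offending host is marked for a network block, and a notice is routed to the support group the host is registered to. The flow lines, the registration table, the threshold of five distinct SMTP peers and the group names are all hypothetical.

```python
"""
Constructed example of a monitor -> block -> notify workflow.
Not UIS or HCL ITS code; every record, threshold and name below is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed flow records: "<timestamp> <source host> <destination> <destination port>".
# 10.1.5.12 fans out to eight different mail servers in a few seconds, which a normal
# client (one or two submission servers) does not do; the others look ordinary.
SAMPLE_FLOWS = [
    "2009-01-20T09:00:01 10.1.5.12 mail.example.edu 25",
    "2009-01-20T09:00:02 10.1.5.12 mx1.example.net 25",
    "2009-01-20T09:00:02 10.1.5.12 mx2.example.net 25",
    "2009-01-20T09:00:03 10.1.5.12 mx.example.org 25",
    "2009-01-20T09:00:03 10.1.5.12 smtp.example.com 25",
    "2009-01-20T09:00:04 10.1.5.12 mx1.example.net 25",   # repeat peer, counted once
    "2009-01-20T09:00:04 10.1.5.12 mail.example.co 25",
    "2009-01-20T09:00:05 10.1.5.12 mx3.example.io 25",
    "2009-01-20T09:00:05 10.1.5.12 mx.example.info 25",
    "2009-01-20T09:00:06 10.1.5.40 mail.example.edu 25",
    "2009-01-20T09:00:07 10.1.5.40 www.example.edu 80",
    "2009-01-20T09:00:08 10.2.8.7 www.example.edu 443",
]

# Hypothetical registration table: which support group owns each address.
REGISTRY = {"10.1.5.12": "HCL ITS", "10.1.5.40": "HCL ITS", "10.2.8.7": "FAS IT"}
DEFAULT_QUEUE = "UIS network operations"   # hosts with no registration entry

SMTP_PORT = 25
MAX_DISTINCT_SMTP_PEERS = 5   # assumed threshold; tune to the local mail architecture


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class QuarantineAction:
    host: str          # address to block at the network edge
    reason: str        # what the monitor saw, so the technician knows where to start
    notify: str        # support group that receives the disconnection notice


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line into a Flow record."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def find_suspect_hosts(lines, threshold: int = MAX_DISTINCT_SMTP_PEERS) -> dict:
    """Return {host: number of distinct SMTP peers} for hosts over the threshold."""
    peers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f.dport == SMTP_PORT:
            peers[f.src].add(f.dst)
    return {host: len(p) for host, p in peers.items() if len(p) > threshold}


def quarantine(host: str, reason: str, registry=REGISTRY) -> QuarantineAction:
    """Build the block-and-notify record; unregistered hosts go to the default queue."""
    return QuarantineAction(host=host, reason=reason, notify=registry.get(host, DEFAULT_QUEUE))


def run(lines, registry=REGISTRY) -> list:
    """Scan the flows and return one QuarantineAction per flagged host."""
    actions = []
    for host, count in sorted(find_suspect_hosts(lines).items()):
        actions.append(quarantine(host, f"{count} distinct SMTP peers", registry))
    return actions


if __name__ == "__main__":
    for action in run(SAMPLE_FLOWS):
        print(f"block {action.host}: {action.reason}; notify {action.notify}")
```

The detection counts distinct mail-server peers rather than raw connection volume, so a user who sends many messages through the one campus mail server is not flagged, while a machine spraying mail at arbitrary remote servers is. The action record carries the reason and the owning support group, which is what lets the "notice of the disconnection" reach the right technician within minutes rather than leaving the user to discover the block on their own.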

"When we are notified of a quarantine, we assign a technician to contact the person and tell them to stop what they're doing, and we go over there immediately to see what is going on, and repair the problem," Bernhard said.

By far the easiest solution to the problem of malware, Bernhard said, is to simply reset the computer's software to its original configuration, a process that often takes less than an hour. While software exists to remove malware, the programs sometimes report that a system has been disinfected when, in fact, the malicious programs are still present. Resetting a workstation is the only way to ensure the malware has been completely removed.

The process, however, only works if the computer's user hasn't saved any information "locally," on their computer's hard drive. Following HCL Computing guidelines on saving data only to network drives simplifies the repair process, Bernhard said, and ensures data files are secure and backed up.

"We prefer that people use the network drives to store data. In the event a system needs to be re-set, the data is secure and the user's roaming profile helps bring the workstation back to where it was prior to being compromised," he said. "That way, if something goes wrong, your files are on the server. We can fix your computer and have you back up and running within an hour or less."

"The costs of exposing sensitive data continue to skyrocket, and the potential for harm to an institution of higher education like Harvard cannot be measured," said Information Technology Services Director Deb Morley. "The system monitoring and quarantining of computers infected with malware by FAS IT is an attempt to identify systems that might contribute to a break in network security and exposure of confidential data. We appreciate the cooperation of our users in dealing with these issues."