Malware Detection at OSU

Oregon State University operates a network security appliance called FireEye. This device monitors network traffic for the patterns of activity a computer displays when it is infected with malware or has been compromised by an attacker.

When the FireEye device detects signs of malicious activity, it sends an alert to the OSU Computer Helpdesk, which in turn sends a notification to the registered owner of the computer. The owner is then responsible for contacting the Helpdesk to resolve the issue. This document describes that notification process.

Please Note: Every attempt will be made to resolve the situation through this process. However, where the activity discovered on a device places the availability, confidentiality, or integrity of the OSU network, or of the data residing on it, at risk, network access for that system will be blocked before any notification is sent.

 

Notification Process

OSU notifies users when a malware infection is detected on their computer. The user must either come in for help or inform the Helpdesk that the infection has been removed.

Notifications include technical details on the infection and information on how users can clean their own computers. Please note that the first notification comes from security@oregonstate.edu and is followed by an email from osucomputerhelpdesk@oregonstate.edu describing the options you have for cleaning your computer.

Network access disabled notification:

If the user neither comes in for help nor notifies the OSU Computer Helpdesk, and notifications from security@oregonstate.edu continue to arrive, the user’s network access will be disabled and a notification of the access restriction will be sent.

A user’s network access is not typically disabled until three notifications have been sent. Some circumstances extend the number of notifications before access is lost, such as a long period of time between malware detections by FireEye.

 

Example Malware Notifications

Below are examples of the notification e-mails sent to users. They can be used as a reference when judging whether a message you have received is genuine. Note that matching wording alone does not prove a message is legitimate, since anyone can copy a template; check that the sender address is security@oregonstate.edu or osucomputerhelpdesk@oregonstate.edu, and if in doubt, contact the OSU Computer Helpdesk directly at 541-737-3474 rather than following links in the message.

Example from Security:

Hello [Customer Name],


OSU's network security group has detected malware activity originating from your machine.
This is most likely due to a malware or virus infection on your machine.  Please check your
machine for viruses and malware and remove any infections.  If infections are not removed
and further malware-related activity is found on your machine, you risk your network
access being disabled until the infection is removed.

Details about the potential infection are listed below:


Details
Malware last detected: [Date] [Time]
IP: [Customer’s leased IP at time of detection]
Hostname: [Customer’s hostname on network]
MAC Address: [Customer’s hardware address]
ONID Username: [Customer username]
Zone: [Zone customer’s computer was assigned to]
Malware: [Type of infection detected]
Attacker's Info: [IP address and port the infection is communicating with]

For more details on this infection, visit
https://mil.fireeye.com/edp.php?sname=Trojan.Koredos


For help removing this infection on your own, see
http://oregonstate.edu/helpdocs/protect-your-computer

If you would like assistance removing the infection please contact the OSU Computer
Helpdesk -
Phone: 541-737-3474
(Web: http://oregonstate.edu/is/client-services/och/)

Note: This report is for your information, and a copy is provided to the OSU Computer
Helpdesk. (If you are reasonably sure that this report is a false positive, no action or
response is required.)

 

Example from the OSU Computer Helpdesk:

OSU’s Network Security group (security@oregonstate.edu) sent you an e-mail recently informing you about a possible malware infection on your computer. The OSU Computer Helpdesk wanted to check in with you and see if you have been able to remove the infection.

Because network security protects both you and the campus network, careful procedures are in place to quarantine potential infections. If no response is received from you after multiple notifications, the Helpdesk will disable your network access. Multiple warnings will be provided before access is disabled, and access is easily restored by contacting the Helpdesk either to report that you have cleaned the infection yourself or to get help removing it.

Please be aware that if you clean the infection yourself, you must inform the Helpdesk that the infection is resolved. If you do not respond to this email and your computer is still being reported as infected, the Helpdesk will disable your network access after three notifications.

Clean it yourself -

Information on how to remove infections yourself is available here: http://oregonstate.edu/helpdocs/protect-your-computer


If you clean your computer yourself, please reply to this email to let us know. If you receive another notice after reporting that you have cleaned the computer, your network access will be disabled and you will be notified.

Students with laptops - 

If you still need assistance, please come to our Walk Up Helpdesk, located on the main floor of the Valley Library. It is open 8AM-9PM Monday through Thursday, 8AM-7PM Friday, and 3PM-7PM Sunday. You can also give us a call at 541-737-3474.


Students with desktop computers living in the dorms -

Call the OSU Computer Helpdesk at 541-737-3474 for guidance and further assistance.


If you do not have an anti-virus program on your computer -


You can get Symantec Endpoint Protection for free with your ONID account. If you already have an antivirus program, please also run Malwarebytes to double-check that your system is free of viruses.

How to use Malwarebytes - Malwarebytes download page

How to install/obtain Symantec endpoint protection - video tutorial of how to install Symantec Endpoint Protection

You can go to http://oregonstate.edu/helpdocs/security/viruses for more information on viruses.


Please let us know if you have any questions or concerns.

If you forward your OSU email to another account, please check that account’s spam folder for the messages we are contacting you about.