Threats are said to come like a bolt from the blue. But that’s only in the saying. In life as well as in nature, we notice those grey and low clouds that mean it’s going to rain. No, we cannot drive them away, but in cyberspace, Bitrix will help us do it.
You get a virus alert from the web anti-virus. What should you do in this case?
First Step – During which We Find out if This is a False Alert or not
First, you need to find out whether there is a link to a virus on the site or if this alert is just false.
The anti-virus works by heuristic analysis of potentially dangerous blocks in the HTML code. The number of false virus alerts is minimal, but, unfortunately, they happen.
So, the key difference between blocks that actually contain links to viruses and legitimate ones that cause false alerts is that the legitimate blocks were added by your programmer. Who added the "viral" blocks, and where they came from, you do not know.
In general, telling "viral" and legitimate blocks apart may be a non-trivial task. Scanning these blocks with personal anti-viruses, as a rule, does not work, because such blocks of HTML code don’t actually contain viruses or Trojans, only links to them.
Second, and Final, Step – If the Virus Alert is False
So, if you are sure that the block which triggered the web anti-virus is legitimate and doesn’t contain any link to a virus download, then the alert was false. In that case, take a line from this block (reasonably long and unique) and add it to the exclusion list of the web anti-virus. As a result, the anti-virus will stop responding to any blocks containing this unique line.
Second, and Final, Step – If the Virus Alert is Not False
If the block contains a link to a virus, things are a little more difficult, because the presence of third-party code on your server means that there was an intrusion on the web server and the attacker could have gained access to the files on it. In most cases, the presence of "viral" blocks that trigger the Bitrix web anti-virus means that a computer belonging to your administrator, webmaster, programmer, etc. with access to the server via FTP (SSH, SFTP, etc.) has a virus, and that the server password has been stolen.
When a virus is detected on the site, you have to check all the computers of the people who have access to the site (including the control panel of the Bitrix software) with personal anti-virus software.
After the computers have been cured, you must change all the server passwords: the FTP and SSH passwords, including the root password if you have root access to the server; the database passwords; and the passwords of the users who have access to the control panel.
Then you should clean the third-party code on the server. The easiest way to track the files changed is to use the Bitrix . But this should be used only if you have been periodically running file integrity monitoring.
If you don’t use the file integrity control, then searching for all the changes made by the hacker may be a rather serious task.
To find such changes, search through all the files on the server for the lines from the block which the web anti-virus responded to. You also need to find the recently changed files and check them manually. After that, analyze the server HTTP logs.
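The search described above, as an added example (not part of the original post and not Bitrix code): it walks a web root, lists every file containing the marker line taken from the flagged block, and separately lists other recently modified files for manual review. The function names, the 14-day window and the sample marker are assumptions made for illustration.

```python
import os
import tempfile
import time

def contains(path, needle, chunk=1 << 20):
    """True if the bytes `needle` occur in the file. Reads in chunks so large
    files are not loaded whole; `tail` catches matches across chunk borders."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            if needle in tail + block:
                return True
            tail = (tail + block)[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False

def triage(web_root, marker, days=14, now=None):
    """Return (flagged, recent, unreadable) for all files under web_root.
    flagged: (mtime, path) of files containing the marker line.
    recent:  (mtime, path) of other files modified in the last `days` days.
    mtime can be reset by whoever changed a file, so `recent` is only a lead;
    the marker search is applied to every file regardless of its age."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    needle = marker.encode("utf-8")
    flagged, recent, unreadable = [], [], []
    for dirpath, _dirs, names in os.walk(web_root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                hit = contains(path, needle)
            except OSError:
                unreadable.append(path)  # report it; an unchecked file is not a clean file
                continue
            if hit:
                flagged.append((mtime, path))
            elif mtime >= cutoff:
                recent.append((mtime, path))
    return sorted(flagged), sorted(recent), unreadable

if __name__ == "__main__":
    marker = '<script src="//placeholder.invalid/a.js">'  # constructed sample marker
    with tempfile.TemporaryDirectory() as root:           # constructed sample tree
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<html>" + marker + "</script></html>")
        with open(os.path.join(root, "about.php"), "w") as fh:
            fh.write("<html>clean page</html>")
        for group in triage(root, marker):
            print(group)
```

Run it against a copy or read-only mount of the web root where possible, so the review itself does not alter timestamps you may need when you analyze the HTTP logs.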
That’s it.
Have a nice working day! If you see any clouds, then hopefully they will be only like the ones in the picture above.








