How do I report an infected on-campus computer?
1. Shut down your computer as quickly as possible.
2. Contact your LAN Coordinator with detailed information on why you suspect the computer is infected.
3. If your LAN Coordinator is not available or you do not have one, contact the ITS Service Desk at 756-7000.
Based on the availability of staffing and severity of impact, technical staff will respond to your service request.
How do I report an infected off-campus or personal computer?
1. Shut down your computer as quickly as possible.
2. From another computer, visit the Cal Poly software page for software downloads and links to vendor sites.
3. If no other computer is available, contact your LAN Coordinator with detailed information on why you suspect the computer is infected.
4. If your LAN Coordinator is not available or you do not have one, refer to your local Yellow Pages for computer repair and service centers.
How do I report an infected email message?
If the originating machine is located at Cal Poly, the campus antivirus gateway has already identified the machine and reported it to the appropriate support staff for action. In most cases, the gateway will delete the infected attachment and add a warning to the message before it is delivered. Unless the message was sent by someone you know, your best course of action may be to just delete it. However, if you want to report it, follow these instructions.
If the virus originated from off-campus and you wish to report it to the Internet Service Provider of the infected machine, you will need to review the message's full ARPA headers. The "Received:" headers provide the actual path of the message from the sending machine to its destination (read from bottom to top, start to end). The "From:" sender and return path headers may be forged and are not reliable on infected messages.
If you still have problems viewing, interpreting or forwarding headers, please contact the Help Desk at (805) 756-7000 and they will put you in touch with someone who can walk you through it.
If, based on the header information, you have determined that the message originated from a machine at Cal Poly, no further action should be taken.
If the message originated from a machine off-campus, see how to report a virus to an off-campus ISP.
If the infected computer is not on-campus, how do I report it to an off-campus Internet Service Provider (ISP)?
For most well-known ISPs (e.g. America Online, Earthlink, Verizon, Yahoo, Hotmail), forward the message and full ARPA headers to "abuse" for that ISP. Examples: abuse@verizon.net, abuse@yahoo.com, abuse@aol.com, abuse@charter.net.
NOTE: The incident date and time should reflect when the email was sent.
If the time zone is not indicated, it can be determined from the number starting with a minus sign immediately after the time. For example, during standard time, -0800 is Pacific Standard Time (PST) and -0500 is Eastern Standard Time (EST). During Daylight Saving Time, the offset for most time zones is one hour less, e.g., Pacific Daylight Time (PDT) is -0700.
The offender's IP address is the originating machine in the last "Received:" header. Example: Received: from (yada.blah.net [XX.XXX.XXX.XX]) by something.net with SMTP id# for someaddress@calpoly.edu; date; time (timezone). The number in brackets "[XX.XXX.XXX.XX]" is the originating IP address. If included, the originating host's name is to the left of the originating IP address within the parentheses. In the example above, "blah.net" would be the ISP. If no host name is included, please refer to "What if the Originating Machine is only described by an IP Number?" for information on how to determine the originating ISP.
For lesser-known ISPs, forward the message and full ARPA headers to "abuse" and "postmaster" for that ISP. Examples: abuse@blah.net and postmaster@blah.net.
If you have any questions regarding these procedures, contact abuse@calpoly.edu.
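The header reading described above can be scripted. The following Python sketch is an added example, not a Cal Poly tool: it takes a saved message, reads the last "Received:" header, and returns the bracketed IP address, the host name beside it, and the send time in both the local offset and UTC. The sample message, its IP addresses and the function name originating_hop are constructed for illustration, and treating the last two labels of the host name as the ISP is an assumption that mirrors the "blah.net" example.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; the IPs are documentation addresses, not real traffic.
SAMPLE = """\
Received: from something.net (something.net [192.0.2.10])
\tby mail.example.edu with ESMTP id A1 for <someaddress@calpoly.edu>;
\tMon, 12 Jan 2004 09:15:42 -0800
Received: from yada.blah.net (yada.blah.net [203.0.113.45])
\tby something.net with SMTP id B2 for <someaddress@calpoly.edu>;
\tMon, 12 Jan 2004 09:15:40 -0800
From: "Forged Sender" <friend@example.org>
Subject: constructed sample

body
"""

# Matches "(host [ip])" or "([ip])": the host name is optional, the IP is bracketed.
ORIGIN_RE = re.compile(
    r"\(\s*(?P<host>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9A-Fa-f:.]+)\]\s*\)")

def originating_hop(raw_message):
    """Return origin details from the last (bottom-most) Received: header."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        raise ValueError("no Received: headers found")
    last = " ".join(received[-1].split())        # unfold continuation lines
    match = ORIGIN_RE.search(last)
    if match is None or ";" not in last:
        raise ValueError("last Received: header has no bracketed IP or date")
    # The date, time and numeric offset follow the final ';' of the header.
    sent = parsedate_to_datetime(last.rsplit(";", 1)[1].strip())
    host = match.group("host")
    return {
        "ip": match.group("ip"),
        "host": host,
        # Assumption: ISP domain = last two labels (wrong for e.g. .co.uk names).
        "isp_domain": ".".join(host.split(".")[-2:]) if host else None,
        "sent_local": sent.isoformat(),
        "sent_utc": sent.astimezone(timezone.utc).isoformat(),
    }

if __name__ == "__main__":
    for key, value in originating_hop(SAMPLE).items():
        print(f"{key}: {value}")
```

Treat the result as a lead for the abuse report: only the "Received:" lines added by mail servers you trust are guaranteed to be accurate, so compare the extracted address with what your own gateway recorded.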
How does Cal Poly handle a potentially infected computer on its network?
If a computer connected to the Cal Poly network is suspected of being infected based on reports from internal and/or external sources, Information Technology Services (ITS) will immediately block the computer from accessing the network. The LAN Coordinator and/or user will be notified and ITS will work with the department to repair the problem. Once the computer is confirmed to be clean of viruses and updated with the latest operating system patches and antivirus software and definitions, ITS will unblock the computer and restore network access. This process is necessary to prevent the spread of viruses to other computers. For more information, please see:
- Procedure for Removing Network Devices From the Cal Poly Network [PDF]
- Virus Response Information and Procedures [Under Development]