Network admin ethics: deleting infected files

What are the precedents or accepted ethical standards for what a computer network administrator is supposed to do when he discovers virus-infected files in a user’s file area?

I have a home network with family members as users, and a file server. I do regular backups of the file server, using a computer that also runs virus protection software. During today’s routine backup, the virus protection software reported several files in my daughter’s area were infected and unrepairable, so I deleted them without opening or otherwise messing with them, and told her after the fact. I was afraid of losing more if I left them there, but now I feel a little for damaging her things without her permission.

But are there any prevailing standards that dictate a sysadmin would do something different? And what might it be?

…now I feel a little guilty for damaging…

Who “owns” the network and what are the policies governing its use? At work, the IT infrastructure is owned by our agency. The content belongs to the agency, even though it is created by staff. Common courtesy says a sys admin should at the very least inform a user that their content is infected, but at the end of the day, the rules exist before the user has access. And those rules state that infected files may be deleted without prior notification.

However, in the case of a home network, perhaps it is time to have a family discussion, including how to safely use computers, the network and the Internet. As long as everyone using your home network knows and understands the house rules, well … 🙂

I agree with Duckster. Authority is delegated to an administrator by the owner of the asset, be it network, hardware or software. If the owner of the asset has delegated that authority or approves of the policy, then the administrator has the right.

At home, I believe any heads of household would qualify as owners. Unless your daughter bought her computer herself. In that case, you have the guilt-free right to isolate her virus-ridden computer from the rest of the network, but maybe not the right to delete things from it without her permission.

And educating all users about the risk of viruses/spyware/adware and the ease of infection never hurts.

No matter who owns and who administers the network, any administrator who simply deleted user files without any chance of recovery is likely to find a list of very angry complaints landing on his boss’ desk. There are other courses of action.

I would have isolated the offending files first. They can’t do harm if no-one and nothing can access them. Then do some research:

  • what’s the virus? You need to know this if you want to be sure you’re clear of it. Deleting a file is only treating a symptom, it may not be the solution.

  • is it a user created file, (e.g. Word document etc), some dumb downloaded freebie or a system file? This would determine my next move. User files are unique, and may be irreplaceable and essential. You may have to find a way of disinfecting the file (or revert to backup). On the other hand; dumb freebies can go hang and system files can be replaced.

  • where did the file or virus come from? If you don’t find this out you may find yourself back at square one by tomorrow and no-one will have learned anything from the experience.

Take the middle path: “Quarantine” the infected files. This tucks them away where they can’t be accessed with permission (and the viruses are no longer capable of running). So if a file is actually needed, e.g., a document, it can be restored, processed in a non-infectible manner, etc.

However, if you’re not an expert and the AV software doesn’t know how to do the cleaning for you, restoration of such a file is probably beyond your ken.

Check your AV software for how it does a “quarantine”. Also check for updates later, as a new virus might not have a cleaning method now but one could be added later.
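An added example, not part of any post in this thread and not how Norton or any other AV product implements its quarantine: a minimal manual quarantine for a file server, which moves a flagged file into a locked-down directory, records where it came from, and allows a verified restore later. The vault path, the `.quarantined` suffix and `manifest.jsonl` are names assumed for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    # Raw byte read only; the file is never opened in an application.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def quarantine(path, vault, reason):
    """Move a flagged file into the vault instead of deleting it."""
    src, vault = Path(path).resolve(), Path(vault)
    vault.mkdir(mode=0o700, parents=True, exist_ok=True)
    digest = sha256_of(src)
    # Hash plus a neutral suffix: no file association can open it by accident.
    dest = vault / (digest + ".quarantined")
    shutil.move(str(src), str(dest))
    os.chmod(dest, 0o400)  # owner read-only, never executable
    entry = {"original": str(src), "stored": dest.name, "sha256": digest,
             "reason": reason, "when": time.strftime("%Y-%m-%dT%H:%M:%S")}
    with open(vault / "manifest.jsonl", "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def restore(entry, vault):
    """Put a file back once it has been cleaned or judged safe."""
    stored = Path(vault) / entry["stored"]
    if sha256_of(stored) != entry["sha256"]:
        raise ValueError("quarantined copy changed since it was stored")
    os.chmod(stored, 0o600)
    shutil.move(str(stored), entry["original"])
    return Path(entry["original"])


def demo():
    # Constructed sample: a harmless file standing in for a flagged document.
    root = Path(tempfile.mkdtemp())
    doc = root / "essay.doc"
    doc.write_bytes(b"constructed sample content")
    entry = quarantine(doc, root / "vault", "AV flagged, unrepairable")
    stored = root / "vault" / entry["stored"]
    state = (doc.exists(), oct(stored.stat().st_mode & 0o777))
    return state, restore(entry, root / "vault").read_bytes()
```

The manifest is what makes the later steps possible: it keeps the original location for a restore and the hash for looking up what the infection was.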

At work, I’m the sysadmin. Viruses are dealt with according to predefined policy, which users have read and signed a document to say that they have read it. Emails are cleaned automatically or blocked if they can’t be cleaned and the user is notified. Documents get automatically cleaned or quarantined. Quarantined documents receive individual attention and are manually cleaned or restored from backup.

In the past few years, the main problem has not been viruses but network worms.

Futile Gesture, ftg and qts describe useful standards or at least give useful advice - things I wish I had thought of.

I should have quarantined the files instead of deleting them. They were word processing documents. While the antivirus software (Norton Antivirus) reported that they couldn’t be repaired, I know enough to be able to read a file byte by byte and recover the long strings of text - and the fact that she was using them suggests they were able to print. I did react on the basis of fear that the infection would spread, and since I depart for almost a week today I didn’t want things snowballing when I couldn’t intervene. But I could have done more to prevent loss of the information.


Live and learn.

In re the other comments, it’s my house, my network, I’m the only one who administers it, and she’s using an old computer of mine, too - which I didn’t touch. If any of these things weren’t true, the transgression would have been even more graceless! But we didn’t have rules and education in place.

Anyway, thanks for some excellent experience and expertise.