Best practices to mitigate the effects of malware on a machine can be summarised as follows:
Only authorized devices should be allowed: Only pre-approved devices should be permitted to connect to production systems. Personal USB drives, music players, smartphones and similar devices should not be allowed to connect. Where an unapproved device is genuinely needed, it must first be scanned on a dedicated, isolated machine to confirm it is free of malware before it touches anything else. This rule should be enforced technically (device control that allows only listed USB devices, autorun disabled) rather than by policy alone.
Regular updates and patching of operating systems: Every organization should have a standard policy for regularly updating and patching all devices. The policy should define procedures for checking for new patches released by vendors, name the person responsible for carrying out patching smoothly, and require that devices are monitored after an update or patch for regressions. Patches for vulnerabilities that are being actively exploited should be prioritised ahead of the routine cycle.
Updated anti-virus: Anti-virus programs must be set to update automatically so that new virus definitions and scan engine updates are applied as soon as they are available. It should be monitored centrally that every single device is updated regularly, because one unprotected machine can be enough for an infection to spread to the rest of the network.
Changes should be monitored: A change-management policy should ensure that no change causes unexpected behaviour of devices that could result in a security lapse. The effects of every change should be analysed thoroughly before it is deployed, and a tested rollback mechanism should be available in case of failure.
Local firewall on machines: Every machine, including laptops and mobile devices, should run a host firewall that filters incoming and outgoing connections and logs what it blocks. It should deny inbound connections by default and allow only the outbound traffic the machine actually needs, so that malware which does get onto the machine cannot freely reach the internet or other hosts.
Scanning for vulnerability: Vulnerability scanning plays a major role in threat mitigation. A scanning tool or script probes machines for the weaknesses that malware exploits (missing patches, vulnerable software versions, open services, weak configuration), and the scan results are analysed to identify the loopholes and weak points on each machine. Any machine found vulnerable should be secured immediately, and the scan repeated to confirm the fix worked.
Web content filter and proxy servers should be used: These prevent users from unknowingly being redirected to malicious sites. The proxy server should be the only host permitted to connect to the external internet over HTTP and HTTPS; the perimeter firewall should block direct web egress from every other machine, otherwise malware can simply bypass the filter.
Email filter: Filter out attachments that look malicious. Only an allowlist of document extensions should be accepted, and the filter should be continuously monitored. An extension allowlist on its own is weak, because an executable can be renamed and an Office document can carry macros, so the attachment's actual content type should be checked against its name and macro-enabled documents treated as suspect.
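The following is an added example, not code from the original page: an attachment check that applies an extension allowlist and then verifies the file's real content against its name, so a renamed executable or a macro-enabled document is blocked even when the extension looks acceptable. The allowlist, the sample attachments and the mapping of extensions to expected content types are constructed assumptions.

```python
"""Attachment policy check: extension allowlist plus content sniffing.
Added example; the allowlist and sample attachments are constructed."""
import io
import zipfile

ALLOWED_EXT = {".pdf", ".docx", ".xlsx", ".txt"}          # assumed allowlist
EXPECTED = {".pdf": {"pdf"}, ".docx": {"office"},          # what each extension must contain
            ".xlsx": {"office"}, ".txt": {"text"}}


def extension_chain(name):
    """All extensions of a name: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def sniff(data):
    """Identify the real container type from the bytes, ignoring the filename."""
    if not data:
        return "empty"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"                        # Windows executable or DLL
    if data.startswith(b"\xD0\xCF\x11\xE0"):
        return "ole"                       # legacy .doc/.xls, may carry macros
    if data.startswith(b"PK\x03\x04"):     # zip container, possibly OOXML
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "office-macro"          # macro-enabled Office document
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office"
        return "zip"
    head = data[:512]
    if all(b < 128 and (b >= 32 or b in b"\t\r\n") for b in head):
        return "text"
    return "unknown"


def check_attachment(name, data):
    """Return ('allow'|'block', reason). Extension first, then content must match it."""
    chain = extension_chain(name)
    ext = chain[-1] if chain else ""
    if ext not in ALLOWED_EXT:
        return "block", f"extension {ext or '(none)'} not on allowlist"
    kind = sniff(data)
    if kind in ("pe", "office-macro", "ole", "zip-corrupt"):
        return "block", f"content is {kind} despite name {name}"
    if kind not in EXPECTED[ext]:
        return "block", f"content type {kind} does not match {ext}"
    return "allow", f"{ext} with matching {kind} content"


def make_zip(entries):
    """Build an in-memory zip from {member_name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member, content in entries.items():
            z.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments (minimal stand-ins, not real documents).
CLEAN_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
MACRO_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"\x00macro\x00"})
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%constructed\n"),   # allowed: pdf named pdf
    ("invoice.pdf.exe", b"MZ\x90\x00"),             # blocked: final extension .exe
    ("payroll.docx", b"MZ\x90\x00"),                # blocked: executable renamed to .docx
    ("quote_macro.docx", MACRO_DOCX),               # blocked: macro-enabled document
    ("quote_clean.docx", CLEAN_DOCX),               # allowed: plain OOXML document
    ("notes.txt", b"meeting at 10\n"),              # allowed: text named .txt
]


def review(samples=SAMPLES):
    """Map attachment name -> verdict for a batch of (name, bytes) pairs."""
    return {name: check_attachment(name, data)[0] for name, data in samples}


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:20} {' : '.join(check_attachment(name, data))}")
```

The sniffing is deliberately conservative: anything the filter cannot positively identify as the type its extension promises is blocked rather than allowed, which is the right default for an inbound mail gateway.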
Monitoring of logs: Anti-virus software, firewalls and similar controls should not be treated as the last line of defence against malware. Logs from firewalls, proxy servers, DNS servers and so on should be reviewed daily, looking for machines bypassing the proxy, unusual outbound connections, and repeated requests to unfamiliar domains at regular intervals.
What if machines still get infected: If only a few machines are infected, they should be disconnected from the network immediately, and all outgoing traffic to external networks should be stopped. Analyse the logs to find out which systems were affected and how. Check whether any new software or utility was installed; if so, record what it is and remove it. Preserve the relevant logs and, where possible, a copy of the affected disk before cleaning the machine, so the entry point can be established and closed rather than reinfected.
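As an added example, not code from the original page, the following script performs the daily log review described under "Monitoring of logs" and turns it into the list of hosts to isolate under "What if machines still get infected". It checks two things: that no host other than the proxy is reaching the internet on HTTP/HTTPS (the egress rule from "Web content filter and proxy servers"), and whether any client is querying one domain at a near-constant interval, which is a common sign of a malware beacon. The proxy address, the log formats and the log lines themselves are constructed assumptions.

```python
"""Daily egress and DNS review over constructed firewall and resolver logs.
Added example; PROXY_HOST, the log formats and the sample lines are assumptions."""
from collections import defaultdict
from datetime import datetime

PROXY_HOST = "10.0.0.5"        # assumption: the one host permitted direct web egress
WEB_PORTS = {80, 443}

# Constructed firewall log, one record per line: timestamp src dst dport action
FIREWALL_LOG = """\
2024-05-01T09:00:01 10.0.0.5  203.0.113.10 443 ACCEPT
2024-05-01T09:00:05 10.0.1.23 198.51.100.7 443 ACCEPT
2024-05-01T09:01:10 10.0.1.23 198.51.100.7 443 ACCEPT
2024-05-01T09:00:09 10.0.1.40 203.0.113.10 80  DROP
"""

# Constructed resolver log: timestamp client "query" domain
DNS_LOG = """\
2024-05-01T09:00:00 10.0.1.23 query update.example.com
2024-05-01T09:00:30 10.0.1.23 query a1b2c3.bad-example.net
2024-05-01T09:01:30 10.0.1.23 query a1b2c3.bad-example.net
2024-05-01T09:02:30 10.0.1.23 query a1b2c3.bad-example.net
2024-05-01T09:03:31 10.0.1.23 query a1b2c3.bad-example.net
2024-05-01T09:00:12 10.0.1.40 query www.example.org
2024-05-01T09:05:12 10.0.1.40 query www.example.org
2024-05-01T09:20:12 10.0.1.40 query www.example.org
2024-05-01T09:21:12 10.0.1.40 query www.example.org
"""


def parse(log_text):
    """Split a log into whitespace-separated fields, skipping blank lines."""
    return [line.split() for line in log_text.splitlines() if line.strip()]


def direct_egress(firewall_log, proxy_host=PROXY_HOST, web_ports=WEB_PORTS):
    """(src, dst, port) for hosts other than the proxy that were ALLOWED out on web ports.
    Any result means the 'proxy is the only HTTP/HTTPS egress' rule is not enforced.
    DROP records are the rule working and are not reported here."""
    found = set()
    for _ts, src, dst, dport, action in parse(firewall_log):
        if action == "ACCEPT" and int(dport) in web_ports and src != proxy_host:
            found.add((src, dst, int(dport)))
    return sorted(found)


def dns_beacons(dns_log, min_queries=4, jitter_s=5):
    """(client, domain) pairs queried at a near-constant interval.
    Regular, machine-like timing over min_queries lookups is treated as beaconing;
    the spread between the shortest and longest gap must be within jitter_s seconds."""
    stamps = defaultdict(list)
    for ts, client, _kind, domain in parse(dns_log):
        stamps[(client, domain)].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            hits.append(key)
    return sorted(hits)


def suspect_hosts(firewall_log, dns_log):
    """Hosts that appear in either finding: the candidates to disconnect first."""
    hosts = {src for src, _dst, _port in direct_egress(firewall_log)}
    hosts |= {client for client, _domain in dns_beacons(dns_log)}
    return sorted(hosts)


if __name__ == "__main__":
    for src, dst, port in direct_egress(FIREWALL_LOG):
        print(f"proxy bypass: {src} -> {dst}:{port}")
    for client, domain in dns_beacons(DNS_LOG):
        print(f"possible beacon: {client} -> {domain}")
    print("isolate:", ", ".join(suspect_hosts(FIREWALL_LOG, DNS_LOG)))
```

In the constructed logs, 10.0.1.23 both bypasses the proxy and queries one domain every 60 seconds, so it is the host to pull off the network and examine; 10.0.1.40 was blocked by the firewall and its lookups are irregular, so it is not flagged. The jitter threshold is deliberately small here; on real resolver logs it should be tuned against normal traffic such as update checks, which also repeat but usually with longer and less uniform gaps.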