My company recently started using VSE on our small LAN. The LAN is part of a distributed control system and historic data servers. After installing VSE on 3 computers I found we had several viruses. I have scanned all networked drives from one central PC, but the virus keeps coming back and now one of the historic data servers' hard drives is full.
What is the best way to go about removing a virus from a LAN?
How do I scan all nodes and keep the virus from moving to another node?
Any advice would be greatly appreciated.
To scan all nodes, you can create a scheduled task in ePolicy Orchestrator to run a scan nightly or weekly on all nodes that are in ePO. If you haven't deployed ePO, and are licensed for it, it is enormously helpful. If you're new to the McAfee ecosystem, ePO is the central console for most McAfee products. A program separate from VSE gets installed on endpoints called the McAfee Agent and that talks to ePO. From ePO you can centrally define AV policy, and do things like schedule nightly or weekly AV scans with uniform settings, and move security from an ad hoc process to something more repeatable.
Now the bad news: any responsible forensic computer specialist is obliged to tell you that "Flatten and rebuild" is the gold standard for malware recovery for your network's infected machines. This means repartitioning, reformatting the drives, and reinstalling the OS from known clean media, reloading drivers and programs, applying all vendor OS updates and those to third party software (such as Adobe goodies, Java if god forbid your enterprise requires it), installing an updated AV such as VSE, and only then moving data from the once infected system after scanning the data drive from the pristine, known clean and fully patched system.
I wish I had better news, but this is how you remove malware from a network. Anti-virus is, these days, at best, a baseline detection for known malware variants. If you're extremely lucky, maybe it will manage to clean a widely known variant of malware, but understand that Anti-virus technologies can only block the malware they know about, and given the crushing load of new malware variants and polymorphic code in malware, there's just no way that AV can be expected to clean up what may be in many cases infections with several different pieces of malware.
In addition, take a long hard look at the patching process in your small network. If you haven't had AV until now, odds are good that these machines are not getting operating system updates on a timely basis, or getting the crucial third party software updates. Any machine that has internet access from which anyone runs an email or web browsing client needs to be religiously patched at the Windows Update level and for Office updates, but also for Adobe Flash/Reader, any Apple cruft that's crept in, and Java (remove it from any machines unless you have a specific business need, and if you do, patch it religiously) to stand even a fighting chance against today's threats. With control systems this can be easier said than done as many can be hostile to software updates. In that case, consider whitelisting technologies like McAfee Application Control (formerly Solidcore) or Bit9 (a competing product). These flip the AV axiom on its head and instead of trying to look for a universe of known-bad, whitelisting software allows only known-good programs and publishers' code to run on the system. It works very well for machines that don't change much, and can be managed even on desktops though boy that's a struggle.
on 7/17/14 8:03:06 AM CDT
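Before you can schedule scans from ePO or judge how far behind on patches the DCS nodes are, you need to know which nodes actually have the McAfee Agent and VSE running and when each was last patched. The script below is an added example written for this thread, not code from the original posts or from McAfee; it inventories a list of Windows hosts over PowerShell remoting and flags the ones the answer above would worry about (no agent, no on-access scanner, stale patches, Java or Adobe present). Assumptions: the host names in $Nodes are made up; the service names 'McAfeeFramework' and 'masvc' (McAfee Agent) and 'McShield' (VSE on-access scanner) are the ones this script looks for; WinRM is enabled and the caller is a local admin on each node.

```powershell
# Added example (not from the thread): inventory LAN nodes for McAfee Agent / VSE
# presence, OS patch age, and risky third-party software, then flag the stragglers.
# Assumptions: $Nodes is a constructed sample list; service names 'McAfeeFramework'
# (McAfee Agent 4.x), 'masvc' (McAfee Agent 5.x) and 'McShield' (VSE on-access
# scanner) are assumed; WinRM is enabled and the caller has local admin on each node.

$Nodes = @('HIST-SRV-01', 'HIST-SRV-02', 'OPS-WS-01')   # constructed sample host list

$Inventory = {
    # McAfee Agent: either the 4.x or the 5.x service name, and it must be running
    $agent = Get-Service -Name 'McAfeeFramework', 'masvc' -ErrorAction SilentlyContinue |
             Where-Object { $_.Status -eq 'Running' }
    # VSE on-access scanner
    $vse = Get-Service -Name 'McShield' -ErrorAction SilentlyContinue
    # Most recent hotfix with a recorded install date
    $lastFix = Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending |
               Select-Object -First 1

    # Installed-program names from both the 32- and 64-bit uninstall hives
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $apps = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match 'Java|Adobe' } |
            ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }

    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        AgentRunning  = [bool]$agent
        VseState      = if ($vse) { [string]$vse.Status } else { 'missing' }
        LastHotfixAge = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn).Days } else { $null }
        RiskyApps     = ($apps -join '; ')
    }
}

$results = foreach ($n in $Nodes) {
    try {
        Invoke-Command -ComputerName $n -ScriptBlock $Inventory -ErrorAction Stop
    } catch {
        # Unreachable hosts are reported rather than silently skipped: a node you
        # cannot reach is also a node ePO cannot manage.
        [pscustomobject]@{
            Node = $n; AgentRunning = $false; VseState = 'unreachable'
            LastHotfixAge = $null; RiskyApps = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Nodes that need attention: no agent (ePO cannot schedule scans there), no
# on-access scanner, or nothing patched in the last 90 days.
$results | Where-Object {
    -not $_.AgentRunning -or $_.VseState -ne 'Running' -or
    $null -eq $_.LastHotfixAge -or $_.LastHotfixAge -gt 90
} | Select-Object Node, AgentRunning, VseState, LastHotfixAge
```

The script only reads service state, the hotfix list and the uninstall registry keys, so it is safe to run against control-system hosts, but on a DCS it is still worth running it in a maintenance window and with the vendor's blessing. The 90-day threshold is a starting point; tighten it once the nodes are under ePO management.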
I'm new to McAfee and we haven't had AV implemented on our DCS. I am researching ePolicy Orchestrator. Checking OS compatibility etc. Can I install the McAfee agent remotely or do I have to install it locally at each PC?
I agree with you, but I'm trying to avoid "Flattening and rebuilding".
Thanks for your advice.
You can install the MA from ePO. You can do an AD sync or install a rogue system detector and deploy the agent, or add the machines manually (via IP or hostname) in ePO and deploy the McAfee Agent.
I would take the files not deleted (no action taken) and send them to McAfee Labs to get analysed and see if you can get an Extra.DAT.