Scanning the c drive remotely won't pick up threats in memory and may well reduce performance considerably

If you setup a memory scan to scan periodically during the day, then have a query on your dashboard to show all detections via memory scan for the last day.

That will give you good information.

You can use various tools to clean machines: such as starting off with rkill, tdsskiller, rootkit revealer/gmer/backlight, malwarebytes, superantispyware etc etc - run from safe mode.

Let face it- if machines get infected users are going to get interrupted. Or you backup the data and reimage the machine, depending on which takes less time and resources.

All:   decided to license a few workstations worth of Trend's workstation antivirus and do the remote file scanning for this second opinion use.  Thanks for all the feedback!

@obelicks - thanks for the link to Sardu--that does look like an excellent resource for standalone machines to run and map a drive remotely for scanning or when you can reboot to a CD image.  I'll definitely check that out.

jmcleish, thanks for the response as well.  Totally agreed that such scanning misses memory which can definitely be the only harbinger to infection for threats that don't touch the disk for any persistence.  In my use case here, we'd already have run mcafee including  a memory scan on the machine, and it'd have been reboot since prior detections.  Just having something remote to check out the disk's contents therefore is the thought.

But I'd never thought of scheduling on-demand scans of "memory for rootkits" and "running processes" only during the day... that actually sounds like a hell of a good idea.  What schedule do you use in your environment and how many nodes?  Is there a noticeable performance impact to users or is it pretty transparent?

All good advice, and part of what we'll do on certain hosts I'm happy to report.  The variable is time, of course.  🙂  so, I wouldn't look at that as a different angle so much as a complementary one.

In many cases, you get one detection or two that looks like it got handled, a followup VSE scan comes back clean, but you still have some suspicions.  Being able to remotely scan a machine out of band with another scanner would be another due diligence feather in the cap that both doesn't require much technician time, and is a highly repeatable automated process.

The more I think about this, the more I want to stand up a dedicated virtual machine that does nothing but get used to remotely mount drives of suspect systems and scan them with a competitor's product.

Also have a look at GetSusp https://community.mcafee.com/groups/getsusp30-beta-feedback

It's still in Beta, but is very promising. I have been able to find some active threats using the tool.

Hi Mike, thanks for the response.  David Lippman's multi_av.exe is something I've used in the past on personal boxes, and is actually somewhat the motivation for the question (what a great concept -- 4 command line scanners built into one!).  On the downside though, its trustworthiness is an issue (the source code's never been published as far as I know), and its legality with respect to copyright and licensing is unfortunately specious at best.  There has never been a terribly stable home for that tool over the many years I've been following it, and I suspect that may be mostly due to copyright infringement and cease and desist activity.  It's now hosted in  Switzerland.   But, boy do  I wish there was a tool like that that was legit, vetted and useful in a corp environment.

But I may need to revisit the most current version on a test box and attach an http proxy to it and see what it's grabbing and from where, since as I recall, it's just pulling down the latest versions of several free command line scanners.   Potentially grabbing one of those 4 scanners and using that as my 2nd opinion command line scanner might do the trick.