1 2 Previous Next 14 Replies Latest reply on Mar 5, 2010 8:57 AM by sgrimmel

    VSE8.7 attacked by autorun.inf virus

      Hi,

       

      Recently I scanned one of client's computer with  VSE8.7i to delete autorun.inf; the deletion was succesfull but the  message keeps on coming back as "found autorun.inf and deleted", I tried  to restart the computer and again the message keeps on coming back,  what could be the problem.

       

      And also the following  viruses were not detected by VSE 8.7i:

       

      zerx.exe   -  Trojan

       

      ise.exe     -   IRC Backdoor Trojan

       

       

      I was running the DAT file 5899 and scanning the computer in order to  remove the above viruses and I can't delete them, please advise.

        • 1. Re: VSE8.7 attacked by autorun.inf virus
          Attila Polinger

          Hi,

           

          try setting the following Access Protection rule on the client systems: Prevent remote creation of autorun files. I suspect, someting keeps copying the file to the clients and however you try removing it, it reappears. Also, an autorun,.inf file content may or may not be known to Virusscan yet to consider it a part of a trojan/virus.

          for autorun files to execute, there is a registry setting on enabling/disabling in Windows.

           

          For the other two files I think setting herustics on and enabling Artemis on at least Low level (and with an internet connection to let it function), can result in identifying them.

           

          Attila

          • 2. Re: VSE8.7 attacked by autorun.inf virus

            Hi Attila,

             

            Thanks for your response to my  questions, but how do you exactly do what you have just mentioned on the  issues with regards to the autorun.inf and the other two viruses,  please give more details as I'm still new with McAfee environment.

            • 3. Re: VSE8.7 attacked by autorun.inf virus
              Attila Polinger

              Hi Samuel,

               

              I will assume you have a standalone VirusScan on your computer.

              Please open VirusScan console and right-click on Access Protection line and select Properties. In the left hand pane select Anti-Virus Standard Protection. In the right hand pane click on Block and Report of "Prevent remote creation of autorun files".

              I recommend you also click on block and report of "Prevent registry editor and Task Manager from being disabled" (I had once a trojan that did both).

               

              In the left hand pane select Common Maximum Protection. In the right hand pane select block and report of "Prevent programs registering to autorun". This is a double edge sword, though. It prevents tropjans (and legitim programs) programs to register to a LOT of autorun places, including the startup folder. Also some programs routinely register themselves to cleaning up after their installation in the registry Run/RunOnce key, which this setting also prevents.

               

              Press OK as many times as needed to close the dialog windows.

               

              As for Artemis/heuristics, I assume that you have VirusScan Enterprise 8.7 Patch 1 at least, because this is the version that Artemis is available in on-access scans. (It was available in on-demand scans without PAtch 1).

              Whit the VirusScan Console still open, right-click On-Access Scanner and select Properties. In General Tab, you will see Heuristic network check for suspicious files. Set Sensitivity Level to at least Low (which effectively where Artemis starts to work; Very Low equals to DAT heuristics). Note that general heuristics must be enabled fro Artemis to work (All Processes\Scan Items\Heuristics - check both).

               

              I attach here a technote on Access Protection for you to get a deeper insight.

               

              Attila

              • 4. Re: VSE8.7 attacked by autorun.inf virus

                Dear Attila,


                Your information is very useful for us


                Can you please guide us that how to create access protection policies for clients to block autorun.inf virus from Mcafee EPO 4.5


                Thanks in Advance


                Yours Faithfully


                Dinesh Vinay

                • 5. Re: VSE8.7 attacked by autorun.inf virus

                  Hi Attila,

                   

                  Thank you very much for the information, now what I have realised is that this particular computer that is giving a hussle about the autorun.inf, has not installed the Patches 1 on it and the rest of other computers have installed patches on them, how can I tackle this problem to make sure that the patches are installed on this computer?

                  • 6. Re: VSE8.7 attacked by autorun.inf virus
                    Attila Polinger

                    Dear Dinesh,

                     

                    here it is (I suppose):

                     

                    1. Menu\Policy\Policy Catalog...

                    2. select Product: VirusScan Entperprise 8.x,

                    3. select Category: Access Protection;

                    4. select policy that you use (=in effect on your computers), Edit Settings.

                    5. select Workstation or Server from drop-down box above.

                    6. make sure Access Protection Settings is set to Enable Access Protection.

                    7. select one category at a time from Categories in Access Protection rules below and check "block" and "notify" for the desired rule according to my previous description.

                     

                    Repeat 5-7 if needed for the other platform.

                     

                    Press Save when finished.

                     

                    Some topic here deals with blocking access to existing autorun.inf files by creating user rules in Access Protection. This is a different approach to a potentially different problem, but you might be also interested. See http://community.mcafee.com/message/112689#112689

                     

                    Attila

                    • 7. Re: VSE8.7 attacked by autorun.inf virus
                      Attila Polinger

                      Dear Samuel,

                       

                      I think Patch 1 is hardly available now on McAfee download portal, but you can download Patch 2 from there and use it the same. This single computer could be a pilot for Patch 2 in your environment.

                      The patch can be checked in to ePO 4.x and if you have an update task, where "Patches and service packs" option is set, then clients will pull the patch and install them.

                       

                      You can also install manually the patch.

                       

                      If the above conditions are all met, but the patches do not install, review McScript.log and look for errors at the time the update task was run.

                       

                      Attila

                      • 8. Re: VSE8.7 attacked by autorun.inf virus

                        Attila,

                         

                        Thanks once again, will try that and let you know what was the outcomes...

                        • 9. Re: VSE8.7 attacked by autorun.inf virus

                          Attila,

                           

                          I have installed patches 2 on the client's  computer and followed all the instructions you gave me earlier on but  still the message keeps popping in on the screen: "Found G:/autorun.inf  and deleted", but what I did for now I have disable the "Show the Alert  message when virus detected and cleaned" under the OAS properties, but I  want the permanent solution because I believe this is just a interim  solution to the problem.

                           

                          Please help further...

                          1 2 Previous Next