Try setting the following Access Protection rule on the client systems: Prevent remote creation of autorun files. I suspect something keeps copying the file to the clients, and however you try removing it, it reappears. Also, an autorun.inf file's content may or may not be known to VirusScan yet to consider it a part of a trojan/virus.
For autorun files to execute, there is a registry setting for enabling/disabling this in Windows.
For the other two files, I think setting heuristics on and enabling Artemis on at least Low level (and with an internet connection to let it function) can result in identifying them.
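An added example, not part of the original thread or of McAfee's tooling: assuming the registry setting meant in the reply above is Windows' `NoDriveTypeAutoRun` policy value, this PowerShell script reads it from both hives and lists which drive types still have AutoRun enabled. The key path and bit meanings are the standard Windows ones and are not taken from the thread.

```powershell
# Added example: audit the Windows AutoRun policy value NoDriveTypeAutoRun.
# Each set bit disables AutoRun for one drive type; 0xFF disables it everywhere.
$driveTypeBits = [ordered]@{
    'Unknown type'      = 0x01
    'No root directory' = 0x02
    'Removable (USB)'   = 0x04
    'Fixed disk'        = 0x08
    'Network drive'     = 0x10
    'CD-ROM'            = 0x20
    'RAM disk'          = 0x40
    'Reserved'          = 0x80
}

$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunMask {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $path = "${Hive}:\$subKey"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return [int]$item.NoDriveTypeAutoRun
}

function Show-AutoRunPolicy {
    param([string]$Hive)
    $mask = Get-AutoRunMask -Hive $Hive
    if ($null -eq $mask) {
        Write-Output "$Hive : NoDriveTypeAutoRun not set (Windows default applies)"
        return
    }
    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $Hive, $mask)
    foreach ($entry in $driveTypeBits.GetEnumerator()) {
        # A set bit means AutoRun is turned off for that drive type.
        $state = if ($mask -band $entry.Value) { 'AutoRun disabled' } else { 'AutoRun ENABLED' }
        Write-Output ("    {0,-20} {1}" -f $entry.Key, $state)
    }
}

# The machine-wide value takes precedence over the per-user one when both exist.
Show-AutoRunPolicy -Hive 'HKLM'
Show-AutoRunPolicy -Hive 'HKCU'
```

For a drive letter such as G:, the relevant rows are "Removable (USB)" and "Network drive", depending on what the letter is mapped to.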
Thanks for your response to my questions, but how do you exactly do what you have just mentioned on the issues with regards to the autorun.inf and the other two viruses, please give more details as I'm still new with McAfee environment.
I will assume you have a standalone VirusScan on your computer.
Please open VirusScan console and right-click on Access Protection line and select Properties. In the left hand pane select Anti-Virus Standard Protection. In the right hand pane click on Block and Report of "Prevent remote creation of autorun files".
I recommend you also click on block and report of "Prevent registry editor and Task Manager from being disabled" (I had once a trojan that did both).
In the left hand pane select Common Maximum Protection. In the right hand pane select block and report of "Prevent programs registering to autorun". This is a double-edged sword, though. It prevents trojans (and legitimate programs) from registering to a LOT of autorun places, including the startup folder. Also, some programs routinely register themselves to clean up after their installation in the registry Run/RunOnce key, which this setting also prevents.
Press OK as many times as needed to close the dialog windows.
As for Artemis/heuristics, I assume that you have VirusScan Enterprise 8.7 Patch 1 at least, because this is the version that Artemis is available in on-access scans. (It was available in on-demand scans without Patch 1).
With the VirusScan Console still open, right-click On-Access Scanner and select Properties. In General Tab, you will see Heuristic network check for suspicious files. Set Sensitivity Level to at least Low (which is effectively where Artemis starts to work; Very Low equals to DAT heuristics). Note that general heuristics must be enabled for Artemis to work (All Processes\Scan Items\Heuristics - check both).
I attach here a technote on Access Protection for you to get a deeper insight.
5345wp_tops_vse_ap_0109s.pdf 433.6 K
Your information is very useful for us
Can you please guide us on how to create access protection policies for clients to block the autorun.inf virus from McAfee ePO 4.5?
Thanks in Advance
Thank you very much for the information. What I have now realised is that this particular computer that is giving a hassle about the autorun.inf has not installed the Patches 1 on it, and the rest of the other computers have installed patches on them. How can I tackle this problem to make sure that the patches are installed on this computer?
here it is (I suppose):
1. Menu\Policy\Policy Catalog...
2. select Product: VirusScan Enterprise 8.x,
3. select Category: Access Protection;
4. select policy that you use (=in effect on your computers), Edit Settings.
5. select Workstation or Server from drop-down box above.
6. make sure Access Protection Settings is set to Enable Access Protection.
7. select one category at a time from Categories in Access Protection rules below and check "block" and "notify" for the desired rule according to my previous description.
Repeat 5-7 if needed for the other platform.
Press Save when finished.
Some topic here deals with blocking access to existing autorun.inf files by creating user rules in Access Protection. This is a different approach to a potentially different problem, but you might be also interested. See http://community.mcafee.com/message/112689#112689
I think Patch 1 is hardly available now on McAfee download portal, but you can download Patch 2 from there and use it the same. This single computer could be a pilot for Patch 2 in your environment.
The patch can be checked in to ePO 4.x and if you have an update task, where "Patches and service packs" option is set, then clients will pull the patch and install them.
You can also install manually the patch.
If the above conditions are all met, but the patches do not install, review McScript.log and look for errors at the time the update task was run.
Thanks once again, will try that and let you know what was the outcomes...
I have installed patches 2 on the client's computer and followed all the instructions you gave me earlier on, but still the message keeps popping up on the screen: "Found G:/autorun.inf and deleted". What I did for now is I have disabled the "Show the Alert message when virus detected and cleaned" under the OAS properties, but I want the permanent solution because I believe this is just an interim solution to the problem.
Please help further...