Do you have your on-access policy set up correctly? If a virus is jumping off of a USB stick, McAfee should detect and stop it. Make sure On-Access is at least scanning on write. Also, are you sure it's a real infection and not a false positive? When you go to the list of systems showing up in the EPO server and you click on them, do they all show the same file on each system as infected?
Policy is set to scan all files on READ+WRITE.
Files infected are DLLs and EXEs, so I am pretty sure it is not a false-positive.
Any other thoughts???
I've had a couple of machines infected with Ramnit that produced 30,000 infections from one box.
Check out the source machine to see how many boxes there are.
Ramnit is a file infector and infects lots of files: html, dll and exe, if I remember.
Better to wipe machine and reimage.
(or clean with boot disk: remove data and reload image)
Create a query: duplicate the "all threats detected in 24 hours" but change the label from "threat name" to "threat target host name" and that will show you what actual machines have detections.
Really mucks up your stats!!
In the end it was a new trojan which was reporting as worm Ramnit.a.
After much monitoring I have isolated the file and uploaded to McAfee (wdexplore.exe). Extra.dat came last Friday and was incorporated on dat 6305.
Situation is under control now.