5 Replies Latest reply on Apr 13, 2011 1:41 AM by pato

    Issue with Virus/Malware in PsTool

      Hey People,


      VSE detected and successfully deleted a virus/malware in our corporate network on 2 different machines, but it's recurring almost on a weekly basis, as if it's spreading to different locations.

      It either gets deleted in the VSS or on SysInternal/PsTool, i.e. "d:\Tools\SysInternal Tools\PSTool 1.94\Pstools.zip\psexec.exe\00012438.EXE". Has anyone experienced the same issues with this kind of malware/virus?

      We have run On Demand Scan 3 times (on a weekly basis) already and have On Access Scan on.

      Both machines are running Windows 2003 R2 Standard SP2, VirusScan 8.7i P4 (no anti-spyware module) with the latest DAT from 29th March. Any ideas?


        • 1. Re: Issue with Virus/Malware in PsTool

          To add AntiSpyware functionality and protection, use your grant number to upgrade to VSE 8.8. This has full AntiSpyware built in.



          • 2. Re: Issue with Virus/Malware in PsTool

            PSTool is part of the Microsoft Sysinternals Suite; it is classified by McAfee as a remote admin tool. See http://technet.microsoft.com/en-us/sysinternals/bb896649 for details to verify if the file detected is this tool. The reason for the multiple detections might be someone using it to remotely manage a computer.

            • 3. Re: Issue with Virus/Malware in PsTool

              Thanks for the tips, guys.


              We've rolled out VSE 8.8; unfortunately the problem still persists and it seems like the malware is spreading even more. Machines which were not affected are now affected too.
              @aladdin9, I'm aware what PSTool is, but these exe files within zip files get recognised by McAfee as malware and get deleted. But they're coming back in different locations within the PSTool directory.


              Any other ideas? :-/

              • 4. Re: Issue with Virus/Malware in PsTool

                Is this really the path of the tool that shows up in the On Access log? d:\tools\... ? Malware wouldn't usually copy itself there, so do you know how that file is getting there? Is its purpose legitimate? Then you need to figure out an exclusion for it. Would anyone else be doing some work on those servers that uses psexec? Maybe an exact copy of the log that shows the malware would be helpful, like just the part displaying the .exe on it.

                • 5. Re: Issue with Virus/Malware in PsTool

                  Do you maybe have a software delivery in your company? It sounds like the client(s) have installed the Sysinternals (Microsoft) PSExec Tool via a packet distribution. This packet distribution probably fixes the "broken" installation once a week after McAfee has deleted this probably allowed tool.

                  Could you show me the entry from the local McAfee log file? I'd like to see if it's a specific policy in your McAfee Unwanted Programs Policy which could block "Remote Administration Tools" (which PSExec is probably a part of).