To add AntiSpyware functionality and protection, use your grant number to upgrade to VSE 8.8. This has full AntiSpyware built in.
PSTool is part of the Microsoft Sysinternals Suite; it is classified by McAfee as a remote admin tool. See http://technet.microsoft.com/en-us/sysinternals/bb896649 for details to verify if the file detected is this tool. The reason for the multiple detections might be someone using it to remotely manage a computer.
Thanks for the tips, guys.
We've rolled out VSE 8.8; unfortunately, the problem still persists and it seems like the malware is spreading even more. Machines which were not affected are now affected too.
@aladdin9, I'm aware what PSTool is, but these exe files within zip files get recognised by McAfee as malware and get deleted. But they're coming back in different locations within the PSTool directory.
Any other ideas? :-/
Is this really the path of the tool that shows up in the On Access log? d:\tools\... ? Malware wouldn't usually copy itself there, so do you know how that file is getting there? Is its purpose legitimate? Then you need to figure out an exclusion for it. Would anyone else be doing some work on those servers that use psexec? Maybe an exact copy of the log that shows the malware would be helpful, like just the part displaying the .exe on it.
Do you maybe have a software delivery in your company? It sounds like the client(s) have installed the Sysinternals (Microsoft) PSExec Tool via a packet distribution. This packet distribution probably fixes the "broken" installation once a week after McAfee has deleted this probably allowed tool.
Could you show me the entry from the local McAfee log file? I'd like to see if it's a specific policy in your McAfee Unwanted Programs Policy which could block "Remote Administration Tools" (which PSExec is probably a part of).