I don't know the details of that specific trojan or the details of you setup, but something is bringing those infections back.
-Are the infections re-occurring on the same device or showing up on different devices? maybe system restore is bringing the file back. Try a full scan with artemis set to high or very high to see if it finds something, this needs to be done online. You can also try running mcafee stinger in safe mode. http://www.mcafee.com/us/downloads/free-tools/
-Have you ruled out a false positive? create an exception
-Consider enabling scriptscan if it is not enabled
Agree with Andre,
Also our process makes sure that everything is patched (windows/office/java/adobe) and up to date, that normally fixes several issues.
I think most of the malware guides tell you to delete the system restore on the computer if it gets malware for that exact reason.
Worse case is that we take the machine off the user and wipe it. A good lesson for other users to be more careful with their systems :-)
You'll find a process running with the name of xyyqehq.exe or similar, kill it. That is what keeps dropping "FakeAlert-WinWebSec!env.h".
Thank you all for your answer. The problem is there is not only one virus that gets reported but there are different kind of viruses from time to time on different machines. We have set the policy to delete any infected file as soon as it is found by Mcafee. EPO console shows that the infected machine deletes the virus as the machine has the latest DAT necessary for that particular virus. But the number of these viruses sometimes is from 200- 1000 and they are being deleted evertime. It gets annoying.
I wanted to know is there anything that I should be doing if the EPO notifies that the virus was found on the machine and it gets deleted ?
I generally ask my Desktop team to do the following if the same machines shows more than 5 times, even the virus gets deleted.
1.) Run a manual scan
2.) Update with latest DAT, Microsoft Patches (if not already there)
3.) Reboot the machine
4.) Re-Scan and put it back on the network if it comes clean.
Many times they will not find anything by manually scanning the machine using McAfee Virus Scan. Please advise.
So our process for malware handled (deleted) by mcafee is to check what versions they are running of all the software and update. We find that microsoft updates dont really do much these days. The real benefit is when you update adobe reader /flash player/ java and other random 3rd party junk like that.
We have an automated rule to run a full scan after detected malware (although its disabled at the moment due to an issue...)
Our real focus is on malware thats not handled by mcafee.
Also if you have site advisor i would deploy this as well (with just default policies of enabled) this blocks about 300 events to stupid sites which are mainly typo's.
it is not the client's fault if it detects and deletes a virus. It is not everytime an indication of a vulnerability of the same client if it is prone to infections. for example an infected source on the network has been using an administrator account to copy infection to shares, then it is not the victim to blame for it.
I'd like to ask if you use the Access Protection feature of Virusscan. I'm slowly becoming an evangelist of it since that many times I am trying to draw attention of certain peers here to it. Using the proper Access Protection rules prevents the very first step of an infection many times. On the other hand it does not depend on antivirus signatures.
Fakealert-type viruses can also be blocked by an Access Protection rule and certain trojans infecting browsers, too.
If you take the task of complementing your AV policy with Access Protection rules then you'll find it is your good companion. Fisrt, many infections can be prevented, second many infected hosts (the ones whose DAT's aren't current enough to detect) can be noticed by just the AP rule events that ePO collects.
General review of your virusscan policies, ref: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 22000/PD22940/en_US/vse_880_best_practices_guide.pdf
If you don't have a proxy and/or security appliance for your internet access, do use site advisor.