Virus found on a domain computer... What to do?


Possible Duplicate:
Computer is infected by a virus or a malware, what do I do now?

We have a user that got several viruses. It has been deleted and cleaned but now, I need to find how she got these viruses on her computer.

I would like to know what you use to check, remotely, what can be the cause of this issue.

  • Internet logs (Browsing history)
  • Cookies
  • Tools to analyse
  • Tools that can check remotely for all intrusion possibilities.

I'm also looking for software that can extract info on the remote computer that can give me hints or info regarding this.

Hope this question won't be closed. It might be a good idea to write here everything to do when a virus is found on a PC on a domain but you need to clean it and check logs remotely.

Regards,

David.

r0ca

Posted 2010-10-07T18:36:55.747

Reputation: 5 474

Question was closed 2012-03-07T17:40:57.940

Come on! This question deserves a LOT of upvotes :) – r0ca – 2010-10-07T18:57:35.797

Answers


We periodically get viruses which install themselves into users' profiles. While these viruses don't run with admin privileges, they do get copied to every computer the user logs in to, and can send and receive data on the network, which is almost just as bad.

To detect the viruses, we scan the file server where our user profiles are stored with antivirus software, and actively monitor the network for virus activity using an array of tools such as Snort and firewall IP blacklists.

When we discover a virus, we make sure it is wiped from the user's roaming profile, and reimage any computers that got the virus installed in the user's local profile (which is stored on that computer, and not the fileserver).

Darth Android

Posted 2010-10-07T18:36:55.747

Reputation: 35 133


I'd first look at whether she was somehow running as an administrator. Running as an unprivileged user is the most important way to avoid catching viruses.

Then I'd check your SUS server or in System Center, if you have them, because the #2 way to catch a virus is to use a machine that's not fully patched.

Next up is to make sure her antivirus software was up to date. Note that this is not nearly as important as the first two items - running fully patched and unprivileged will do far more to prevent malware infection than antivirus software will. However, there's no point even thinking about looking at things like internet logs or cookies until you've checked all three of these.

Joel Coehoorn

Posted 2010-10-07T18:36:55.747

Reputation: 26 787

Yes I have a WSUS server. The computer is fully (99%) updated. And she is not local admin but good idea! +1 – r0ca – 2010-10-07T18:43:25.107
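The checks Joel Coehoorn lists (privilege level, patch level, antivirus state) and the place Darth Android says these infections land (the user's profile) can all be pulled from a workstation remotely, which is what the question asks for. The script below is an added example written for this page; it is not code from either answer. It assumes a hypothetical workstation WS-0123, a hypothetical user CONTOSO\jsmith, that you hold local admin rights on the workstation, and that RPC/DCOM (WMI, the WinNT ADSI provider and the C$ admin share) are reachable through the firewall; run it from a domain-joined admin box.

```powershell
# Added example (not part of the original answers): remote triage of one
# domain workstation in the order recommended above. Names below are
# hypothetical placeholders; override them with the script parameters.
param(
    [string]$Computer = 'WS-0123',   # assumption: target workstation
    [string]$Domain   = 'CONTOSO',   # assumption: NetBIOS domain name
    [string]$User     = 'jsmith'     # assumption: the affected user
)

# --- 1. Local Administrators membership (WinNT ADSI provider, no WinRM needed).
$group   = [ADSI]"WinNT://$Computer/Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
Write-Host "== Local Administrators on $Computer =="
$members | ForEach-Object { Write-Host "   $_" }
if ($members -match ('WinNT://{0}/{1}$' -f $Domain, $User)) {
    Write-Warning "$Domain\$User is a DIRECT member of local Administrators"
} else {
    # Caveat: she may still be an admin through a domain group listed above
    # (e.g. a department group someone added to Administrators); check those.
    Write-Host "   $Domain\$User is not a direct member (check nested groups above)"
}

# --- 2. Patch level: newest installed hotfixes, age of the newest, last boot.
$hotfixes = Get-HotFix -ComputerName $Computer |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending
Write-Host "== Newest updates on $Computer =="
$hotfixes | Select-Object -First 5 | ForEach-Object {
    Write-Host ("   {0}  {1}  {2}" -f $_.InstalledOn.ToShortDateString(), $_.HotFixID, $_.Description)
}
$newest = $hotfixes | Select-Object -First 1
if (-not $newest -or $newest.InstalledOn -lt (Get-Date).AddDays(-45)) {
    Write-Warning "No update installed in the last 45 days; compare with the WSUS report for this host"
}
# An update that has been installed but not rebooted into is not yet protecting the box.
$os   = Get-WmiObject Win32_OperatingSystem -ComputerName $Computer
$boot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
Write-Host ("   Last boot: {0}" -f $boot)

# --- 3. Antivirus state as registered with Security Center.
# root\SecurityCenter2 exists on Vista and later clients; XP exposes root\SecurityCenter.
# productState is a bit field; the common decoding of its hex form is:
# digits 3-4 starting with '1' = real-time protection on, digits 5-6 '00' = definitions current.
$av = $null
foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
    $av = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ComputerName $Computer -ErrorAction SilentlyContinue
    if ($av) { break }
}
Write-Host "== Antivirus on $Computer =="
if (-not $av) {
    Write-Warning "No antivirus product registered with Security Center (server OS, or nothing installed)"
}
foreach ($p in $av) {
    if ($p.productState -ne $null) {
        $hex     = '{0:x6}' -f [int]$p.productState
        $enabled = $hex.Substring(2, 2) -match '^1'
        $current = $hex.Substring(4, 2) -eq '00'
        Write-Host ("   {0}: enabled={1} definitions current={2}" -f $p.displayName, $enabled, $current)
        if (-not $enabled -or -not $current) { Write-Warning "AV '$($p.displayName)' is off or out of date" }
    } else {
        # root\SecurityCenter (XP) uses explicit boolean properties instead of productState.
        Write-Host ("   {0}: enabled={1} definitions current={2}" -f $p.displayName, $p.onAccessScanningEnabled, $p.productUptoDate)
    }
}

# --- 4. Executables recently written into the user's profile, read over the admin share.
# Assumes a Vista+ profile path; on XP the profile lives under C:\Documents and Settings.
$profilePath = "\\$Computer\C$\Users\$User"
Write-Host "== Executable files modified in the last 14 days under $profilePath =="
Get-ChildItem -Path $profilePath -Recurse -Force -Include *.exe, *.dll, *.scr, *.bat, *.vbs -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-14) } |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object { Write-Host ("   {0}  {1}" -f $_.LastWriteTime, $_.FullName) }
```

Run it as `.\Triage-Workstation.ps1 -Computer WS-0123 -Domain CONTOSO -User jsmith` (file name is your choice). Step 4 only lists what is still on disk; if the machine has already been cleaned, the same listing against the roaming profile share on the file server, and the file server's own antivirus logs, are where the evidence of how it arrived is more likely to survive.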