MIS Systems Thread, Sims / Sophos this morning - A Warning in Technical (page 2 of 2, posts 16 to 19 of 19)
  1. #16 mattcharlton (Bradford; joined May 2007; 23 posts)

    Bugger.

    I really had hoped it was a false positive.

    Received this back from Sophos.

    Matt,
    Thanks for contacting Sophos Support.
    In regards to this infection in particular.
    I have discussed this with a colleague who can remember more details about this threat. Our thoughts are that it would be odd to suddenly get a false positive on Parite-B. It is pretty persistent nowadays, so may well reappear - perhaps via email, or even associated with another infection.
    Since any of the newly infected files become a valid sample, it would be best if you submitted a copy of one of the files to SophosLabs - that way we can confirm the infection.

    This threat is a file infector, which spreads by shares - so there must be one or more unprotected machines on the network. That is something you will have to verify.
    Lastly, as to the deletion of your files - it is unfortunate. Sophos is set by default to do nothing when disinfection fails - for this very reason. You may wish to examine this listing of the remainder of defaults for AV and HIPS settings, in comparison with the remainder of your network settings.
    Meanwhile, to submit a sample of the file, you can reply to this email, provided you zip and protect the file first. Here is a link for doing that online, if you prefer:
    Submitting samples of suspicious files to Sophos
    If you do choose to submit the sample, please use the case reference from this email in the submission: [#902153]. That way, I will be able to track your submission of the file.

    If you have any further questions, please reply to this email.

    First time I've had a virus infection on the network in five years. Gutted.

    Guess I'd better not put the overtime sheets in just yet.

  2. #17 OutToLunch (Derbyshire; joined Feb 2006; 1,381 posts)

    I was hoping my link would lead to you being able to say "Phew, it's all OK..."

    Sounds like F-Secure can clean it up - I assume there'll be other similar standalone cleaners - ftp://ftp.f-secure.com/anti-virus/tools/f-parite.txt

    First port of call should be tracking down where the infections come from - who has write access to the shares and how this could have happened, otherwise after cleaning up the server either with a tool or by restore from backup it'll likely pop right back up.

    Good luck!

  3. Thanks to OutToLunch from: mattcharlton (2nd June 2008)

  4. #18 mattcharlton (Bradford; joined May 2007; 23 posts)

    Thanks again mate.

    Problem we've got is the Sims share and apps share are mapped for all staff.

    We're trying to nail it down, but from looking at the Sophos log (something I don't do enough), it's showing infections on the SIMS server from 14/5/08 - the infected files are in the setups folder, and it was the night I was trying to do the SIMS May update (before it was pulled) after it had already failed for our SIMS administrator due to a signature mismatch. The signature didn't match because it was infected with a virus, evidently.

    The May update didn't get pulled because it was infected with a virus, did it?

    I presume now that the infected machine is a registration workstation and that the may update has now infected all registration machines if not all classroom machines.

    We're going to be pulling a late one. Basically disconnecting everything at 3pm, cleaning the servers, making sure Sophos is activated fully on them, then starting to work through the 900 workstations we have and going from there.

    I really can't believe this has happened.
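The post above is doing the triage by hand from the Sophos log: when was the first detection, on which server, and which infected files sit in the setups folder on a share that every staff account can reach. The script below, added here as an illustration and not code from the thread, from Sophos or from F-Secure, automates those three questions over a handful of constructed log lines. The line layout ("date time host threat action path") is an invented placeholder, not Sophos's real log format, and the hostnames, share names and paths are made up for the example.

```python
"""Triage constructed anti-virus log lines for a file-infector outbreak.

Answers the questions a responder asks first: when did the earliest
detection occur and on which host, which network shares hold infected
files (so the share can be taken read-only or offline), and which
infected files the scanner failed to clean and therefore still need
a standalone cleaner or a restore from backup.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. NOT Sophos's real log format; a stand-in layout:
#   "<date> <time> <host> <threat> <action> <path>"
# Hostnames, shares and paths are invented for the example.
SAMPLE_LOG = """\
2008-05-14 23:12:05 SIMSSERVER W32/Parite-B cleanup-failed \\\\SIMSSERVER\\sims$\\setups\\May2008\\setup.exe
2008-05-14 23:12:07 SIMSSERVER W32/Parite-B cleanup-failed \\\\SIMSSERVER\\sims$\\setups\\May2008\\SIMS Update.exe
2008-05-20 08:40:11 REG-01 W32/Parite-B cleanup-failed C:\\Windows\\System32\\calc.exe
2008-05-20 08:41:30 REG-01 Mal/Generic-A cleaned C:\\Temp\\foo.exe
2008-06-02 09:05:44 APPSSERVER W32/Parite-B cleanup-failed \\\\APPSSERVER\\apps$\\office\\winword.exe
this line is malformed and should be skipped
"""


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        parts = raw.split(None, 5)  # path is the remainder, so it may contain spaces
        if len(parts) != 6:
            continue
        date, time, host, threat, action, path = parts
        try:
            when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # first field was not a date: not a detection line
        events.append({"when": when, "host": host, "threat": threat,
                       "action": action, "path": path})
    return events


def first_seen(events, threat):
    """Earliest detection time of `threat` per host."""
    seen = {}
    for ev in events:
        if ev["threat"] == threat and (ev["host"] not in seen or ev["when"] < seen[ev["host"]]):
            seen[ev["host"]] = ev["when"]
    return seen


def earliest_host(events, threat):
    """(host, time) of the very first detection: the likely origin to investigate."""
    seen = first_seen(events, threat)
    host = min(seen, key=seen.get)
    return host, seen[host]


def share_hits(events, threat):
    """Group infected UNC paths by share root (\\\\host\\share) so the whole
    share can be locked down, not just the individual files."""
    by_share = defaultdict(list)
    for ev in events:
        if ev["threat"] != threat or not ev["path"].startswith("\\\\"):
            continue
        parts = ev["path"].split("\\")  # ['', '', host, share, folder, ...]
        if len(parts) < 4:
            continue
        by_share["\\".join(parts[:4])].append(ev["path"])
    return dict(by_share)


def uncleaned(events, threat):
    """Paths the scanner detected but did not clean: still live infectors."""
    return [ev["path"] for ev in events
            if ev["threat"] == threat and ev["action"] != "cleaned"]


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    threat = "W32/Parite-B"
    host, when = earliest_host(EVENTS, threat)
    print(f"first {threat} detection: {host} at {when}")
    for share, paths in share_hits(EVENTS, threat).items():
        print(f"share {share}: {len(paths)} infected file(s)")
    print(f"{len(uncleaned(EVENTS, threat))} file(s) still not cleaned")
```

Run it as-is and it reports the SIMS server share as the first and most exposed location, which is the fact the thread took a log read-through to establish. Point `parse_log` at a real log only after adapting the field layout to the product's actual format.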

  5. #19 mattcharlton (Bradford; joined May 2007; 23 posts)

    Server cleanup is going well; that F-Secure tool did the trick.

    Need to work out what we're going to do site-wide now. Making sure Sophos is set up properly on the servers with full on-access scanning enabled. Going to work out a way to run that app on login, and we'll just log everything in (quicker than re-imaging - just).

    Maybe re-image the registration machines that will need a SIMS update on them anyway.
