Well 3 days without a problem.
Doesn't look good for Sophos. I'm not going to try it in the production LAN, so as soon as I get a chance I'm going to set up a VM with just S2K3 and Sophos, put the SIMS .NET installer on it and kick off an aggressive scan with the delete option enabled.
I am happy to report that everything is rebuilt and is back up and running normally.
We are still in the process of analysing the failure but here are a few items of key interest.
On the 23rd March Sophos released a new virus definition file for the Sality strain of viruses.
A few days later the first member server failed with what appeared to be an OS failure.
Subsequent server failures occurred almost a month later, but all in rapid succession to each other.
Within 24 hrs no less than 8 servers had been reduced to worthless "Air Warmers"....
After OS rebuilds, scans of the data files returned many "Suspicious Files" all reporting to be possibly infected with the Sality Virus.
All of the affected files were contained in the Capita Sims application and client setup packages.
These files are NOT infected but will trigger a false positive.
The servers continued to self destruct with nothing else installed to the OS drives other than W2K3R2 and Sophos AV.
Only by turning OFF! the Sophos "Delete" option has normal service returned.
I will emphasise again, the correct setting for Sophos clean up on Servers is "Do Nothing".
In fact this is the preferred setting on all scans.
If a virus is detected it will be blocked from execution and logged.
Then only after a full scan has been completed will you be able to choose the clean up option from within the console.
According to Sophos they will be releasing a completely new interface later this year and some of the "Ambiguous" options and descriptions have been addressed such as the "Do Nothing" statement.
I helped a school recently who had been infected with Sality on their SIMS server, and like yourself it started to corrupt executable files within SIMS, but in this case it didn't delete them as per your findings; it still rendered the box useless.
That's really useful info Kim.
I wonder if there are any more cases out there?
Are the Capita files actually infected with it? Is it a false positive as I think?
Either way that is at least three cases I have found where this has happened this month.