RE: Quick Norton AV question

From: Poma, Greg (GPoma@capricap.com)
Date: 09/25/01


Message-ID: <9B10BC5A1C5AD511BD6E00306E06494106AA2B@irvinemail>
From: "Poma, Greg" <GPoma@capricap.com>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Subject: RE: Quick Norton AV question
Date: Mon, 24 Sep 2001 15:25:24 -0700

This is quickly fixed. It involves the Quarantine server either denying new
entries or not being configured. The SSC console often reports the "new"
virus infections at the time the grc.dat file is updated from the client's
group server, from what I've seen. Typically I have found "Updated (x)
configuration items" in the event log of the affected system at the time of
new virus infection.

The fix (preferred):
 1) Install and configure the Quarantine server. This requires both the
Quarantine server and the Quarantine Console.
 2) Configure the Quarantine Console to listen on IP or SPX, your choice.
Make sure to set a port #.
 3) Set your configuration group's Quarantine options to use Scan and
Deliver. Use the NetBIOS name of the server and IP or SPX port to connect
to.
 4) Wait 48 hours.
 5) Go through the Virus Log for each system reporting a virus. Attempt to
delete the offending files remotely. For each workstation that this does
not work on, you must manually go to the workstation, open the Norton
AntiVirus Corporate application, and manually delete all items in the
Quarantine.
 6) In the future, you will be able to delete or restore the files as
necessary. Use the quarantine console to view and delete quarantined items.
NOTE: The items are still kept quarantined on the client system, however,
when you view the Virus Log, you will be able to permanently delete the
items, without visiting the machine.

Your other option is to manually clear the virus Quarantine directory on
each system every time it reports a virus. This is obviously very time
consuming.

-Greg

-----Original Message-----
From: O'Reilly, Tom [mailto:oreilt@jacobsons.com]
Sent: Friday, September 21, 2001 2:02 PM
To: 'Kinsey, Robert'; 'Gullett, Chris '; ''Panger, Erick' ';
''focus-ms@securityfocus.com' '
Subject: RE: Quick Norton AV question

Since we're talking Norton here maybe someone can help me. I use Norton Corp
Ed 7.51 on my clients and I have certain clients that always seem to have a
status of virus found in SSC. I reset the status, but soon they end up
virus found again. If I do a complete scan of their hard drive including
the quarantine from my machine they have no infected files. Also the log
will show the virus being found several times with the action being left
alone in every instance. I find this weird, because I have clean as the
primary action and quarantine as the secondary so I don't understand why it
could be left alone. I search their hard drive for the file listed and it
isn't there anywhere. What am I missing here?

Thanks,
Tom

-----Original Message-----
From: Kinsey, Robert [mailto:Robert.Kinsey@Veridian.com]
Sent: Friday, September 21, 2001 2:16 PM
To: 'Gullett, Chris '; ''Panger, Erick' '; ''focus-ms@securityfocus.com' '
Subject: RE: Quick Norton AV question

Chris wrote...

>Norton Corp Ed quarantined the file the first time it was found. Then a
>definition update came in, which scans the quarantine folder to see if
>any files in quarantine can now be cleaned and restored. Since the file
>in quarantine could not be cleaned it was "Left Alone".

And this will also generate another alert and listing in the Virus History
(both on the client AND on the SSC if used).

>This will happen every time a definition comes in until you either
>delete the file from quarantine or it's cleaned and restored.

>When you run a manual scan the quarantine folder is NOT scanned.

Once you have scanned and ensured you are not infected (hopefully) you can
delete from the Quarantine folder. If an essential file is in there you
haven't been using it anyway and it should not be used either. This will
remove a file the AV cannot clean. Also, if you are using the SSC you
should also remove the virus status off the client and Parent.

Good luck.

rob


