Re: Infected files in VSS

From: Gavin (gavin_at_inteNOrproSPAMm.com)
Date: 07/21/04


Date: Wed, 21 Jul 2004 19:46:55 -0400

Hi Trev,

The virus got it BECAUSE it's excluded ; )

What happened is that the virus wasn't scanned or captured via the hard
drive because it was excluded, HOWEVER, the VSS version of the file WAS
scanned because Trend is seeing it as a proper file, but not one that's part
of your exclusion list.

This seems to be popping up more lately. Diligent planning and configuration
of quarantined directories, mail queues, etc. are essential.

-- 
Gavin [SBS Consultant]
<< SBS ROCKS !!! >>
"Trevor OE News" <thetrev68 @ hotmail.com> wrote in message 
news:ua8mNn1bEHA.2844@TK2MSFTNGP12.phx.gbl...
> Gavin,
>
> I don't see your post below, but I had the same thing happen in the last 2 
> days.  I solved it by disabling shadow copies and re-enabling it.  The 
> shadow copy tab is in the properties of your hard drive when you 
> right-click it in Windows Explorer.
>
> In my case, Trend announced WORM_NETSKY.P was in the following folder:
>
> Infected file: \Device\HarddiskVolumeShadowCopy69\Program 
> Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_1af3611001c46dbd00004549.EML
>
> The notice repeated every time VSS ran.  Same for you?  It also killed my 
> nightly backup with an "access denied" message.
>
> Note: I do have the mailroot folder excluded from OfficeScan.  I'm not 
> sure yet how the virus got in.
>
> -Trevor
>
> "Gavin" <gavin@inteNOrproSPAMm.com> wrote in message 
> news:exSuPW1bEHA.904@TK2MSFTNGP09.phx.gbl...
>> If an infected file ends up in System Restore under Windows XP, the 
>> proper way to get rid of it is to turn OFF system restore, which deletes 
>> the "cached" files, and then turn it on again.
>>
>> What is the similar procedure in SBS 2003 where an infected file - 
>> although deleted from the drive - is still "hanging out" in the volume 
>> shadow copy stored data - or will it disappear at the next refresh?
>>
>> (Note: See my post below regarding this happenstance)
>> -- 
>> Gavin [SBS Consultant]
>>
>> << SBS ROCKS !!! >>
>>
>>
>
> 
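
The mismatch discussed in this thread, shown as an added example that is not part of the original posts: a small triage helper that strips the shadow-copy device prefix from a detection path and checks whether the rest falls under a scan exclusion. The drive letter in the exclusion, the function names and the assumption that the snapshot belongs to the same volume as the exclusion are all illustrative.

```python
import re
from typing import NamedTuple, Optional

# Device-namespace prefix under which a VSS snapshot's files are reported.
SHADOW_RE = re.compile(r"^\\Device\\HarddiskVolumeShadowCopy(\d+)\\(.*)$", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


class Triage(NamedTuple):
    snapshot_id: Optional[int]        # None for a live (drive-letter) path
    relative_path: str                # path relative to the volume root
    matched_exclusion: Optional[str]  # exclusion entry covering it, if any
    verdict: str


def volume_relative(path: str) -> str:
    """Drop a drive letter and normalise case and slashes for comparison."""
    return DRIVE_RE.sub("", path).strip("\\").lower()


def is_under(rel: str, folder: str) -> bool:
    """True if rel is folder or inside it (component-wise, not a raw prefix)."""
    return rel == folder or rel.startswith(folder + "\\")


def triage(detection_path: str, exclusions: list) -> Triage:
    m = SHADOW_RE.match(detection_path)
    snapshot_id = int(m.group(1)) if m else None
    rel = (m.group(2) if m else DRIVE_RE.sub("", detection_path)).strip("\\")
    # Assumption: the snapshot is of the volume the exclusions refer to; the
    # device path alone does not say which drive letter it was taken from.
    hit = next((e for e in exclusions
                if is_under(rel.lower(), volume_relative(e))), None)
    if snapshot_id is not None:
        verdict = ("snapshot copy of an excluded folder" if hit
                   else "snapshot copy of a scanned folder")
    else:
        verdict = "live path inside an exclusion" if hit else "live path, scanned"
    return Triage(snapshot_id, rel, hit, verdict)


if __name__ == "__main__":
    # Exclusion entry is constructed (drive letter assumed); path is the one
    # quoted in the thread.
    exclusions = [r"C:\Program Files\Exchsrvr\Mailroot"]
    alert = (r"\Device\HarddiskVolumeShadowCopy69\Program Files\Exchsrvr"
             r"\Mailroot\vsi 1\Queue\NTFS_1af3611001c46dbd00004549.EML")
    print(triage(alert, exclusions))
```

A "snapshot copy of an excluded folder" verdict means the alert points at a file the live scan was told to skip, so the exclusion entry and the snapshot need to be reviewed together.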

