How to find that infected file and LocalCopy folder filling up

  • Question

  • FCS keeps finding the W97M/Marker.T virus on one of my file servers. Each day it dutifully cleans it off. I'd like to get to the bottom of where it's seeing it, but there doesn't appear to be any place that shows where it found the virus.

    Also, as a result of all those cleans, the LocalCopy folder on the server under C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\ keeps filling up with the results of each clean, presumably putting them here, into quarantine. I've got my quarantine settings to delete things older than 2 days and yet this folder is full of old files.

    Has anyone seen this behavior before?
    Orange County District Attorney
    Thursday, July 31, 2008 9:11 PM

All replies

  • Hi Sandy

    I have not seen this behavior, but you can use tools on the Microsoft Sysinternals site to track where the file is originating or linked to. You can use Process Monitor to see the process and its location, and also Filemon, which lets you see in real time what the server or process is doing or starting from. Another tool is Regmon, which lets you view the registry that is being accessed in real time, but this might be a bit more difficult.

    Monday, August 11, 2008 11:25 AM
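As an added example to go with the reply above (not code from this thread or from Microsoft), here is a Python script that reads a Process Monitor CSV export, reports which process wrote a file whose name matches the detection, and counts successful writes versus deletes under the LocalCopy folder named in the question. The column names are Procmon's default CSV layout and `SetDispositionInformationFile` / `Delete: True` is how Procmon records a file deletion; the events, file names and PIDs are constructed sample data.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV format).
# Column names are Procmon's defaults; every event below is made up for this demo.
LOCALCOPY = (r"C:\Documents and Settings\All Users\Application Data\Microsoft"
             r"\Microsoft Forefront\Client Security\Client\Antimalware\LocalCopy")
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:10:01.0000000 PM","explorer.exe","1234","CreateFile","C:\Shares\Docs\report.doc","SUCCESS","Desired Access: Generic Write"
"9:10:01.0010000 PM","explorer.exe","1234","WriteFile","C:\Shares\Docs\report.doc","SUCCESS","Offset: 0, Length: 4,096"
"9:10:02.0000000 PM","MsMpEng.exe","2048","CreateFile","C:\Shares\Docs\report.doc","SUCCESS","Desired Access: Generic Read"
"9:10:02.0050000 PM","MsMpEng.exe","2048","WriteFile","@LC@\{4F2A}-report.doc","SUCCESS","Offset: 0, Length: 4,096"
"9:10:03.0000000 PM","MsMpEng.exe","2048","SetDispositionInformationFile","@LC@\{1B77}-old.doc","SUCCESS","Delete: True"
'''.replace("@LC@", LOCALCOPY)

WRITE_OPS = {"WriteFile", "SetRenameInformationFile"}   # operations that put data on disk
DELETE_OP = "SetDispositionInformationFile"             # Procmon's delete-on-close operation

def load_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def writers_of(events, name_fragment, exclude_prefix=""):
    """Map (process name, PID) -> paths it successfully wrote whose name contains
    name_fragment, skipping paths under exclude_prefix (e.g. the quarantine folder,
    so the scanner's own copy is not mistaken for the source of the file)."""
    hits = defaultdict(list)
    for ev in events:
        path = ev["Path"]
        if ev["Operation"] not in WRITE_OPS or ev["Result"] != "SUCCESS":
            continue
        if exclude_prefix and path.lower().startswith(exclude_prefix.lower()):
            continue
        if name_fragment.lower() in path.lower():
            hits[(ev["Process Name"], ev["PID"])].append(path)
    return dict(hits)

def quarantine_activity(events, localcopy_dir):
    """Count successful writes and deletes under LocalCopy. A folder that only
    ever receives writes is one no purge is touching, which is the symptom above."""
    counts = Counter(written=0, deleted=0)
    for ev in events:
        if ev["Result"] != "SUCCESS" or not ev["Path"].lower().startswith(localcopy_dir.lower()):
            continue
        if ev["Operation"] in WRITE_OPS:
            counts["written"] += 1
        elif ev["Operation"] == DELETE_OP and "Delete: True" in ev["Detail"]:
            counts["deleted"] += 1
    return dict(counts)
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; a Procmon filter on the share path keeps the capture small.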