Infected with Virus

  • Question

  • Dear All,

    What will you do if a server gets infected with a virus? (This question was asked to me in an interview.) What would be the best answer?


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com

    Tuesday, February 14, 2012 10:59 AM

Answers

  • a) clean infection / make sure it didn't spread on other servers
    b) review security policy (how did the infection happen, prevent it in the future - reduce number of people with access to the server/av software etc.)
    c) restore server from clean backup/reinstall (assume even cleaned the system might still be partly compromised)


    edit: this is what I would answer, not necessarily the "best" answer.
    Tuesday, February 14, 2012 11:11 AM
  • Hello,

    If a server is infected then disconnect it immediately from the network and scan all domain machines for it, if possible with 2 different AV engines. Also the recommendation is to reinstall that machine to be sure everything is really removed. Of course there are some cleaning tools from AV vendors available, but personally I prefer the fresh install, as then you can be 100% sure it is not existing on that machine.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, February 14, 2012 11:14 AM
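    The "scan all domain machines for it" step above is usually done as an indicator sweep rather than a full AV scan of every box: pull the file hashes, file names, service names and task names you found on the infected server, then ask every other server whether it has any of them. The following is an added example, not code from this thread or from any of its posters. It assumes a clean admin workstation with the ActiveDirectory RSAT module, WinRM enabled on the targets, PowerShell 4 or later on the targets (for Get-FileHash), and the indicator values are placeholders to be replaced with what you actually found.

```powershell
# Added example, not from the thread: sweep every domain server for the
# indicators pulled off the infected host, run from a clean admin workstation.
# Assumes the ActiveDirectory RSAT module locally and WinRM on the targets.
# Every indicator value below is a placeholder; replace with what you found.
$Iocs = @{
    FileHashes   = @('0000000000000000000000000000000000000000000000000000000000000000')  # SHA256, placeholder
    FileNames    = @('svch0st.exe')     # placeholder
    ServiceNames = @('UpdaterSvc')      # placeholder
    TaskNames    = @('SystemUpdate')    # placeholder
}

# Target every Windows Server object in AD; adjust the filter to your estate.
$Targets = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
           Select-Object -ExpandProperty DNSHostName

$Check = {
    param($Iocs)
    $hits  = New-Object System.Collections.Generic.List[object]
    $paths = @("$env:SystemRoot\Temp", $env:ProgramData, "$env:SystemRoot\System32", $env:TEMP)

    # Files by name and by SHA256 in the usual drop locations.
    # Only binary/script extensions are inspected, to keep the sweep fast.
    foreach ($p in $paths) {
        $files = Get-ChildItem -Path $p -Recurse -File -Include *.exe,*.dll,*.ps1,*.vbs,*.bat -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            if ($Iocs.FileNames -contains $f.Name) {
                $hits.Add([pscustomobject]@{ Type = 'FileName'; Value = $f.FullName })
            }
            $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and ($Iocs.FileHashes -contains $h)) {
                $hits.Add([pscustomobject]@{ Type = 'FileHash'; Value = $f.FullName })
            }
        }
    }
    # Persistence by name: services and scheduled tasks.
    foreach ($s in (Get-Service | Where-Object { $Iocs.ServiceNames -contains $_.Name })) {
        $hits.Add([pscustomobject]@{ Type = 'Service'; Value = $s.Name })
    }
    foreach ($t in (Get-ScheduledTask | Where-Object { $Iocs.TaskNames -contains $_.TaskName })) {
        $hits.Add([pscustomobject]@{ Type = 'Task'; Value = $t.TaskPath + $t.TaskName })
    }
    $hits
}

# Fan out in parallel. Hosts that are off or unreachable are skipped, so check
# the error stream afterwards rather than assuming "no hit" means "clean".
$Results = Invoke-Command -ComputerName $Targets -ScriptBlock $Check -ArgumentList $Iocs `
                          -ThrottleLimit 16 -ErrorAction SilentlyContinue -ErrorVariable SweepErrors

$Results | Select-Object PSComputerName, Type, Value | Sort-Object PSComputerName, Type |
    Export-Csv -Path .\ioc-sweep.csv -NoTypeInformation
$Results | Group-Object PSComputerName | Select-Object Name, Count
"Unreachable or failed: $($SweepErrors.Count)"
```

    Two caveats a practitioner would add: do not run the sweep from the infected server itself (its view of the world may be lying), and use a dedicated account over WinRM (a network logon) rather than an interactive or RDP logon to suspect hosts, so the credential you use is not left in memory on a machine the attacker may already control.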
  • My 2 cents here...

    Make sure only necessary network ports are allowed on the infected server, and possibly isolate this server from the network to prevent the infection spreading over to other servers in the infrastructure.

    In addition to the above suggestions, download and install Malwarebytes Anti-Malware. Yes, that even works on servers and is effective in removing the infections.



    Tuesday, February 14, 2012 11:38 AM
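    The host-firewall version of "only necessary ports, isolate the server" looks like the following. This is an added example, not code from this thread or from any of its posters; it assumes Windows Server 2012 or later (NetSecurity module), an elevated console or out-of-band session on the infected server rather than a network session that the script itself is about to cut, and the forensics host address is a placeholder.

```powershell
# Added example, not from the thread: quarantine the suspect server with its
# own Windows Firewall so it can only talk to one forensics/management host.
# Run in an elevated console session on the infected server (Server 2012+).
# The address below is an assumption; replace it with your real management host.
$ForensicsHost = '10.0.0.5'
$GroupName     = 'IR-Quarantine'
$Backup        = "$env:SystemRoot\Temp\fw-enabled-rules-before-quarantine.csv"

# Record which rules were enabled so the state can be restored precisely later.
Get-NetFirewallRule -Enabled True | Select-Object Name, DisplayName |
    Export-Csv -Path $Backup -NoTypeInformation

# Firewall on for every profile; default deny in both directions.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Disable every existing enabled rule: Windows evaluates Allow rules before the
# default action, so any leftover allow rule would punch a hole in the quarantine.
Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule

# Only the forensics host may reach the box (WinRM, RDP) and be reached by it.
New-NetFirewallRule -DisplayName 'IR quarantine: WinRM from forensics host' -Group $GroupName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985,5986 -RemoteAddress $ForensicsHost | Out-Null
New-NetFirewallRule -DisplayName 'IR quarantine: RDP from forensics host' -Group $GroupName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $ForensicsHost | Out-Null
New-NetFirewallRule -DisplayName 'IR quarantine: outbound to forensics host' -Group $GroupName `
    -Direction Outbound -Action Allow -RemoteAddress $ForensicsHost | Out-Null

# Verify that nothing else is enabled.
Get-NetFirewallRule -Enabled True | Select-Object DisplayName, Direction, Action | Format-Table -AutoSize

# Rollback, if the box is kept rather than reimaged:
#   Get-NetFirewallRule -Group $GroupName | Remove-NetFirewallRule
#   Import-Csv $Backup | ForEach-Object { Enable-NetFirewallRule -Name $_.Name }
```

    Treat this as the software fallback for "disconnect it from the network", not a substitute: malware running with administrator rights can reconfigure the host firewall just as easily as you did, so isolation at the switch port, VLAN or hypervisor is more trustworthy when you can get it. Also note that a default-deny outbound policy on a domain member cuts it off from its domain controllers and any service it hosts; that is the intended trade-off during containment.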


  • Hi,

    If my server is infected with a virus, I will perform the following troubleshooting steps:

    1. Update the antivirus program definitions and try to scan the system in Safe Mode or Normal Mode.
    2. According to the virus information you find on the Internet, try to remove the infected files, registry entries and other data manually in Safe Mode.
    3. Contact your antivirus program vendor for more troubleshooting information.

    After removing the virus, try to create some security policies to secure your company domain.

    Regards,

    Arthur Li

    TechNet Community Support

    Tuesday, February 14, 2012 2:49 PM
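    Step 2 above ("remove the infected files, registry entries and other data manually") starts with knowing where to look. The script below enumerates the autostart locations that commodity malware on Windows servers most often uses and writes them out for comparison against a known-good build; it deletes nothing. It is an added example, not code from this thread or from any of its posters, and assumes Windows Server 2012 or later with PowerShell 3 or later and an elevated console; the paths and filters are assumptions you would tune to your own build.

```powershell
# Added example, not from the thread: enumerate the usual autostart locations
# on the infected server and write them to CSV for review. Nothing here removes
# anything. Run in an elevated console (Server 2012+ / PowerShell 3+).
$Report = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Name, $Value) {
    $Report.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
}

# 1. Run / RunOnce keys for the machine and for every loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($k in $runKeys) {
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($n in $item.GetValueNames()) { Add-Finding $k $n $item.GetValue($n) }
    }
}

# 2. Services whose binary lives outside the Windows directory or Program Files.
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch '^"?[A-Z]:\\(Windows|Program Files)'
} | ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 3. Scheduled tasks outside the Microsoft task folder.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' ($_.TaskPath + $_.TaskName) $actions
}

# 4. Unsigned executables in writable drop locations, newest first.
# Get-AuthenticodeSignature is slow, so the directory list is kept narrow.
$dropDirs = @($env:ProgramData, "$env:SystemRoot\Temp", $env:PUBLIC, "$env:SystemDrive\Users\*\AppData\Local\Temp")
Get-ChildItem -Path $dropDirs -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
    Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 50 |
    ForEach-Object { Add-Finding 'UnsignedBinary' $_.FullName $_.LastWriteTime }

$Report | Export-Csv -Path "$env:USERPROFILE\Desktop\persistence-triage.csv" -NoTypeInformation
$Report | Group-Object Source | Select-Object Name, Count
```

    The CSV is the artifact to keep: it tells you what to sweep the rest of the domain for and how the machine was persisted. It does not prove the machine is clean, since anything running with administrator rights can hide from user-mode enumeration, which is the reason the other answers in this thread settle on reinstalling from a clean image or backup.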

All replies

  • HI,

    If your server gets infected with a virus, try to remove its traces with an antivirus or manually; if the system stays unstable, it's recommended to reinstall the server and have a powerful antivirus.



    Best Regards

    Tuesday, February 14, 2012 11:07 AM
  • Hi Bourbita,

    Thanks for your reply.

    What steps do I need to take to remove virus traces manually? Please elaborate.


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com

    Wednesday, February 15, 2012 5:14 AM
  • Hi FZB,

    Thanks for your reply.

    What steps should I take to clean the infection? It would be nice if you could tell me in detail.


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com

    Wednesday, February 15, 2012 5:16 AM
  • Hi Meinolf,

    Thanks for your reply.

    How can I scan domain machines with 2 different AV engines? Should I install two antivirus products? Or, I have heard some corporate antivirus products have an option for scanning with two different AV engines. I don't know the exact answer.


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com

    Wednesday, February 15, 2012 5:20 AM


  • Hi Arthur,

    Thanks for your reply.

    Are you sure antivirus works properly in Safe Mode?


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com

    Wednesday, February 15, 2012 5:22 AM
  • Most of them work.

    Regards,


    Arthur Li

    TechNet Community Support

    Friday, February 17, 2012 7:39 AM
  • Hello,

    "How can I scan domain machines with 2 different AV engines? Should I install two antivirus products? Or, I have heard some corporate antivirus products have an option for scanning with two different AV engines. I don't know the exact answer."

    There are some options from AV providers to run an online scan, for example if your own AV states it is clean. Or you use a second AV program; even a trial/free edition should be up to date, and that way you have a second opinion.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, February 17, 2012 7:44 AM