How do you scan a virus infected computer?

  • Question

  • Hey Guys,

    I've been working for a rather big company in client infrastructure management and we're currently struggling with the offline scanning functionality on Windows 7 devices.

    First some basic information about our environment:

    We have Lenovo as our Desktop and Laptop vendor.

    We are using the X1, X2xx, T4xx, T5xx and P50 Laptops as well as

    the M9xx, P5xx Desktops.

    Some time ago Lenovo introduced the NVMe drives with the M900, the P50 and the X1 Carbon, and that's where the problems began.

    If a device gets a positive virus detection, the device is taken off the network and is not allowed to join back in until an offline virus scan from two different companies has run on the system. With the new NVMe drives, the so-called rescue CDs lost their functionality. They won't detect the drives.

    We then tried to find another AV company which brings support for NVMe drives, but we found out that none of the ~15 tested rescue CDs (even Microsoft Offline) has such support.

    We're now planning to just delete and reinstall suspicious devices until we find a better way of not leaving the user 1-2 days without a device or giving them a new one.

    For Windows 10 it will get a bit easier because of the built-in offline scan functionality, but why doesn't the stand-alone version from Microsoft support NVMe drives?
    I had to manually import the drivers into the WinPE (?) so that the hard drive was at least detected. Then we have the problem that you have to update the virus definitions within the PE, and this is not possible due to network restrictions.

    So now to my question:

    How do you guys handle possibly infected computers at your company?

    Thanks in advance for any feedback! 

    Daniel


    Monday, March 27, 2017 11:35 AM

All replies

  • I believe there is a problem with policies in your network.

    I believe you should discuss this with Lenovo, and I believe these policies come from a third-party vendor.

    I believe you need to handle this by writing some scripts so that when such a condition is detected, the device restarts and boots the offline scanner from the hard drive. Such a scenario is possible using Microsoft DaRT:

    https://technet.microsoft.com/en-us/windows/hh826071.aspx

    Monday, March 27, 2017 4:32 PM
  • Hi Daniel,

    I searched and found Windows 7 can support NVMe drives after installing the following hotfix.

    Update to add native driver support in NVM Express in Windows 7 and Windows Server 2008 R2
    https://support.microsoft.com/en-us/help/2990941/update-to-add-native-driver-support-in-nvm-express-in-windows-7-and-windows-server-2008-r2

    Try to install the hotfix and check the issue again.

    Best regards,
    Joy.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Joy-Qiao Thursday, March 30, 2017 2:35 AM
    Wednesday, March 29, 2017 1:48 AM
  • 
    Hey there,

    thanks for the feedback, but unfortunately this is not what I meant with NVMe support.

    We DO have support for NVMe within Windows 7, but for offline scanning a suspicious device (turning the device off, booting an antivirus CD) we do not have a feasible way to achieve this.

    Even the Windows Defender Offline Scan (https://support.microsoft.com/en-us/help/17466/windows-defender-offline-help-protect-my-pc) does not support NVMe drives when booting it. You have to manually import an NVMe driver into the WinPE of the Offline Scanner.

    Thursday, March 30, 2017 10:47 AM
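The driver-import step Daniel describes, written out as an added PowerShell example (it is not code from this thread, from Lenovo or from Microsoft). It assumes the offline scanner's media has been copied to C:\WDO with its boot image at sources\boot.wim, that the vendor NVMe driver package (the .inf plus its files) sits in C:\Drivers\NVMe, and that the DISM PowerShell module is available (Windows 8.1/10, or Windows 7 with the Windows ADK). All three paths are assumptions.

```powershell
# Added example: inject a vendor NVMe storage driver into a WinPE-based offline scanner image.
# Assumed paths (not from the thread): media extracted to C:\WDO, driver package in C:\Drivers\NVMe.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$MediaRoot = 'C:\WDO'                   # assumed: folder holding the extracted scanner media
$BootWim   = Join-Path $MediaRoot 'sources\boot.wim'
$DriverDir = 'C:\Drivers\NVMe'          # assumed: folder with the vendor .inf package
$MountDir  = 'C:\Mount\WinPE'           # scratch directory for the mounted image

# 1. Check the inputs before touching the image.
if (-not (Test-Path $BootWim)) { throw "Boot image not found: $BootWim" }
if (-not (Get-ChildItem -Path $DriverDir -Filter *.inf -Recurse)) {
    throw "No .inf files found under $DriverDir"
}
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# 2. Mount the first image index read/write. Scanner media usually carries a single index;
#    list them with Get-WindowsImage -ImagePath $BootWim if unsure.
Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $MountDir | Out-Null

$committed = $false
try {
    # 3. Add every driver package under the driver folder. -ForceUnsigned is deliberately not
    #    used: only a signed storage driver belongs in a boot image used for incident response.
    Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse | Out-Null

    # 4. Verify that a third-party (non-inbox) driver is now registered in the image.
    #    A vendor NVMe controller driver normally shows up under the SCSIAdapter class.
    $thirdParty = Get-WindowsDriver -Path $MountDir | Where-Object { -not $_.Inbox }
    if (-not $thirdParty) { throw 'Driver injection did not register any third-party driver.' }
    $thirdParty |
        Select-Object Driver, OriginalFileName, ClassName, ProviderName, Version |
        Format-Table -AutoSize

    # 5. Commit the change to boot.wim.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    $committed = $true
}
finally {
    # If anything failed before the save, discard so a half-modified image is never written back.
    if (-not $committed) { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

After the image is saved, the bootable USB or ISO has to be rebuilt from the updated media folder. This only addresses disk detection; the second problem Daniel raises, refreshing virus definitions inside the PE on a network-restricted segment, is not touched by this step.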
  • Hi Daniel,

    “You have to manually import a NVMe driver into the WinPE of the Offline Scanner ”
    Will the NVMe drive be detected in WinPE?

    As far as I know, the NVMe drive needs the system to support it. For Windows 7, we need to install an update, as I pointed out before, to support it. So I suspect it won't be supported by WinPE. As for the offline scanning of Windows Defender, I think it is likely just a customized WinPE with Windows Defender.
    Anyway, you could try to add the NVMe driver to that WinPE then check the symptom again.

    For an infected machine, I think performing a full scan in safe mode would be enough unless the basic system services have been infected.

    Bests,
    Joy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 5, 2017 9:46 AM