virus found but where is the source?

  • Question

  • Hello,

    Multiple reports:

    Alert Instance Detail

    ID: 20003
    Time Generated: 3/12/2014 12:10:00 AM
    Event Description: Microsoft Forefront Client Security has identified a re-infected computer:
    Version = 1.0.1703.0
    Window start time = 3/9/2014 12:10:00 AM
    Window end time = 3/12/2014 12:10:00 AM
    Event count = 66
    Threat ID = 2147685148
    Threat name = Virus:Win32/Expiro.CD 
    
    Virus Definitions Version
    1.167.1782.0 (Virus Definitions built on 3/12/2014 3:45:18 AM)
    Spyware Definitions Version
    1.167.1782.0 (Spyware Definitions built on 3/12/2014 3:45:18 AM)
    Antimalware Engine Version
    1.1.10302.0
    Security State Assessment Engine Version
    1.0.1710.103
    Security State Assessment Definitions Version
    1.0.1710.103

    Security Issue (5)

    Alert    Instances    Last Raised
             2            3/10/2014 12:05:00 PM
             5            3/12/2014 12:10:00 AM
             5            3/12/2014 12:10:00 AM
             1            3/12/2014 12:10:00 PM
             1            3/12/2014 12:10:00 PM

    If I run a SCAN it found the virus and cleaned it..

    then still

    all of them report a virus... but if I run FCS SCAN on the server I could not find it anymore... why?

    but tomorrow morning it will be here again!!! how to identify the source of this virus?

    Thanks,

    Dom


    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Wednesday, March 12, 2014 8:58 PM

Answers

  • Found the source on a share and propagation to others ...

    7 days of daily clean up took care of it...


    • Marked as answer by Felyjos Wednesday, March 19, 2014 3:39 PM
    Wednesday, March 19, 2014 3:39 PM