TROUBLESHOOTING
Agenda
• This section covers:
• Most common cases
• Disinfection related problems
• Installation problems
• General tips
• Specific cases
Failed Disinfection
• The virus and spyware definition databases are outdated: download the latest databases.
• Manual disinfection is required: some viruses use advanced techniques to hide and attach themselves to files and can be disinfected only with specific tools.
• The infected file is read-only or the user lacks permission to access the file: if the Scan Wizard does not have access to the file, start the computer in safe mode, log on with an account that has administrative rights and run the scan again.
Failed Disinfection (continued)
• The file is on a CD or inside an archive: you cannot disinfect or delete files on a CD or inside archives.
• False alarm: in general the product does not flag a harmless file, but false positives happen from time to time. Send the sample to F-Secure.
• A new type of virus might have been detected on your computer: send the sample to F-Secure.
Location Based Disinfection
• Often the location of the infection is more important than the name of the infection.
• Check where the infected file is located and disinfect based on that.
• Special locations include mailbox files, the Internet Explorer cache folder, the Java cache folder, the Recycle Bin, temporary folders, compressed files, System Volume, System Restore and the Master Boot Record (MBR).
Infected Internet Explorer Cache Folders
• Infected Internet Explorer cache folders are quite common.
• These folders are used to store files that Internet Explorer has downloaded from the Internet (images, HTML pages, executable and script files).
• Removing the infection: open Internet Explorer, select the "Tools" menu, click "Internet Options" and then click the "Delete Files" button under "Temporary Internet Files" in the dialog box that appears. After that the Internet Explorer cache folders are emptied.
Infected Java Cache Folder
• Another place where infections can be found is inside the Java cache folder.
• How to remove infections? Access the Java cache folder (e.g. with Windows Explorer), select all files and subfolders and delete them.
• As this folder contains only cached files, no actual data is lost in this operation.
Infection in System Restore Files
• F-Secure Anti-Virus has detected a virus in the "System Volume Information" or the "_RESTORE" folder, but it cannot disinfect, rename or delete the infected file(s). What can be done to get access to those files?
• System Restore is a feature of Windows XP and Windows ME. If a virus infects the computer, it is possible that the virus has been backed up in the System Restore folder. Disinfecting those files requires special attention.
Archives and Temporary Files
• Removing infections from archives: AVCS does not automatically disinfect inside archives. Extract the archive (real-time protection will scan the extracted content) and then repack the cleaned files.
• Cleaning temporary folders: go to the temporary folder where the infection was detected, select all files and subfolders and delete them. The files are temporary, so you do not lose any information.
Removing Internet Explorer Trojans
• The best way to be safe from such trojans (e.g. the classloader exploit) is to make sure that Internet Explorer is up to date.
• Even with an updated IE the trojans are sometimes downloaded, but they cannot activate.
• How to remove existing trojans? Update Internet Explorer using Windows Update to prevent any further infections, clear the Internet Explorer temporary file cache, then scan the computer with FSAVCS to remove any other downloaded components.
Reappearing Virus or Worm
• Why does a virus or worm reappear even though I just deleted it?
• Malware (worm, trojan, backdoor etc.) is able to access shared folders protected by weak passwords (e.g. Randex).
• Create strong passwords for existing shares (and remove unnecessary accounts).
• It is recommended to avoid shared folders (use file servers to share data!).
• Configure personal firewalls not to accept any inbound connections (even from the local network).
• If the virus warning keeps reappearing every time you start a browser, check your default home page: your browser might have been hijacked.
Installation Problems
• Some viruses block antivirus installations: disinfect the computer before starting the installation. The Klez virus is removed automatically during installation.
• The host does not meet the system requirements: update the computer or use an older version of the software.
• Conflicting software is installed: remove all other antivirus and firewall products (the Sidegrade module should be able to detect and remove most conflicting software automatically).
• No administrative rights on the current account.
What to Do in Case of a Virus Outbreak
• Disconnect the infected computer from the network. If the infection keeps spreading, the whole network should be taken down.
• Check whether you are dealing with a real infection or a false alarm: scan the infected computer with the latest virus definitions update. If the infection is identified exactly (e.g. a variant description), you are dealing with a real infection.
• In case of a possible new virus or a boot sector virus image, send the file sample to F-Secure.
• Check the virus description from the PMC (Outbreak tab) or directly from the F-Secure Web. Download disinfection tools if needed.
• Once the virus infection is under control (no more spreading in the local network!), you can take the network back into use.
Further Resources
• Support pages: http://support.f-secure.com/enu/corporate/
• Run FSDiag before contacting support. FSDiag collects important information about the system configuration and system errors that can be sent to F-Secure or the partner for analysis.
F-Secure Diagnostics Tool FSDIAG.EXE
• Diagnostics tool included in the installation package.
• Collects important system information (e.g. log files) into an archive on the local disk.
• Access points: C:\Program Files\F-Secure\Common\fsdiag.exe, which writes Fsdiag.tar.gz in the same directory.
Analyzing FSDIAG
• System information: osver.log, hardware.log, netstart.log, system.evt
• Network information: ipconfig.log, route.log
• Firewall overview: fulldiag.htm
• Internal alerts: logfile.log
• Conflicting software: application.evt, reg_run.log
• Virus definitions update information: header.ini, daas.log
Problems with Defragmentation, Analyzing or Writing CDs
• Burning CDs, running defragmentation or disk analysis while the real-time scanner is running might create problems (corrupted disks, hanging processes).
• Real-time protection always causes some overhead on file I/O, which can cause problems for time-critical file operations such as creating CD-R/CD-RW images.
• Disable real-time scanning (or unload the program) before starting the operation.
Scanning Time Exceeded
• Errors in logfile.log about files exceeding the scan limit:
"Scanning of D:\EXAMPLE.EXE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. the network connection was under heavy load during the scan)."
• This can be changed with central administration: change the policy setting "Limit Scanning Time" (found under scanning options). Please note that this might have a negative impact on the performance of your system (the recommended value is 25 seconds).
Error 506
• Errors with the string "error=-506" appear in logfile.log.
• The error message is only cosmetic. If the computers are under centralized management, it is caused by some settings having been forced as final (locked).
• Changing a locked setting (security level or similar) from the local user interface causes the errors to appear.
• The security level is not actually changed because the setting is locked; the attempt only produces the errors in the log.
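Added example (not part of the original training deck): a small Python helper that checks an FSDiag archive listing against the files the "Analyzing FSDIAG" slide expects and counts the two logfile.log symptoms described under "Scanning Time Exceeded" and "Error 506". The logfile.log line layout and the archive member paths are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter

# Files the 'Analyzing FSDIAG' slide lists, grouped by the slide's topics.
EXPECTED_FSDIAG_FILES = {
    "system": {"osver.log", "hardware.log", "netstart.log", "system.evt"},
    "network": {"ipconfig.log", "route.log"},
    "firewall": {"fulldiag.htm"},
    "alerts": {"logfile.log"},
    "conflicting_software": {"application.evt", "reg_run.log"},
    "definitions_update": {"header.ini", "daas.log"},
}

# Message text as quoted on the 'Scanning Time Exceeded' slide.
SCAN_TIMEOUT_RE = re.compile(
    r"Scanning of (?P<path>.+?) was aborted due to exceeded scanning time limit")
# 'Error 506' slide: cosmetic, produced when a locked setting is changed locally.
ERROR_506_RE = re.compile(r"error=-506")


def missing_fsdiag_files(archive_members):
    """Map each topic with a gap to the expected files absent from the archive."""
    present = {name.rsplit("/", 1)[-1].lower() for name in archive_members}
    return {topic: files - present
            for topic, files in EXPECTED_FSDIAG_FILES.items() if files - present}


def triage_logfile(text):
    """Count scan time-outs per file path and cosmetic error=-506 entries."""
    timeouts, cosmetic_506 = Counter(), 0
    for line in text.splitlines():
        m = SCAN_TIMEOUT_RE.search(line)
        if m:
            timeouts[m.group("path")] += 1
        elif ERROR_506_RE.search(line):
            cosmetic_506 += 1
    return {"scan_timeouts": dict(timeouts), "error_506": cosmetic_506}


# Constructed sample; timestamps and line layout are assumed, not real output.
TAIL = " was aborted due to exceeded scanning time limit. The file may be in use."
SAMPLE_LOG = "\n".join([
    "2004-03-01 10:02:11 Scanning of D:\\EXAMPLE.EXE" + TAIL,
    "2004-03-01 10:05:40 Scanning of \\\\FILESRV\\share\\big.iso" + TAIL,
    "2004-03-01 10:06:02 Scanning of D:\\EXAMPLE.EXE" + TAIL,
    "2004-03-01 10:07:15 Settings change rejected, error=-506",
    "2004-03-01 10:07:16 Settings change rejected, error=-506",
])

if __name__ == "__main__":
    print(triage_logfile(SAMPLE_LOG))
    print(missing_fsdiag_files(["fsdiag/osver.log", "fsdiag/logfile.log"]))
```

A file that times out repeatedly is worth a closer look (in use, on a slow share), while a run of error=-506 entries alone points at locked policy settings rather than a product fault.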
Summary
• This section covered:
• Most common cases
• Disinfection related problems
• Installation problems
• General tips
• Specific cases