TROUBLESHOOTING

Agenda
This section covers
• Most common cases
• Disinfection related problems
• Installation problems
• General tips
• Specific cases
MOST COMMON PROBLEMS
Failed Disinfection
The virus and spyware definition databases are outdated
• Download latest databases
Manual disinfection is required
• Some viruses use advanced techniques to hide and attach themselves to
files and can be disinfected only with specific tools
Infected file is read-only or user lacks permission to access the file
• If the Scan Wizard does not have access to the file, start the computer in
safe mode and log on with an account that has administrative rights and
run the scan again
Failed Disinfection
File is on a CD or inside an archive.
• You cannot disinfect or delete files on CD or inside archives
False alarm
• In general, the product does not flag a harmless file, but false
positives happen from time to time
• Send the sample to F-Secure
A new type of virus might have been detected on your computer
• Send the sample to F-Secure
Location Based Disinfection
Often the location of the infection is more important than the name of
the infection
• Check where the infected file is located and disinfect based on that
• Special locations include mailbox files, the Internet Explorer cache folder, the Java
cache folder, the Recycle Bin, temporary folders, compressed files,
System Volume Information, System Restore and the Master Boot Record (MBR)
Infected Internet Explorer Cache Folders
Infected Internet Explorer cache folders are quite common
• These folders are used to store files that Internet Explorer has
downloaded from the Internet (images, HTML pages, executable and
script files).
Removing infection
• Open Internet Explorer, select the "Tools" menu, click "Internet Options"
and then click the "Delete Files" button under "Temporary Internet Files"
in the dialog box that appears. After that the Internet Explorer cache folders
are emptied.
Infected Java Cache Folder
Another place where infections can be found is inside the Java cache
folder
How to remove infections?
• Access the Java cache folder (e.g. with Windows Explorer), select all files
and subfolders and delete them.
• As this folder contains only cached files, no actual data is lost in this
operation.
Infection in System Restore Files
F-Secure Anti-Virus has detected a virus in the "System volume information" or the "_RESTORE" folder, but it cannot disinfect, rename or delete the infected file(s). What can be done to get access to those files?
• System Restore is a feature of Windows XP and Windows ME, and if a virus infects the computer, it is possible that the virus is backed up in the System Restore folder. Disinfecting those files requires special attention.
Archives and Temporary Files
Removing infections from archives
• AVCS doesn’t automatically disinfect inside archives
• Extract the archive (real-time protection will scan the extracted content)
and then repack the cleaned files
Cleaning temporary folders
• Go to the temporary folder where the infection was detected, select all files
and subfolders and delete them
• The files are temporary, so you do not lose any information!
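As an added illustration of the location-based approach above (not code from the slides or from F-Secure), this Python classifier maps a detection path to the special location and the handling the slides describe; the folder patterns, the mailbox file types and their handling, and the CD drive letter are assumptions.

```python
import ntpath
import re

# Special locations named on the slides, each with the handling the slides
# recommend. The folder patterns are assumptions about typical Windows XP
# paths, not F-Secure's own logic.
RULES = [
    (r"\\temporary internet files\\", "ie_cache",
     "Empty the IE cache: Tools > Internet Options > Delete Files"),
    (r"\\java\\deployment\\cache\\|\\java\\cache\\", "java_cache",
     "Delete everything in the Java cache folder; only cached files are lost"),
    (r"\\system volume information\\|\\_restore\\", "system_restore",
     "System Restore copy: the scanner cannot clean it in place, handle separately"),
    (r"\\recycler\\|\\recycled\\", "recycle_bin",
     "Empty the Recycle Bin"),
    (r"\\temp\\|\\tmp\\", "temp",
     "Delete everything in the temporary folder; no real data is lost"),
]
ARCHIVE_EXT = {".zip", ".rar", ".cab", ".jar", ".tar", ".gz", ".7z"}
MAILBOX_EXT = {".pst", ".dbx", ".mbx"}   # assumed mailbox file types


def classify(path, cd_drives=("D:",)):
    """Map an infected file path reported by the scanner to (location, advice).

    cd_drives lists drive letters that are CD drives (assumed here; a real
    tool would query the drive type).
    """
    p = path.lower()
    if ntpath.splitdrive(p)[0].upper() in {d.upper() for d in cd_drives}:
        return ("cd", "File is on a CD: it cannot be disinfected or deleted")
    parts = p.split("\\")
    # An archive anywhere in the path means the detection is inside the archive.
    if any(ntpath.splitext(part)[1] in ARCHIVE_EXT for part in parts):
        return ("archive", "Extract the archive (real-time protection scans the "
                "extracted files), then repack the clean files")
    if ntpath.splitext(parts[-1])[1] in MAILBOX_EXT:   # assumed handling
        return ("mailbox", "Mailbox file: handle the infected message inside the "
                "mail client rather than deleting the whole store")
    for pattern, location, advice in RULES:
        if re.search(pattern, p):
            return (location, advice)
    return ("other", "Disinfect in place; if access is denied, rescan in safe mode "
            "with an administrator account")


if __name__ == "__main__":
    for sample in (r"D:\setup.exe", r"C:\WINDOWS\Temp\x.exe"):   # constructed paths
        print(sample, "->", classify(sample))
```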
Removing Internet Explorer Trojans
The best way to be safe from such trojans (e.g. the classloader exploit) is
to make sure that Internet Explorer is up to date
• Even with updated IE the trojans are sometimes downloaded, but cannot
activate
How to remove existing trojans?
• Update your Internet Explorer using Windows update to prevent any
further infections
• Clear the Internet Explorer temporary file cache
• Scan the computer with FSAVCS to remove any other downloaded
components
Reappearing Virus or Worm
Why does a virus or worm reappear even though I just deleted it?
• Malware (worm, trojan, backdoor etc.) is able to access shared folders
behind weak passwords (e.g. Randex)
• Create strong passwords for existing shares (remove unnecessary
accounts)
• It is recommended to avoid shared folders (use file servers to share
data!)
• Configure personal firewalls to not accept any inbound connections
(even from local network)
• If the virus warning keeps reappearing every time you start a browser,
check your default home page
• Your browser might have been hijacked
Installation Problems
Some viruses block antivirus installations
• Disinfect the computer first before starting the installation
• The Klez virus is removed automatically during installation
Conflicting software is installed
• Remove all other antivirus and firewall products (the Sidegrade module should be able to detect and remove most conflicting software automatically)
No administrative rights on current account
The host doesn’t meet the system requirements
• Update the computer or use an older version of the software
GENERAL TIPS
What to Do in a Case of Virus Outbreak
1. Disconnect the infected computer from the network
• If the infection keeps spreading, the whole network should be taken down
2. Check if you are dealing with a real infection or a false alarm
• Scan the infected computer with the latest virus definitions update
• If the infection is identified exactly (e.g. variant description), then you are dealing with a real infection
• In case of a possible new virus or boot sector virus image, send the file sample to F-Secure
3. Check the virus description from the PMC (Outbreak Tab) or directly from the F-Secure Web. Download disinfection tools, if needed
4. Once the virus infection is under control (no spreading in the local network anymore!), you can take the network back into use
Further Resources
Support pages
• http://support.f-secure.com/enu/corporate/
Run FSDiag before contacting support
• FSDiag collects important information about the system configuration and
system errors that can be sent to F-Secure or the partner for analysis
F-Secure Diagnostics Tool
FSDIAG.EXE
Diagnostics tool included in the
installation package
• Collects important system information
(e.g. log files) into an archive on the local
disk
Access points
• C:\Program Files\F-Secure\Common\
fsdiag.exe
• Fsdiag.tar.gz in the same directory
Analyzing FSDIAG
System information
• osver.log
Internal alerts
• logfile.log
• hardware.log
• netstart.log
• system.evt
Network information
Conflicting Software
• application.evt
• reg_run.log
• ipconfig.log
• route.log
Firewall overview
• fulldiag.htm
Virus definitions update
information
• header.ini
• daas.log
SPECIFIC CASES
Problems with Defragmentation,
Analyzing or Writing CDs
Burning CDs, running defragmentation or disk analysis while the real-time
scanner is running might cause problems (corrupted disks, hanging
processes)
• Real-time protection always causes some overhead on file I/O, which can
cause problems for time-critical file operations such as creating CD-R/CDRW images
• Disable real-time scanning (or unload program) before starting the
operation
Scanning Time Exceeded
Errors in the logfile.log about files exceeding the scan limit.
• ”Scanning of D:\EXAMPLE.EXE was aborted due to exceeded scanning
time limit. The file may be in use or reading it was too slow (e.g. the
network connection was under heavy load during the scan).”
• This can be changed with central administration.
• Change policy setting "Limit Scanning Time" (found under scanning
options). Please note that this might have negative impact on performance
of your system (recommended value is 25 seconds).
Error 506
Errors with string "error=-506" appear in the logfile.log
• The error message is only cosmetic. If the computers are under
centralized management, it is caused by forcing some settings as final
(locked).
• Changing the locked settings (security level or similar) from the local user
interface causes errors to appear.
• The security level is not actually changed because the setting is locked, it
just produces the errors in log.
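An added example, not from the slides or from F-Secure: a small Python triage of logfile.log lines for the two cases just described (scan time limit exceeded and error=-506). The log line layout and timestamps are constructed; only the message texts follow the slides.

```python
import re
from collections import Counter

# Constructed sample of logfile.log lines (not a real F-Secure log; the
# message texts follow the slides, the timestamps and layout are assumed).
SAMPLE_LOG = """\
2004-03-02 10:15:01 [scan] Scanning of D:\\EXAMPLE.EXE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. the network connection was under heavy load during the scan).
2004-03-02 10:15:07 [scan] Scanning of \\\\fileserver\\share\\big.iso was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. the network connection was under heavy load during the scan).
2004-03-02 10:16:30 [ui] Failed to apply security level: error=-506
2004-03-02 10:16:31 [ui] Failed to apply security level: error=-506
2004-03-02 10:20:00 [update] Virus definitions updated successfully
"""

TIMEOUT_RE = re.compile(r"Scanning of (?P<path>.+?) was aborted due to exceeded scanning time limit")
LOCKED_RE = re.compile(r"error=-506\b")


def triage(log_text):
    """Group logfile.log lines into the two cases from the slides plus 'other'."""
    timed_out = []
    counts = Counter()
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            counts["scan_timeout"] += 1
            timed_out.append(m.group("path"))      # file worth checking for slow access
        elif LOCKED_RE.search(line):
            counts["locked_setting"] += 1          # cosmetic: locked policy setting touched locally
        else:
            counts["other"] += 1
    return {"counts": dict(counts), "timed_out": timed_out}


def advice(result):
    """Turn the triage result into the actions the slides recommend."""
    notes = []
    if result["timed_out"]:
        notes.append("Check whether the timed-out files are in use or on a slow network path; "
                     "adjust 'Limit Scanning Time' in central administration if needed (25 s recommended).")
    if result["counts"].get("locked_setting"):
        notes.append("error=-506 is cosmetic: a locked (final) policy setting was changed in the "
                     "local UI; the setting itself did not change.")
    return notes


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"], result["timed_out"])
    print("\n".join(advice(result)))
```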
Summary
This section covers
• Most common cases
• Disinfection related problems
• Installation problems
• General tips
• Specific cases