TROUBLESHOOTING

Upload: kelley-sutton

Post on 18-Dec-2015


Page 1: TROUBLESHOOTING. Page 2 Agenda This section covers Most common cases Disinfection related problems Installation problems General tips Specific cases

TROUBLESHOOTING


Page 2

Agenda

This section covers

• Most common cases

• Disinfection related problems

• Installation problems

• General tips

• Specific cases


MOST COMMON PROBLEMS


Page 4

Failed Disinfection

The virus and spyware definition databases are outdated

• Download latest databases

Manual disinfection is required

• Some viruses use advanced techniques to hide and attach themselves to files and can be disinfected only with specific tools

Infected file is read-only or user lacks permission to access the file

• If the Scan Wizard does not have access to the file, start the computer in safe mode and log on with an account that has administrative rights and run the scan again


Page 5

Failed Disinfection

File is on a CD or inside an archive.

• You cannot disinfect or delete files on CD or inside archives

False alarm

• In general, the product does not flag a harmless file, but false positives happen from time to time

• Send the sample to F-Secure

A new type of virus might have been detected on your computer

• Send the sample to F-Secure


Page 6

Location Based Disinfection

Often the location of the infection is more important than the name of the infection

• Check where the infected file is located and disinfect based on that

• Special locations include mailbox files, Internet Explorer cache folder, Java cache folder, the Recycle Bin, temporary folders, compressed files, System Volume, System Restore and Master Boot Record (MBR)


Page 7

Infected Internet Explorer Cache Folders

Infected Internet Explorer cache folders are quite common

• These folders are used to store files that Internet Explorer has downloaded from the Internet (images, HTML pages, executable and script files).

Removing infection

• Open Internet Explorer, select the "Tools" menu, click "Internet Options" and then click the "Delete Files" button under "Temporary Internet Files" in the dialog box that appears. After that, the Internet Explorer cache folders are emptied.


Page 8

Infected Java Cache Folder

Another place where infections can be found is inside the Java cache folder

How to remove infections?

• Access the Java cache folder (e.g. with Windows Explorer), select all files and subfolders and delete them.

• As this folder contains only cached files, no actual data is lost in this operation.


Page 9

Infection in System Restore Files

F-Secure Anti-Virus has detected a virus in the "System volume information" or the "_RESTORE" folder, but it cannot disinfect, rename or delete the infected file(s)? What can be done to get access to those files?

• System Restore is a feature of Windows XP and Windows ME and if the virus infects the computer, it is possible that the virus could be backed up in the system restore folder. Disinfecting those files requires special attention.


Page 10

Archives and Temporary Files

Removing infections from archives

• AVCS doesn’t automatically disinfect inside archives

• Extract the archive (real-time protection will scan the extracted content) and then repack the cleaned files

Cleaning temporary folders

• Go to the temporary folder where the infection was detected, select all files and subfolders and delete them

• The files are temporary, so you do not lose any information!
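The slides on pages 6 to 10 boil down to one rule: look at where the detected file sits before deciding what to do with it. The script below is an added example (not part of the training material and not F-Secure code) that applies that rule to a list of detection paths. The path patterns for each special location are my assumptions about typical Windows layouts; the advice strings follow the slides, and the sample detection paths are constructed.

```python
"""Location-based triage of detections, following the slides' point that the
location of an infected file often matters more than the malware name."""
import re

# Rules: (location label, path pattern, handling advice, slide page).
# The regular expressions are assumptions about common Windows path layouts
# (constructed for this example); the advice text follows the slides.
RULES = [
    ("system_restore", r"\\(System Volume Information|_RESTORE)\\",
     "Backup copy kept by System Restore; it cannot be disinfected, renamed or "
     "deleted in place and needs special attention", 9),
    ("ie_cache", r"\\Temporary Internet Files\\",
     "Clear the Internet Explorer cache (Internet Options > Delete Files)", 7),
    ("java_cache", r"\\(Java\\.*\\cache|\.jpi_cache)\\",
     "Delete all files and subfolders of the Java cache; only cached data is lost", 8),
    ("archive", r"\.(zip|rar|cab|arj|7z|tar|gz)(\\|$)",
     "Files inside archives are not disinfected automatically: extract, let "
     "real-time protection scan the content, then repack the cleaned files", 10),
    ("temp", r"\\(Temp|Tmp)\\",
     "Delete all files and subfolders of the temporary folder; nothing is lost", 10),
    ("recycle_bin", r"^[A-Za-z]:\\(\$Recycle\.Bin|RECYCLER|RECYCLED)\\",
     "Special location listed on the slides; disinfect based on the location "
     "rather than the detection name", 6),
    ("mailbox", r"\.(pst|ost|dbx|mbx)$",
     "Mailbox file; special location listed on the slides, handle based on the location", 6),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), advice, page)
            for name, pat, advice, page in RULES]

DEFAULT = ("regular_file",
           "Disinfect, rename or delete in place; if the Scan Wizard lacks access, "
           "start in safe mode, log on with an administrative account and rescan", 4)


def classify(path):
    """Return (location, advice, slide page) for one detected file path."""
    for name, rx, advice, page in COMPILED:
        if rx.search(path):
            return name, advice, page
    return DEFAULT


def triage(paths):
    """Group detected paths by location so each batch can be handled the same way."""
    groups = {}
    for p in paths:
        name, _, _ = classify(p)
        groups.setdefault(name, []).append(p)
    return groups


# Constructed sample detections (not real alerts) to exercise the rules.
SAMPLE_DETECTIONS = [
    r"C:\System Volume Information\_restore{ABC}\RP12\A0000123.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\X1Y2Z3\dropper[1].exe",
    r"C:\Documents and Settings\alice\Application Data\Sun\Java\Deployment\cache\6.0\12\loader.class",
    r"D:\downloads\tools.zip\setup.exe",
    r"C:\WINDOWS\Temp\~tmp4711.exe",
    r"C:\RECYCLER\S-1-5-21-1\Dc3.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\Identities\{7F3A}\Microsoft\Outlook Express\Inbox.dbx",
    r"C:\WINDOWS\system32\evil.dll",
]

if __name__ == "__main__":
    for location, files in sorted(triage(SAMPLE_DETECTIONS).items()):
        _, advice, page = classify(files[0])
        print(f"[{location}] (slide page {page}) {advice}")
        for f in files:
            print("   ", f)
```

Rules are checked in order, so the more specific locations (System Restore, IE cache) win over the generic temporary-folder rule; anything that matches no rule falls back to the page 4 advice for ordinary files.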


Page 11

Removing Internet Explorer Trojans

The best way to be safe from such trojans (e.g. classloader exploit) is to make sure that Internet Explorer is up-to-date

• Even with updated IE the trojans are sometimes downloaded, but cannot activate

How to remove existing trojans?

• Update your Internet Explorer using Windows update to prevent any further infections

• Clear the Internet Explorer temporary file cache

• Scan the computer with FSAVCS to remove any other downloaded components


Page 12

Reappearing Virus or Worm

Why does a virus or worm reappear even though I just deleted it?

• Malware (worm, trojan, backdoor etc.) is able to access shared folders behind weak passwords (e.g. Randex)

• Create strong passwords for existing shares (remove unnecessary accounts)

• It is recommended to avoid shared folders (use file servers to share data!)

• Configure personal firewalls to not accept any inbound connections (even from local network)

• If the virus warning keeps reappearing every time you start a browser, check your default home page

• Your browser might have been hijacked


Page 13

Installation Problems

Some viruses block antivirus installations

• Disinfect the computer first before starting the installation

• The Klez virus is removed automatically during installation

The host doesn’t meet the system requirements

• Update the computer or use an older version of the software

Conflicting software is installed

• Remove all other antivirus and firewall products (Sidegrade module should be able to detect and remove most conflicting software automatically)

No administrative rights on current account


GENERAL TIPS


Page 15

What to Do in a Case of Virus Outbreak

1. Disconnect the infected computer from the network

• If the infection keeps spreading, the whole network should be taken down

2. Check if you are dealing with a real infection or a false alarm

• Scan the infected computer with the latest virus definitions update

• If the infection is identified exactly (e.g. variant description), then you are dealing with a real infection

• In case of a possible new virus or boot sector virus image, send the file sample to F-Secure

3. Check the virus description from the PMC (Outbreak Tab) or directly from the F-Secure Web. Download disinfection tools, if needed

4. Once the virus infection is under control (no spreading in the local network anymore!), you can take the network back into use


Page 16

Further Resources

Support pages

• http://support.f-secure.com/enu/corporate/

Run FSDiag before contacting support

• FSDiag collects important information about the system configuration and system errors, that can be sent to F-Secure or the partner for analysis


Page 17

F-Secure Diagnostics Tool FSDIAG.EXE

Diagnostics tool included in the installation package

• Collects important system information (e.g. logfiles) to an archive on the local disk

Access points

• C:\Program Files\F-Secure\Common\fsdiag.exe

• Fsdiag.tar.gz in the same directory


Page 18

Analyzing FSDIAG

System information

• osver.log

• hardware.log

• netstart.log

• system.evt

Network information

• ipconfig.log

• route.log

Firewall overview

• fulldiag.htm

Internal alerts

• logfile.log

Conflicting Software

• application.evt

• reg_run.log

Virus definitions update information

• header.ini

• daas.log
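Before an FSDiag archive is sent to F-Secure or a partner, it is worth checking that it actually contains the files the slide lists for each diagnostic area. The script below is an added example (not part of the training material and not F-Secure code) that opens an fsdiag.tar.gz and reports, per category, which expected files are present and which are missing. It matches on base file names only, because the directory layout inside the archive is not described on the slides (an assumption); the sample archive it builds in memory is constructed test data, not real FSDiag output.

```python
"""Inventory check for an FSDiag archive, using the file-to-category mapping
from the 'Analyzing FSDIAG' slide so a support engineer can see at a glance
which diagnostic areas the archive covers before sending it on."""
import io
import tarfile

# File names and categories exactly as listed on the slide.
FSDIAG_LAYOUT = {
    "System information": ["osver.log", "hardware.log", "netstart.log", "system.evt"],
    "Network information": ["ipconfig.log", "route.log"],
    "Firewall overview": ["fulldiag.htm"],
    "Internal alerts": ["logfile.log"],
    "Conflicting software": ["application.evt", "reg_run.log"],
    "Virus definitions update information": ["header.ini", "daas.log"],
}


def inventory(archive_bytes):
    """Return {category: (present, missing)} for the contents of fsdiag.tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        # Match on the base name, case-insensitively: the directory layout
        # inside the archive is not described on the slides (assumption).
        names = {m.name.rsplit("/", 1)[-1].lower()
                 for m in tar.getmembers() if m.isfile()}
    result = {}
    for category, expected in FSDIAG_LAYOUT.items():
        present = [n for n in expected if n.lower() in names]
        missing = [n for n in expected if n.lower() not in names]
        result[category] = (present, missing)
    return result


def missing_categories(report):
    """Categories for which not a single expected file was found."""
    return [c for c, (present, _) in report.items() if not present]


def build_sample_archive(files):
    """Build an in-memory tar.gz from {member name: text}. Constructed test
    data for this example, not a real FSDiag output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a partial FSDiag archive in which the firewall overview
# and the conflicting-software files are missing.
SAMPLE_ARCHIVE = build_sample_archive({
    "fsdiag/osver.log": "Windows XP Professional, Service Pack 2\n",
    "fsdiag/hardware.log": "CPU: 1 x 2.0 GHz, RAM: 512 MB\n",
    "fsdiag/netstart.log": "Server service started\n",
    "fsdiag/system.evt": "",  # binary event log in reality; empty placeholder here
    "fsdiag/ipconfig.log": "IP Address: 10.0.0.5\n",
    "fsdiag/route.log": "0.0.0.0 0.0.0.0 10.0.0.1\n",
    "fsdiag/logfile.log": "Real-time protection started\n",
    "fsdiag/header.ini": "[Header]\nVersion=2005-02-01_03\n",
    "fsdiag/daas.log": "Update check: OK\n",
})

if __name__ == "__main__":
    report = inventory(SAMPLE_ARCHIVE)
    for category, (present, missing) in report.items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{category:40s} {status}")
    print("Areas with no data:", missing_categories(report))
```

To run it against a real archive, read C:\Program Files\F-Secure\Common\Fsdiag.tar.gz into bytes and pass those to `inventory()` instead of `SAMPLE_ARCHIVE`; a category with no files at all usually means that part of the collection failed on the host and the archive may need to be regenerated.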


SPECIFIC CASES


Page 20

Problems with Defragmentation, Analyzing or Writing CDs

Burning CDs, running defragmentation or disk analysis while the real-time scanner is running might create problems (corrupted disks, hanging processes)

• Real-time protection always causes some overhead on file I/O, which can cause problems for time-critical file operations such as creating CD-R/CD-RW images

• Disable real-time scanning (or unload program) before starting the operation


Page 21

Scanning Time Exceeded

Errors in the logfile.log about files exceeding the scan limit.

• ”Scanning of D:\EXAMPLE.EXE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. the network connection was under heavy load during the scan).”

• This can be changed with central administration.

• Change policy setting "Limit Scanning Time" (found under scanning options). Please note that this might have negative impact on performance of your system (recommended value is 25 seconds).


Page 22

Error 506

Errors with string "error=-506" appear in the logfile.log

• The error message is only cosmetic. If the computers are under centralized management, it is caused by some settings having been forced as final (locked) by the administrator.

• Changing the locked settings (security level or similar) from the local user interface causes errors to appear.

• The security level is not actually changed because the setting is locked, it just produces the errors in log.
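Pages 21 and 22 describe two message types that recur in logfile.log and that a support engineer should separate quickly: scan-time-limit aborts, which may point to files in use or a slow network share, and "error=-506" entries, which are cosmetic. The script below is an added example (not part of the training material and not F-Secure code) that classifies lines of a logfile.log accordingly and turns the counts into the advice the slides give. The timeout wording follows the message quoted on page 21; the timestamp prefix and the other lines are constructed sample data, and the "error=-506" line text is an assumption.

```python
"""Triage of an FSDiag logfile.log for the two recurring messages described on
the slides: scan-time-limit aborts and cosmetic 'error=-506' entries."""
import re
from collections import Counter

# The scan-timeout wording is quoted on the slide; the rest of the line
# format (timestamp, other messages) is an assumption for this example.
SCAN_TIMEOUT = re.compile(
    r"Scanning of (?P<path>.+?) was aborted due to exceeded scanning time limit")
ERROR_506 = re.compile(r"error=-506\b")


def triage_logfile(lines):
    """Return scan-timeout counts per file path, the number of -506 errors,
    and the remaining lines that still need a human look."""
    timeouts = Counter()
    err506 = 0
    other = []
    for line in lines:
        m = SCAN_TIMEOUT.search(line)
        if m:
            timeouts[m.group("path")] += 1
        elif ERROR_506.search(line):
            err506 += 1
        else:
            other.append(line)
    return {"timeouts": timeouts, "error_506": err506, "other": other}


def recommendations(summary):
    """Map the triage counts to the handling advice given on the slides."""
    advice = []
    if summary["timeouts"]:
        worst = ", ".join(f"{p} ({n}x)" for p, n in summary["timeouts"].most_common(3))
        total = sum(summary["timeouts"].values())
        advice.append(
            f"{total} scan-time-limit abort(s), most frequent: {worst}. "
            "The files may be in use or slow to read (e.g. over a loaded network); "
            "if needed, raise the 'Limit Scanning Time' policy setting through central "
            "administration (recommended value 25 seconds), at some cost in performance.")
    if summary["error_506"]:
        advice.append(
            f"{summary['error_506']} 'error=-506' entries: cosmetic. A centrally locked "
            "setting (e.g. security level) was changed in the local UI; the locked "
            "setting stays in force and only the log entry results.")
    return advice


# Constructed sample log lines (not captured from a real system); the
# timeout message text follows the wording quoted on the slide.
TIMEOUT_TAIL = (" was aborted due to exceeded scanning time limit. The file may be in use "
                "or reading it was too slow (e.g. the network connection was under heavy "
                "load during the scan).")
SAMPLE_LOG = [
    r"2005-03-01 08:12:03 Scanning of D:\EXAMPLE.EXE" + TIMEOUT_TAIL,
    r"2005-03-01 08:12:09 Scanning of \\FILESRV\share\big.iso" + TIMEOUT_TAIL,
    r"2005-03-01 08:14:41 Scanning of \\FILESRV\share\big.iso" + TIMEOUT_TAIL,
    r"2005-03-01 09:00:00 Security level change rejected, error=-506",
    r"2005-03-01 09:00:05 Security level change rejected, error=-506",
    r"2005-03-01 09:30:00 Real-time protection started",
]

if __name__ == "__main__":
    summary = triage_logfile(SAMPLE_LOG)
    for line in recommendations(summary):
        print("-", line)
    print("Unclassified lines:", len(summary["other"]))
```

Counting timeouts per path rather than in total is the useful part: one file that times out on every scan (a large image on a network share, say) is a different problem from dozens of distinct files timing out once, which points at the host or the link being overloaded.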


Page 23

Summary

This section covers

• Most common cases

• Disinfection related problems

• Installation problems

• General tips

• Specific cases