
SSE - finding a Virus that keeps reappearing on CIFS.

Created: 15 Sep 2011 • Updated: 15 Sep 2011 | 10 comments

Following the recent deployment of SSE in my company, we have discovered a virus that, even after successful deletion, still keeps creeping back onto the same place in the CIFS shares.

The virus is W32.Changeup. This particular virus manifests as a <username>.exe file which is toggled as a hidden/system file on the CIFS area.

We can set vscan off on the filer and manually remove it, but it seems to keep popping back up...

Does SSE block writing of infected files, or are they only scanned post-write? If the former, then how is this file repeatedly reappearing on the filer?

We are still trying to track down which PC is causing the infection, as it probably has an issue with its local client AV software that needs resolving. This is made more difficult by the fact that it's appearing in a CIFS area where file searches are quite widely used, triggering alerts pertaining to anything searching the folder where it's hidden itself. This results in lots of log hits from clients that are not actually infected!

Currently SSE is set to "Scan and Repair" (as during testing we didn't want it just flying off the handle and deleting files).

If we set this to "scan and repair or delete", will this only treat virus-infected files, or will it also start deleting container violations (that on the whole appear to be valid files)?

regards
Rob


Benc_Smith:

Hi Rob,

For NetApp, yes, the Filer should kick off a scan request if a new file is uploaded, a current file is modified/saved, or if a current file is accessed and the defs it was previously scanned with are outdated. If Scan Engine is configured to "Scan and Repair", that would explain why we are not deleting the file. Though the file should be blocked, and users should not have access to the file.

With NetApp, when a new file is uploaded the Filer locks the file until it receives a verdict (clean/infected) from the scanner. If Scan Engine says to block the file, or says the file is infected, the NetApp Filer will block access to the file. Though the blocked/infected file will remain on the Filer. NetApp leaves it up to Scan Engine to delete infected files. Keep in mind the file has to initially be written to the Filer first before Scan Engine can scan it, but like I mentioned, the file is blocked until the Filer gets a clean verdict from Scan Engine.

Thanks,
Ben

robskij:

Thanks Ben, that's answered in part....

What about the last bit...

"If we set this to "scan and repair or delete" will this only treat virus infected files or will it also start deleting container violations (that on the whole appear to be valid files)"

regards

Rob

Benc_Smith:

Hi Rob,

If we are configured to "scan and repair or delete", Scan Engine will only delete infected files. The only exception is encrypted files. By default, if we run into an encrypted file we will delete it, since we will not be able to scan it. I would normally advise customers to uncheck this setting, but just be aware that because the file is encrypted we cannot do anything with it. The setting is Policies -> Filtering -> Container Handling, under "Encrypted Container Handling". Though for any other container violations, for example max extract time limit, malformed container, etc., Scan Engine will not delete them. Rather, by default, they will just be blocked. Also note that if Scan Engine runs into a scan error, like the Decomposer 17 you reported, we do not delete the file, but again the file is blocked until the Filer receives a clean verdict.

Thanks,
Ben

robskij:

We did originally have the "Delete Encrypted Containers" option enabled, but it seemed to go off on one and start deleting valid .pdf files all over the place.... This also seemed like very strange behaviour as they were not protected or encrypted PDFs.

The switch itself I had overlooked, as the GUI running on 2008 with Java 5 collapsed the views section by default, so I wasn't even aware that there were any other filtering options!

This has now been disabled to prevent further fallout; our estate is full of password-protected/encrypted zips etc...

regards

Rob

Benc_Smith:

Regarding the .pdf file, if you know the name of the file(s), I would suggest checking the Scan Engine log file to see what was logged for that file.

Thanks,
Ben

robskij:

OK, as we have recently re-enabled vscan following an ONTAP upgrade on our filers, this mystery virus has started reappearing....

Fri Oct 14 15:36:57 BST 2011, An infection has been found Event Severity Level : Warning Scan Rule : Repair or delete viruses File name : \\?\UNC\192.168.x.x\ONTAP_ADMIN$\vol\vverylongpathname\username.exe File status : NOT REPAIRED Component name : TEMP_FILE_019AED08 Component disposition : INFECTED Virus name : W32.Changeup Virus ID : 8657 Virus definitions : 20111013.025 Client SID : S-1-5-21-320318436-277146499-3611779707-21529 Client Computer : PC-PCNAME Client IP : 10.x.x.x Scan Duration (sec) : 0.016 Connect Duration (sec) : 0.125 Scan Engine IP address : 192.168.x.x Scan Engine Port number : 0 Uptime (in seconds) : 149315

The scan engine is set to scan and repair or delete... yet all of these log statements mention "NOT REPAIRED"... The file in question does not appear to be in the location mentioned; we have even checked with hidden/system and protected O/S file view enabled...

But it keeps coming back... even after running full client-end AV scans on the PCs in question.

Any ideas... we are running out of ideas...

When this initially popped up about 10 weeks ago, the first 2 PCs we checked were detached and scanned and had a whole load of infections cleaned up.... This doesn't seem to be the case with the current access attempts....

OK, it's a low-risk virus, but it's raising alerts against our operational team, which they are quite rightly becoming a little agitated with. If we can't clear it up then they might be less diligent at responding should another outbreak of a more serious nature ever happen!

I'd appreciate any suggestions....

regards
Rob
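An added example (not from this thread, and not Symantec's or NetApp's code): a small Python triage script that parses single-line Scan Engine infection events in the layout logged above and separates the client that first touched each infected path from the clients that merely hit it later. It follows Ben's description that the Filer requests a scan when a file is first written, so the earliest INFECTED event per path is the best lead on the uploading PC, while search tools and backups that read the blocked file afterwards show up as repeat hits. The field labels are the ones in the logged event; the sample events, host names, IP addresses, path and SID are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Field labels as they appear in the single-line Scan Engine infection event.
FIELDS = [
    "Event Severity Level", "Scan Rule", "File name", "File status",
    "Component name", "Component disposition", "Virus name", "Virus ID",
    "Virus definitions", "Client SID", "Client Computer", "Client IP",
    "Scan Duration (sec)", "Connect Duration (sec)", "Scan Engine IP address",
    "Scan Engine Port number", "Uptime (in seconds)",
]
# Longest labels first so no label is clipped by a shorter one; every label is
# followed by " : ", which is what separates it from the preceding value.
_KEY_RE = re.compile(
    r"\s*(" + "|".join(re.escape(k) for k in sorted(FIELDS, key=len, reverse=True)) + r") : "
)


def parse_event(line: str) -> dict:
    """Split one event line into a dict keyed by the field labels above."""
    header, _, body = line.partition(", ")       # "Fri Oct 14 15:36:57 BST 2011"
    tokens = header.split()
    # strptime cannot parse arbitrary zone names such as BST, so the zone token is
    # dropped; all lines from one engine share it, so ordering is unaffected.
    when = datetime.strptime(" ".join(tokens[:4] + tokens[5:]), "%a %b %d %H:%M:%S %Y")
    parts = _KEY_RE.split(body)                  # [message, label, value, label, value, ...]
    event = {"timestamp": when, "message": parts[0].strip()}
    for label, value in zip(parts[1::2], parts[2::2]):
        event[label] = value.strip()
    return event


def triage(lines):
    """Return (likely_uploaders, hits_per_client) for INFECTED events.

    likely_uploaders maps each infected path to the (computer, ip) of the first
    client seen touching it; hits_per_client counts every INFECTED event per
    computer, which is where noisy file-search clients show up.
    """
    events = [parse_event(line) for line in lines if line.strip()]
    infected = [e for e in events if e.get("Component disposition") == "INFECTED"]
    hits = Counter(e["Client Computer"] for e in infected)
    first_seen = {}
    for e in sorted(infected, key=lambda e: e["timestamp"]):
        first_seen.setdefault(e["File name"], e)
    uploaders = {path: (e["Client Computer"], e["Client IP"]) for path, e in first_seen.items()}
    return uploaders, hits


# ---- constructed sample data (not real log lines) ----------------------------
ALICE_PATH = r"\\?\UNC\192.0.2.10\ONTAP_ADMIN$\vol\share\alice.exe"   # constructed
BOB_PATH = r"\\?\UNC\192.0.2.10\ONTAP_ADMIN$\vol\share\bob.exe"       # constructed


def _event(ts, path, client, ip):
    """Build one constructed event line in the logged layout."""
    return (f"{ts}, An infection has been found Event Severity Level : Warning "
            f"Scan Rule : Repair or delete viruses File name : {path} "
            f"File status : NOT REPAIRED Component name : TEMP_FILE_0001 "
            f"Component disposition : INFECTED Virus name : W32.Changeup "
            f"Virus ID : 8657 Virus definitions : 20111013.025 "
            f"Client SID : S-1-5-21-0-0-0-1001 Client Computer : {client} "
            f"Client IP : {ip} Scan Duration (sec) : 0.016 Connect Duration (sec) : 0.125 "
            f"Scan Engine IP address : 192.0.2.5 Scan Engine Port number : 0 "
            f"Uptime (in seconds) : 149315")


# Deliberately out of time order: the help-desk PC that searches the share
# appears first in the file and most often, but never wrote either file.
SAMPLE_LINES = [
    _event("Fri Oct 14 15:40:01 BST 2011", ALICE_PATH, "PC-HELPDESK", "10.0.0.50"),
    _event("Fri Oct 14 15:36:57 BST 2011", ALICE_PATH, "PC-ALICE", "10.0.0.11"),
    _event("Fri Oct 14 16:02:10 BST 2011", BOB_PATH, "PC-BOB", "10.0.0.12"),
    _event("Fri Oct 14 16:05:33 BST 2011", ALICE_PATH, "PC-BACKUP", "10.0.0.99"),
    _event("Fri Oct 14 16:07:00 BST 2011", BOB_PATH, "PC-HELPDESK", "10.0.0.50"),
]

if __name__ == "__main__":
    uploaders, hits = triage(SAMPLE_LINES)
    for path, (computer, ip) in uploaders.items():
        print(f"first to touch {path}: {computer} ({ip})")
    for computer, count in hits.most_common():
        print(f"{count:3d} INFECTED hits from {computer}")
```

Feed it the real event lines exported from the Scan Engine log (one event per line) and the first-seen table points at the PCs to pull for a client-side clean-up, while the hit counter identifies the search or backup hosts whose repeated reads are only noise. The heuristic assumes the log covers the first write of each path; if the file predates the log window, the earliest entry is merely the earliest reader.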

BenDC:

Not repaired only means it was unable to repair the file. This means it was unable to remove the virus from the file. Also, the file it seems to be having an issue with is a temp file, so it may be gone by the time we attempt to remove it or by the time you attempt to access it otherwise.

MackSRQ:

I'm having the same problem here as well. Has anyone figured out how to completely eliminate this yet?

TSE-JDavis:

The Scan Engine can only scan files uploaded to the NAS. You will need to investigate which client is uploading the virus and clean or reformat it.

MackSRQ:

In my environment I had only 20 infected with this and I used Power Eraser to remove it. Not sure what you would do on a larger scale, but this is what I was able to do.