SSE - finding a Virus that keeps reappearing on CIFS.
Following recent deployment of SSE in my company we have discovered a virus that even after successful deletion still keeps creeping back onto the same place in the CIFS shares.
The virus is W32.Changeup; this particular virus manifests as a <username>.exe file which is toggled as a hidden/system file on the CIFS area.
We can set vscan off on the filer and manually remove it, but it seems to keep popping back up...
Does SSE block writing of infected files, or are they only scanned post-write? If the former, then how is this file repeatedly reappearing on the filer?
We are still trying to track down which PC is causing the infection, as it probably has an issue with its local client AV software that needs resolving. This is made more difficult by the fact that it's appearing in a CIFS area where file searches are quite widely used, triggering alerts pertaining to anything searching the folder where it's hidden itself. This results in lots of log hits from clients that are not actually infected!
Currently SSE is set to "Scan and Repair" (as during testing we didn't want it just flying off the handle and deleting files).
If we set this to "scan and repair or delete", will this only treat virus-infected files, or will it also start deleting container violations (that on the whole appear to be valid files)?