Endpoint Protection

  • 1.  W32 Silly DC

    Posted Sep 17, 2010 10:37 AM

    Hi all,

    I found out that a file server has been infected with so many instances of the W32 Silly DC virus. There should be approximately 100000 instances. What are the steps that I should take to remove all those instances?

     

    Any help is appreciated.



  • 2.  RE: W32 Silly DC

    Broadcom Employee
    Posted Sep 17, 2010 10:44 AM

    Hi,

    You may need to check that the system is updated with Microsoft patches and Symantec virus definitions. Remove the fileserver from the network until you ensure the system is cleaned (after scanning in safe mode).

    Also, information from this link might be helpful for any threats:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008062705355948



  • 3.  RE: W32 Silly DC

    Posted Sep 17, 2010 10:57 AM

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-071111-0646-99&tabid=3

     

    Thanks for your reply. According to the above URL, I have to disable System Restore. But my virus definitions are up-to-date. What do you advise?



  • 4.  RE: W32 Silly DC
    Best Answer

    Broadcom Employee
    Posted Sep 17, 2010 11:00 AM

    The threats which you posted are worms, which spread across the network. The fileserver might be detecting the threats when an infected machine is trying to copy the threat onto the fileserver. So you may need to ensure all systems are updated with the latest signatures.

     

    You should also be using the IPS module on these systems, which will stop the threats (provided it has the signature).



  • 5.  RE: W32 Silly DC

    Broadcom Employee
    Posted Sep 17, 2010 11:03 AM

    You may also enable the risk tracer to know the source of the infection.



  • 6.  RE: W32 Silly DC

    Posted Sep 17, 2010 11:20 AM

    I noticed on the server that only the antivirus and antispyware features are installed. Proactive and network protection features were not installed. Do you think this is causing so many problems?



  • 7.  RE: W32 Silly DC

    Posted Sep 17, 2010 11:56 AM

    Yes, it is not a good idea to just have AV/AS on any computer, including servers.

    By not having Proactive Threat Protection, you are missing out on the application and device control feature.

    See this:

    http://service1.symantec.com/support/ent-security.nsf/docid/2010050810365948?Open&seg=ent

    Also, you must have NTP too. Intrusion prevention is one of the best features offered by SEP.