Well, maybe. Let's see if my peers here, or Symantec knows what's up.
About a month ago (MAYBE UNRELATED!) a user in a particular office hit a web site that "infected" his computer. SEP didn't find it, I did manually through remote means, and it appeared the machine was clean.
The office has been experiencing really slow network and web performance. We've noted on the switch (a Cisco 2950) that some of the ports were showing huge amounts of TRANSMIT packets. Our ISP said that at one point we were using 75% of our UPLOAD bandwidth. This is a small office with like 20 computers in it, and only half of those in use at one time.
Well, yesterday a person said they could not log in. The message was the logon service wasn't running. Remote logons failed, RPC failed, etc. Can't even push the RU6 MP2 upgrade because of the lack of logon service.
Today another computer in the same office has the same issue - we started to get nervous and met about it. When we left the meeting (1 hour) FOUR more computers stopped the logon service.
Last week we had an IT person go to that office and run MalwareBytes antimalware and full SEP scans (not at the same time, but you know what I mean). She spent the day there running scans, and installed MBAM and it said "nothing found". Manual checks for hidden stuff came up clean.
However, we know something is up - 6 computers in that office suddenly can't be logged on to, and remote access to them is gone.
Last week when we'd shut down a switch port that was showing a lot of transmit traffic, a few minutes later another port would show large outbound traffic. It was like it moved around. It's not coming down the VPN tunnel, but seems web-bound.
Thoughts? SEP says clean, MBAM says clean!