
  • 1.  Possible Virus on Domain controller

    Posted Jan 13, 2010 06:55 AM
    Hi there

    I came into work this morning to find out that not 1 or 2 users got locked out of their Windows accounts but every single user. I checked the domain controller and saw that everyone had been locked out. I unlocked them all and then not 5 minutes later people started getting locked out again. I tried doing various different scans with anti-virus products, including Endpoint Protection, and I cannot seem to find anything whatsoever. I am officially stuck. I assume it is a virus, as it has been going on all day.

    Please may someone help me out urgently.

    Thanks


  • 2.  RE: Possible Virus on Domain controller

    Broadcom Employee
    Posted Jan 13, 2010 07:15 AM
    Looks like a Downadup symptom.
    You need to install the MS08-067 patch on all the systems in the network.

    http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648



  • 3.  RE: Possible Virus on Domain controller

    Posted Jan 13, 2010 07:19 AM
    I thought it's a possibility that it might be that specific virus, but I'm not sure. Do you reckon the patch will be able to resolve that? And would I have to install it on every single machine that has Endpoint Protection?

    Thanks


  • 4.  RE: Possible Virus on Domain controller

    Broadcom Employee
    Posted Jan 13, 2010 07:23 AM
    Yes, this is a Windows vulnerability; having only AV does not help in many of the cases, because there would be systems in the network which might have been updated or where AV is not functioning.



  • 5.  RE: Possible Virus on Domain controller

    Posted Jan 13, 2010 07:24 AM


  • 6.  RE: Possible Virus on Domain controller

    Posted Jan 13, 2010 07:32 AM
    @pete - Well, as I said, I ran 2 different anti-viruses and still did a complete network scan and full update... and still did not find anything.

    @AravindKM - What would the best possible solution be to actually locate and eradicate this virus, if it is one, as I cannot find anything... Either this virus is well hidden, or it is there and something just isn't right, because I have to unlock people's accounts every 5 minutes and it's frustrating.


  • 7.  RE: Possible Virus on Domain controller
    Best Answer

    Posted Jan 13, 2010 08:55 AM
    Hi guys

    Thanks for the assistance. I managed to resolve the issue using a program called Netwrix Account Lockout Examiner. When it's installed on the actual domain controller, you input a locked username, like Administrator for example, and the program refreshes and gives you the exact location of the attacking source. Works like a charm. Then you just go to that machine, scan it, and eradicate the virus from there with your AV.

    Thanks
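
The lookup described in the answer above (locked account in, source machine out) can be approximated from the domain controller's own account-lockout events (event ID 4740 on Windows Server 2008 and later). This is an added example, not part of the original post and not Netwrix's code; it assumes those events were exported to CSV, and the column names, accounts and host names are constructed for illustration. It also goes one step beyond the single-account lookup by flagging any machine that locks out several different accounts within a short window.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column, account and host names are assumptions.
SAMPLE_EXPORT = """time,locked_account,caller_computer
2010-01-13 06:41:02,jsmith,WKS-014
2010-01-13 06:41:05,mbrown,WKS-014
2010-01-13 06:41:09,administrator,WKS-014
2010-01-13 06:52:11,kpatel,WKS-031
2010-01-13 06:43:48,jsmith,WKS-014
"""

def parse_events(text):
    """Parse the CSV export into time-sorted (time, account, caller) tuples."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, row["locked_account"].lower(), row["caller_computer"].upper()))
    return sorted(events)

def sources_for_account(events, account):
    """Lockout count per caller computer for a single locked account."""
    counts = defaultdict(int)
    for _, acct, caller in events:
        if acct == account.lower():
            counts[caller] += 1
    return dict(counts)

def mass_lockout_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """Callers that locked out >= min_accounts distinct accounts within one window."""
    by_caller = defaultdict(list)
    for ts, acct, caller in events:
        by_caller[caller].append((ts, acct))
    flagged = {}
    for caller, items in by_caller.items():
        start, best = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window start forward
            best = max(best, len({a for _, a in items[start:end + 1]}))
        if best >= min_accounts:
            flagged[caller] = best
    return flagged

if __name__ == "__main__":
    events = parse_events(SAMPLE_EXPORT)
    print(sources_for_account(events, "jsmith"), mass_lockout_sources(events))
```

A single host appearing in `mass_lockout_sources` is the machine to isolate and scan first; a host that only ever locks out its own user is more likely a mistyped or stale password.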