Guidelines in cleaning virus outbreaks

General guidelines in cleaning virus outbreaks (PE_) using OfficeScan

- 更新於:
- 13 Mar 2020
- 產品/版本:
- 作業系統:
- N/A N/A

Biological viruses operate by attaching themselves to healthy cells (hosts) and using them to propagate. Computer viruses do the same, only that it involves files in your computer. When an infected file is executed, the virus code is also executed infecting other files and sometimes delivering additional payload. This is the reason why viruses spread fast.

These are the most common virus families detected by Trend Micro:

PE_RAMNIT
PE_SALITY
PE_VIRUX
PE_PARITE
PE_Chir
PE_WINDEX
PE_FLOXIF
PE_MOFKSYS
PE_CORELINK
PE_URSNIF

Target files vary from one virus family to another. For example, PE_RAMNIT.DEN-O infects .exe and .dll files while PE_SALITY.RL-O infects .exe and .scr files.

Learn what to do in the event that a virus outbreak occurs in your network.

Apply the recommended settings

Applying the recommended settings offers the best protection against malware. Please refer to the KB article on the best practices in configuring OfficeScan for malware protection.

Temporarily disable the scan exclusion until the outbreak is stopped

There’s a high possibility that scan exclusion maybe preventing OfficeScan from cleaning infected files. Temporarily disable the scan exclusion to ensure that OfficeScan will be able to scan and clean all files/directories including itself.

Log on to the OfficeScan management console.
Go to Agents > Agent Management.
In the Agent Tree, select the OfficeScan Server/Domain/Computer.
Go to Settings > Scan Settings > Real-time Scan Settings.
Uncheck Enable scan exclusion.
Do the same for the other scan types:
- Manual Scan Settings
- Scheduled Scan Settings
- Scan Now Settings
Click Save.

Identify and clean the infection sources

Change the file extension of ATTK from .exe to .com. This will prevent certain viruses like PE_SALITY from infecting it.

Export the Virus/Malware Logs.
Check for infection sources under the Infection Source column.
Clean the infection sources using ATTK and ensure that they have OfficeScan Agent installed

Should you need additional recommendation, submit the Virus/Malware Logs to Trend Micro Technical Support for analysis.

Check for Unmanaged Endpoints

Computers that do not have antivirus software installed are prone to infection. They could potentially compromise other computers in the network.

The Unmanaged Endpoints in OfficeScan can be found under Assessment > Unmanaged Endpoints. It can display computers with the following status:

Managed by another OfficeScan server
No OfficeScan agent installed
Unreachable
Unresolved Active Directory assessment

Run a regular security assessment to check for Unmanaged Endpoints and install OfficeScan agent on unprotected computers.

What to do when OfficeScan fails to clean an infected file

Ensure that you are using specific scan action for Virus. The recommended scan actions are:
- 1st scan action: Clean
- 2nd scan action: Quarantine
Unlike Trojans or Worms which can immediately be deleted or quarantined, the the 1st scan action for Virus should be Clean - OfficeScan will attempt to remove the virus code that was injected into the file. If the 1st scan action is different, ex. delete, then you will not be able to recover the file which may be critical to your system/application.
A bandage pattern maybe required for the cleanup. Submit the infected file to Trend Micro Technical Support for analysis.