I also recall an issue with Exchange on the newer version of CE dealing with
"Tombstones" created by Exchange but this involved old mail accts. popping
back up and being unavailable to Real Protect since it could not log in to
the acct.

Tom, have you looked at the info store on the exchange server(s) for this
user's acct.? There could be a residual of a file (in a temp folder
somewhere) that keeps creating the alert. I have seen evidence of Exchange
regenerating old mail that had already been delivered to the private folder.

I don't know that a definition rollback will do it but it is definitely
worth a shot. Without a doubt having the user blow out the temp folders
(including those under :\WINNT\Temporary Internet Files\Content IE5\ may
prove useful since IE and Exchange both make multiple temp images of files.
You might also want to peek into the registry (since there was an actual
infection) and the ini files.

One thing to note is that a scanner may report several instances of a
virus/worm what-have-you but it will take repeated scans/cleans to actually
remove the bugger out. Essentially, if a malware is detected run scans
until nothing reports at all (making sure to use the latest signatures).

Regards,
Rob

-----Original Message-----
From: Patrick Andry
To: O'Reilly, Tom
Cc: ''focus-mssecurityfocus.com' '
Sent: 9/24/01 8:13 AM
Subject: Re: Quick Norton AV question

O'Reilly, Tom wrote:

>Since we're taking Norton here maybe someone can help me. I use Norton
Corp
>Ed 7.51 on my clients and I have certain clients that always seem to
have a
>status of virus found in SSC. I reset the status, but soon they end up
>virus found again. If I do a complete scan of their hard drive
including
>the quarantine from my machine they have no infected files. Also the
log
>will show the virus being found several times with the action being
left
>alone in every instance. I find this weird, because I have clean as
the
>primary action and quarantine as the secondary so I don't understand
why it
>could be left alone. I search their hard drive for the file listed and
it
>isn't there anywhere. What am I missing here?
>
>Thanks,
>Tom
>

I have run into this also. First thing I do is roll back the virus
definition files. If this doesn't work, I have the user clear his
temporary internet files, empty his e-mail (We run Exchange, and if the
user has his e-mail open, I get two alerts, one for his machine, one for

the server), and reboot. If the message still keeps showing up, I
start monitoring his web-surfing. NAV can pick up virus code from
visited web sites, and I had one case where one of my users decided he
would start researching vb viruses on company time. Every time he
checked out source, NAV flagged it.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]