virus got through the network, infected one pc and put us on the blacklist
Posted on 2008-10-17
On Tuesday, one of my sites that I look after got infected with a number of viruses. Specifically, just one system was infected, but after the virus came in, it started running some kind of spam engine. When I was notified by the user that something strange was going on, I immediately pulled the network cable. There were hundreds of Symantec message send errors on the screen, and there must have been a large number that got sent out, because shortly after that the users started getting some non-delivery emails on some of the messages that they were sending out.
Anyway, all the computers are running the same version of SAV v10.0, including the Windows 2003 server. The server has the workstations locked down to prevent disabling of the services. We are running our in-house email using Exchange 2003, and the SAV is also configured for that. Updates are done every 4 hours.
The users are running the same version of antivirus. This particular PC is also running the latest version of Spybot, with TeaTimer in the tray.
So with these two programs running, I would expect that the user should not have had any issues with viruses, but she did. It started when she opened an attachment regarding a plane ticket, E-ticket.zip. That is when her computer started to go crazy. (Someone in her office had booked her a plane ticket to Ottawa and she thought that this was the confirmation, an innocent mistake.)
This morning, I loaded an evaluation copy of GFI MailSecurity. GFI MailEssentials is already installed. With the GFI MS, it is supposed to stop all viral attachments before they hit the users' email.
I have all the log files from the infection if you would like to see them, but the user's computer is all cleaned up.
So my questions are:
1. With what she has running on her PC, should the antivirus program have caught this before it was too late?
2. Should I be looking at a different corporate program?
3. This is the 2nd time that I have seen this happen, so what can I do to reduce the possibility of this happening again?
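For question 3, the control that would have stopped this lure is a gateway attachment check that looks inside zip archives rather than only at the outer file name. The Python below is an added illustration of that kind of check, not code from GFI MailSecurity or any product named above; the sample message, addresses and the zip member name inside it are constructed here for the demonstration.

```python
import io
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Extensions that should never reach a workstation as a mail attachment, zipped or not.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

def suspicious_zip_members(zip_bytes):
    """Return member names with an executable (or disguised double) extension,
    e.g. 'E-ticket.pdf.exe'. A corrupt archive is reported rather than passed."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(EXECUTABLE_EXTS):
                    hits.append(name)
    except zipfile.BadZipFile:
        hits.append("<unreadable zip>")
    return hits

def scan_message(raw_bytes):
    """Walk every attachment of an RFC 822 message; return a list of (filename, reason)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        # Check the content, not just the name: a zip is recognised by its PK header too.
        if fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            members = suspicious_zip_members(payload)
            if members:
                findings.append((fname, "zip contains executable: " + ", ".join(members)))
        elif fname.lower().endswith(EXECUTABLE_EXTS):
            findings.append((fname, "executable attachment"))
    return findings

def build_sample_message():
    """Constructed sample: a ticket lure carrying E-ticket.zip with a .exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("E-ticket.pdf.exe", b"MZ placeholder, not a real program")
    m = EmailMessage()
    m["From"] = "bookings@example.invalid"   # constructed address
    m["To"] = "user@example.invalid"         # constructed address
    m["Subject"] = "Your e-ticket"
    m.set_content("Please find your ticket attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="E-ticket.zip")
    return m.as_bytes()
```

`scan_message(build_sample_message())` flags the archive because of the `.exe` member even though the attachment name itself looks harmless.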