Jason Johanknecht

asked on

Small Business Server 2008 virus scan options

We had to power up an old server, which had Symantec Cloud v15 (I was able to get definitions updated), and a scan reported: No malicious / virus detected. A user needed to access an old program that is no longer in use, and that requirement has been filed. However, our Checkpoint router detected infected computers on that day (the SBS 2008 and the computer that needed to connect). Malware was detected on the workstation and removed (an Emotet variation detected by the Checkpoint UTM, and a generic Trojan by malware scanners, not Symantec). The user is not certain if he opened an e-mail that may have contained something or clicked on a website link. The MS Malicious Software Removal Tool will not run on the SBS 2008 for some reason, even though it is listed as a supported OS for the tool. I have run Emotet scanners and found nothing on the workstation. The SBS 2008 does not have any open connections from the outside world.
ASKER CERTIFIED SOLUTION
Kimputer

Jason Johanknecht

ASKER

The server never used any of the Small Business Server programs like Exchange. I have only recently gained this client, and nobody knows why SBS was chosen. It only ran an old database program (not SQL). They only have 3 client workstations, so CAL cost wasn't a concern. LOL
The current server and workstations are fully licensed Symantec Endpoint. I will be turning the server off again real soon, but I am looking for clues as to what I am actually dealing with.
Kimputer

You may not need Exchange, but it's installed by default. It's probably still active in some form.
As you still got infected with Symantec Endpoint active, it's a sign it's not working properly. So do the offline virus scan anyway.
The only solution that would be truly acceptable is to put the SBS 2008 server on its own network (simple switch) with a single workstation that only connects to the SBS server. I would not connect it to the Internet. Then scan the server/workstation with several tools, including Malwarebytes. BleepingComputers.com also offers a number of free tools looking for rootkits etc.

But the SBS 2008 server is end of life/end of support. Get a new solution in place for the data from the old program and shut it down.
The server had not been in service for over a year. The cloud version was updated first thing before the user connected, but it still doesn't detect anything. Only the UTM detects activity on that server as Emotet. Exchange, SQL, etc. software does come installed, but it was intentionally removed by the previous IT. I will be turning off the SBS server today if no further information can be collected from it. It was decommissioned long ago.

So far none of the utilities/scanners will run on that server.  I am going to contact Checkpoint today to see if they can provide any thoughts specific to their detection.
You don't need to place the workstation on the same VLAN as the SBS, as it might get infected. Instead, you can place the SBS 2008 on a separate VLAN and allow only TCP port 3389 (or 443, used by RWW, if Remote Web Workplace will get the job done) to the SBS, and nothing initiated from it should be allowed to enter the company network. If placing the SBS on a separate VLAN is not an option (e.g. a small company), you can place a SOHO router in front of it, with the SBS on the public interface.

In addition, I would not allow mapping local drives with RDP, so the user shouldn't be allowed to download anything to the local machine: whatever happens on the SBS 2008 stays on the SBS. If data needs to be transferred, it can be saved to a flash drive connected to the SBS and then inspected by you, e.g. scanned.
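
To make the isolation described in that post concrete on the server side, here is an added example (not from the thread or any of its participants) of the equivalent host-level settings applied on the SBS 2008 itself: a default-deny Windows Firewall policy that allows only TCP 3389/443 inbound from one workstation and blocks everything the server initiates, plus the Terminal Services policy values that turn off RDP drive, clipboard, printer, COM-port and plug-and-play redirection. It uses netsh advfirewall and reg, which Server 2008 has (the NetSecurity PowerShell cmdlets do not exist on that OS). The workstation address 192.168.50.10 and the AV update host 203.0.113.10 are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run as administrator on the SBS 2008.
# Assumptions (hypothetical): the one allowed workstation is 192.168.50.10 and
# the server has no other legitimate traffic while it is quarantined.

$Workstation = "192.168.50.10"   # hypothetical workstation that may RDP in

# 1. Default-deny in both directions on every profile. "blockoutbound" is what
#    enforces "nothing initiated from the SBS"; replies to the allowed inbound
#    RDP/RWW connections still pass because the firewall is stateful.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Allow RDP (3389) and RWW (443) inbound only from that one workstation.
#    Apply steps 1 and 2 in the same script so an active RDP session is not
#    cut off before its allow rule exists.
netsh advfirewall firewall add rule name=QuarantineRDP dir=in action=allow protocol=TCP localport=3389 remoteip=$Workstation
netsh advfirewall firewall add rule name=QuarantineRWW dir=in action=allow protocol=TCP localport=443 remoteip=$Workstation

# 3. Optional: if definition updates are wanted while quarantined, open
#    outbound HTTPS to the AV vendor only (hypothetical address). Otherwise
#    leave outbound fully blocked.
# netsh advfirewall firewall add rule name=QuarantineAVUpdate dir=out action=allow protocol=TCP remoteport=443 remoteip=203.0.113.10

# 4. Disable RDP device redirection so nothing on the server can be pulled
#    back to the client. These are the machine-level Terminal Services policy
#    values (the same ones the GPO editor sets); they apply to new sessions.
$TS = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg add "$TS" /v fDisableCdm      /t REG_DWORD /d 1 /f   # drive redirection
reg add "$TS" /v fDisableClip     /t REG_DWORD /d 1 /f   # clipboard
reg add "$TS" /v fDisableLPT      /t REG_DWORD /d 1 /f   # printer redirection
reg add "$TS" /v fDisableCcm      /t REG_DWORD /d 1 /f   # COM port redirection
reg add "$TS" /v fDisablePNPRedir /t REG_DWORD /d 1 /f   # plug-and-play devices

# 5. Verify what is now in force.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all | Select-String "Quarantine"
reg query "$TS"
```

Treat this as a belt-and-braces addition to the separate VLAN or SOHO router the post recommends, not a replacement for it: a host that is already compromised can turn its own firewall off, so the upstream control is the one that actually contains it. Note also that SBS 2008 is a domain controller, so once outbound is blocked the workstation should be a standalone machine rather than one that depends on the SBS for logon, DNS or time.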

While none of these responses answered the question, only Kimputer followed the actual question.  The server was taken down again, and no virus was found.  Since the removal of the virus on the workstation, I have not seen any events in the UTM relating to this.  

The only thing I was looking for was a virus scanner that could still run on SBS 2008.  Please add comments if you know of any for others in the future.  Symantec Cloud v15 works and Kaspersky removal tool worked.  All others I tested failed.