7. My Web


I was lucky enough to take care of both desktops and servers. Here's the situation: I had about 150 local users and 150 remote ones (taken care of by people over there, but with personnel changes I became at one point solely in charge of antivirus management for them too), and about 4 local servers and 4 remote ones (same story). Taking care of the file servers wasn't as complicated as it was for the desktops. I figure it is still easier and quicker to do them manually since there are only 8 of them; besides, since your servers are your balls, you want to keep an eye on them when you install software on them. But I did find several little things that gave me a real web, one where no known virus could trip into the network without me knowing about it.

The server version of McAfee supported a feature called McAlert. Basically, this worked by setting up a share on a server where users have write access. McAfee puts a file there that serves as the alert queue, and the server "listens" to that file. You set up your McAfee clients simply by specifying the share path in UNC format in the McAlert configuration window. Whenever VShield (the live scanner) or VirusScan (the on-demand file scanner) trips on a virus or detects virus-like activity, it pipes the information to the file on the server. The message can then be sent to you through various means (SMTP mail, alphanumeric pager, network broadcast, ...). Take the time to look at what kind of message you can send to yourself. The default message is often futile and nearly useless. Check whether you can customize it with variables such as user name, machine name, infected file, virus name, ... The more precise the message you get, and the better you know your users and your systems, the more easily you will be able to determine the severity of the threat. 90% of the time it's no big deal, so you kind of get used to it.

I coupled the effect of this by pointing the log files from all the stations to one single log file (actually 2: one for VShield and one for VirusScan). These log files can be in the same directory as the message-queue file; they do not interact. This is not fiction, this is quite easy if you apply yourself to it. I have tried to explain some of this to some of my co-workers, supposedly my equals in job description and prerequisites, only to be met with a glazed look. More about that later.

So this is the kind of setup I had: all PCs up to date in terms of antivirus software and updated automatically, a quick means of reacting to emergencies, instant knowledge of virus activity by e-mail and pager, and shortcuts to my two log files on my desktop. The log files actually provided me with more information than the e-mail/pager. The alert would tell me the machine name, which told me which building the infected machine was in, along with the time and the virus name. The log files gave the time, the status (Infected, Cleaned, Clean Error, ...), the user name and the full path of the infected file. Here are samples of the two files:

VShield Master Log File Sample

2/19/98 3:50 PM Infected adrichar C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\EICAR.COM EICAR-STANDARD-AV-TEST-FILE
2/19/98 3:51 PM Clean Error adrichar C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\EICAR.COM EICAR-STANDARD-AV-TEST-FILE
2/19/98 3:51 PM Infected adrichar C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\EICAR.COM EICAR-STANDARD-AV-TEST-FILE
2/19/98 4:23 PM Infected rwyllie C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\EICAR.COM EICAR-STANDARD-AV-TEST-FILE
2/19/98 4:23 PM Clean Error rwyllie C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\EICAR.COM EICAR-STANDARD-AV-TEST-FILE
2/19/98 4:23 PM Infected rwyllie C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\EICAR.COM EICAR-STANDARD-AV-TEST-FILE
2/19/98 4:24 PM Clean Error rwyllie C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\EICAR.COM EICAR-STANDARD-AV-TEST-FILE
2/19/98 4:24 PM Infected rwyllie C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\EICAR.COM EICAR-STANDARD-AV-TEST-FILE
2/23/98 7:42 AM Infected fserrano C:\WINDOWS\TEMP\CONTRAT (1).TXT CAP
2/23/98 7:43 AM Cleaned fserrano C:\WINDOWS\TEMP\CONTRAT (1).TXT CAP
2/23/98 7:43 AM Infected fserrano C:\CONTRAT-FRANCE CAP
2/23/98 7:43 AM Cleaned fserrano C:\CONTRAT-FRANCE CAP
2/23/98 9:27 AM Infected fserrano C:\WINDOWS\TEMP\CONTRAT (1).TXT CAP
2/23/98 9:37 AM Cleaned fserrano C:\WINDOWS\TEMP\CONTRAT (1).TXT CAP
2/23/98 9:37 AM Infected fserrano C:\WINDOWS\TEMP\CONTRAT.TXT CAP
2/23/98 9:37 AM Cleaned fserrano C:\WINDOWS\TEMP\CONTRAT.TXT CAP
2/23/98 9:51 AM Infected wmsippel C:\MY DOCUMENTS\CONFID-1.DOC CAP
2/25/98 11:47 AM Infected smaloney C:\WINDOWS\TEMP\MOVINGPACK.DOC CAP
26/02/98 8:59 AM Infected sirianni A:\ NYB
26/02/98 8:59 AM Cleaned sirianni A:\ NYB
26/02/98 9:03 AM Infected sirianni A:\ NYB
26/02/98 9:07 AM Infected sirianni A:\ MONKEY_B

VirusScan Master Log File Sample

2/23/98 1:31 PM Scan Started danfair On Demand Scan
2/23/98 1:31 PM Scan Complete danfair On Demand Scan
2/23/98 4:56 PM Scan Started rwyllie On Demand Scan
2/23/98 5:02 PM Scan Complete rwyllie On Demand Scan
2/24/98 9:35 AM Scan Started gbergogn On Demand Scan
2/24/98 9:35 AM Scan Complete gbergogn On Demand Scan
2/25/98 7:48 AM Scan Started ldollimo On Demand Scan
2/25/98 7:48 AM Scan Complete ldollimo On Demand Scan
2/25/98 9:55 AM Scan Started amorcom On Demand Scan
2/25/98 10:06 AM Scan Complete amorcom On Demand Scan
25/02/98 1:08 PM Scan Started KDEGRACE On Demand Scan
25/02/98 1:08 PM Infected KDEGRACE C:\PROGRAM FILES\CAERE\OMNIPAGEPRO80\OpFor70.Dot PROBABLE MACRO (No Remover Available)
25/02/98 1:08 PM Scan Complete KDEGRACE On Demand Scan
2/25/98 5:38 PM Scan Started lague On Demand Scan
2/25/98 5:38 PM Scan Complete lague On Demand Scan
2/26/98 7:22 AM Scan Started rwyllie On Demand Scan
2/26/98 7:28 AM Scan Complete rwyllie On Demand Scan
26/02/98 10:37 AM Scan Started KDEGRACE On Demand Scan
26/02/98 10:38 AM Infected KDEGRACE C:\PROGRAM FILES\CAERE\OMNIPAGEPRO80\OpFor70.Dot PROBABLE MACRO (No Remover Available)
26/02/98 10:38 AM Scan Complete KDEGRACE On Demand Scan
26/02/98 10:40 AM Scan Started KDEGRACE On Demand Scan
26/02/98 10:49 AM Infected KDEGRACE C:\Program Files\Caere\OmniPagePro80\OpFor70.Dot PROBABLE MACRO (No Remover Available)
26/02/98 10:51 AM Scan Complete KDEGRACE On Demand Scan

This is as concise as you could get. When you know your people and where they work, and you see a particular virus spreading in a particular location, it doesn't take long to get the people concerned on the phone right away. In the event that the virus is detected but not cleaned, you may be able to stop the infection right there, dealing with only one machine instead of 30 (or 300, or 3000). Being able to pinpoint the file location also helps a great deal. Even if the user is far away and has never seen you before, the fact that you talk to them as if you were right there over their shoulder protecting them removes any computer fear, even in the most techno-impressionable personae. Some sort of good Big Brother. You ask them about the origin of said file, and suggest the proper action. If the file came by e-mail, then immediately mail back to the originator saying that the attached file is infected. Reply to all if there were multiple recipients. Make sure to tell them to upgrade to a more recent version of their software. And when you do this, remind your users that they should send such messages on your request only. Users can actually do all that: explain it to them over the phone, calmly, and let them reply to their own mail. You don't want to put your fingers in other people's mail. That's like putting your fingers in the brown stuff.

OK, if the infected file came on a diskette, or was already on the hard disk before, of course you want to scan all hard drives on the infected PC. Scan all related diskettes (don't go on a scanning frenzy just for one diskette, but if the user says "It came with these", you want to scan "these"). This is a bit trickier. Even though more and more people use computers every day as part of their jobs, that doesn't necessarily make them one bit more computer-literate. So giving instructions over the phone on how to start a scanning job can be done, but it can sometimes be cumbersome. If the user happens to be on your floor, or in your building, give yourself a chance and go do it yourself. And you'd better take the stairs too; I'm sure you won't mind the extra exercise.

So we can see from these log files that I have been playing a few times with the EICAR test file (this is provided to simulate the presence of a virus so you can test antivirus configurations). We see that some people are stuck with a macro virus (Concept, CAP and Laroux are some of the most persistent viruses I have seen), and someone brought some old diskettes back to the office, infected with "oldies" like NYB and Monkey_B. VirusScan also detected a possible macro infection, but couldn't match it with any known virus. It turned out that the macro was legitimate. Also, some expected entries do not show up, namely the Cleaned entries that should complete the pair with Infected for wmsippel, smaloney and sirianni. Some entries obviously get lost in the void, probably colliding with their predecessor and dying on the shock. Networking can be so cruel. With experience, you get to know which viruses actually get cleaned even if you don't have full proof. Common sense here indicates that the second diskette infected with NYB should have been cleaned if the first one was, right? So either a message is simply missing, or the second diskette was scanned on a different machine that was not fully up to date. From my e-mail/pager message, I knew that both diskettes were scanned on the same machine. So the message must have been lost. Just to make sure, I actually checked (I had plenty of time, since it was a quiet day, as usual), and all the diskettes had actually been cleaned. The counters in VShield proved me right. These samples don't show an example of it, but I would sometimes get an alert about a temp file in c:\windows\temp. That told me that the infected file was an attachment received in Lotus Notes. If instead the file was in c:\progra~1\netscape\..., then you know the attachment is in Netscape. This may sound trivial, but again it is really useful when dealing with people.

Some people were using both mail clients on their machine, so when you call them and say: "Hi [user's real name here], I am calling you about a file attachment you received about two or three minutes ago in your Lotus Notes account; it is/was infected with a virus. Could you please contact...", to a lot of people this seems as if I had told them down to the exact penny how much money they have in their pockets.
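As an added example (not the author's code, and nothing McAfee shipped), here is a small Python parser for the VShield master log layout shown above. It splits each record into its fields, copes with the two date layouts that appear in the same sample (2/23/98 next to 26/02/98), applies the author's path rules of thumb (A:\ means a diskette, c:\windows\temp means a mail attachment), and lists the Infected records that are never followed by a Cleaned one, which is exactly the gap the author had to chase by hand. The sample log lines and the assumption that two-digit years mean 19YY are constructed for the example.

```python
import re
# Constructed sample in the VShield master log layout shown on this page (date,
# time, status, user, path with spaces, virus); both date layouts are included.
SAMPLE_LOG = """\
2/23/98 9:27 AM Infected fserrano C:\\WINDOWS\\TEMP\\CONTRAT (1).TXT CAP
2/23/98 9:37 AM Cleaned fserrano C:\\WINDOWS\\TEMP\\CONTRAT (1).TXT CAP
2/23/98 9:51 AM Infected wmsippel C:\\MY DOCUMENTS\\CONFID-1.DOC CAP
26/02/98 8:59 AM Infected sirianni A:\\ NYB
26/02/98 8:59 AM Cleaned sirianni A:\\ NYB
26/02/98 9:03 AM Infected sirianni A:\\ NYB
"""

LINE_RE = re.compile(r"^(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{1,2}:\d{2} [AP]M) "
                     r"(?P<status>Infected|Cleaned|Clean Error) (?P<user>\S+) (?P<path>.+?) (?P<virus>\S+)$")

def source_hint(path):
    """Where the file came from, using the page's own rules of thumb."""
    p = path.upper()
    if p.startswith("A:\\"):
        return "diskette"
    if p.startswith("C:\\WINDOWS\\TEMP\\"):
        return "mail attachment (Lotus Notes temp directory)"
    return "local file"

def parse_line(line):
    # Anything that does not match the record layout is ignored rather than
    # trusted: every station can write to this share.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    a, b, yy = (int(x) for x in rec["date"].split("/"))
    # Stations logged M/D/YY or D/M/YY depending on locale; a first field
    # above 12 can only be a day. Assumption: two-digit years mean 19YY.
    month, day = (b, a) if a > 12 else (a, b)
    rec["ymd"] = (1900 + yy, month, day)
    rec["source"] = source_hint(rec["path"])
    return rec

def unresolved_detections(log_text):
    """(user, path, virus) for each Infected record with no later Cleaned
    record for the same file: the gaps the author had to verify by hand."""
    pending = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["user"], rec["path"].upper(), rec["virus"])
        if rec["status"] == "Infected":
            pending[key] = pending.get(key, 0) + 1
        elif rec["status"] == "Cleaned" and pending.get(key):
            pending[key] -= 1
    return sorted(k for k, n in pending.items() if n)
```

Run against the real master log, the result is the short list of machines and files worth a phone call; a Clean Error record deliberately does not close an Infected one, so the EICAR sequences in the sample above would also stay on the list.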
