Infected With Conficker A and D - Unable to get rid of it

Hello,

We have been using Sophos Enterprise Console and Endpoint Security for some time, protecting all of our domain computers. However, for the last few weeks we have been overrun by the Conficker-A and Conficker-D viruses. Sophos is picking them up and saying it's cleaned them, but they keep coming back on the same machines and even appearing on new machines. We have followed all of Microsoft's instructions and the PCs have the hotfix KB958644, and we have also tried different ways of removing the virus, but it is still being persistent. Has anyone had the same problem, and if so, how can we get rid of it once and for all?

Many Thanks

James

  • Countless times I've come across this in our clients' networks.

    I once had a client who 'reinstalled' Sophos (against recommendation) on all the machines on his network to ensure all machines had Sophos (+-200 machines).

    When he eventually listened, he realized he had ten machines without Sophos on them. They were his CCTV machines.

    They had picked this up on their firewall/proxy but didn't take too much note.

    Tracking is the way to go for a scenario like this. I haven't tried Wireshark yet, but we have used others.

    We used a free program, 'Advanced Port Scanner', to scan for ports 8192, 8193 and 8194 on his IP ranges.

    All the machines that didn't respond either didn't have Sophos or it wasn't reporting (complying with the policy) correctly.

    (This is important, as stated on the site.)
    (It took under 2 minutes to list the machines.)

    If you have AD account lockouts there is a procedure on the Microsoft website, but there is fine print.
    We used a program called 'Account Lockout Examiner' - it's free as well. You don't need to install it on the server either :)

    This will show you which account is locked out (gives you the option to unlock - bonus) and which machine locked it out.

    Between the 2 above programs we could narrow down the search for the ...... undesired (for polite term) machine from more than one day to 30 minutes.

    Unfortunately it doesn't stop there. There will be other threats like this in the future.

    Ensuring Sophos is on every machine in the network will help to get eyes on what is happening.

    This might be an excellent time to install NAC too. :)

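The port sweep described in the reply above, as an added example that is not the poster's tool, Sophos code, or part of the original thread: it connects to TCP 8192, 8193 and 8194 (the ports named in the reply) on every address in a range and lists the hosts that answer on none of them, which are the candidates for a missing or non-reporting agent. The CIDR used as the default target is a placeholder; run it only against ranges you administer.

```python
"""List hosts in an IP range that answer on none of the Sophos RMS ports
(8192-8194, as named in the thread), so they can be checked for a missing
or non-reporting agent. Added example; not Sophos code or the poster's tool."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

RMS_PORTS = (8192, 8193, 8194)  # the ports the poster scanned for


def open_ports(host, ports=RMS_PORTS, timeout=0.5):
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                continue  # refused, filtered or host down: count as closed
            found.append(port)
    return found


def find_unmanaged(hosts, ports=RMS_PORTS, timeout=0.5, workers=64):
    """Return the hosts that accept connections on none of `ports`.

    Such a host either has no Sophos agent or its agent is not reporting;
    it is a candidate for follow-up, not a confirmed infection."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: open_ports(h, ports, timeout), hosts)
    return [h for h, ports_open in zip(hosts, results) if not ports_open]


def hosts_in(cidr):
    """Expand a CIDR such as '192.168.1.0/24' into host address strings."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


if __name__ == "__main__":
    import sys
    # Placeholder range; pass your own management subnet as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    for host in find_unmanaged(hosts_in(target)):
        print(host)
```

Cross-check the output against the Enterprise Console's managed-computer list: a host that appears here but is absent from the console is the one the reply describes.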