This is a little weird...

[reynolwi]

Ok I have a remote workstation at one of my branch sites that mysteriously disables its LAN Connection. The users at that site do not have access to modify LAN Connections so they can't disable it and I am running sophos and have done a complete system scan of that entire network, all the computers and servers and did not find any viruses or trojans. How is this humanly possible that a computer is disabling its LAN connection?

Wm. Reynolds
Premise Communications
Texas Public Safety Solutions

http://www.rrwds.com

http://www.txpubsafety.com

- - - - - - - - - - - - -

Network Error:
Hit any user to continue

 

[Turkbear]

Hi,
One thought ( a wild one I admit) - Is there an anti-virus/anti-spyware program on that workstation that might be set to stop internet/network traffic if a suspicious action/process is detected?





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[xwb]

Yes

Under the properties of the network card, there is a power management setting which is ticked by default. Something like allow the computer to conserve power by switching off the network card. If you can't see the tab, click on the configure button.

 

[reynolwi]

I use sophos for antivirus on all servers and workstations. I had sophos do the deepest system scan on this workstation it took 2 hours cause i had it check EVERYTHING and told it to scan twice. it didnt report back that it found anything and sophos client firewall or sophos antivirs isnt set to stop internet/network traffic because there is no optio for that.

I do not have power management features running on this workstation if i remember right but I will look. all of our workstations stay on 24/7 pretty much so they only power management settings that are on is the turn display off after 10 mins.

Wm. Reynolds
Premise Communications
Texas Public Safety Solutions

http://www.rrwds.com

http://www.txpubsafety.com

- - - - - - - - - - - - -

Network Error:
Hit any user to continue

 

[Sympology]

before leaping down the "it's spyware" option. Change the cable to the pc. Update / reinstall the NIC drivers and check the connection to the switch.

Most people spend their time on the "urgent" rather than on the "important."

 

[goombawaho]

I would change the cable (easy fix), then disable the power management in device manager as mentioned. Then wait and do the drivers if no improvement.

But also look at the firewall/network settings under your sophos.

Finally, never trust one single anti-malware program to find what you might have in terms of bugs. Install and run MalwareByte's Anti-Malware and run that to get a 2nd opinion on malware.

 

[cdogg]

reynolwi,
Realize that the power management settings that are being referred to are the ones located under the network adapter's properties in Device Manager. However, it's not likely to be the issue.

Other things to check:

1. Failed backup routines - can cause the network connection to drop into a disabled state

2. Bad port on the switch

3. Damaged ethernet cable (as already mentioned)

4. Corrupt driver or registry setting


If you get to #4 without any success in resolving the issue, it may be time to reimage the workstation. Do a clean install of Windows. You'll end up wasting more time troubleshooting this as a software issue than you probably will reloading it from scratch.

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Einstein
[tab][navy]For posting policies, click [/navy]here.

 

[tlcscousin]

I assume workstation is a desktop not a laptop.
Try shutting down the screensaver power options set it all to never.

 

[reynolwi]

the workstation is a desktop. the workstation is also located 4 hours away so me physically getting to this machine is not totally easy.

in all honesty i have tried other anti-malware programs but sophos has always found stuff that the others didnt and got rid of it easier. sophos does anti-virus and anti-malware and I have it setup to do on-access scanning when a file is read or written to. it is constantly scanning the computers basically 24/7 and does full scans at 3am every night. we use sophos because of some government contracts and they recommended sophos to us and it has be awesome software.

now as for the cable, i had it replaced a week ago when i replaced the vpn router. i replaced all the network cables when i was there to ensure problems didnt arise. this computer has done this before twice before i replaced everything and the lasttime it did it windows had installed some updates. i checked the computer last night and it did not install any updates recently. the drivers check out and are upto date with their latest release.

Wm. Reynolds
Premise Communications
Texas Public Safety Solutions

http://www.rrwds.com

http://www.txpubsafety.com

- - - - - - - - - - - - -

Network Error:
Hit any user to continue

 

[tlcscousin]

It is not something like a user thinking he should disconnect from the network when he logs off and because they use dialup normally, disables the NIC

 

[reynolwi]

no the users do not have access to disable network cards. they are locked out from the network connections control panel applet. they have broadband internet so they have never used a dialup connection.

Wm. Reynolds
Premise Communications
Texas Public Safety Solutions

http://www.rrwds.com

http://www.txpubsafety.com

- - - - - - - - - - - - -

Network Error:
Hit any user to continue

 

[tlcscousin]

I have seen this happen quite a bit after service pack 3 but i never really looked for a cure as it seemed to go away on its own, possibly a windows update resolved it.
(i am on a help desk and it is customers that were complaining about it. Why they always figure Internet support is supposed to fix all computer issues is beyond me).

 

[BadBigBen]

How is this humanly possible that a computer is disabling its LAN connection?

I've seen networks that turn off computers, and then some that did that for the network cards...


also there are some SP3 installs that have problems with certain types of ROUTERS (older hardware)...

disables its LAN Connection

How, does the NIC disappear or does it just loose IP adresses?


in the former case: throw in a cheap NIC card and retest...

in the latter case: do the following:

Start, Run, CMD to open a command prompt:

In the command prompt window that opens, type the following commands:

Reset TCP/IP stack to installation defaults, type:
netsh int ip reset reset.log

Reset WINSOCK entries to installation defaults, type:
netsh winsock reset catalog

Reboot the machine.

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

 

[Torturednacho]

What type of anti-virus is on the machine? I know that in Symantec there is an option to "Disable LAN" if the virus definitions are more then XXX Days out of date. Just tossing that out there.

 

[reynolwi]

ive said many times we use sophos products for antivirus and antimalware.

in all honesty i have tried other anti-malware programs but sophos has always found stuff that the others didnt and got rid of it easier. sophos does anti-virus and anti-malware and I have it setup to do on-access scanning when a file is read or written to. it is constantly scanning the computers basically 24/7 and does full scans at 3am every night. we use sophos because of some government contracts and they recommended sophos to us and it has be awesome software.

I understand what you are saying about that option in symantec but we stopped using anything symantec years ago because of some problems.

Wm. Reynolds
Premise Communications
Texas Public Safety Solutions

http://www.rrwds.com

http://www.txpubsafety.com

- - - - - - - - - - - - -

Network Error:
Hit any user to continue

 

[reynolwi]

ok it did it again... completely disabled its nic card. i am looking thru the events logs carefully to see if i notice something and i have started a deep full system scan on every drive on that machine with sophos.

Wm. Reynolds
Premise Communications
Texas Public Safety Solutions

http://www.rrwds.com

http://www.txpubsafety.com

- - - - - - - - - - - - -

Network Error:
Hit any user to continue

 

[cdogg]

reynolwi,
Did you miss Ben's suggestion to install a cheap NIC? I understand it's four hours away, so you would likely need to have it shipped to you. Plan on keeping it long enough to troubleshoot. Physical access is becoming more and more of a priority in this situation.

If the end user cannot go without that workstation, then I don't know what to tell you except that a replacement or spare computer will need to be shipped to them first perhaps, so that the problematic one can be worked on. The reality here is that you can quite easily end up wasting days on end troubleshooting this issue remotely hoping that it is software related (it's already been more than a week), and then you find out later that it was a hardware issue.

The money question: Is that worth your time over the cost of shipping?

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Einstein
[tab][navy]For posting policies, click [/navy]here.

 

[cdogg]

By the way, all this "deep" scanning is causing a lot of wear and tear on the drives. You've already done that twice according to an earlier post.