
Tracking the source of a virus

Status
Not open for further replies.

licarse

IS-IT--Management
Sep 22, 2005
65
US
Hi,

Something strange is happening on our LAN. Suddenly, some computers (including mine) started to detect some other computer(s) trying to infect them. Infections haven't been successful, as Norton always deletes security risks/viruses.

However, it's annoying that whenever a computer detects a virus, users start to get anxious and think that their computers were infected. The typical scenario is this:

1. Computer A says that a virus has been detected (for instance, a trojan, a virus, etc. in the hard disk) and that the risk has been eliminated.

2. A technician checks the computer. No virus is found.

All computers in the network are up-to-date with security patches (all running XP SP2), and virus definitions are also up-to-date.

My only guess is that maybe one (or maybe more, but it is not likely) computer got somehow infected, and it is trying to infect others. Is there any way to trace the source easily, like using some kind of software?
 
Is this network on a Windows domain, or is it just a small network of PCs in a workgroup? I'm sure that'll make a difference. I would think that there are logs kept on the domain server somewhere that would keep track of that sort of thing, or that it could be enabled.

Also, just in case, you are aware that SP3 is the latest service pack from MS, right? I know that corporations cannot always be up to the minute updated to the service packs due to concerns about issues with all the various applications across various PCs, but if that is no concern, you might want to make sure all PCs are updated to SP3.

--

"If to err is human, then I must be some kind of human!" -Me
 
Thanks for your prompt reply kjv1611.

Yes, it is a Windows domain, running on Windows Server 2003.

Domain logs are not showing up anything abnormal... that's why I wanted to get some advice on software for tracking the source.

And yes, I'm aware of SP3, but as you said, we can't install it right now... however, all other patches are already installed on all PCs and servers.
 
Set up on a spare machine, let it record ALL the local network traffic.

When the next alert happens, you can correlate that with the recorded network traffic, and hopefully figure out who's sending the problem data which triggers the virus scanners.



--
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
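The correlation step suggested above, as an added example that is not part of the thread: given the alert times copied from each machine's AV log and the flow records exported from the capture, it lists which hosts talked to the alerting machine just before each alert and reports the one present before every alert. Host names, timestamps and the 15-second window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): one AV alert per line,
# as a technician would note it from each machine: time, reporting host.
ALERTS = """\
2005-09-22 09:14:05 PC-A
2005-09-22 09:31:48 PC-C
2005-09-22 10:02:13 PC-A
"""

# Constructed flow records exported from the capture on the spare machine:
# time, source host, destination host, destination port.
FLOWS = """\
2005-09-22 09:13:58 PC-B PC-A 445
2005-09-22 09:13:59 PC-D PC-A 139
2005-09-22 09:31:40 PC-B PC-C 445
2005-09-22 09:40:00 PC-A PC-FILESRV 445
2005-09-22 10:02:05 PC-B PC-A 135
2005-09-22 10:02:09 PC-E PC-A 80
"""

FMT = "%Y-%m-%d %H:%M:%S"

def parse_lines(text, fields):
    """Parse 'date time field1 field2 ...' lines into (datetime, fields...)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], FMT)
        rows.append((ts, *parts[2:2 + fields]))
    return rows

def suspects(alerts_text, flows_text, window_s=15):
    """Count, per source host, how many alerts it preceded with traffic
    to the alerting machine within window_s seconds (assumed window)."""
    alerts = parse_lines(alerts_text, 1)
    flows = parse_lines(flows_text, 3)
    window = timedelta(seconds=window_s)
    tally = Counter()
    for when, victim in alerts:
        seen = {src for ts, src, dst, _port in flows
                if dst == victim and when - window <= ts <= when}
        tally.update(seen)
    return tally

def likely_source(alerts_text, flows_text, window_s=15):
    """Hosts that contacted the victim before every single alert."""
    n_alerts = len([l for l in alerts_text.splitlines() if l.strip()])
    tally = suspects(alerts_text, flows_text, window_s)
    return [host for host, c in tally.most_common() if c == n_alerts]

if __name__ == "__main__":
    print(suspects(ALERTS, FLOWS))
    print("present before every alert:", likely_source(ALERTS, FLOWS))
```

Hosts that merely appear once (PC-D, PC-E) are ordinary background traffic; the host that precedes every alert is the one to pull off the network and examine first.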
 