Sophos Control Center: removing viruses
You can use Sophos Control Center for virus disinfection and removal over your network. The presence of a virus, Trojan, worm or spyware will be indicated by a virus report in the Alerts column of Sophos Control Center. Other articles cover:
- removing viruses locally in Windows
- removing viruses with emergency command line scanners.
Note: When removing viruses you will have to change your anti-virus settings. Make a note of them before doing so, where possible. Alternatively, use the recommended (default) settings afterwards.
What to do
1. Assessing the problem
Before removing viruses, you should know whether they can
- make changes to the setup of, or documents on, your computers
- spread internally via shared folders on your network
- take administrator rights, or otherwise damage your network.
From Sophos Control Center, find out what viruses are present on a computer.
- Right-click the computer name.
- Select 'View computer details'.
- Scroll down to 'Viruses detected'.
- The 'Virus name' column lists the names of the viruses found.
- The 'Infected file' column lists where the viruses are on the computer.
- Click the name of the virus to read its description on the Sophos website.
Check the threat analyses for information on how it spreads and what it does.
2. Preventing further infection
- Network shares
If a virus that spreads across network shares is reported in anything other than an email or internet cache folder, enable on-write scanning until you are sure that the virus is not spreading internally.
- Fast-spreading viruses
If a disinfectable executable file virus is spreading across your network, enable on-access virus disinfection until it has been completely removed.
Reverse these changes after the outbreak. The additional checking that these options involve can slow your network, and is not necessary in normal circumstances.
Note: Automatic virus disinfection will disinfect documents with macro viruses as well as program viruses. Some macro viruses alter the information in documents. Check to see if this might happen in the threat analysis, and after disinfection replace any affected documents from backups.
3. Problems to deal with locally
Some worms and viruses change computer operating systems so that if the virus is removed without these changes being reversed, the computer can no longer be used. Sophos
- Check if the recovery instructions say that the virus can be disinfected using Sophos Anti-Virus version 6.
- Check the date in the field 'Protection available since'. Is it earlier than June 2006?
If either of the above is true, you can disinfect any Windows 2000/XP/2003/Vista computers running Sophos
For local disinfection, disinfect with a Resolve tool, where one exists. Otherwise follow the recovery instructions in the threat analysis.
Resolve tools and Sophos
4. Removing viruses with Sophos Control Center
Note: Full cleanup (of registry entries, dropped files, etc.) is only available on Sophos
Where possible, viruses should be disinfected, although in the longer term it is safer to replace the repaired files from backups. Trojan and worm files, and virus-infected files that cannot be repaired, should be removed.
- Some viruses can infect a file multiple times. Ensure that you do not set the console to delete files that could have been disinfected, by running a checking scan after your disinfection scan. The number of remaining infected files should be the same.
After making a note of your current anti-virus settings, edit them for disinfection.
- In the Sophos Control Center left-hand pane, select 'Configure scanning'.
- Click 'On-access'.
- In the 'On-access behaviour' box, select all three options (On read, On write, On rename).
- Click the Cleanup tab.
- Select 'Automatically clean up items that contain a virus'.
- Check that the 'Do nothing' radio button is selected. (You will delete or move files with a scheduled scan.)
- Click 'OK'.
Now establish a scheduled scan.
- In the 'Configure scanning settings' dialog, in the 'Scheduled scanning' area of the dialog box, click 'Add'.
- Give the scan a name, e.g. 'Disinfect', and select a time in the near future.
- Click 'Configure' to change the scanning and disinfection settings.
- Click the Cleanup tab.
- Select your disinfection options.
- To disinfect files, use 'Automatically clean up items that contain a virus'.
- To remove files, select 'Delete'.
- Click 'OK' three times to confirm your scheduled scan, and your Anti-virus policy.
For some outbreaks, you might need to run several scheduled scans. Early ones will disinfect files, and later ones will remove any remaining infected files. You can prepare different named scans (e.g. 'Disinfect', 'Delete') for this.
Note:
- Files will be automatically deleted. You are not given a chance to confirm.
- All computers will be included in the scheduled scan.
- If you have a number of multiply infected files, you may need to run several disinfection scans before deleting the remaining files.
- Files that are locked by the operating system of an infected computer cannot be removed remotely.
- Computers may need to be rebooted for disinfection to complete.
- Removal will only be visible in Sophos Control Center. The workstation user will see nothing.
Plan your scan accordingly.
Now run your scan.
- The scheduled scan will start at the appointed time.
- When the scan has finished, check the computers for any remaining infected files, and for any files that should be replaced from backup.
- In Sophos Control Center, right-click the computer and select 'View computer details'.
- Scroll down the log.
- Any remaining virus reports are listed in bold type.
- If the virus is on the computer involved, deal with it locally.
- If the virus is reported from another computer, deal with it on that computer.
- When all viruses have been removed, reapply your old anti-virus settings.
After you have removed the viruses, clear the remaining alerts.
- Right-click the computer and select 'Clear alerts'.
- In the 'Virus alerts' tab, clear all incidents you have dealt with.
- Unsuccessful removal attempts (e.g. on remote computers) will be listed in the 'Sophos Anti-Virus errors' tab. Clear them where appropriate.
You should now have no remaining virus or error alerts in the console.
If you need more information or guidance, then please contact technical support.
- Article ID: 22063
- Created: 15 Dec 2006
- Last updated: 10 Oct 2008

