Sophos

Enterprise Console: removing viruses over a network

In Enterprise Console, virus disinfection and removal actions are carried out per group or per individual computer. The presence of a virus, Trojan, worm, spyware or other threat is indicated by a report in the Alerts column of Enterprise Console. Other articles cover:

What to do

1. Assessing the problem

Before removing viruses and other threats, you should determine if they can

First, from Enterprise Console, find out what items are present on a computer.

  1. Right-click the computer name.
  2. Select 'View computer details'.
  3. Scroll down to 'Items detected' (or 'Viruses detected').
    • The 'Type' (or 'Virus name') column lists the names of the items found.
    • The 'Details' (or 'Infected file') column lists where the items are on the computer.
  4. Click the name of the item to read its description on the Sophos website.

The description gives information on how the virus, or other program, spreads and what it does.

2. Minor outbreak

You can deal with a minor outbreak from the console with a full system scan, provided you are running Enterprise Console version 3 and Sophos Anti-Virus for Windows 2000+ version 7.

If a few computers are affected, do as follows:

  1. Open Enterprise Console.
  2. Select the affected computers or groups (hold down the 'Ctrl' key while selecting).
  3. Right-click your selected items.
  4. Click 'Full system scan'.
  5. Click 'OK' to start the scan. The scan may take some time to complete.
  6. When the scan has finished, right-click your selected items again.
  7. Click 'Clean up detected items'.
  8. Select the viruses, etc., that you want to clean up.
  9. Click 'OK' to start cleanup.
  10. After a short interval, check the affected computers again in the console (right-click and select 'View computer details').
    • If the number of affected computers is steadily increasing, go to section 3 'Preventing further infection', and treat the incident as a major outbreak.
    • Otherwise, deal with any remnants of the outbreak.
  11. If not all items were cleaned up the first time (e.g. not all components were found), you may need to run a second full system scan of the affected computers and repeat the cleanup.
  12. Occasionally you might have to deal with remaining items at the local computer.
  13. To remove any outstanding alerts (e.g. viruses reported in shares on other computers), right-click the computer in Enterprise Console, select 'Acknowledge alerts and errors', select the outstanding alerts you have dealt with, and click 'OK' to clear them.

This should have cleared a minor outbreak.

Note: Automatic virus disinfection disinfects documents carrying macro viruses as well as files carrying program viruses. Some macro viruses alter the information in the documents they infect, and disinfection does not restore it. Check the virus analysis to see whether this applies, and replace any affected documents from backups after disinfection.

To deal with a major outbreak, use the instructions in the following sections.

3. Preventing further infection

Where possible, now repeat the full system scan on affected computers (see section 2).

Reverse these changes to your anti-virus policy after the outbreak. The additional checking that these options involve can slow your network, and is not necessary in normal circumstances.

4. Problems to deal with locally

Some worms and viruses change the operating system so that, if the virus is removed without those changes being reversed, the computer can no longer be used. Sophos Anti-Virus for Windows 2000+, version 6 and above, can disinfect most of these threats successfully via Enterprise Console.

If either of the above is true, you can disinfect any Windows 2000/XP/2003/Vista computers running Sophos Anti-Virus version 6 and above from Enterprise Console. Otherwise, disinfect them locally.

If you have Windows NT computers, or are using an earlier version of Sophos Anti-Virus, you must disinfect locally any computer infected by a virus that changes the registry so that the virus runs before every executable file (e.g. W32/Yaha-T).

Disinfect with a Resolve tool, where one exists. Otherwise follow the recovery instructions in the virus analysis.

Resolve tools and Sophos Anti-Virus for Windows 2000+, version 6 and above, not only remove or disinfect virus files but also reverse the registry changes the virus has made. During a major outbreak of a particular virus, it might be more efficient to disinfect the network using the network disinfection instructions supplied with the Resolve tool rather than using Enterprise Console; the virus analysis says whether this is the case.
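The registry change described above is usually a hijack of the shell\open\command handler for executables: the worm's path is prepended to the normal handler value, so Windows starts the worm every time an .exe is launched, and deleting the worm file without restoring the handler leaves a machine on which nothing will run. The script below is an added example for checking, and if necessary restoring, those handlers on the local computer. It is not a Sophos tool and does not replace the Resolve tool for a given threat, which also undoes other changes; the list of file classes and the expected default values ('"%1" %*') are the author's assumptions about a standard Windows installation. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Sophos article): detect and optionally restore the
# shell\open\command handlers that a worm can hijack so that it runs before every
# executable. Class list and expected values are assumptions about stock Windows.
$ExpectedHandlers = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'piffile' = '"%1" %*'
}

function Get-ShellOpenCommand {
    param([Parameter(Mandatory)][string]$Class)
    $key = "Registry::HKEY_CLASSES_ROOT\$Class\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    # '(default)' is how PowerShell exposes a key's unnamed default value.
    $item = Get-ItemProperty -LiteralPath $key -Name '(default)' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.'(default)'
}

function Test-HandlerValue {
    param([string]$Actual, [string]$Expected)
    # Normalise whitespace; a hijacked value looks like  C:\path\worm.exe "%1" %*
    if ($null -eq $Actual) { return $false }
    return ((($Actual -replace '\s+', ' ').Trim()) -ieq $Expected)
}

function Test-ShellOpenHandlers {
    param([switch]$Fix)   # Without -Fix the function only reports.
    foreach ($class in $ExpectedHandlers.Keys) {
        $expected = $ExpectedHandlers[$class]
        $actual   = Get-ShellOpenCommand -Class $class
        $ok       = Test-HandlerValue -Actual $actual -Expected $expected
        # Whatever precedes "%1" in a hijacked value is the file the worm wants run;
        # cross-check it against the 'Details' column in the console before deleting it.
        $prepended = ''
        if ($actual -and -not $ok) { $prepended = ($actual -split '"%1"', 2)[0].Trim() }

        if (-not $ok -and $Fix) {
            $key = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $expected
            $actual = Get-ShellOpenCommand -Class $class
            $ok     = Test-HandlerValue -Actual $actual -Expected $expected
        }

        [pscustomobject]@{
            Class     = $class
            Expected  = $expected
            Actual    = $actual
            Prepended = $prepended
            Healthy   = $ok
        }
    }
}

# Usage: report first; repair only once you know which file the handler points at.
$report = Test-ShellOpenHandlers
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Healthy }) {
    Write-Warning 'One or more handlers are hijacked or missing. Re-run with -Fix, then remove the worm file.'
}
```

Restore the handler before, or in the same step as, deleting the file it points to; if the file is deleted first, the computer can no longer start .exe files and the repair has to be made from a recovery environment. HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so after fixing, confirm that a per-user override in HKCU\Software\Classes does not still point at the worm.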

5. Removing viruses with Enterprise Console version 2 and above

Note:

Where possible, viruses should be disinfected, although in the longer term it is safer to replace the repaired files from backups. Trojan and worm files, and virus-infected files that cannot be repaired, should be removed.

You will need to temporarily move your infected computers into a special 'Disinfect' group. Do either of the following:

Which you choose to do will depend on the size of your network.

Then you should set up a specialized disinfection Anti-virus policy (or policies) for your new 'Disinfect' group.

To create the specialized policy, edit a copy of your current Anti-virus policy, and set a scheduled scan of your infected computers:

A. Establishing the policy and scan settings

  1. Creating the policy
    Open Enterprise Console.
    To create the new policy, do as follows.
    • In the Policies pane, right-click your current Anti-virus policy.
    • Select 'Duplicate policy'.
    • Call the policy 'Disinfect'.
    • Right-click your new Disinfect policy.
    • Select 'View/Edit policy'.
    • Click 'On-access'.
    • Check that in the 'On-access behaviour' box, all three options (On read, On write, On rename) are selected.
    • Click the Cleanup tab.
    • Select 'Automatically clean up items that contain a virus'.
    • Check that the 'Do nothing' radio button is selected, so that on-access scanning does not itself delete or move files. (You will delete or move files with the scheduled scan.)
    • Click 'OK'.
  2. Setting a scan
    Then establish the scheduled scan (or scans).
    • In the 'Anti-virus policy Disinfect' dialog, in the 'Scheduled scanning' area of the dialog box, click 'Add'.
    • Give the scan a name, e.g. 'Disinfect', and select a time in the near future.
    • Click 'Configure' to change the scanning and disinfection settings.
    • Click the Cleanup tab.
    • Select your disinfection options.
      • To disinfect files, use 'Automatically clean up items that contain a virus'.
      • To remove files, select 'Delete'.
    • Click 'OK' three times to confirm your scheduled scan, and your Anti-virus policy.

Note:

Plan your scan accordingly.

B. Running the scan

Now run your scan.

  1. Apply the policy to your new group(s).
  2. Move your infected computers into the new group. The scheduled scan will start at the appointed time.
  3. When the scan has finished, check the computers for any remaining infected files, and for any files that should be replaced from backup.
    • Right-click the computer and select 'View computer details'.
    • Scroll down the log.
    • Any remaining virus reports are listed in bold type.
      • If the virus is on the computer involved, deal with it locally.
      • If the virus is reported from another computer, deal with it on that computer.
  4. When all viruses have been removed, reapply your old Anti-virus policy to your users and groups.
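Step 3 above, like step 13 of section 2, turns on a detail of how the console attributes alerts: a detection on a UNC path was reported by the computer that scanned it, but the file lives on the server that hosts the share and must be cleaned there. The following added example (not part of the article) takes detection records of the kind shown in the 'Details' or 'Infected file' column and produces a per-computer work list; the records are constructed for illustration, and the mapping of administrative shares such as C$ to local drive letters is the author's assumption.

```powershell
# Added example (not from the Sophos article): decide on which computer each detected
# file actually has to be dealt with. Records below are constructed sample data.
$Detections = @(
    [pscustomobject]@{ Reporter = 'WS-017'; Threat = 'sample-threat-1'; Path = 'C:\Temp\sample.exe' }
    [pscustomobject]@{ Reporter = 'WS-017'; Threat = 'sample-threat-1'; Path = '\\FILESRV1\Public\tools\sample.exe' }
    [pscustomobject]@{ Reporter = 'WS-042'; Threat = 'sample-threat-2'; Path = '\\FILESRV1\C$\Shared\old.doc' }
    [pscustomobject]@{ Reporter = 'WS-042'; Threat = 'sample-threat-2'; Path = 'D:\Data\report.doc' }
)

function Resolve-DetectionLocation {
    param([Parameter(Mandatory)][pscustomobject]$Detection)
    # UNC form: \\host\share\rest ; anything else is treated as a local path on the reporter.
    if ($Detection.Path -match '^\\\\([^\\]+)\\([^\\]+)(\\.*)?$') {
        $host  = $Matches[1]
        $share = $Matches[2]
        $rest  = if ($Matches[3]) { $Matches[3] } else { '\' }
        # Administrative share C$ maps to C:\ on the server (assumption: default admin shares).
        $localPath = if ($share -match '^([A-Za-z])\$$') { "$($Matches[1]):$rest" } else { "$share$rest (share)" }
        [pscustomobject]@{ CleanOn = $host; Location = 'remote share'; LocalPath = $localPath
                           Threat = $Detection.Threat; ReportedBy = $Detection.Reporter }
    } else {
        [pscustomobject]@{ CleanOn = $Detection.Reporter; Location = 'local'; LocalPath = $Detection.Path
                           Threat = $Detection.Threat; ReportedBy = $Detection.Reporter }
    }
}

function Get-CleanupWorkList {
    param([pscustomobject[]]$Records)
    $Records | ForEach-Object { Resolve-DetectionLocation -Detection $_ } |
        Group-Object CleanOn | ForEach-Object {
            [pscustomobject]@{ Computer = $_.Name; Items = $_.Count; Details = $_.Group }
        }
}

# Usage: one entry per computer that needs a local or console-driven cleanup.
foreach ($entry in Get-CleanupWorkList -Records $Detections) {
    "=== $($entry.Computer) ($($entry.Items) item(s))"
    $entry.Details | Format-Table Threat, Location, LocalPath, ReportedBy -AutoSize
}
```

After cleanup, alerts that named a remote share are still shown against the reporting workstation, which is why the procedure ends with acknowledging or clearing them there.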

C. After disinfection

After you have removed the viruses, clear the remaining alerts.

  1. Right-click the computer and select 'Clear alerts'.
  2. In the 'Virus alerts' tab, clear all incidents you have dealt with.
  3. Unsuccessful removal attempts (e.g. on remote computers) will be listed in the 'Sophos Anti-Virus errors' tab. Clear them where appropriate.

You should now have no remaining virus or error alerts in the console.

Move your computers back to their original groups.

6. Removing viruses with Enterprise Console version 1

Where possible, viruses should be disinfected, although in the longer term it is safer to replace the repaired files from backups. Trojan and worm files, and irreparably virus-infected files, should be removed.

Temporarily move infected computers into an 'Infected' group or, if the problem is widespread, treat all existing groups. Then set up a scheduled scan for the near future which will disinfect, or remove, the viruses.

  1. Highlight the group of computers that you want to disinfect and select 'SAV policy'.
  2. In the 'Scheduled scanning' area of the dialog box, click 'Add'.
  3. Give the scan a name, e.g. 'Disinfect', and select a time in the near future.
  4. Click 'Configure' to change the scanning and disinfection settings.
  5. Click the Disinfection tab.
  6. Select your disinfection options.
    • To disinfect files, use 'Disinfect items that contain a virus'.
    • To remove files, in 'Other actions against infected files' select 'Delete'.
  7. Click 'OK' three times to confirm your scheduled scan.

For some outbreaks, you might need to run several scheduled scans. Early ones will disinfect files, and later ones will remove any remaining infected files. You can prepare different named scans (e.g. 'Disinfect', 'Delete') for this.

Note:

Plan your scan accordingly.

When the scan has finished, check the computers for any remaining infected files, and for any files that should be replaced from backup.

  1. Right-click the computer and select 'View computer details'.
  2. Scroll down the log.
  3. Any remaining virus reports are listed in bold type.
    • If the virus is on the computer involved, deal with it locally.
    • If the virus is reported from another computer, deal with it on that computer.
  4. When all viruses have been removed, disable the scheduled scans.

After you have removed the viruses, clear the remaining alerts.

  1. Right-click the computer and select 'Clear alerts'.
  2. In the 'Virus alerts' tab, clear all incidents you have dealt with.
  3. Unsuccessful removal attempts (e.g. on remote computers) will be listed in the 'Sophos Anti-Virus errors' tab. Clear them where appropriate.

You should now have no remaining virus or error alerts in the console.

Move the affected computers back to their original groups.

If you need more information or guidance, then please contact technical support.