Hi Sean,
One hunch on the lockup could be that the Virus somehow does not allow you to read/check attributes on the file. Are you able to browse to the file itself and look up its properties?

I would definitely recommend opening up a TAC case and have them assist you with this. It should only quarantine machines where the EXE exists.

-Prem

From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Hennessey, Sean
Sent: Wednesday, April 08, 2009 4:57 PM
To: [email protected]
Subject: URGENT! Help needed

Hi all -

We have a problem. A virus has broken out on our campus and I'm trying to create a rule that checks for its payload, if found, quarantines the system and forces an Anti-Virus update and scan. So far I can't even get it to just quarantine the system. With it in place (checking for the existence of a file called "c:\MarioForever.exe"), it is quarantining all systems in the role this is applied to, and then it's just locking - it's not allowing the computer to update Anti-Virus or anything.

Also, I have an either/or rule checking for the existence of Symantec AV Corporate v10+ or Symantec Endpoint Protection v11+ and on one system it's failing the checks saying it has a "Symantec unknown product" and gives the version number of the SEP installation. This seems to be working for pretty much everything else. We are currently pushing out SEP to all systems through AD so I'm not sure if it's part of the installation of something else screwing this up.

Any ideas? Please?!?

- Sean

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hennessey, Network Engineer
Network and Information Security Systems Administrator
Office of Technical Support
University of Portland
w: (503) 943 7877, c: (503) 710 6347

For all of your technology support needs, please contact the University of Portland helpdesk at x7000, or from off campus at 503.943.7000. They can also be reached via email at [email protected].
