
Virus Source Analysis

Aspirant


We are managing our clients through the FSPM console. Whenever a virus incident occurs, F-Secure antivirus sometimes deletes the infected file, sometimes quarantines it, sometimes renames it, and sometimes takes no action on the infected file. For analysis of the virus, we want to change the setting in the FSPM console in such a way that F-Secure antivirus does not delete the infected file automatically. After making this setting we will be able to take the infected file from the infected client for analysis purposes.

Now, my query is:

From where can we make such settings in the FSPM console so that the infected file is not deleted automatically?

2 REPLIES
F-Secure

Re: Virus Source Analysis

Hello ravi12,

 

In Policy Manager Console - Settings (Standard view) > Real-time scanning find the section "Action on malware detections". Uncheck the check box "Decide automatically" and select the "Custom action on infection" and "Custom action for spyware" you wish.

If you don't want local users to change your selections, don't forget to lock settings.

 

Best regards,

Vad

Superuser

Re: Virus Source Analysis

The setting should be "Report only".
This will cause no action and no change, but still the file is blocked from opening/execution (Quarantined-in-place).
Keep in mind: this might cause other side effects such as repeated alerts, the event log filling up, and repeated error messages from the calling program.

F-Secure uses different actions depending on the file type but also on the question of whether the file is new or existed before. By changing to "Report only", this logic is deactivated and from now on the file will be treated as "existed before".

Example: a malicious file in "Temporary Internet" is usually being deleted right away, as it is new. A file in "Program Files" will likely get quarantined.
Now the malicious files in "Temporary Internet" will stay where they are.

No idea what you want to find in that investigation, but the default setting is well chosen by R&D.

Matthias
----------
perComp has been a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntary and to the best of my knowledge, based on working with the products since 1997. For direct contact, customers please check our homepage http://www.percomp.de