Virus Source Analysis

ravi12

we are managing our clients through FSPM console. whenevenever virus incident occurs, F-Secure antivirus sometime delete infected file, quarantined infected file, rename infected file and sometime f-secure take no action in infected file. For analysis of virus, we want to change the setting in FSPM console in such a way that F-Secure antivirus should not delete infected file automatically. After doing this setting we will be able to take out the infected file from infected client for analysis purpose.

Now, my query is:-

from where we can do such settings in FSPM console so that infected file should not be deleted automatically.?

Vad

Hello ravi12,

 

In Policy Manager Console - Settings (Standard view) > Real-time scanning find the section "Action on malware detections". Uncheck the check box "Decide automatically" and select the "Custom action on infection" and "Custom action for spyware" you wish.

If you don't want local users to change your selections, don't forget to lock settings.

 

Best regards,

Vad

MJ-perComp

The setting should be "Report only".
This will cause no action and no change, but still the file is blocked from opening/execution (Quarantined-in-place).
Keep in mind: this might cause othe sideeffects as repeated alerts, eventlog to fill up, repeated error messages from calling program.

F-Secure is using different actions depending on the filtype but also on the question if theis file is new or existed before. By changing to "Report only", this logic is dectivated and from now on the file will be treeted as "existed before".

Example: a malicious file in "Temporary Internet" is usually being deleted right away, as it is new. A file in "Program Files" will likely get quarantined.
Now the malicious files in "Temporary Internet" will stay where they are.

No idea what you want to find in that investigation, but the default setting is well chosen by R&D