Author Topic: Playing Whack-a-Mole / action of endpoint?


tcorey (Newbie, Posts: 2)
Playing Whack-a-Mole / action of endpoint?
« on: October 03, 2017, 02:13:26 AM »
I administer a small network with 1 server machine and 10 workstations. Server is running Hyper-V with 1 client session functioning as our primary server. We use Avast Endpoint Protection hosted on our Hyper-V instance and Avast client installed on all machines including both host and client of the server machine. I have our network set to run a deep-scan every night, and every 1-3 nights a machine or two are infected with the same item: Win32:VBCrypt-AGT [Trj]. It seems to go in rounds, systematically working its way to different machines over a 2-3 week time period.

Background: IT is not my only job, it's one of many hats, and everything I've learned has been self-taught. So while I know my way around very well and have significant knowledge of networks and admin, there are probably some things I understand fully but don't know the correct lingo to match. I ask your patience in this.

By the time I arrive to review logs etc. in the morning, there is no evidence of any infection on the machines. However, there is also nothing in the virus chest for me to clean out, and the processes that were "caught" are still running, but presumably clean (known existing programs - Word, Outlook, and other programs we run in the background often).

I have all machines set to run a boot-time scan whenever rebooted, and have run boot-time scans in the morning after an infection has been found, only for everything to turn up "clean". I've run multiple other mainstream antivirus scans to be triply-sure... only to have another "hit" on the nightly scan.

Two questions... (a) with Endpoint Protection, is it actually cleaning the virus from these running processes that are initially found to be "dirty" and then later "clean"? (b) any tips/pointers on ridding this from our network environment entirely? It *seems* that it's getting caught as soon as it tries to take root, but it does have me very concerned.

Thank you.
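One way to get past the "clean by morning" problem described in the post is to record what each workstation looks like at scan time and again later, then diff the two. The script below is an added example written for this thread; it is not code from the poster or from Avast. It snapshots the common Windows autostart locations (Run/RunOnce keys, startup folders, scheduled tasks, services) plus a SHA-256 hash of every running process image, writes the snapshot to a CSV, and reports what appeared or disappeared since the previous snapshot for that host. The snapshot directory `C:\Triage\Snapshots` and the function name `Add-Finding` are assumptions for illustration; the cmdlets used (`Get-ScheduledTask`, `Get-CimInstance`, `Get-FileHash`, `Compare-Object`) are standard on Windows 8 / Server 2012 and later. Run it elevated, once as a scheduled task at the same time as the nightly deep scan and once by hand in the morning.

```powershell
# Added example for the thread above (not the poster's or Avast's code).
# Snapshot autostart locations and running-process image hashes, then diff
# against the previous snapshot for this host so a recurring drop can be tied
# to whatever re-creates it. $SnapshotRoot is an assumed, illustrative path.
param(
    [string]$SnapshotRoot = 'C:\Triage\Snapshots'   # assumption: adjust to a share the admin account can write
)

# Missing registry keys or unreadable images (e.g. HKCU when run as SYSTEM)
# should not abort the snapshot; they are simply not recorded.
$ErrorActionPreference = 'SilentlyContinue'
$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $SnapshotRoot -Force | Out-Null

$findings = New-Object System.Collections.Generic.List[object]

# Hypothetical helper name: one row per artefact (Kind, Name, Value).
function Add-Finding([string]$Kind, [string]$Name, [string]$Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Value = $Value })
}

# 1. Run / RunOnce keys (64-bit, WOW64 and per-user views).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name)" "$($_.Value)" }
    }
}

# 2. Startup folders: record each file with its SHA-256 so a swapped binary shows as a change.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Add-Finding 'StartupFolder' $_.FullName $h
    }
}

# 3. Scheduled tasks: one row per action, command line included.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. Services and their image paths.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    Add-Finding 'Service' $_.Name "$($_.PathName)"
}

# 5. Running process images: hash the on-disk file behind every process.
#    If WINWORD.EXE or OUTLOOK.EXE is flagged at night but its hash is unchanged
#    in the morning, the file on disk was not what changed.
Get-CimInstance -ClassName Win32_Process |
    ForEach-Object { $_.ExecutablePath } |
    Where-Object { $_ } |
    Sort-Object -Unique |
    ForEach-Object {
        $h = (Get-FileHash -Path $_ -Algorithm SHA256).Hash
        if ($h) { Add-Finding 'ProcessImage' $_ $h }
    }

# 6. Persist this snapshot and diff it against the newest earlier one for this host.
$current = Join-Path $SnapshotRoot "$computer-$stamp.csv"
$findings | Sort-Object Kind, Name | Export-Csv -Path $current -NoTypeInformation -Encoding UTF8

$previous = Get-ChildItem -Path $SnapshotRoot -Filter "$computer-*.csv" |
    Where-Object { $_.FullName -ne $current } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $previous) {
    Write-Output "Baseline written to $current; run again later to see changes."
} else {
    $old  = Import-Csv -Path $previous.FullName
    $new  = Import-Csv -Path $current
    $diff = Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Kind, Name, Value -PassThru
    Write-Output "Changes on $computer since $($previous.Name):"
    $diff | Where-Object SideIndicator -eq '=>' | ForEach-Object {
        Write-Output ('NEW     {0,-14} {1}  {2}' -f $_.Kind, $_.Name, $_.Value)
    }
    $diff | Where-Object SideIndicator -eq '<=' | ForEach-Object {
        Write-Output ('REMOVED {0,-14} {1}  {2}' -f $_.Kind, $_.Name, $_.Value)
    }
}
```

A changed hash shows up as one REMOVED and one NEW line with the same Name. An entry that is present in the scan-time snapshot and gone by the morning snapshot is exactly the kind of artefact the post says cannot be found after the fact, and its command line or image path points at what to pull for analysis; an entry that reappears on host after host over the weeks is the place to look for the mechanism that is re-seeding the machines.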