A knowledge point drawn from an Almanahe infection detection log

At work we have to solve users' problems whenever they come in. The user's problem was described as follows:

"This virus is copied to the C: drive on an hourly schedule. The security software can detect and remove it, but the program that generates the file cannot be found."

With a report like this, you cannot tell what is going on from the user's description alone. The first step is to ask the user to upload the detection log.

The user then sent the following log:

病毒防护,文件实时监控,发现病毒Virus/Almanahe.a!src, 已处理

操作进程:System
病毒路径:C:\setup.exe
病毒名称:Virus/Almanahe.a!src
病毒ID:A79AB283EE7EA771
操作结果:已处理

This log actually contains quite a few useful points, and the user's problem can be resolved from it alone. Let's analyze it below.

First, look at the virus name:

Virus/Almanahe.a!src

The primary type is a file-infecting virus. Keep in mind what characterizes a file infector: it infects executable files, it often has worm-like propagation behaviour, and so on.

Next, look at the operating process: System

If the process is System rather than system.exe, it is the kernel's System process running with ring 0 privileges. When the operating process is System, there are basically two possibilities:

1. The file being operated on is a driver on the local machine.

2. The file operation was an inbound request through an SMB share.

If you have not analyzed the Almanahe file infector before, you can search for it:

(Image omitted: search result describing the Almanahe virus spreading through network shares.)

From the search result above, we can see that this virus spreads through network shares.

With that, the incident is basically sorted out. Roughly: another machine on the same local area network is infected with Almanahe; it brute-forces network shares and copies the file onto other machines on the LAN, which is why the user keeps seeing repeated virus detections.
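The triage above, written out as a small Python script. This is an added example and not part of the original post or the security software: it parses a detection log with the same field labels as the user's log, reads the category from the Virus/ prefix of the name, and applies the two possibilities for a System-process write. The English field names, the driver-path heuristic and the recommendation strings are my assumptions.

```python
# Added example, not from the original post: parse an AV detection log in the
# format quoted above and walk through the "operating process is System" reasoning.
from dataclasses import dataclass

# Constructed sample with the same field labels as the user's log on this page.
SAMPLE_LOG = """病毒防护,文件实时监控,发现病毒Virus/Almanahe.a!src, 已处理

操作进程:System
病毒路径:C:\\setup.exe
病毒名称:Virus/Almanahe.a!src
病毒ID:A79AB283EE7EA771
操作结果:已处理
"""

# Chinese field labels mapped to English keys (assumed naming, mine).
FIELD_NAMES = {
    "操作进程": "process",
    "病毒路径": "path",
    "病毒名称": "name",
    "病毒ID": "virus_id",
    "操作结果": "result",
}

SMB_HYPOTHESIS = "remote write through an SMB share"
DRIVER_HYPOTHESIS = "local kernel driver wrote the file"


@dataclass
class Detection:
    process: str = ""
    path: str = ""
    name: str = ""
    virus_id: str = ""
    result: str = ""


def parse_detection(text: str) -> Detection:
    """Turn the 'label:value' lines of the log into a Detection record."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # first colon only, so C:\... survives
        key = FIELD_NAMES.get(label.strip())
        if sep and key:
            fields[key] = value.strip()
    return Detection(**fields)


def family_of(name: str) -> str:
    """The prefix before '/' is the detection category; 'Virus/' means file infector."""
    prefix = name.split("/", 1)[0]
    return "file infector" if prefix == "Virus" else prefix.lower()


def is_driver_path(path: str) -> bool:
    """Assumed heuristic: a .sys file under a drivers directory was written by a driver."""
    p = path.lower()
    return p.endswith(".sys") and "\\drivers\\" in p


def assess(det: Detection) -> dict:
    """Apply the page's reasoning: System (not system.exe) is the ring-0 kernel process,
    so the write came either from a local driver or from an inbound SMB share request."""
    verdict = {"family": family_of(det.name), "hypotheses": []}
    if det.process.strip().lower() == "system":
        if is_driver_path(det.path):
            verdict["hypotheses"].append(DRIVER_HYPOTHESIS)
        else:
            verdict["hypotheses"].append(SMB_HYPOTHESIS)
    else:
        verdict["hypotheses"].append(f"local user-mode process {det.process}")
    return verdict


def recommend(verdict: dict) -> list:
    """The response the page gives the user, keyed off the SMB hypothesis."""
    if SMB_HYPOTHESIS in verdict["hypotheses"]:
        return [
            "block inbound TCP 139 and 445 with the security software's IP protocol control",
            "find which LAN host repeatedly accesses this host's shares",
            "run a full-disk scan on that host to remove the virus",
        ]
    if DRIVER_HYPOTHESIS in verdict["hypotheses"]:
        return ["inspect and scan the drivers loaded on this machine"]
    return ["locate and scan the process that wrote the file"]


if __name__ == "__main__":
    det = parse_detection(SAMPLE_LOG)
    verdict = assess(det)
    print(det, verdict, recommend(verdict), sep="\n")
```

For the user's log the script lands on the SMB hypothesis because C:\setup.exe is not a driver file; the same log with a .sys path under a drivers directory would land on the driver hypothesis instead.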

At this point you can give the user a reply:

"The detection log shows that the Almanahe file-infecting virus is arriving through a network share. Use the security software's IP protocol control to block inbound ports 139 and 445, check which machine is repeatedly accessing this host's shares, and once you have found it, run a full-disk scan on that machine to remove the virus."


Source: blog.csdn.net/weixin_44001905/article/details/109641364