20080110

Just to be fair...

Using a variety of tools, and eventually resorting to the event log (which, with hindsight, would have been a very good place to start), I tracked down the virus reports - they referred to a very old read-only archive of emails (pre-2004) that originally resided on the server (hence no previous record of infection), an archive that included some interesting emails received during my tenure as security manager (Data Integrity Manager, even!) at a prior employer.  We were being subjected to a very amateur pen test, and one of the methods used was to send in keylogger software in the guise of an 'important security update from the CIO'.

Needless to say, this failed on several counts: no way was I going to let executables in via email, the AV scanner picked it up anyway, the source address was so obviously false, and I hope I'd educated everyone enough so they wouldn't run executables (though the latter is always questionable).

Anyway, I should give OneCare full marks for finding this stuff, long after I'd forgotten it. But I won't, because of the travails I had to go through to actually identify the problem files.