So we had a virus outbreak here yesterday that got us worried. Within half an hour of each other, pretty much every machine on our network, including all the servers, had reported they had detected and cleaned Win32/Hotbar, one of those adware-related toolbars. Even machines that had no users logged on, which usually means the infection is spreading through the file system – meaning a high-level account has been compromised. Worrying stuff.
We use Microsoft's ForeFront EndPoint Protection (FEP), which is centrally controlled through System Centre Configuration Manager (SCCM), and raises alerts through System Centre Operations Manager (SCOM). It was Operations Manager that led us to the true cause of the outbreak. It has a rollup view of security events related to FEP for each protected server. Looking at this, we could see that just before the "malware" was detected, each server had triggered a definition update. It was the process of installing this new definition that had triggered the alert that malware had been found, before the temp file containing the definition was deleted. ForeFront was finding a virus in its own files.
Panic over then – but could it be that simple? For peace of mind, we needed to know if rogue definitions were the problem, or if it was something more serious. Now we don't know anyone else who's running FEP, and didn't fancy waiting on the phone for Microsoft. The usual course of action, a Google Bing search, would be no use – if someone's written about this particular incident in the hour since the definitions came out, it's still going to be several days at least before it's crawled, indexed and available for searching.
Twitter is the only way to go in situations like this. Two quick searches ("ForeFront" – too broad, "FEP" – bingo) brought back a couple of IT bods who were experiencing the same thing, and were tweeting about it, trying to find others. This collective reporting of the incident, plus the fact we all seemed to have reached the same conclusion, was mutually reassuring. So thanks to Twitter, and in particular @coreyhawk, @bencc, @wubadudub and @SecurityRon, I for one left work on time (still kicked off a full scan job though!).
PS: ForeFront is a very good antivirus (this was the first outbreak we've ever had). All antivirus products occasionally suffer from bad definitions – another vendor's famously deleted Windows startup files a few months back – so this incident certainly won't stop us using it. It's because the reporting capabilities and alerting are so good that we were able to quickly identify the cause of the problem after all.
You can follow me @andywalman.
For those that are interested, here are the details from Operations Manager:
%%860 has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Adware:Win32/Hotbar&threatid=6204
Name: Adware:Win32/Hotbar
ID: 6204
Severity: Medium
Category: Adware
Path: file:_C:\Windows\Temp\AC876D7B-AE94-46A4-A43A-897416F58A21-Sigs\7E408C61-9AE3-4EDF-8388-AB9F7E9D11FFmpasdlta.vdm.old.temp
Detection Origin: %%845
Detection Type: %%822
Detection Source: %%818
User: NT AUTHORITY\SYSTEM
Process Name: C:\Windows\System32\MpSigStub.exe
Signature Version: AV: 1.109.37.0, AS: 1.109.37.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.7104.0, NIS: 0.0.0.0
Microsoft have already updated the malware protection encyclopedia entry to include information on the issue that caused the false detection, and fixed future definition updates: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Adware%3aWin32%2fHotbar&threatid=6204
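The check we did by eye in Operations Manager – was each detection in the definition-update temp folder, run by MpSigStub.exe, and immediately preceded by a definition update on the same host – is easy to automate. The script below is an added example, not code from the post or from Microsoft; the event records are constructed (hostnames, timestamps and the second workstation detection are invented, modelled on the field names shown above), and the five-minute window is an assumption. Detections that match all three conditions are classed as probable definition-update false positives; anything else is left for a human to look at.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: definition-update events per host, as Operations
# Manager would roll them up (host, timestamp). Hostnames and times are invented.
DEFINITION_UPDATES = [
    ("SRV-FILE01", "2011-02-10 10:02:00"),
    ("SRV-FILE02", "2011-02-10 10:04:30"),
]

# Constructed detection records using the same fields as the FEP alert above.
# The first mirrors the real alert; the second is an invented, unrelated hit.
DETECTIONS = [
    {
        "host": "SRV-FILE01",
        "time": "2011-02-10 10:03:10",
        "name": "Adware:Win32/Hotbar",
        "path": r"file:_C:\Windows\Temp\AC876D7B-AE94-46A4-A43A-897416F58A21-Sigs"
                r"\7E408C61-9AE3-4EDF-8388-AB9F7E9D11FFmpasdlta.vdm.old.temp",
        "user": r"NT AUTHORITY\SYSTEM",
        "process": r"C:\Windows\System32\MpSigStub.exe",
    },
    {
        "host": "WKS-042",
        "time": "2011-02-10 10:40:00",
        "name": "Adware:Win32/Hotbar",
        "path": r"file:_C:\Users\jsmith\AppData\Local\Temp\setup.exe",
        "user": r"CORP\jsmith",
        "process": r"C:\Users\jsmith\AppData\Local\Temp\setup.exe",
    },
]

# Definition payloads are unpacked into a GUID-named "...-Sigs" folder under
# %WINDIR%\Temp and are .vdm files (possibly with .old/.temp suffixes).
SIGS_PATH_RE = re.compile(r"\\Temp\\[0-9A-F-]{36}-Sigs\\.*\.vdm", re.IGNORECASE)

# Assumed correlation window: update event must precede the detection by <= 5 min.
WINDOW = timedelta(minutes=5)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def looks_like_signature_file(det):
    """True when the 'malware' is a definition file being handled by the signature stub."""
    return (det["process"].lower().endswith("\\mpsigstub.exe")
            and SIGS_PATH_RE.search(det["path"]) is not None)


def preceded_by_definition_update(det, updates, window=WINDOW):
    """True when the same host logged a definition update shortly before the detection."""
    t = parse_time(det["time"])
    return any(host == det["host"] and timedelta(0) <= t - parse_time(when) <= window
               for host, when in updates)


def triage(det, updates):
    """Classify one detection record."""
    if looks_like_signature_file(det):
        if preceded_by_definition_update(det, updates):
            return "likely definition-update false positive"
        return "signature file hit without matching update event: investigate"
    return "needs investigation"


def summarize(detections, updates):
    """Count detections per triage category across the fleet."""
    counts = {}
    for det in detections:
        verdict = triage(det, updates)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for det in DETECTIONS:
        print(f"{det['host']:<11} {det['name']:<20} -> {triage(det, DEFINITION_UPDATES)}")
    print(summarize(DETECTIONS, DEFINITION_UPDATES))
```

The point of the third verdict is the caveat: a hit on a .vdm file with no update event on that host in the window is not automatically benign, since the same folder and process name could be seen for other reasons, so it goes to the "investigate" pile rather than being waved through. Exporting the SCOM alert fields and the definition-update events to CSV and feeding them through something like this is a few minutes' work, and gives you a fleet-wide count instead of reading each server's view one at a time.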