I'm wondering if anyone else is having the same minor issues I'm having with the anti-virus solution.
The problem I'm encountering is that much of the time when I get a virus alert that the Netapp and Trend have prevented a virus infection, I can't find any way to tell what the source of the infection was.
From Trend's perspective, all the viruses are found on the scan server, so all my alerts from Trend look like this:
Warning! Virus activity has been detected. { Machine: [MTVESS8TAV02] Product: [ServerProtect for Windows NT] Virus: [PE_ELKERN.D] From: [srvprotect] To: [srvprotect] Action Result: [Clean Success] Virus Found Time [2003/09/09 10:09:05] }
Mtvess8tav02 is one of my Netapp virus scan servers.
I've found that sometimes, in the Netapp's message log, I'll find messages identifying the source of the infection like this:
Fri Aug 15 01:24:14 PDT [rpc_0:warning]: CIFS: Virus scanner 10.40.231.71 completed a scan on modified file foo for client 10.40.36.37 (BENDER) as user ntbuild but returned the following status: [0x3e8] and status message: Virus Found!
Unfortunately, I don't always get messages in the Netapp's log. I had a batch of Elkern infection notices today, for example, but there's nothing in the Netapp's log to indicate the possible source of the infection.
Primarily, I'm most concerned with the AV software catching infected files on my server, but secondarily it would be helpful if it gave me some clues as to who the infection source is. I know right now I have an Elkern-infected machine out there, but no clue as yet who it is.
Has anyone else found solutions to this issue? Some settings I'm not aware of, perhaps?
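An added example, not part of the original post: one way to pair each Trend alert with the filer log line that names the client, so alerts with no logged source stand out. The sample lines are constructed in the two formats quoted above; the year argument, the 30-second window and the assumption that the filer and scan server clocks agree are all assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Filer line format as quoted in the post; the log line carries no year.
FILER_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \w+ \[[^\]]+\]: CIFS: Virus scanner "
    r"(?P<scanner>\S+) completed a scan on modified file (?P<file>.+?) for client "
    r"(?P<ip>\S+) \((?P<host>[^)]*)\) as user (?P<user>\S+) but returned")
# Trend alert format as quoted in the post.
TREND_RE = re.compile(
    r"Machine: \[(?P<machine>[^\]]*)\].*?Virus: \[(?P<virus>[^\]]*)\].*?"
    r"Virus Found Time \[(?P<ts>[^\]]*)\]")

def parse_filer(lines, year):
    """Return client details for every filer 'Virus Found!' line."""
    hits = []
    for line in lines:
        m = FILER_RE.search(line)
        if m and "Virus Found!" in line:
            hit = m.groupdict()
            hit["time"] = datetime.strptime(f"{hit['ts']} {year}", "%b %d %H:%M:%S %Y")
            hits.append(hit)
    return hits

def parse_trend(alerts):
    """Return machine, virus name and detection time for each Trend alert."""
    out = []
    for text in alerts:
        m = TREND_RE.search(text)
        if m:
            alert = m.groupdict()
            alert["time"] = datetime.strptime(alert["ts"], "%Y/%m/%d %H:%M:%S")
            out.append(alert)
    return out

def correlate(alerts, hits, window=timedelta(seconds=30)):
    """Pair each alert with filer hits inside the window; [] means no source was logged."""
    return [(a, [h for h in hits if abs(a["time"] - h["time"]) <= window]) for a in alerts]

# Constructed sample data (same formats as the post, dates made up to line up).
FILER_LOG = [
    "Tue Sep  9 10:00:00 PDT [rpc_0:info]: constructed unrelated message",
    "Tue Sep  9 10:09:03 PDT [rpc_0:warning]: CIFS: Virus scanner 10.40.231.71 completed a scan on modified file foo for client 10.40.36.37 (BENDER) as user ntbuild but returned the following status: [0x3e8] and status message: Virus Found!"]
TREND_ALERTS = [
    "Warning! Virus activity has been detected. { Machine: [MTVESS8TAV02] Product: [ServerProtect for Windows NT] Virus: [PE_ELKERN.D] From: [srvprotect] To: [srvprotect] Action Result: [Clean Success] Virus Found Time [2003/09/09 10:09:05] }",
    "Warning! Virus activity has been detected. { Machine: [MTVESS8TAV02] Product: [ServerProtect for Windows NT] Virus: [PE_ELKERN.D] From: [srvprotect] To: [srvprotect] Action Result: [Clean Success] Virus Found Time [2003/09/09 14:30:00] }"]

if __name__ == "__main__":
    for alert, sources in correlate(parse_trend(TREND_ALERTS), parse_filer(FILER_LOG, 2003)):
        who = ", ".join(f"{s['ip']} ({s['host']}) user {s['user']}" for s in sources)
        print(alert["ts"], alert["virus"], "->", who or "no filer entry: source unknown")
```

Alerts that come back with an empty source list are the ones where the filer logged nothing, which is the gap described in the post.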