Troubleshoot to find possible infected files if a virus is not detected
Technical Articles ID: KB53094
Last Modified: 2022-08-09 16:51:34 Etc/GMT
Environment
All Trellix desktop and server antivirus products for Microsoft Windows
Summary
This article describes procedures and locations to help you find suspicious files when an infection is not detected by your antivirus products.
Possible symptoms include:
Suspicious computer behavior such as high CPU usage on unrecognized processes
Significantly increased network traffic or bandwidth use
New services added or existing services removed
Unable to access network resources such as shared drives
Applications cease to function or files can't be accessed
Unexpected registry keys added
Internet Explorer homepage changed without permission
IMPORTANT: Because of the wide variety of malware and other threats, we are unable to provide a list of all possible infection symptoms. If you suspect that your system is infected and the specific symptoms are not listed, still take all available precautions. Ensure that your DAT files are up to date and run an on-demand scan or command-line scan of your system. If the infection is not detected, follow the procedures in this article to collect suspicious file samples and submit them to Trellix Labs.
This article includes references to some third-party tools. For instructions on using them, we recommend that you use the Help files for the third-party products.
Ensure that you use the latest DAT and Engine files
Download the current DAT and Engine from the Security Updates website:
If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Install Microsoft security updates
Install the latest Microsoft Security updates to prevent exploits of security vulnerabilities. Ensure that the latest updates and fixes are downloaded and installed. You can configure Windows to perform these actions automatically.
Configure products for scanning
Verify that you have configured the on-access and on-demand scanners to:
Scan for Spyware
Scan for Potentially Unwanted Programs
Confirm that you have enabled the following options:
NOTE: Some of these options are only available in VirusScan Enterprise. See the product guide for your product for details and instructions.
Run an on-demand scan with all scan settings enabled
Perform a full on-demand scan of all files with the primary action set to Clean. See the product guide for your product for details about how to configure an on-demand scan. For VirusScan Enterprise, click Start, Programs, McAfee, On-Demand Scan, Start.
Run scan.exe with the latest Beta DAT files
If the on-demand scan and the standard DAT files do not detect the infection, it might be detected with the additional signatures in the Beta DAT files.
If the on-demand scan still fails to detect any threats:
Search Windows configuration files for any suspicious entries.
Search the startup programs group for any items or applications you do not recognize.
Check common registry locations for suspicious entries.
Use Windows Explorer to check common directory locations for malicious files.
Check the Windows Scheduler for entries you do not recognize.
Use other Trellix and third-party tools to discover malicious activity.
Locate suspicious files
Startup folders and registry locations are most likely to contain suspicious entries. Examine the following locations.
CAUTION: This article contains information about opening or modifying the registry.
The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Do not run a REG file that is not confirmed to be a genuine registry import file.
System Configuration files:
Win.ini
This file was used by earlier versions of Windows and was read during system startup. With Windows 7 and later, the details formerly stored in this file are placed in the registry.
System.ini
This file is a Windows initialization file used primarily by earlier versions of Windows. However, it is still retained in later versions of Windows for backward compatibility.
Autoexec.bat
This file is used during system startup and is retained in later versions of Windows for backward compatibility. It is stored in the root of the system drive. This batch file executes commands at startup.
Config.sys
This file is a legacy ASCII text file containing configuration directives. Its entries can be viewed using msconfig.
To view the system configuration using msconfig:
Press Windows+R, type msconfig, and press Enter.
Examine the Startup items tab.
Examine the win.ini and system.ini entries.
Startup Group
When looking at folders, change the view to Details, and use the Date created column to arrange files:
\documents and settings\all users\Start Menu\Programs\Startup
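The checks above (legacy configuration files, the Startup folder arranged by Date created, and the Windows Scheduler entries mentioned earlier) can be gathered in one pass so that entries you do not recognize stand out. This is an added example, not a script from the Trellix article; it assumes the legacy All Users Startup path maps to the modern ProgramData location, and the 14-day "recent" window is a placeholder you should set from your own baseline.

```powershell
# Added example (not from the Trellix article): enumerate the startup locations the
# article lists and flag recently created entries for manual review. Run as Administrator.
# Assumption: "\Documents and Settings\All Users\...\Startup" maps to $env:ProgramData below.
param([int]$RecentDays = 14)   # Assumed window; tune to your environment's baseline

$cutoff = (Get-Date).AddDays(-$RecentDays)
$win    = $env:SystemRoot
$drive  = $env:SystemDrive

# 1. Legacy configuration files: print non-comment lines so unusual entries stand out.
foreach ($f in "$win\win.ini", "$win\system.ini", "$drive\autoexec.bat", "$drive\config.sys") {
    if (Test-Path $f) {
        Write-Host "== $f =="
        Get-Content $f | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*[;#]' } |
            ForEach-Object { "    $_" }
    }
}

# 2. Startup folders (all users and current user), arranged by Date created.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
$startupItems = foreach ($d in $startupDirs) {
    if (Test-Path $d) { Get-ChildItem -Path $d -File -Force }
}
Write-Host "== Startup folder items (newest first) =="
$startupItems | Sort-Object CreationTime -Descending |
    Select-Object CreationTime, FullName, Length | Format-Table -AutoSize

# 3. Scheduled tasks: show what each task actually executes, not just its name.
Write-Host "== Scheduled task actions =="
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        [pscustomobject]@{
            Task    = "$($t.TaskPath)$($t.TaskName)"
            Execute = $a.Execute
            Args    = $a.Arguments
        }
    }
} | Format-Table -AutoSize

# 4. Startup items created after the cutoff are the first candidates to collect as samples.
$recent = @($startupItems | Where-Object { $_.CreationTime -gt $cutoff })
Write-Host "== Startup items created in the last $RecentDays days: $($recent.Count) =="
$recent | ForEach-Object { "    $($_.CreationTime)  $($_.FullName)" }
```

Compare the output against a known-good machine of the same build; a recently created item that references an executable outside Program Files or the Windows directory is a good candidate to collect and submit as described below.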
Use IceSword rootkit detector to analyze the registry.
Click Start, McAfee, On-Demand Scan, Start to run an on-demand scan.
If On-Demand Scanning fails to detect a threat, use the free FPort and Vision utilities to monitor activity. NOTE: The following third-party utilities can also be useful for logging malicious file activity:
Process Explorer
TCPView
ProcMon
Autoruns
RootkitRevealer
Gather suspicious samples:
Collect into one location any files that the checks listed above indicate are suspicious.
Ensure that all sample files are included in a single password-protected .zip file. Set the password to infected.
Submit the samples to Trellix Labs. Upload the sample through the ServicePortal or Platinum Portal. For instructions, see KB68030 - Submit samples to Trellix Labs for suspected malware detection failure.
Collect and submit Minimum Escalation Requirements (MER) tool results for your products: run the MER tool for your products. For details about the MER tool list for security products, see KB59385 - How to use MER tools with supported products. Provide the Results.tgz file when you contact Technical Support.