Auto-reboot

[Abigail Miller]

I installed MS AntiSpyware on workstations at a client and
set them to automatically scan every day at 11am (because
apparently a user must be logged in for it to run, unlike
Windows Updates). The schedule is also set not to display
scan progress or scan results, and to automatically
quarantine/remove whatever it finds. As I'm sure we all
know, there is some malware that, when found and removed
by MS AntiSpyware, causes AntiSpyware to ask if you want
to reboot your computer before it regenerates - I assume
it's only specific pieces of malware because most of the
time you can remove malware and then continue on without
rebooting. My problem is this: I guess because I have
AntiSpyware set to not disturb the user while scanning, a
few systems have rebooted themselves after the scan was
completed, much to the users' surprise.

Now, how would I go about fixing this? Do I have to train
the users how to manually deal with the scan results? Or,
because the malware was found and dealt with already, will
it never reboot again (because the realtime agent will
find it when it tries to install rather than finding it on
a scan)? Thanks for any help you can provide.

 

[Bill Sanderson]

Tough question.

I'd recommend that on the systems which rebooted, you restart in safe mode
and do full, deep scans until one comes through clean. (i.e. if they are,
in fact, already clean, 1 scan.)

I've never run a workstation in this mode, although I do have it running,
without tray icons, on more than 3 dozen office machines in various client
offices.

When I installed, I ran through a full, deep scan and cleaned everything
found on each machine. It happens that all but about 3 of the cited
machines are quite clean--about all that I ever find are VNC variations
which were either remnants or known and legitimate.

I think you owe more to the clients than just installing the app--a
first-time around cleaning is a reasonable addition. In my case, because
the app was beta, and I was installing it in January, I didn't do this work
on billable time. I have billed them for time spent updating since then,
though. The time needed for a full scan and cleaning is significant--I tend
to do such work via Remote Desktop, and on a whole office at a time, so that
I'm not doing each machine serially.

I guess some of my feelings about this are from long experience with the
beta, and seeing what can go wrong. I absolutely recommend the app to every
customer, and run it on all the machines I administer, but I also know
things can go wrong, and that the beta isn't perfect--hence my decision to
sit through a full scan on the first install.

 

[Robin Walker [MVP]]

Now, how would I go about fixing this? Do I have to train
the users how to manually deal with the scan results?

At the moment, Microsoft AntiSpyware is on evaluation beta trials only. You
should not use MSAS in any production environment. So the tough answer to
your question is: either uninstall Microsoft AntiSpyware, or educate your
users to be beta-testers.