Cleaning Up a SUS Server After a Virus Infection


 
A virus broke into my SUS patches directory and I think almost all files were damaged. With antivirus I was able to fix each and every file, but because the virus was polymorphic, I do not know if the files are okay after the cleanup.

I downloaded a new patch yesterday. I approved it, and the IIS log showed successful download entries, on the desktop and also the Windows 'UPDATE.LOG' shows that a detection cycle was performed, but does not show that any EXE was downloaded.

What is strange is that in 'C:\Program Files\WindowsUpdate' there is a 'tmp' directory, where the update gets downloaded (by schedule or by forcing a detection cycle), but never installed.

Also, there are no 'Automatic Updates' source events in the System log. Nevertheless, I can execute the patch manually from any place, it gets installed and seems to be intact.

I think my anti-virus cleanup procedure was not successful in all cases and patches were damaged.

So I am looking for a way to clean up my SUS server directory to a clean state. I wouldn't like to have to re-install SUS because it is very stable. Also I would like to know if, after re-download, I have all needed patches.

Contributed By: Don Cottam [MS]

Are you positive that you have completely cleaned the virus off of the SUS server? If so, then the best way to clean the SUS content (EXE and CAB files) is to completely delete everything in the '\SUS\Content\Cabs' folder and re-synchronize your SUS server so that all content is downloaded again.

The virus may have changed some of the EXE/CAB files, and in cleaning up the virus you may have changed them again - either way, once any of them is changed the digital signature is invalid, and the Automatic Update client will refuse to install anything with an invalid digital signature.
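
To check whether files in the content folder still carry intact signatures (before deleting them, or after the re-synchronization), the following added example audits each EXE and CAB file with PowerShell's `Get-AuthenticodeSignature`. It is not part of the original answer or of SUS itself; it assumes PowerShell 3.0 or later, that an Authenticode check is a reasonable stand-in for the client's own signature validation, and a content path you supply (the `D:\` path shown is a placeholder, and the function name is hypothetical).

```powershell
# Added example, not from the original answer or any SUS tooling.
# Reports the Authenticode signature status of every EXE/CAB under the SUS content folder.
function Test-SusContentSignature {
    param(
        # Full path to the SUS content folder; the drive letter depends on your install.
        [Parameter(Mandatory = $true)]
        [string]$ContentPath
    )

    if (-not (Test-Path -LiteralPath $ContentPath -PathType Container)) {
        throw "Content folder not found: $ContentPath"
    }

    Get-ChildItem -LiteralPath $ContentPath -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.cab' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status   # e.g. Valid, HashMismatch, NotSigned
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Placeholder path: replace with the real location of \SUS\Content\Cabs.
$results = Test-SusContentSignature -ContentPath 'D:\SUS\Content\Cabs'

# Summary by status, then the files that need attention.
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

A `HashMismatch` status means the file content no longer matches its signature, which is the condition the answer describes for files altered by the virus or by the cleanup.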
 

© FAQShop.com 2003 - 2008
