
A member (file is an .exe) got infected with a virus and we work in a heterogeneous environment like Linux & Windows FSA servers. How do you handle this issue?

schinnaswamy
1-Newbie


Hi All,

If one of your members (the file is an .exe) got infected with a virus and we are working in a heterogeneous environment like Linux & Windows FSA servers, will there be any issues if anybody opens this file to use it, or will there be any issues when it passes through any of our Windows servers? The name of the Trojan is Trojan.Gen.SMH and I am trying to find out more about the Trojan from our security team; meanwhile I want to ask this question in the Idea forum in case anyone has come across any such situation, and how you handled it.

Regards

Sreedhar

4 REPLIES
KaelLizak
14-Alexandrite
(To:schinnaswamy)

Hello Sreedhar,

Member revisions in the SQL database are "inert", so they can't actively propagate or negatively impact the database (other than taking up space).

The danger here is when those members are checked out by those who are unaware of the virus.  This is one of the few times we would recommend the use of the si deleterevision command (http://support.ptc.com/cs/help/integrity_hc/integrity109_hc/index.jspx?id=si_deleterevision&action=show).  By deleting the infected revision, you prevent someone from accidentally causing an outbreak of the virus contained in the revision.

Hopefully you can get an uninfected copy of the executable in question.

Regards,

Kael


Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager
khoppe
14-Alexandrite
(To:KaelLizak)

Hello Kael,

one additional question:

If an Integrity user finds out that ONE member revision contains a virus, how can they check whether others might also be infected without first synchronizing them?

Is there any way proposed by PTC how to handle such a problem?

Greetings,

Klaus

KaelLizak
14-Alexandrite
(To:khoppe)

Hi Klaus,

You can't check a revision without resynchronizing it.  If you suspect you might have infected revisions, I would expect that all the revisions would be checked by either the Integrity Administrator, the Security team, or someone on the Development team by resynchronizing all the versions.  Source Integrity is there to manage the versioning, regardless of what's in there.  The need to make sure that what's in there is the right thing is outside of Integrity's scope.

To be properly security conscious, it would probably be best to sandbox and script the scanning of suspected revisions by:

  1. Creating a firewalled virtual machine to do the scanning, and to prevent an accidentally activated infection from being able to propagate through the network
  2. Creating the sandboxes from the command line in one directory structure
  3. Scanning the lot of them with one scan action without ever putting them in a situation in which they can be executed (so never context-menu click on any of the potentially infected members, never put them in the executable path variable for the operating system, and so on)
  4. If possible, scripting the deletion of the problem revisions based on the output of the virus scanner
  5. Deleting/rolling back the virtual machine to a known good state

If you wanted to be as defensive as possible, you could do a post-checkout scan.  This isn't recommended because:

  1. It would slow down all affected checkouts substantially
  2. You'd have to write a trigger script to call the virus scanner on a member-by-member basis against the member

You might be tempted to simply scan every member as it's being checked in (or even just members with certain extensions). This slows down check-in for all the affected members (assuming you restrict it to members known to carry virus payloads, this could still be substantial).  If you filter by extension, "clever" users will add .txt or .jpg to some member names before checking them in to speed up the check-in process, defeating the automatic scan.

The real solution is to minimize the possibility of getting an infected member in the first place, which can be difficult.  A worst-case example would be something along the lines of a requirement for a particular open source executable for a given project, but the official site of that software package is compromised; you'll have to build from source to get a clean version, and you'll have to review the source first.

Regards,

Kael


Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager
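The scripted triage Kael outlines in steps 2 to 4 of his second reply, together with his point about extension filters being defeated by renaming, as an added example that is not part of this thread and not PTC's code. It assumes a clamscan-style report line (`<path>: <signature> FOUND`), that whoever created the sandboxes also wrote a manifest mapping `sandbox_dir/member` to `(project, revision)`, and that `si deleterevision` accepts `--project=` and `--revision=` (assumed option names; check against your Integrity release). The script clears execute bits on the whole sandbox tree, selects members to scan by PE/ELF magic bytes rather than by extension, and only prints the planned deletion commands for review.

```python
# Added example for this thread (not PTC's code): triage a virus-scan report over a
# tree of Integrity sandboxes, clear execute bits, pick members by file content
# rather than extension, and plan (not run) the `si deleterevision` calls.
import re
import shlex
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed clamscan-style report line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")

PE_MAGIC = b"MZ"        # DOS/PE header shared by Windows .exe and .dll files
ELF_MAGIC = b"\x7fELF"  # Linux executables


def parse_scan_report(report: str) -> List[Tuple[str, str]]:
    """Return (path, signature) pairs for every FOUND line in the report."""
    hits = []
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def is_native_executable(head: bytes) -> bool:
    """Classify by magic bytes, so payload.exe renamed to payload.txt is still
    selected for scanning (the extension-filter weakness noted in the thread)."""
    return head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC)


def strip_exec_bits(root: Path) -> int:
    """Clear x bits on every file under root so nothing in the sandbox tree can
    be launched by accident; returns the number of files changed."""
    changed = 0
    for p in root.rglob("*"):
        if p.is_file():
            mode = stat.S_IMODE(p.stat().st_mode)
            new_mode = mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if new_mode != mode:
                p.chmod(new_mode)
                changed += 1
    return changed


def plan_deletions(hits: List[Tuple[str, str]], root: Path,
                   manifest: Dict[str, Tuple[str, str]]) -> List[str]:
    """Map each hit back to (project, revision) through the manifest, which is
    keyed by "sandbox_dir/member" relative to root (assumed layout), and build
    one si deleterevision command per hit. Commands are returned for review."""
    cmds = []
    for path, sig in hits:
        rel = Path(path).resolve().relative_to(root.resolve()).as_posix()
        if rel not in manifest:
            raise KeyError(f"{rel} is not in the sandbox manifest")
        project, revision = manifest[rel]
        member = rel.split("/", 1)[1]
        cmds.append("si deleterevision "              # assumed option names
                    f"--project={shlex.quote(project)} "
                    f"--revision={shlex.quote(revision)} "
                    f"{shlex.quote(member)}  # {sig}")
    return cmds


def demo() -> dict:
    """Build a constructed sandbox tree in a temp dir and run the triage on it."""
    root = Path(tempfile.mkdtemp(prefix="scan_"))
    sb = root / "sb_tools_1_3"
    sb.mkdir()
    # Constructed, harmless stand-ins: a PE-looking file, the same bytes
    # renamed to .txt, and a plain text file.
    (sb / "tool.exe").write_bytes(PE_MAGIC + b"\x90" * 30)
    (sb / "tool.exe").chmod(0o755)
    (sb / "notes.txt").write_bytes(PE_MAGIC + b"\x90" * 30)
    (sb / "notes.txt").chmod(0o644)
    (sb / "readme.md").write_bytes(b"# plain text\n")
    (sb / "readme.md").chmod(0o644)
    manifest = {  # constructed: sandbox-relative path -> (project, revision)
        "sb_tools_1_3/tool.exe": ("/projects/tools/project.pj", "1.3"),
        "sb_tools_1_3/notes.txt": ("/projects/tools/project.pj", "1.1"),
    }
    # Constructed scanner output in the "path: SIGNATURE FOUND" shape
    report = (f"{sb / 'tool.exe'}: Win.Trojan.Generic-1 FOUND\n"
              f"{sb / 'readme.md'}: OK\n")
    to_scan = sorted(p.name for p in sb.iterdir()
                     if is_native_executable(p.read_bytes()[:4]))
    return {
        "exec_bits_cleared": strip_exec_bits(root),
        "by_content": to_scan,
        "commands": plan_deletions(parse_scan_report(report), root, manifest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it inside the firewalled scanning VM from step 1; the planned commands are printed for a human to check before anything is deleted, and the VM is rolled back afterwards as in step 5.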
KaelLizak
14-Alexandrite
(To:schinnaswamy)

Hi Sreedhar,

Did you have any follow-up questions, or did one of my answers address what you were looking for?  If one of these posts did answer your question, could you please acknowledge it by clicking on the Correct Answer button at the bottom of the relevant post?

Thanks,

Kael


Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager