If you suspect an infection in your network and can find the infected file, please upload the sample at https://www.microsoft.com/security/portal/submit.aspx
Only one file can be submitted at a time, and the size of that file is limited to 10 megabytes. Compress the file and password-protect it with the password "infected" (without quotes).
If you want to submit more than one file for analysis, compress the files into a single archive and password-protect it with the password "infected" (without quotes).
In the comments field, please provide any information you have about the infection.
The Microsoft Malware Protection Center will send you the results of the analysis of the submission.
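The packaging steps above can be scripted. The following PowerShell is an added example, not part of the original post or any Microsoft tool: it records a SHA-256 for each sample, builds one archive protected with the password "infected", and refuses to continue if the archive exceeds the 10 megabyte limit. It assumes 7-Zip is installed at the path shown; the parameter names and default archive path are illustrative.

```powershell
# Added example: package suspected samples for submission.
# Assumptions (not from the original post): 7-Zip is installed at the
# default path below; parameter names and the archive path are illustrative.
param(
    [Parameter(Mandatory = $true)][string[]]$SamplePath,
    [string]$Archive  = (Join-Path $env:TEMP 'submission.zip'),
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe'   # assumed install location
)

$ErrorActionPreference = 'Stop'
$maxBytes = 10MB          # per-file limit stated in the post
$password = 'infected'    # password the post asks for

if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7-Zip not found at $SevenZip" }

# Resolve the inputs and record a SHA-256 for each file, so the analysis
# result can later be matched to the exact file that was submitted.
$files = foreach ($p in $SamplePath) { Get-Item -LiteralPath $p -Force }
$manifest = $files | ForEach-Object {
    [pscustomobject]@{
        Path   = $_.FullName
        Bytes  = $_.Length
        SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}

# Build one password-protected archive. The samples are only read, never run.
if (Test-Path -LiteralPath $Archive) { Remove-Item -LiteralPath $Archive }
& $SevenZip a -tzip "-p$password" $Archive $files.FullName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# Enforce the size limit on the archive that will actually be uploaded.
$size = (Get-Item -LiteralPath $Archive).Length
if ($size -gt $maxBytes) {
    Remove-Item -LiteralPath $Archive
    throw "Archive is $size bytes; the limit is $maxBytes bytes per file."
}

$manifest | Format-Table -AutoSize
"Ready to upload: $Archive ($size bytes)"
```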
FCS customers, please contact Microsoft Customer Service and Support to raise an incident and follow the steps below.
You can also try these steps:
· Run a full scan on the infected machine with the most recent signature updates.
· Try to isolate the machine from the network to avoid spreading the infection.
Check the Prerequisites
· http://technet.microsoft.com/en-us/library/bb404270.aspx
If you still experience issues after reviewing the prerequisites, please contact Microsoft Customer Service and Support to raise an incident and follow the steps below.
Server installation issues: Gather and provide the engineer with the topology you are attempting to install, along with computer and account information (see the deployment guides).
Example:
| Item | Description | Your Notes |
| --- | --- | --- |
| Management server | Server name | |
| Collection server | | |
| Collection database | Server name and SQL Server instance name (if it's not the default) | |
| Reporting server | | |
| Reporting Database | Server name and SQL Server instance name | |
| Distribution Server | | |
| DAS Account | Domain user account required | |
| DTS Account | (Recommendation: re-use DAS account) | |
| Reporting Account | (Recommendation: re-use DAS account) | |
| Action Account | | |
| Management Group Name | Defined during Client Security setup | |
| Reporting Server URL | Defined during SQL Server 2005 setup (Default: http://reportingservername/ReportServer) | |
| Report Manager URL | Defined during SQL Server 2005 setup (Default: http://reportingservername/Reports) | |
| Size of Collection Database | | |
| Size of Reporting Database | | |
| WSUS Management URL | Created when installing WSUS | |
| WSUS Client Configuration URL | | |
Collect the failed setup log from the location below and share it with the engineer who contacts you.
For Server role installation:
<Install drive>\Program files\Microsoft Forefront\Client Security\Server\Logs\Server_date.log
For Client installation:
%Program Files%\Microsoft Forefront\Client Security\Client\Logs
Please run the CSS Sec MPS report from the following link on the distribution server: http://www.codeplex.com/SECTools/Release/ProjectReleases.aspx?ReleaseId=15744
(In a single-server topology, run it on the FCS server.)
Also run the CSS Sec MPS report from the same link on a client machine: http://www.codeplex.com/SECTools/Release/ProjectReleases.aspx?ReleaseId=15744
When a Microsoft engineer has contacted you, ask him/her for the workspace to upload the output of the MPS report.
Run the CSS Sec MPS report from the link:
http://www.codeplex.com/SECTools/Release/ProjectReleases.aspx?ReleaseId=15744
· Run it on all the Forefront Client Security server roles.
· In a single-server topology, run it on the FCS server.
· To run the script, you need to log in with an administrator ID.
· The script will not take more than 5 to 15 minutes.
· The script is transparent and uses little processor time and memory.
· Gather and provide the engineer with the topology you are attempting to install, along with computer and account information (see the deployment guides).
When a Microsoft engineer has contacted you, ask him/her for the workspace to upload the output of the MPS report.
Information on IIS:
· IIS anonymous (IUSR) user information.
· IIS metadata and module information (MBSchema.xml, MetaBase.xml, sysinfo xml).
· IIS configurations and logs.
Windows Update related information:
· WinHTTP proxy settings.
· BITS (service and queued job status).
· Missing security update information.
FCS information:
· FCS antimalware support logs.
· FCS Security State Assessment information.
· FCS account information.
· FCS client setup files.
· FCS database information.
· Profile settings of the FCS console.
· Status check for Forefront client dependency services.
MOM and Reporting Services information:
· MOM management pack information.
· MOM *.mc8 log files.
· MOM configuration (OnePoint database size and permissions, System Center Reporting database size and permissions).
· SQL Reporting Services information and logs.
Other information:
· DCOM information.
· Event logs (Application, System and Security event logs).
· Scheduled task information.
· Version of the Windows OS.
· Version and symbol information of executables.
· NTFS information.
· Group Policy information.
· Disk quota information.
· MS Office information.
· Hardware information of the local machine.
· ISA Server information.
· Security Center configuration (antivirus, firewall, Automatic Updates).
For more information, please read the readme file at the link: http://www.codeplex.com/SECTools/Release/ProjectReleases.aspx?ReleaseId=15744
Thanks
Swami
CSS Security Team