Veritas-bu

[Veritas-bu] Code Red Backups

2001-08-08 19:58:14
Subject: [Veritas-bu] Code Red Backups
From: Fabbro.Andrew AT cnf DOT com (Fabbro, Andrew P)
Date: Wed, 8 Aug 2001 16:58:14 -0700
Greetings all,

We were hit by Code Red and a few boxes were infected.  Unfortunately, our
backups of these NT boxes now include the virus files in their backups.

The boxes have since been disinfected/patched.  If we need to restore a box
next week, it should be fine, since it will use this weekend's full +
incremental = no virus.
However, if we need to do a full rebuild before then (not likely, but
possible), then since we're not using True Image Recovery, we're going to
get c:\inetpub\scripts\root.exe and other viral baddies back.  Files that
the worm modified aren't a problem since we've patched and taken an
incremental since then, but files it _creates_ will come
back, which is a problem (like root.exe).

I haven't found a way to delete certain files from a backup image other than
expiring the whole image, which I'd rather not do.  Any suggestions?  Of
course, we can just tell people "if you use backups from these days, you
have to repatch," which I guess is the default solution if there isn't
anything that's cleaner.

-- 
Andrew (Drew) Fabbro      
Fabbro.Andrew AT cnf DOT com
CNF - Unix Servers Group
"Don't try to be like Jackie.  There is only one Jackie.
 Study computers instead." - Jackie Chan
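One defensive check for the situation described in the post (worm-created files such as c:\inetpub\scripts\root.exe surviving in images taken while the box was infected and coming back on restore): snapshot a manifest of the disinfected box, and after any restore from a suspect image compare the restored tree against it. This is an added example, not code from the original post or from NetBackup; the sample trees, the file names other than root.exe, and the "patched_component.dll" name are constructed for illustration.

```python
"""Post-restore check: compare a restored tree against a known-clean manifest.

Files present in the restore but absent from the clean manifest are the
worm-*created* artifacts the poster is worried about (candidates for
deletion); files whose hashes differ are candidates for re-patching.
"""
import hashlib
import tempfile
from pathlib import Path

# Known worm-created artifact named in the original post (lowercase, POSIX separators).
KNOWN_WORM_ARTIFACTS = {"inetpub/scripts/root.exe"}


def build_manifest(root):
    """Map each file's path relative to root (POSIX separators) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_restore(clean_manifest, restored_root):
    """Return (extra, changed, known) relative paths found in the restored tree.

    extra   - files not in the clean manifest (created during the infection window)
    changed - files whose contents differ from the disinfected box (re-patch needed)
    known   - files matching the worm artifact list, matched case-insensitively
              because the source filesystem (NT) is case-insensitive
    """
    restored = build_manifest(restored_root)
    extra = sorted(p for p in restored if p not in clean_manifest)
    changed = sorted(
        p for p in restored
        if p in clean_manifest and restored[p] != clean_manifest[p]
    )
    known = sorted(p for p in restored if p.lower() in KNOWN_WORM_ARTIFACTS)
    return extra, changed, known


def build_sample_trees():
    """Constructed sample: a disinfected box and a restore from an infected-era image."""
    base = Path(tempfile.mkdtemp(prefix="codered_check_"))
    clean = base / "clean"
    restored = base / "restored"
    for root in (clean, restored):
        (root / "inetpub" / "scripts").mkdir(parents=True)
        (root / "inetpub" / "wwwroot").mkdir(parents=True)
        (root / "inetpub" / "wwwroot" / "default.htm").write_bytes(b"<html>hello</html>")
    # Hypothetical component that was patched after disinfection; the image predates the patch.
    (clean / "patched_component.dll").write_bytes(b"patched build (constructed)")
    (restored / "patched_component.dll").write_bytes(b"unpatched build (constructed)")
    # Worm-created file that exists only in the restored (infected-era) tree.
    (restored / "inetpub" / "scripts" / "root.exe").write_bytes(b"constructed worm dropper stand-in")
    return clean, restored


if __name__ == "__main__":
    clean_root, restored_root = build_sample_trees()
    extra, changed, known = compare_restore(build_manifest(clean_root), restored_root)
    print("extra files (remove after restore):", extra)
    print("changed files (re-patch):", changed)
    print("known worm artifacts:", known)
```

In practice the clean manifest would be taken from the disinfected box right after patching and kept with the backup catalogue for the affected date range, so whoever restores from those images has a concrete list of what to delete and re-patch rather than the blanket instruction "if you use backups from these days, you have to repatch".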