
Source: NTA 4.2.3 Administrator Guide, "Common tasks and user scenarios".

Locate and isolate an infected computer

Created by Lori Krell_ret, last modified by Alexandra.Nerpasova on Oct 24, 2016


Consider the following scenario:

A local branch of your banking network that handles all of your credit card transactions complains of an extremely sluggish network, causing frequent timeouts during sensitive data transfers.

Use SolarWinds NTA to quickly pinpoint the source of such traffic and respond to the wide variety of viruses that can attack your network.

  1. Check that the link to the branch network is up.
  2. Click My Dashboards > Network > NPM Summary.
  3. Consult the Percent Utilization chart. You see that the current utilization is 98%, even though normal branch network utilization is 15-25%.
  4. Click My Dashboards > NetFlow > NTA Summary.
  5. Under NetFlow Sources, click the name of the branch network to view its flow-enabled router.
  6. Under Top 10 Endpoints, you can see that a single computer in the customer-accessible IP range is generating 80% of the load on the branch link. You know that computers in this IP address range are accessible to customers for personal transactions over the web.
  7. Under Top 10 Applications, you see that 100% of the last two hours of traffic from the publicly accessible computer has been generated by an IBM MQSeries messaging application. Click the application name to see that this IBM MQSeries messaging traffic uses port 1883.
  8. You do not have any devices using IBM MQSeries messaging in the customer-accessible location, nor any other services or protocols that require port 1883. You recognize that this is a virus exploit.
  9. Use a configuration management tool, such as SolarWinds Network Configuration Manager, to push a new configuration to your firewall that blocks port 1883.
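The same triage logic, as an added example that is not SolarWinds code: over constructed flow records, find the host in the customer-accessible segment that dominates the link, break its traffic down by application and port, and flag any port that is not on the list of services expected there. The 10.20.30.0/24 range, the byte counts and the allowed-port set are assumptions for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records, as a flow-enabled branch router would export them.
# Hosts, byte counts and the application label are assumed values for this example.
FLOWS = [
    {"src": "10.20.30.15", "dst_port": 1883, "app": "IBM MQSeries", "bytes": 800_000},
    {"src": "10.20.30.15", "dst_port": 1883, "app": "IBM MQSeries", "bytes": 700_000},
    {"src": "10.20.30.16", "dst_port": 443, "app": "HTTPS", "bytes": 120_000},
    {"src": "10.20.30.17", "dst_port": 443, "app": "HTTPS", "bytes": 90_000},
    {"src": "10.20.30.18", "dst_port": 53, "app": "DNS", "bytes": 40_000},
]

# Assumed: ports legitimately used from the customer-accessible segment.
EXPECTED_PORTS = {53, 80, 443}
CUSTOMER_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed customer-accessible range


def endpoint_share(flows):
    """Bytes per source host as a fraction of all bytes (the Top Endpoints view)."""
    total = sum(f["bytes"] for f in flows)
    by_host = Counter()
    for f in flows:
        by_host[f["src"]] += f["bytes"]
    return {ip: b / total for ip, b in by_host.items()}


def app_share(flows, host):
    """Share of one host's traffic per (application, port) pair (the Top Applications view)."""
    host_flows = [f for f in flows if f["src"] == host]
    total = sum(f["bytes"] for f in host_flows)
    by_app = Counter()
    for f in host_flows:
        by_app[(f["app"], f["dst_port"])] += f["bytes"]
    return {key: b / total for key, b in by_app.items()}


def find_suspects(flows, share_threshold=0.5):
    """Flag customer-segment hosts that dominate the link on a port not expected there."""
    findings = []
    for ip, share in endpoint_share(flows).items():
        if share < share_threshold or ipaddress.ip_address(ip) not in CUSTOMER_NET:
            continue
        for (app, port), frac in app_share(flows, ip).items():
            if port not in EXPECTED_PORTS:
                findings.append({"host": ip, "port": port, "app": app,
                                 "link_share": round(share, 2), "app_share": round(frac, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_suspects(FLOWS):
        print(finding)  # the host on port 1883 is the one to block at the firewall
```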
