How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files
Article: TECH141402 | Created: 2010-10-07 | Updated: 2012-12-24 | Article URL: http://www.symantec.com/docs/TECH141402
Problem
You have a computer that you believe is infected with a threat, but scans with current definitions come back without finding it. How do you use the Load Point Analysis item with the Symantec Support Tool to find suspicious files to submit to Symantec?
Solution
- Obtain the Symantec Load Point data
1.) Download the Symantec Support tool (SST) from this URL:
http://www.symantec.com/techsupp/home_homeoffice/products/sep/Sep_SupportTool.exe
2.) Copy the SST to the machine believed to be infected and run it.
3.) Click I accept the EULA.
4.) Check the box for Load Point Analysis. This also checks the box for Definitions and Content Signatures; this is expected.
5.) Click Next.
6.) Allow the tool to run. This can take anywhere from 5 to 15 minutes, depending on the machine.
Once the tool completes, you can either view the data on that machine, or save the data to view it on another computer.
- Save Load Point data for review on a different computer
1.) Once the tool finishes running and has presented you with the results page, click Load Points: x items, then Load Point Analysis, then Save the Load Point Report.
2.) When you click Save the Load Point Report, a Save Report page with several fields including Name, Company, and so on will open. Fill these out as completely as possible.
3.) Click Ok. Once the save is complete, you’ll be brought back to the results page.
4.) The SST data is saved as a .sdbz file in the same folder from which you ran the SST.
- View Load Point data on a different computer
1.) Copy the SST to the “good” computer that you intend to use to view the data.
2.) Copy the .sdbz file generated above to the “good” computer.
3.) Run the SST as if you are going to run the tests on the “good” computer, but only accept the EULA.
4.) Click Open a report.
5.) Browse to the .sdbz file from above and double click it. This will open the results on the “good” computer.
- Reviewing Load Point information
1.) When opening a .sdbz file from another computer, you may be prompted to re-run the Load Point Reputation Database check. If prompted, click Yes. This may take a few minutes to run. If the reputation check completed successfully on the other machine, you will not get this prompt.
2.) Click Load Points:
Load Point Analysis: Report
The Load Point Report is meant to be a summary overview of the data found by the SST. Primarily, examine the data of the tests that failed; usually it will be a list of files that should be submitted, together with their locations. Let's take a look at the data in this example:
Looking at the example, there are 6 files that need to be either manually verified to be known internal tools or submitted. These files were flagged due to the suspicious factors outweighing the “good” factors, and the files ended up with a negative score. These files should be submitted to Symantec via the appropriate submission page. If you are unsure of the address, please check with Symantec Support.
Note: Tools that are created internally, which may not have been previously seen by Symantec, may show up as suspicious. If you have any doubt about a file that is shown as suspicious, please submit it.
Windows Load Points: Analysis
The Analysis view shows the results of checking file hashes against the Symantec reputation database. The SST checks a host of different properties of a file, such as whether it is signed, whether it is new, whether it is under a certain file size, and the like. A weight is assigned to each of these properties, and each file is given a score. If the score is far enough into the negative range, the file is automatically flagged as needing further investigation. You can click on each file listed to get details on why the file was scored as it was. As an example:
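The weighted scoring described above can be modelled in a few lines. The following Python is an added illustration, not Symantec's code: the property weights, the flag threshold, the "reputation database" and every load-point record are constructed assumptions chosen to show how a file ends up with a negative score and why, in the same spirit as the per-file detail view in the SST. The real tool's weights and thresholds are not published on this page.

```python
"""Simplified model of weighted load-point scoring (added example, not SST code).

All weights, the threshold, the reputation table and the sample load points
below are constructed assumptions for illustration only.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the reputation service: SHA-256 -> verdict.
# The real SST queries Symantec's database; these entries are invented.
REPUTATION = {
    hashlib.sha256(b"constructed known-good svchost bytes").hexdigest(): "good",
    hashlib.sha256(b"constructed known-bad dropper bytes").hexdigest(): "bad",
}

# Assumed weights: positive = "good" factor, negative = suspicious factor.
WEIGHTS = {
    "reputation_good": 5,
    "reputation_bad": -10,
    "signed": 2,
    "unsigned": -2,
    "new_file": -2,          # first seen fewer than NEW_FILE_DAYS ago
    "established": 1,
    "small_file": -1,        # below SMALL_FILE_BYTES
    "unusual_location": -2,  # outside the Windows / Program Files trees
}
NEW_FILE_DAYS = 30
SMALL_FILE_BYTES = 200 * 1024
FLAG_THRESHOLD = -3          # assumed: score <= threshold is flagged
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class LoadPoint:
    """One auto-start entry: the file it points to and the observed properties."""
    path: str
    location: str      # registry key, service or scheduled task that loads it
    sha256: str
    signed: bool
    age_days: int
    size_bytes: int


def score(lp: LoadPoint) -> tuple[int, list[str]]:
    """Return (score, reasons); reasons explain each weight applied."""
    total, reasons = 0, []

    def apply(key: str, note: str) -> None:
        nonlocal total
        total += WEIGHTS[key]
        reasons.append(f"{note} ({WEIGHTS[key]:+d})")

    verdict = REPUTATION.get(lp.sha256)
    if verdict == "good":
        apply("reputation_good", "hash known good")
    elif verdict == "bad":
        apply("reputation_bad", "hash known bad")
    else:
        reasons.append("hash not in reputation database (0)")

    apply("signed" if lp.signed else "unsigned",
          "digitally signed" if lp.signed else "not signed")
    if lp.age_days < NEW_FILE_DAYS:
        apply("new_file", f"first seen {lp.age_days} days ago")
    else:
        apply("established", f"first seen {lp.age_days} days ago")
    if lp.size_bytes < SMALL_FILE_BYTES:
        apply("small_file", f"small file ({lp.size_bytes} bytes)")
    if not lp.path.lower().startswith(TRUSTED_PREFIXES):
        apply("unusual_location", "outside Windows/Program Files")
    return total, reasons


def analyze(load_points: list[LoadPoint]) -> list[dict]:
    """Flag entries at or below FLAG_THRESHOLD, most negative first."""
    flagged = []
    for lp in load_points:
        s, why = score(lp)
        if s <= FLAG_THRESHOLD:
            flagged.append({"path": lp.path, "location": lp.location,
                            "score": s, "reasons": why})
    return sorted(flagged, key=lambda r: r["score"])


# Constructed sample load points (not real system data).
SAMPLE = [
    LoadPoint(r"C:\Windows\System32\svchost.exe", "Service: wuauserv",
              hashlib.sha256(b"constructed known-good svchost bytes").hexdigest(),
              signed=True, age_days=400, size_bytes=50_000),
    LoadPoint(r"C:\Users\alice\AppData\Roaming\updater.exe", r"HKCU\...\Run",
              hashlib.sha256(b"constructed unknown updater bytes").hexdigest(),
              signed=False, age_days=3, size_bytes=120_000),
    LoadPoint(r"C:\Tools\inventory.exe", "Scheduled task: Inventory",
              hashlib.sha256(b"constructed internal tool bytes").hexdigest(),
              signed=False, age_days=900, size_bytes=3_000_000),
    LoadPoint(r"C:\Program Files\Vendor\app.exe", r"HKLM\...\Run",
              hashlib.sha256(b"constructed vendor app bytes").hexdigest(),
              signed=True, age_days=200, size_bytes=1_000_000),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(f"{row['score']:>4}  {row['path']}  <- {row['location']}")
        for r in row["reasons"]:
            print(f"       - {r}")
```

Running it flags the recently dropped, unsigned file in a user profile and the old unsigned internal tool under C:\Tools, while the reputation-known system binary and the signed vendor application pass. The internal tool case is the one the note above describes: nothing about it is malicious, but with no reputation entry, no signature and an unusual location the suspicious factors outweigh the good ones, so it is reported for manual verification or submission.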