
Using SEPM Alerts and Reports to Combat a Malware Outbreak

Created: 25 Feb 2013 • Updated: 17 May 2013 | 18 comments
By Mick2009

"Monitor first" is the sound advice of security guru Bruce Schneier. Millions are typically spent putting a security infrastructure in place: AntiVirus clients, firewalls, IDS/IPS, and so on. These products stop most known threats and report back to a central management console what action they have taken.

But if no one is reading those logs and acting upon them, the company remains at a disadvantage. Here is an actual case (with data anonymized to protect the customer's identity) of how the reporting capabilities built in to the Symantec Endpoint Protection Manager (SEPM), combined with prompt action on that information, helped one admin who took the initiative to seek out the cause of the constant re-infections throughout her corporate network.

A Real-Life Example

Below is an example of how a report generated from SONAR logs can identify new malware for which there are not yet definitions. The same report also highlights the specific computers, among the company's thousands, that need immediate attention from the security admins.

This example is taken from a network of SEP 12.1 computers with the Proactive Threat Protection/SONAR component deployed. On a SEP network running only the AntiVirus component, other methods would have had to be used.

For the past week the network had been undergoing a persistent outbreak of various types of malware. Downloading and distributing Rapid Release definitions identified many new threats, but end users kept reporting still more suspicious activity.

To see if she could locate the source of the infections, the SEPM admin clicked Monitors, then Logs, and chose to view a SONAR report with the Advanced filter set to display only the events where the action resulted in a verdict of "Suspicious."


This generated an on-screen report of "Security risk found" events, which could then be exported to .csv format. The admin imported this file into MS Excel, enabled filtering, and hid certain columns so she could focus on the information she was looking for.

For the sake of space, the Date column is not displayed in this article, but the admin was quickly able to spot files which the SEP 12.1 clients detected over and over again, in the same locations on the same computers. Narrowing in again, she un-ticked the known, approved programs that were listed, un-ticked Tracking Cookies, and filtered to display only entries with a Detection Score of 80 or above.

Very quickly the report narrowed to executable files running from very unusual locations, with the random names typical of malware.

[Image: sonar-report_2.png]

A quick search on VirusTotal.com revealed that several of those SHA1 application hashes (unique identifiers for the files) had poor reputations. Action was definitely called for. Note that searching by hash discloses nothing about the file itself, and a hash with no results only means the file has not been seen there before, not that it is clean.

She also noticed that all of these suspicious files were located on just a handful of computers. She quickly gave instructions to have those computers isolated from the network so they could not spread the infection any further. This is an important best practice from the following article:

Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466 
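The filtering the admin did by hand in Excel (export the SONAR log to .csv, drop Tracking Cookies and known-approved programs, keep only Detection Scores of 80 or above, look for the same file detected repeatedly at the same path on the same computer, then list the hosts to isolate and the hashes to check) can be scripted for the next outbreak. The following is an added example, not code from the original article or from Symantec. The CSV rows are constructed; the column names (Computer, Risk Name, File Path, Detection Score, Application Hash, Action), the approved-program list and the "unusual location" directories are assumptions, so adjust them to match your own export.

```python
"""Triage a SEPM SONAR log export: the admin's Excel filtering, in code.

Added example. The CSV below is constructed; its column names, the
APPROVED_PATHS set and the UNUSUAL_DIRS list are assumptions, not taken
from a real SEPM export.
"""
import csv
import io
from collections import Counter

# Constructed sample export (raw string so the Windows backslashes survive).
SAMPLE_CSV = r"""Computer,Risk Name,File Path,Detection Score,Application Hash,Action
WS-0412,Suspicious Behavior,C:\Users\jdoe\AppData\Local\Temp\xk3q9.exe,92,1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a,Logged
WS-0412,Suspicious Behavior,C:\Users\jdoe\AppData\Local\Temp\xk3q9.exe,92,1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a,Logged
WS-0412,Suspicious Behavior,C:\Users\jdoe\AppData\Local\Temp\xk3q9.exe,92,1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a,Logged
WS-0097,Suspicious Behavior,C:\ProgramData\q7zv1p.exe,85,2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b,Logged
WS-0097,Suspicious Behavior,C:\ProgramData\q7zv1p.exe,85,2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b,Logged
WS-0097,Suspicious Behavior,C:\Users\Public\r2d2c3.exe,88,6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f,Logged
WS-0201,Tracking Cookies,C:\Users\asmith\AppData\Roaming\Microsoft\Windows\Cookies\ad.txt,40,3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c,Logged
WS-0333,Suspicious Behavior,C:\Program Files\CorpBackup\agent.exe,81,4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d,Logged
WS-0555,Suspicious Behavior,C:\Users\bob\Downloads\setup.exe,60,5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e,Logged
"""

# Admin-reviewed programs that legitimately trigger SONAR (assumed for the example).
APPROVED_PATHS = {r"C:\Program Files\CorpBackup\agent.exe"}
# Directories from which a freshly dropped .exe is rarely legitimate (assumed list).
UNUSUAL_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\",
                "\\users\\public\\", "\\recycler\\")
MIN_SCORE = 80     # the admin's Detection Score cut-off
MIN_REPEATS = 2    # same file, same path, same computer, seen repeatedly


def load_rows(text):
    """Parse the CSV export into dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_suspicious(rows, approved=APPROVED_PATHS, min_score=MIN_SCORE):
    """Drop Tracking Cookies, approved programs and events below the score cut-off."""
    kept = []
    for row in rows:
        if row["Risk Name"] == "Tracking Cookies" or row["File Path"] in approved:
            continue
        try:
            score = int(row["Detection Score"])
        except ValueError:   # blank or malformed score cannot meet the cut-off
            continue
        if score >= min_score:
            kept.append(row)
    return kept


def unusual_location(path):
    """Heuristic: an executable sitting under a temp, data or public directory."""
    lowered = path.lower()
    return lowered.endswith(".exe") and any(d in lowered for d in UNUSUAL_DIRS)


def repeat_detections(rows, min_repeats=MIN_REPEATS):
    """(computer, path) pairs detected at least min_repeats times: the re-infection signal."""
    counts = Counter((r["Computer"], r["File Path"]) for r in rows)
    return {key: n for key, n in counts.items() if n >= min_repeats}


def hosts_to_isolate(repeats):
    """Computers carrying a repeatedly detected file."""
    return sorted({computer for computer, _ in repeats})


def hashes_for_lookup(rows, repeats):
    """Distinct hashes of the repeat offenders, for a reputation check by hash."""
    return sorted({r["Application Hash"] for r in rows
                   if (r["Computer"], r["File Path"]) in repeats})


def triage(text=SAMPLE_CSV):
    """Run the whole pipeline and return the findings."""
    rows = filter_suspicious(load_rows(text))
    repeats = repeat_detections(rows)
    return {
        "filtered": rows,
        "repeats": repeats,
        "hosts": hosts_to_isolate(repeats),
        "hashes": hashes_for_lookup(rows, repeats),
    }


if __name__ == "__main__":
    findings = triage()
    for (host, path), n in sorted(findings["repeats"].items()):
        flag = " [unusual location]" if unusual_location(path) else ""
        print(f"{host}: {path} detected {n} times{flag}")
    print("Isolate:", ", ".join(findings["hosts"]))
    print("Look up by hash:", ", ".join(findings["hashes"]))
```

To use it on a real export, read the .csv file and pass its text to triage(). The approved-program set is the one step that still needs human judgement, exactly as it did in the Excel pass; everything else is mechanical and can be re-run each morning against the latest export.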

She also gave instructions for the SymHelp tool to be run on those computers with Load Point Analysis checked. This tool identifies suspicious files on a computer, which can then be collected and submitted to Symantec Security Response for full analysis:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team
https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

Aha! The suspicious files from her report were flagged by the SymHelp tool, along with several other files deemed to be possible malware. The admin zipped them up in batches of nine or fewer and submitted them to Symantec Security Response:

How to Use the Web Submission Process to Submit Suspicious Files
Article URL http://www.symantec.com/docs/TECH102419 

While Symantec examined the files, she took additional measures to secure the network: hunting for more SONAR samples with a lower Detection Score, and monitoring other logs. One action was to use the MD5 hashes (which Symantec mails back automatically after samples are submitted) to create an Application and Device Control (ADC) policy that blocked them. This was applied to client groups throughout the company, stopping those exact files from executing or spreading any further. A hash-based block is only a stopgap, though: a repacked or updated variant carries a different hash and will pass through until definitions or a behavioral detection catch it.

How to use Application and Device Control to limit the spread of a threat.
Article URL http://www.symantec.com/docs/TECH93451 

The compromised computers were fully patched, and third-party components such as Java and Adobe products were brought up to date. Their users were given strong new passwords and some education about computer security best practices. The machines were kept off the network, though, until they could receive a full system scan with definitions that contained protection.

In due course the submitted files were examined and new AntiVirus definitions prepared. These new defs were downloaded via LiveUpdate and applied to all clients throughout the network. Those suspicious files, it turned out, were members of the Downloader family. Evidently an attacker had been using that handful of compromised systems to constantly download new, undetected hack tools and infostealers, staying one step ahead of traditional signature-based AV defenses. These tools were also crafted to resist Auto-Protect's efforts to terminate their processes. They could not withstand a full system scan in Safe Mode, though!

By using SONAR's heuristic detections, reviewing the logs, and ensuring that compromised machines were fully cleaned before being returned to the network, the persistent infection was eradicated.

Many thanks for reading!  Please do leave comments and feedback below. 

This is just one example of how SEPM's built-in reporting and alerting features can be used to keep a corporate network stable and secure. If it would be helpful, I would be glad to provide additional illustrations.


Comments (18)

Mithun Sanghavi

Thumbs up..for this Amazing article Mick.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

W007

Really good article, thanks!

 

Mick2009

Just adding a couple of extra helpful links for admins seeking the source of network infections:

What is Risk Tracer?
http://www.symantec.com/docs/TECH102539

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
http://www.symantec.com/docs/TECH94526 

With thanks and best regards,

Mick

raju123

Thanks Mick2009 for the valuable and nice article, +1

Ch@gGynelL_12

Great Job! Really Helpful.

Mick2009

Adding a link to an excellent article that will be of help to admins identifying and tracking suspicious files....

How to utilize SEP 12.1 for Incident Response - PART 1
https://www-secure.symantec.com/connect/articles/how-utilize-sep-121-incident-response-part-1

With thanks and best regards,

Mick

Mick2009

I am glad to discover that Part 2 is now available:

How to utilize SEP 12.1 for Incident Response - PART 2
https://www-secure.symantec.com/connect/articles/how-utilize-sep-121-incident-response-part-2

With thanks and best regards,

Mick

John Santana

Wow this is cool, thanks Mick !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

anshul_pareek

Superb stuff!!


Thanks & Regards,

Anshul Pareek

Endpoint Security

Symantec

Mick2009

A second article in this informal series is now available....

Recovering Ransomlocked Files Using Built-In Windows Tools
https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

With thanks and best regards,

Mick

Matheus Vasconcelos

Very detailed article! Congratulations Mick!

Mick2009

Readers of this article may be interested in the series' third installment.....

Two Reasons why IPS is a "Must Have" for your Network
https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

With thanks and best regards,

Mick

Mick2009

The fourth in this series has just been posted- it is a long one, but definitely worthwhile.

The Day After: Necessary Steps after a Virus Outbreak

https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

With thanks and best regards,

Mick

Mick2009

The fifth article in this series is now available.  An illustrated guide to the tools and techniques necessary to defeat W32.Downadup can be found in the new Connect article:

Killing Conficker: How to Eradicate W32.Downadup for Good
https://www-secure.symantec.com/connect/articles/killing-conficker-how-eradicate-w32downadup-good

With thanks and best regards,

Mick
