Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

Missed Trojan

Created: 24 Aug 2009
thaller's picture
0 0 Votes
Login to vote
Hello Everyone,

So like I said in my last blog post, whenever something interesting or useful happens to me with regards to my dealing with SEP, I'll post about it, so here is the latest.

Last week we had an interesting "incident" with one of our clients.

The Client:

The client is a Windows XP SP2 Machine, that was on our Guest Network (Removed from the Corporate Network by Firewalling).
It was running SEP MR4 MP1 as an unmanaged client.

The client was set to auto-update from symantec every 4 hrs, and do a daily full scan.

The Problem:

We first noticed a problem when an end-user was complaining about "spyware" like symptoms, browser hijacking, popups, etc...

upon inspection SEP had not found anything, and the logs showed it was behaving as normal.

Upon furth investigation (using "other" tools) we found out that the machine was infected with Win32.XiaJian.bk Trojan.

As part of our incident response (Which I suggest every business create one) the machine was removed from the network, and re-built.

Our Incident response also calls for a call to be placed with tech-support of the A/V vendor for their angle on the problem.


So I logged a case with support and actually got some usefull information out of the call, that I wanted to share.

The outcome:

Support advised that there was not much that could be done, other than offer most likely causes for the missed detection.- Advised that frequently virus writers change the code slightly to bypass our definitions. Sometimes the threats can interfere with the major AV vendor’s products directly to disable them.
- They sent some information on how to manually submit our own finding for analysis (in which they can use to create better deffinition)
- They sent some information on how to use the Load Point utility, to better aid in the troubleshooting of issues that were missed by SEP.

The Information they sent:

Thank you for calling Symantec Technical Support. Here is the information on how to download and run the Load Point Diagnostic utility we discussed.

To download the utility, open the following web page in a browser:
https://fileshare.symantec.com

Log in with the following information:

Login ID: loadpoint
Password: Lo4dpo!nt

Once you have downloaded the utility, please follow the instructions in the following document:

Note: This tool generates a report with an extensive list of the programs that are loading on your computer. You can then use the resulting report to research the legitimacy of each program or process that is loading and therefore determine if you have any potentially malicious programs that are not being detected by Symantec AntiVirus.

Title: 'Using the Load Point Diagnostic Utility'
Document ID: 2008053012231648
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008053012231648?Open&seg=ent

Note: This utility is provided for your convenience only. Symantec Technical Support cannot provide support for the use of this utility or any scripts calling this utility.

I hope this proves usefull for someone, as it should prove use full to me in the future.

Thank you for calling Symantec Enterprise Support. You may submit a file to be examined by Security Response directly from Symantec Endpoint Protection, or with Symantec AntiVirus Corporate Edition by excluding the original location of the sample and restoring it, then using the submission site.

To submit a file directly from the Quarantine of Symantec Endpoint Protection:

Title: 'How to submit file(s) from quarantine using the new user interface within Symantec Endpoint Protection 11.0'
Document ID: 2007031308253048
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007031308253048?Open&seg=ent

To create exceptions for the original location of the file in Symantec AntiVirus Corporate Edition in order to restore from Quarantine and manually submit the file:

Title: 'Excluding specific drives and folders from Symantec AntiVirus scans'
Document ID: 2002092413394848
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002092413394848?Open&seg=ent

To upload a suspected infected file to Symantec Security Response, please follow the manual submission process at the following URL:
https://submit.symantec.com/gold/

Please do not send any submissions to the email address this message was sent from. Submissions to this email address will not be accepted and could cause delays in the examination of the submission.

You will receive an e-mail reply from your submission, containing a tracking number. If you have additional questions, please call back and reference your case ID and submission tracking number.

If you need assistance determining what items are loading on a particular machine, please refer to the following documents:

Title: 'Common loading points for viruses, worms, and Trojan horse programs on Windows NT/2000/XP/2003'
Document ID: 2001060517115206
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2001060517115206?Open&seg=ent
Title: 'Common loading points for viruses, worms, and Trojan horse programs on Windows 98/95/3.1x'
Document ID: 1999052415383948
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/1999052415383948?Open&seg=ent