Endpoint Protection

  • 1.  Blackhole

    Posted Mar 28, 2011 04:26 PM

    One of our users apparently downloaded the Blackhole exploit kit from a server run by the Russian Business Network.  The user saw an alert from SEP on the screen, and our network security people tell us that Symantec blocked the malware successfully.

    But we never saw anything about this incident in any log -- neither the Symantec risk logs, nor any of the computer's event logs, and when we tried running a Rapid Release definition update on this computer, we got the message:

     No updateable version of Norton Anti-Virus was found... 

    Which would seem to indicate that the client was corrupted somehow, perhaps by Blackhole.  But according to the SEPM Console, the client is running fine; definitions are up-to-date, and the client checked in with the server a few minutes ago.

    Does anyone out there have experience with Blackhole?  Can you help me figure out what's going on?



  • 2.  RE: Blackhole

    Broadcom Employee
    Posted Mar 29, 2011 08:55 AM

    Hi,

    If you have doubts that the client is corrupted, run the SEP Support Tool; in the SEP Support Tool you will also find Power Eraser to scan the machine.

    http://www.symantec.com/business/support/index?page=content&id=TECH105414

    Do you see any logs in SEPM console for Blackhole exploit kit?

    A few articles regarding the Blackhole exploit kit:

    http://www.symantec.com/connect/blogs/blackhole-fever-continues

    http://www.symantec.com/connect/blogs/blackhole-theory

    http://www.symantec.com/connect/blogs/fragus-exploit-kit-changes-business-model



  • 3.  RE: Blackhole

    Posted Mar 29, 2011 09:20 AM

    Check the Security log on the SEP client.

    The IPS should've blocked this. What the user probably saw was the notification from the SEP client that traffic from x.x.x.x was blocked (or something similar).

    If that is the case and the traffic was inbound, then the IPS was doing its job and no further action should be needed (you can do some forensics to see what sites were visited and which one may have caused the alert).

    As a precaution, run a full scan in Safe Mode. You can also utilize Power Eraser.
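The forensics step suggested in the reply above (find which visited site led the browser to the blocked address) is usually done from the web proxy's access log rather than from the SEP client itself: take the IP the IPS blocked and the alert time, find the first request to that host, then walk the Referer headers backwards to the page the user actually opened. The script below is an added example, not code from this thread or from Symantec; the log lines are constructed, and the field layout (timestamp, client IP, method, URL, status, referer) is an assumed simplified proxy format, not SEP's own log format.

```python
"""Reconstruct the redirect chain that led a client to a blocked host,
using web-proxy access log lines.

Added example; the sample log and its field layout are constructed for
illustration (assumption: one request per line, space-separated fields
"timestamp client method url status referer", "-" for no referer).
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample: normal browsing, then a compromised site whose injected
# iframe bounces the browser through a redirector to a landing page on the
# host the IPS blocked (203.0.113.45 is documentation address space).
SAMPLE_LOG = """\
2011-03-28T16:20:01 10.1.2.3 GET http://news.example.com/ 200 -
2011-03-28T16:20:03 10.1.2.3 GET http://news.example.com/style.css 200 http://news.example.com/
2011-03-28T16:24:10 10.1.2.3 GET http://compromised-blog.example.net/post/17 200 http://news.example.com/
2011-03-28T16:24:11 10.1.2.3 GET http://redirector.example.org/in.php?id=7 302 http://compromised-blog.example.net/post/17
2011-03-28T16:24:12 10.1.2.3 GET http://203.0.113.45/landing.php?x=1 200 http://redirector.example.org/in.php?id=7
2011-03-28T16:24:13 10.1.2.3 GET http://203.0.113.45/content/ap1.php 403 http://203.0.113.45/landing.php?x=1
2011-03-28T16:30:00 10.1.2.3 GET http://mail.example.com/ 200 -
"""


def parse_log(text):
    """Parse the assumed proxy format into a list of dicts, one per request."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer = line.split(" ", 5)
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "status": int(status),
            "referer": None if referer == "-" else referer,
        })
    return entries


def first_contact(entries, client, blocked_host, alert_time, window=timedelta(minutes=5)):
    """Earliest request from `client` to `blocked_host` within +/- window of the alert.

    The IPS block and the proxy log come from different clocks, so a tolerance
    window is used instead of an exact timestamp match.
    """
    hits = [e for e in entries
            if e["client"] == client
            and urlparse(e["url"]).hostname == blocked_host
            and abs(e["ts"] - alert_time) <= window]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def redirect_chain(entries, landing):
    """Walk Referer headers backwards from `landing` to the page the user opened.

    Each step picks the most recent earlier request by the same client whose
    URL equals the current referer. A referer that never appears as a request
    (cached page, HTTPS origin, different proxy) is kept as the final hop.
    """
    chain = [landing["url"]]
    seen = {landing["url"]}
    current = landing
    while current["referer"] and current["referer"] not in seen:
        ref = current["referer"]
        candidates = [e for e in entries
                      if e["client"] == current["client"]
                      and e["url"] == ref
                      and e["ts"] <= current["ts"]]
        chain.append(ref)
        seen.add(ref)
        if not candidates:
            break
        current = max(candidates, key=lambda e: e["ts"])
    chain.reverse()  # origin page first, blocked landing page last
    return chain


def investigate(log_text, client, blocked_host, alert_time):
    """Return the redirect chain (origin ... blocked landing page), or [] if
    the client never contacted the blocked host near the alert time."""
    if isinstance(alert_time, str):
        alert_time = datetime.fromisoformat(alert_time)
    entries = parse_log(log_text)
    hit = first_contact(entries, client, blocked_host, alert_time)
    return redirect_chain(entries, hit) if hit else []


if __name__ == "__main__":
    # Alert time and blocked IP would come from the IPS notification / Security log.
    for hop in investigate(SAMPLE_LOG, "10.1.2.3", "203.0.113.45", "2011-03-28T16:25:00"):
        print(hop)
```

The chain tells you the order of pages, not which one is malicious by itself: in this sample the hop immediately before the redirector (the compromised blog) is the page that injected the exploit-kit iframe, while the first hop (the news site) is just where the user clicked through from. The 403 on the second request to the blocked host is what you would expect when the IPS cuts the connection after the landing page has already been fetched.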