Can't detect W32.Pilleuz with attrib h

Created: 07 Jan 2013 | 10 comments

Hi, I just discovered that SEP 12.1 with the latest updates and definitions (07.01.2013) can't detect W32.Pilleuz if the h attribute is set on the file.

If I do an attrib -h virusname.exe, the virus is detected almost instantly (maybe since I modified the file?). If I right-click on the USB drive and choose to scan for viruses, I find nothing. A full scan can't find anything either.

This installation of SEPM was a test/lab installation with all the default settings and SEP only deployed to the test server itself.

So how do I tweak SEP to scan the files with the -h attribute set? The virus is a bit too common on our branch offices for my liking... I also find it a bit disturbing that a default installation of SEP can't detect files with the -h attribute(?). SEP did stop the execution of the autorun.inf so my test lab wasn't infected, but it didn't scan the file the autorun tried to execute. So what do I need to change in my setup to make SEP find files like this?
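A triage script for the situation described above, added here as an example and not posted by anyone in this thread: it enumerates the hidden files on a removable drive (Get-ChildItem skips Hidden and System items unless -Force is given, which is the first thing to rule out when a manual check and a scanner disagree), records their attributes and SHA-256 hashes, and shows which executable the autorun.inf on the drive root points to. The drive letter E:\ is an assumption.

```powershell
# Added example, not from the thread or from Symantec: list hidden files on a
# removable drive with attributes and SHA-256 hashes, and show what the
# autorun.inf would launch. The default drive root E:\ is an assumption.
param(
    [string]$DriveRoot = 'E:\'
)

# -Force makes Get-ChildItem include Hidden and System items it would otherwise skip.
$hidden = Get-ChildItem -Path $DriveRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden }

foreach ($f in $hidden) {
    # Get-FileHash reads the content only; the attribute bits do not affect the hash.
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [PSCustomObject]@{
        Path       = $f.FullName
        Attributes = $f.Attributes.ToString()
        SizeBytes  = $f.Length
        SHA256     = $hash
    }
}

# autorun.inf on the drive root is the usual launcher; print the lines that name
# the executable (open=, shellexecute=, shell\...\command=) so it can be matched
# against the hidden files listed above.
$autorun = Join-Path -Path $DriveRoot -ChildPath 'autorun.inf'
if (Test-Path -Path $autorun) {
    Get-Content -Path $autorun |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
}
```

Because attrib -h only changes the file's attribute bits and not its content, the SHA-256 of a sample is identical before and after the attribute is cleared; running the script before and after the attribute change and comparing the hashes shows whether the file itself changed between the undetected and the detected scan, which is the question the post raises. The hash and path list is also what a support case or a Security Response submission needs alongside the sample.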

Mithun Sanghavi:

Hello,

W32.Pilleuz is a worm that spreads through file-sharing programs, MSN Messenger, and removable drives. It also opens a back door on the compromised computer.

By default Symantec Endpoint Protection will scan ALL files including one with a hidden attribute.

I would suggest you disable the AutoRun feature on the machine.

Preventing a virus from using the AutoRun feature to spread itself

http://www.symantec.com/business/support/index?page=content&id=TECH104447

In case suspicious activity is still happening, follow the steps provided in the article below and submit the files to the Symantec Security Response Team:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian:

This file should be scanned regardless of whether it is set to hidden or not.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

andreas.rosland:

Thank you Mithun, the advice regarding autorun is a good one (it's disabled with GPO) but it doesn't really answer my main question. Why isn't the virus discovered before I change the attribute? And how can I make SEP find the viruses without manually finding the virus and changing the attributes?

Finding the virus manually and changing the attributes isn't a very effective way to combat the virus ;)

The virus was uploaded to the Symantec Security Response team (#27467347) on 21.12.12, and on 24.12.12 they concluded that the file was the above-mentioned virus.

That wasn't a surprise, as Trend AV (protecting our servers) has stopped 4166 infections (worm_verst.sm, Trend's name for the same virus) since 6.11.12.

So how do I make SEP 12.1 detect the file without doing anything manually with the file?

.Brian:

SEP 12.1 (and even 11.x) already scans for all files, whether hidden or not (unless an exception was set).

You may want to open a support case so they can look into it further.


andreas.rosland:

And it may not be the -h attribute at all that prevents SEP from finding the virus, but change it and SEP will find the virus (and remove it). This could be a result of me modifying the file and triggering SEP to inspect the file that way.

But why isn't the virus detected when I scan the USB drive (right-click and "Scan for Viruses...")? I'm quite sure that isn't the intended behavior, and you all seem to agree it should scan -h files as well. But the reality is that this virus isn't detected before I change the attribute.

Well, I opened a support case (03282028) but it was closed with the following:
Resolution: Checked the file and found it is hidden.
Removed the attribute - SEP was able to clean the virus

So I opened this thread after I got the "Resolution" above, as it got me a bit frustrated...

.Brian:

So they basically told you to make the file "unhidden" and it will be detected?

Do you have an SE or case manager? That is not an acceptable solution.


Mithun Sanghavi:

Hello,

I understand. I am looking into the case and I have forwarded the request to the Symantec Security Team.


Mick2009:

Hi Andreas,

Cheers for starting this thread - let me see if I can help.

My understanding is that SEP 11 and 12.1 should detect and remediate threats whether or not the h attribute is set. (As a matter of fact, I personally used SEP 11 successfully a couple of years ago against this very same W32.Pilleuz threat in a "super hidden" folder - it worked, no problem. I used a manual scan of the USB drive rather than a right-click, if I remember right.)

I'll work with the case owner and see if there is something new or odd about your submitted samples. More news within a day or so!

With thanks and best regards,

Mick

Mick2009:

Hi Andreas,

Security Response has extracted your samples from that submission, put them on a USB key and hidden them. In their tests, SEP 12.1 could successfully detect and remediate the hidden files as W32.Pilleuz with both a manual scan and Auto-Protect.

Please do get in touch with Tech Support again if you have any future W32.Pilleuz files that you are having difficulty with. SEP 12.1 should be able to detect and remediate them without any trouble no matter what attributes are set.

Hope this helps!!

Mick

Mithun Sanghavi:

Hello,

Thank you, Mick, for updating the thread.

I agree with Mick. The Symantec Security Team performed the above test and was successful in detecting the same.

By default Symantec Endpoint Protection will scan ALL files including one with a hidden attribute.
