Endpoint Protection

  • 1.  DNS Changer

    Posted Dec 13, 2011 08:47 AM

    I am getting a report from one of my security vendors that I may have a DNS Trojan loose in my network somewhere. The problem I am having is locating it. In theory SEP is on every machine in the company. Symantec is not giving any alerts on this. The firewall is showing the traffic as coming from a legit DNS server. What I suspect is that someone is bringing in a machine from home in an office that has no IT presence in it, hooking it into the network, and picking up that server as its DNS server via DHCP. Questions:

    Does SEP detect DNS Changers, and if so, as what?

    Any thoughts on how I can reveal the IP address of the machine that is causing the traffic?

    I have had the server looked at and a security audit done on it by a 3rd party that I trust, and they see no indication of an infection on the server.



  • 2.  RE: DNS Changer

    Posted Dec 13, 2011 12:25 PM

    Symantec Endpoint Protection
    Traffic from IP address x.x.x.x is blocked from [date][time] to [date][time]
    [SID: #####]

    Yours just says "Denial of Service". This likely means it's being blocked by denial of service detection, not by signature. (Intrusion Prevention Policy > Settings > Enable denial of service detection)

    Why not just include the IP as an excluded host? (Intrusion Prevention Policy > Settings > Enable excluded hosts, then add in your printer's IP)

    http://www.symantec.com/business/support/index?page=content&id=TECH97176&locale=en_US

    Additionally, check the install guide.

    I have read somewhere that there is an option to check DNS or DHCP records in SEPM policies:

    http://www.upenn.edu/computing/virus/docs/sep/110x/Installation_Guide_SEP11.0.6.pdf



  • 3.  RE: DNS Changer

    Posted Dec 14, 2011 10:26 AM

    Hello,

    SEP will detect DNSChanger as Trojan.Flush.K or as Trojan.DNSChanger.

    Have a look: http://www.symantec.com/security_response/writeup.jsp?docid=2007-011811-1222-99


    regards,

    Marius



  • 4.  RE: DNS Changer

    Posted Dec 14, 2011 11:07 AM


  • 5.  RE: DNS Changer

    Posted Dec 14, 2011 01:41 PM

    Hey Rick,

    Have you found the DNS changer?

    Please, tell us how and what you have found.



  • 6.  RE: DNS Changer

    Posted Dec 14, 2011 04:33 PM

    Hello Rick,

    I'm a little confused by your original post, but I'll give it my best shot.

    It sounds to me that you're concerned that some of the machines in your environment may be using wrong DNS servers for DNS queries and that you think the cause of this may be a machine (or machines) on the network infected with a threat.

    Can I ask what information led you to believe this? If it was a report from a security product (or security staff), then does the report list the hostnames or IPs of computers they believe are affected?

    If you can get hold of a machine having this problem, you can run the command ipconfig /all from the Command Prompt and view the IP addresses of the DNS servers being used by that machine. Once you know the IP addresses of the DNS servers (assuming they are on your network), it should be fairly simple to trace the IP back to a MAC address. And once you know the MAC address, you should be able to locate the physical port on your network.

    Hope this helps.

    Regards,

    James
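    Following the procedure James describes (read the DNS servers out of ipconfig /all, then chase any unexpected one back to a MAC address), here is an added example that is not part of this thread: a small Python checker that parses saved ipconfig /all output and flags every adapter whose DNS or DHCP server falls outside an assumed approved set, so the hosts that picked up a rogue server can be located. The sample output, the MAC addresses and the approved-server sets are all constructed for the example.

```python
import re

# Constructed `ipconfig /all` excerpt (not real data): the wired adapter picked
# up an unexpected DHCP server that handed out a foreign DNS resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Server . . . . . . . . . . . : 10.0.5.200
   DNS Servers . . . . . . . . . . . : 10.0.5.200
                                       198.51.100.7

Wireless LAN adapter Wi-Fi:

   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
"""
APPROVED_DNS = {"10.0.0.10", "10.0.0.11"}  # assumed corporate resolvers
APPROVED_DHCP = {"10.0.0.1"}               # assumed corporate DHCP server

# Matches "Field . . . . : value" lines; continuation lines carry only a value.
KV_RE = re.compile(r"^\s+(.+?)[ .]*: (.*)$")

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}, folding continuation lines."""
    adapters, adapter, field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            adapter, field = line[:-1], None      # new adapter section
            adapters[adapter] = {}
        elif (m := KV_RE.match(line)) and adapter:
            field = m.group(1).strip()
            adapters[adapter].setdefault(field, []).append(m.group(2).strip())
        elif line.strip() and adapter and field:
            adapters[adapter][field].append(line.strip())  # e.g. 2nd DNS server
    return adapters

def audit(adapters, approved_dns=APPROVED_DNS, approved_dhcp=APPROVED_DHCP):
    """List (adapter, MAC, field, value) for servers outside the approved sets."""
    findings = []
    for name, fields in adapters.items():
        mac = fields.get("Physical Address", ["?"])[0]   # MAC to trace to a port
        for field, ok in (("DNS Servers", approved_dns), ("DHCP Server", approved_dhcp)):
            for srv in fields.get(field, []):
                if srv not in ok:
                    findings.append((name, mac, field, srv))
    return findings
```

    Run it against `ipconfig /all > host.txt` collected from each suspect machine; each finding gives the adapter's MAC address, which is what the switch's MAC table needs to locate the physical port.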



  • 7.  RE: DNS Changer

    Posted Dec 15, 2011 09:26 AM

    We think we found it; it's been 2 days so far since I got an alert. We did see traffic that gave indications of the infection going to an IP address and port known to be used by this infection. We narrowed it down to an office based on the time of day and week that it was happening, and realized we only had one small office open at that time. One user there was complaining of performance issues, so we resorted to using several different scanners in addition to SEP, and they found several infections that were removed. With the office the user is in, I have limited visibility as it is currently configured; I am hoping to change that in the coming months.



  • 8.  RE: DNS Changer

    Trusted Advisor
    Posted Dec 19, 2011 12:45 PM

    Hello,

    Check this Symantec blog:

    DNSChanger Fraud Ring Busted

    https://www-secure.symantec.com/connect/blogs/dnschanger-fraud-ring-busted

    Hope this is useful.



  • 9.  RE: DNS Changer

    Posted May 01, 2012 02:08 PM

    I've read the blog. I've read about Trojan.Flush (1st identified in 2007).

    The question is: Will SEP 11 and SEP 12 protect against the current DNSChanger risk?

    Will it detect, delete, clean, quarantine, or what?