Endpoint Protection

  • 1.  Downloader.Dromedan Activity

    Posted Oct 29, 2015 11:25 PM

    Hi Guys,

    For the past week, whenever users are connected to a data card and working, Symantec has been showing the notification "Downloader.Dromedan Activity detected". Due to this, internet connectivity is not working, since Symantec is blocking the traffic for up to 600 seconds. This is showing as activity 9, 10 & 11. How can we prevent this or, for the time being, how can we allow this IPS signature?

    If it is allowed, what will be the impact? Please help.

     



  • 2.  RE: Downloader.Dromedan Activity

    Posted Oct 30, 2015 12:46 AM

    Looks like there may be some infected files residing on the PC. Can you run a threat analysis scan with SymHelp and post the log here?

     

    https://www.symantec.com/security_response/writeup.jsp?docid=2011-101915-4058-99



  • 3.  RE: Downloader.Dromedan Activity

    Posted Oct 30, 2015 03:46 AM

    Hi Srikanth_Subra,

    The data card (SD card/USB drive used to share files) is infected with Downloader.Dromedan.  When sharing it around, the end users are spreading an infection throughout the network.  It is absolutely essential to get that card and those computers isolated before they can further spread the threat!

    Best Practices for Troubleshooting Viruses on a Network
    http://www.symantec.com/docs/TECH122466

     

    Do not disable IPS as it is what is saving you at the moment.

    Spotting the malicious file on that drive will be easy enough.  Just use SymHelp to scan the SD Card.  Here is an illustrated guide:

    Using Today's SymHelp to Combat Today's Threats
    https://www-secure.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

     

    Once you have identified that large oddly-named suspicious file, submit it to Security Response.  They will build defenses against it which will remove the infection and stop those IPS alerts.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

     

    Please do keep this thread up-to-date with your progress! &: )

    Mick

     



  • 4.  RE: Downloader.Dromedan Activity

    Posted Oct 30, 2015 07:50 AM

    You need to pull that machine from the network and get it cleaned up, preferably re-image it.



  • 5.  RE: Downloader.Dromedan Activity

    Posted Oct 30, 2015 03:23 PM

    I would suggest you contact Symantec Technical Support to perform a threat analysis on (at least one of) the affected machines and to identify whether this is really an attack or just a false positive detection. In either case, tech support will help you resolve the issue.



  • 6.  RE: Downloader.Dromedan Activity

    Trusted Advisor
    Posted Nov 01, 2015 06:53 AM

    Hello Srikanth,

    Why create an IPS exception for this and put yourself at risk? Currently, it is not recommended.

    I would suggest you run a Threat Analysis Scan...

    Here are the official Symantec articles on how to run the tool for Threat Analysis:

    About the Threat Analysis Scan
    http://www.symantec.com/docs/TECH215550

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)
    http://www.symantec.com/docs/TECH215519

     

    Regards,

     



  • 7.  RE: Downloader.Dromedan Activity

    Posted Nov 02, 2015 07:34 AM

    Hi Srikanth_Subra,

     

    Just a ping to see how you are progressing?  The thread is still marked "needs solution."

     

    Many thanks,

     

    Mick