Endpoint Protection


Endpoint 12.1 and browser redirects

  • 1.  Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 09:55 AM

    Can Endpoint detect page redirects or browser injections?

    I'm having an issue where our network appliance alerts on redirects but Symantec is not picking that up.

     

    Josh Arbit



  • 2.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 09:59 AM

    It should be able to detect this.

    In the AV policy, click on the Miscellaneous tab and in the middle of the screen you will see where, if a browser change is detected, it will then redirect to a Symantec page.

    Check your HOSTS file for malicious entries as well as flush your DNS cache.

    Check this thread as well

    https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection



  • 3.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 12:29 PM

    Yep.

    I have it selected to open the Symantec site. Is there a way that I can get alerts on website redirects?

    HOSTS file is clean and I did do flushdns.



  • 4.  RE: Endpoint 12.1 and browser redirects

    Trusted Advisor
    Posted Jan 22, 2013 12:33 PM

     

    Hello,

    Plan of Action - 

    1) Disable the System Restore http://support.microsoft.com/kb/283073

    2) Disable the Browser Helper Objects on all Installed Browsers

    3) Check the Host file of the machine if it has been tampered with. If yes, make the necessary changes to the host file.

    4) Log in to the machine as a Different User and check if this issue is occurring.

    If this issue is not occurring, you may like to delete the Infected User Profile after taking a back up of necessary files.

    5) To check if there are any Suspicious files on the machine, work on the steps provided in the article below:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

    Also, Check these Threads with similar issue - 

    https://www-secure.symantec.com/connect/forums/help-removing-virus-redirects-web-page

    https://www-secure.symantec.com/connect/forums/popup-and-redirect-virus

    https://www-secure.symantec.com/connect/forums/help-re-direct-virus

    Hope that helps!!
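
The HOSTS file check recommended in replies 2 and 4 can be scripted. The PowerShell below is an added example, not part of the thread or any Symantec tool; the helper name `Get-HostsFinding` and the sample entries are constructed for illustration.

```powershell
# Added example: list HOSTS entries that go beyond the default localhost mapping.
# Get-HostsFinding is a hypothetical helper name; the sample lines are constructed.
function Get-HostsFinding {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string[]]$Content   # optional: supply lines directly instead of reading $Path
    )
    if (-not $Content) { $Content = Get-Content -LiteralPath $Path -ErrorAction Stop }

    $local = '127.0.0.1', '::1', '0.0.0.0'
    $lineNo = 0
    foreach ($raw in $Content) {
        $lineNo++
        # Strip any trailing comment, then skip blank lines
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }

        $fields = @($line -split '\s+')
        $addr   = $fields[0]
        $names  = @($fields | Select-Object -Skip 1)
        $ip     = $null
        if ($names.Count -eq 0 -or -not [System.Net.IPAddress]::TryParse($addr, [ref]$ip)) {
            [pscustomobject]@{ Line = $lineNo; Address = $addr; Name = ''; Finding = 'Malformed' }
            continue
        }
        foreach ($name in $names) {
            $isLocal = $local -contains $addr
            if ($isLocal -and $name -eq 'localhost') { continue }   # expected default
            # A name pinned to a remote address is sent to that server;
            # a name pinned to a local address stops resolving normally.
            $finding = if ($isLocal) { 'PinnedToLocal' } else { 'PinnedToRemote' }
            [pscustomobject]@{ Line = $lineNo; Address = $addr; Name = $name; Finding = $finding }
        }
    }
}

# Constructed sample input (documentation addresses and example domains)
$sample = @(
    '# sample hosts content',
    '127.0.0.1      localhost',
    '203.0.113.10   www.example.com',
    '127.0.0.1      updates.example.net   # comment after an entry'
)
Get-HostsFinding -Content $sample | Format-Table -AutoSize
```

Called with no arguments, the function reads the machine's own HOSTS file; any row it returns is an entry to review by hand before flushing the DNS cache.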



  • 5.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 12:56 PM

    You cannot configure alerts within SEPM for this.



  • 6.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 01:42 PM

    It just looks like there is a discrepancy.

    Symantec is not picking up anything. Our Network IDS appliance is picking up bad traffic to and from that PC.

    Our techs ran Malwarebytes, which found a DLL inside the Adobe folder that it removed.

    So I'm trying to figure out if Symantec is not doing its job, our NIDS appliance is being too aggressive, or Malwarebytes found a false positive and removed it.



  • 7.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 01:43 PM

    Do you still have the dll to submit to Symantec?



  • 8.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 02:09 PM

    Unfortunately, techs removed it.

    I'm not really sure if it was a bad file. When users log in now they get an error message that the file is missing.

    Maybe code was injected into that file. According to Malwarebytes it looks like it is a known threat, so I would assume that Symantec should have that in their def.



  • 9.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 02:12 PM

    Shouldn't Symantec block the redirect so the files wouldn't get dropped to begin with?



  • 10.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 02:12 PM

    Can you re-install Adobe and see if the file comes back?

     



  • 11.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 02:13 PM

    Yep, we had Ver.9.

    One of our techs is installing ver 11 right now.



  • 12.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 02:13 PM

    If it's an unknown signature, then no, not necessarily. It just may have gone undetected.



  • 13.  RE: Endpoint 12.1 and browser redirects

    Posted Jan 22, 2013 02:23 PM

    Oh wow, quite an old version, and actually it is end of life. 9.x only had AV; at least with 11.x you will get AV, IPS, firewall, PTP, etc.

    Should be a huge improvement.