
Endpoint 12.1 and browser redirects

Created: 22 Jan 2013 | 12 comments

Can Endpoint detect page redirects or browser injections?

I'm having an issue where our network appliance alerts on redirects but symantec is not picking that up.


Josh Arbit


_Brian:

It should be able to detect this.

In the AV policy, click on the Miscellaneous tab; in the middle of the screen you will see the setting where, if a browser change is detected, it will then re-direct to a Symantec page.

Check your HOSTS file for malicious entries as well, and flush your DNS cache.

Check this thread as well:

https://www-secure.symantec.com/connect/forums/you...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Toolshed:

Yep.

I have it selected to open the Symantec site. Is there a way that I can get alerts on website redirects?

The HOSTS file is clean and I did do flushdns.


_Brian:

You cannot configure alerts within SEPM for this.


Mithun Sanghavi:

Hello,

Plan of Action:

1) Disable the System Restore http://support.microsoft.com/kb/283073

2) Disable the Browser Helper Objects on all Installed Browsers

3) Check the Hosts file of the machine to see if it has been tampered with. If yes, make the necessary changes to the Hosts file.

4) Log in to the machine as a different user and check if this issue is occurring.

If this issue is not occurring, you may like to delete the infected user profile after taking a backup of necessary files.

5) To check if there are any Suspicious files on the machine, work on the steps provided in the article below:

Using Symantec Support Tool, how do we collect the suspicious files and submit them to the Symantec Security Response Team:

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Also, check these threads with similar issues:

https://www-secure.symantec.com/connect/forums/help-removing-virus-redirects-web-page

https://www-secure.symantec.com/connect/forums/popup-and-redirect-virus

https://www-secure.symantec.com/connect/forums/help-re-direct-virus

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
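_Brian's advice to check the HOSTS file and step 3 of the plan above both come down to the same triage question: does any line in that file pin a real hostname to a remote address, or sink a security vendor's update domain to localhost? The script below is an added example, not part of this thread and not a Symantec tool; the hosts content it checks is constructed for illustration, the assumption that only loopback/unspecified targets are legitimate on a workstation is ours, and the list of vendor name fragments is an illustrative assumption you would tune to your environment.

```python
import ipaddress
from pathlib import Path
from typing import List, Tuple

# Constructed sample hosts-file content (not taken from the thread): two benign
# loopback entries, one benign local ad-block entry, and two entries of the kind
# a redirect infection typically adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       adserver.example.invalid   # local ad block, benign
198.51.100.23   www.bank.example           # suspicious: real name pinned to a remote IP
0.0.0.0         liveupdate.symantecliveupdate.com   # suspicious: blocks AV updates
"""

# Assumption: a workstation hosts file should only map names to loopback or
# unspecified addresses (127.x, ::1, 0.0.0.0). Anything else silently redirects
# a name to a remote host. The vendor fragments below are an illustrative
# assumption; sinking these names is a classic way malware blocks updates.
VENDOR_MARKERS = ("symantec", "liveupdate", "norton", "microsoft", "windowsupdate")

# Default Windows hosts path, used only when the script is run directly.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no names is not an entry
            continue
        ip, *names = parts
        for name in names:  # one address may carry several names on a line
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag entries that pin a name to a remote IP or sink a vendor/update domain."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        local_sink = addr.is_loopback or addr.is_unspecified
        if not local_sink:
            findings.append((ip, name, "name pinned to remote address"))
        elif name != "localhost" and any(m in name for m in VENDOR_MARKERS):
            findings.append((ip, name, "security/update domain sunk to localhost"))
    return findings


def check_hosts_file(path: Path) -> List[Tuple[str, str, str]]:
    """Read a hosts file from disk and return its suspicious entries."""
    return suspicious_entries(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Use the real Windows file when present; otherwise fall back to the sample.
    findings = check_hosts_file(WINDOWS_HOSTS) if WINDOWS_HOSTS.exists() \
        else suspicious_entries(SAMPLE_HOSTS)
    for ip, name, reason in findings:
        print(f"{ip:<18} {name:<40} {reason}")
```

On the constructed sample this reports the bank hostname pinned to 198.51.100.23 and the LiveUpdate domain sunk to 0.0.0.0, and stays quiet about the loopback and ad-block lines. A hit here is a reason to preserve the file and the machine state for submission rather than just edit the line out, which ties in with the later question in this thread about the removed DLL.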

Toolshed:

It just looks like there is a discrepancy.

Symantec is not picking up anything. Our network IDS appliance is picking up bad traffic to and from that PC.

Our techs ran Malwarebytes, which found a DLL inside the Adobe folder that it removed.

So I'm trying to figure out if Symantec is not doing its job, our NIDS appliance is being too aggressive, or Malwarebytes found a false positive and removed it.


_Brian:

Do you still have the DLL to submit to Symantec?


Toolshed:

Unfortunately the techs removed it.

I'm not really sure if it was a bad file. When users log in now they get an error message that the file is missing.

Maybe code was injected into that file. According to Malwarebytes it looks like it is a known threat, so I would assume that Symantec should have that in their defs.

_Brian:

Can you re-install Adobe and see if the file comes back?


Toolshed:

Shouldn't Symantec block the redirect so the files wouldn't get dropped to begin with?

_Brian:

If it's an unknown signature, then no, not necessarily. It just may have gone undetected.


Toolshed:

Yep, we had Ver. 9.

One of our techs is installing ver 11 right now.

_Brian:

Oh wow, quite an old version, and actually it is end of life. 9.x only had AV; at least with 11.x you will get AV, IPS, firewall, PTP, etc.

Should be a huge improvement.
