Endpoint Protection


Endpoint Protection error [SID: 24014]


  • 1.  Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 02:24 AM

    A client of mine is receiving the following error message as a callout to the Symantec Endpoint Protection icon located in the notification area of a computer running Windows XP SP3:

    <!> Symantec Endpoint Protection

    [SID: 24014] System Infected: Trojan Bayrob Activity 2 detected.

    After combing the Symantec site for information regarding this potential Trojan, I see no telltale signs of its existence.  First, it is indicated that the Trojan creates a Windows Update service with corresponding registry changes; this does not exist on the machine in question.  Additionally, none of the other telltale registry modifications associated with this Trojan seem to exist.  I've run a full system scan using Endpoint and it turns up nothing.  The above message occurs at one-minute intervals, meaning one minute with the message on the screen and one minute without it, with the capability to close the message; but clicking on the message does not reveal any additional detail.

    A screen capture of the desktop with this message is shown here:

    I am at a loss as to where to go with this one, as there isn't much revealed within support on this site or the web.

    Specifications for Endpoint:

    Version:  11.0.2020.56

    Antivirus and Antispyware protection:  Wednesday, July 13, 2011 r24

    Proactive Threat Protection:  Wednesday, July 13, 2011 r219

    Network Threat Protection:  Wednesday, July 13, 2011 r1

     

    The Quarantine and log areas show nothing.  A full system scan reveals no infections.

    Any help you can provide me is greatly appreciated!

    Thanks,

    Culprit



  • 2.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 02:48 AM

    Though running a scan has not revealed anything, it would be confusing when this popup comes up.

    Run Autoruns.exe and check the scheduled tasks running; remove them all.

    Remove unwanted startup items.

    Remove temporary files.

    Good luck!
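    One way to make the Autoruns review suggested above less manual, as an added example that is not part of the post and is not Sysinternals or Symantec code: save the Autoruns view as CSV and triage it for autostart entries that have no verified publisher, run from a temp directory, or point at a file that no longer exists. The column names are the layout this example assumes for an Autoruns CSV export (check the header row of your own export first), and the sample rows are constructed, not taken from a real machine.

```python
"""Triage an Autoruns CSV export for suspicious startup entries.

Added example; not Symantec or Sysinternals code.  It assumes the CSV
columns listed in SAMPLE_CSV's header row (check the header of your own
export first) and rates each autostart entry by a few simple red flags.
"""
import csv
import io
import re

# Constructed sample rows in the assumed Autoruns CSV layout; not a real export.
SAMPLE_CSV = r"""
Entry Location,Entry,Enabled,Category,Profile,Description,Publisher,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IgfxTray,enabled,Logon,System-wide,igfxTray Module,(Verified) Intel Corporation,c:\windows\system32\igfxtray.exe,6.14.10.4926,C:\WINDOWS\system32\igfxtray.exe
Task Scheduler,\UpdaterTask,enabled,Tasks,System-wide,,,c:\documents and settings\user\local settings\temp\upd.exe,,c:\documents and settings\user\local settings\temp\upd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,enabled,Logon,System-wide,,(Not verified) Example Corp,File not found: c:\tools\oldtool.exe,,c:\tools\oldtool.exe
HKLM\SYSTEM\CurrentControlSet\Services,Dhcp,enabled,Services,System-wide,DHCP Client,(Verified) Microsoft Windows,c:\windows\system32\dhcpcsvc.dll,5.1.2600.5512,%SystemRoot%\system32\svchost.exe -k netsvcs
""".strip("\n")

# Matches a \temp\ or \tmp\ path component, where installers rarely leave
# anything that should still autostart.
_TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def triage(csv_text):
    """Return the entries worth a closer look, most red flags first.

    Each finding is a dict with the entry's location, name, category, image
    path and the list of reasons it was flagged.  Entries with no reasons
    are dropped, so a clean export yields an empty list.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        publisher = (row.get("Publisher") or "").strip()
        image = (row.get("Image Path") or "").strip()
        if not publisher:
            reasons.append("no publisher information")
        elif not publisher.startswith("(Verified)"):
            reasons.append("publisher signature not verified")
        if image.lower().startswith("file not found"):
            reasons.append("image file missing (stale entry or self-deleting binary)")
        if _TEMP_RE.search(image):
            reasons.append("runs from a temp directory")
        if row.get("Category") == "Tasks" and not (row.get("Description") or "").strip():
            reasons.append("scheduled task with no description")
        if reasons:
            findings.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "category": row["Category"],
                "image": image,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['category']:8} {f['entry']:14} {f['image']}")
        for reason in f["reasons"]:
            print(f"         - {reason}")
```

    On the constructed sample the scheduled task running from the user's temp directory comes out on top, the stale Run entry whose binary is gone comes second, and the two verified vendor entries are not listed at all. The flags are heuristics, so a hit means "look at this", not "delete this".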



  • 3.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 02:57 AM

    The problem with IPS is false positives.  You can exclude this detection after performing the tasks mentioned above.

    Open SEPM

    Policies

    IPS

    Look for the SID; make it log only.



  • 4.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 04:08 AM

    Thanks for your help.  I've performed all of your mentioned tasks with nothing suspect, nor any change in the infection notification.  No plans exist within the company to update their client at this time, so it looks like I am on to using the recovery tool.  I am treading in new water with this move, so wish me luck!  I thank both of you for your excellent suggestions on my problem and hope that I am not digging myself a bigger hole with the recovery process.  If you have any dos and don'ts for recovery, please share.

     

    Thanks again!

    -Culprit



  • 5.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 04:23 AM

    Excluding the IP would be best, if that's a valid IP in your domain.



  • 6.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 06:09 AM

    Please check the above suggestion about the IP address.



  • 7.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 08:19 AM

    IPS signatures match behaviors and actions rather than actual code.  That is to say, you can, for example, send an extra huge ping to a remote computer with IPS installed and you'll see a Denial of Service block.  It doesn't mean you're actually initiating a DoS attack, just that you've matched (or exceeded) the threshold for the signature that watches for DoS.

    If you're getting an IPS detection, something is happening on that machine that matches the signature displayed.  If, say, part of an IPS signature says "if you see outbound traffic to http://xyz.com, block it as part of this signature", and you type http://xyz.com in your browser...it will trigger that detection, since it matches a behavior.

    This needs more information and investigation.  If there is some sort of event that can be traced back to ("we installed Bob's FTP program he wrote last week on 8 computers, and only those 8 computers are doing this"), we can check the software against our signature to determine if our signature needs to be changed, or if the software needs to change.

    If, however, this is on one machine (or a relatively small number of computers in the environment), and there's no obvious potential underlying issues, there's a chance that it's a completely legitimate detection of a new variant.

    I wouldn't exclude this host, or disable this IPS signature, until you've worked with support and we've determined that this is, in fact, a false positive.

    Detections are like a firearm...ALWAYS assume they're dangerous until it's been proven, to your satisfaction, that it *isn't*.
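    To make the point above concrete, here is an added example (not Symantec code, and not the format of a real SEP IPS signature): a stand-in rule that flags outbound HTTP to a watched host, run over constructed connection records. A browser visiting the host once and an unknown service contacting it every 60 seconds both match the same rule, which is exactly why the hit on its own says nothing about infection. The triage step then gathers the "more information" the post asks for: it groups hits by process and remote address, records the direction, notes whether the remote address falls in the private ranges (the "valid IP in your domain" question raised earlier in the thread), and measures the interval between hits. The rule, the SID number, the hostnames, the process names and the addresses are all constructed for illustration.

```python
"""Why an IPS hit is a behaviour match, not proof of infection.

Added example; not Symantec code and not the real format of SEP IPS
signatures.  The rule, the flow records, the SID number and the helper
names are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# One IPS-style rule: outbound HTTP to a watched host is a hit.  This is a
# stand-in for "if you see outbound traffic to xyz.com, flag it as part of
# this signature"; the process that sent the traffic plays no part in it.
RULE = {
    "sid": 99999,                 # constructed; deliberately not SID 24014
    "name": "Outbound contact with watched host",
    "direction": "out",
    "dst_port": 80,
    "hosts": {"xyz.example"},     # watched hostnames (constructed)
}

# Constructed connection records as an endpoint firewall/IPS might log them:
# (time in seconds, direction, process, remote ip, remote port, http host)
FLOWS = [
    (0,   "out", "iexplore.exe", "198.51.100.7", 80, "xyz.example"),  # user typed the URL once
    (5,   "out", "iexplore.exe", "198.51.100.9", 80, "news.example"),
    (10,  "out", "updsvc.exe",   "198.51.100.7", 80, "xyz.example"),  # same rule, different actor
    (70,  "out", "updsvc.exe",   "198.51.100.7", 80, "xyz.example"),
    (130, "out", "updsvc.exe",   "198.51.100.7", 80, "xyz.example"),
    (190, "out", "updsvc.exe",   "198.51.100.7", 80, "xyz.example"),
    (40,  "in",  "httpd.exe",    "10.0.0.25",    80, "xyz.example"),  # inbound from an internal host: no match
]

# RFC 1918 ranges; an address in here is "inside your domain" for the purposes
# of the exclusion advice earlier in the thread.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches(rule, flow):
    """A flow matches when direction, port and host line up.  Nothing else is checked."""
    _, direction, _, _, port, host = flow
    return direction == rule["direction"] and port == rule["dst_port"] and host in rule["hosts"]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def triage(rule, flows):
    """Group hits by (process, remote ip) and estimate the cadence of each group.

    Returns {(process, remote_ip): {"hits": n, "internal": bool, "period": seconds or None}}.
    'period' is set only when the gaps between hits are nearly equal, which
    is what a beacon looks like and what a user clicking a link does not.
    """
    by_actor = defaultdict(list)
    for flow in sorted(flows):              # sorted by time, the first tuple field
        if matches(rule, flow):
            t, _, proc, ip, _, _ = flow
            by_actor[(proc, ip)].append(t)
    report = {}
    for (proc, ip), times in by_actor.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = None
        if gaps and max(gaps) - min(gaps) <= 5:   # tolerate a little jitter
            period = sum(gaps) / len(gaps)
        report[(proc, ip)] = {"hits": len(times), "internal": is_internal(ip), "period": period}
    return report


if __name__ == "__main__":
    for (proc, ip), info in triage(RULE, FLOWS).items():
        cadence = f"every {info['period']:.0f}s" if info["period"] else "irregular / single"
        where = "internal" if info["internal"] else "external"
        print(f"SID {RULE['sid']}: {proc} -> {ip} ({where}), {info['hits']} hit(s), {cadence}")
```

    Both processes trigger the same rule, so the popup alone cannot distinguish them; only the per-process grouping shows one hit from the browser against a regular 60-second beat from a service nobody recognises, to an address outside the private ranges. That is the kind of evidence to bring to support before deciding the signature is wrong, and it is also why excluding a remote IP is only reasonable when that IP is one you control.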



  • 8.  RE: Endpoint Protection error [SID: 24014]

    Broadcom Employee
    Posted Jul 14, 2011 11:17 AM

    Hi,

    First, migrate to the latest version, RU6 MP3 (11.0.6300.803).

    You are using a very old version, i.e. RU2 (11.0.2020.56).



  • 9.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 01:11 PM

    Is the traffic inbound or outbound?



  • 10.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 02:14 PM

    Please let everyone know why the upgrade is needed.

    Please post the fix ID from the release notes; I would never upgrade if I'm not facing any issues from SEPM.

    For us, our older version works great!



  • 11.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 14, 2011 02:28 PM

    New builds released by Symantec can contain security fixes.

    We do not announce security flaws unless they are made public, or have been reported to us via responsible reporting.

    I can practically guarantee that there have been security vulnerabilities patched between SEP 11.0.2 and now (around 3 years ago) that we haven't announced...not to mention the changes to GUPs, the SEPM, clients, and so on.



  • 12.  RE: Endpoint Protection error [SID: 24014]

    Posted Jul 15, 2011 01:12 AM

    I'm not sure what version of the scan engine 11.0.2 has.  However, it was recommended earlier to have the enhanced scan engine, which might be available with the latest version.  When it comes to the threat details or removal, we have to make sure the scan has found anything.  It has nothing to do with the version and is well understood.  It is (technically) not necessary to upgrade, though.



  • 13.  RE: Endpoint Protection error [SID: 24014]

    Broadcom Employee
    Posted Jul 15, 2011 07:13 AM

    Hi,

    It is always good practice to have the latest version of antivirus.

    Especially if the customer is using MR2, which was released in April 2008 (more than 3 years old).