
Folders hidden and replaced by .exe

Created: 18 Jan 2013 • Updated: 26 Feb 2013 | 6 comments
This issue has been solved.

 

Hello,

I have a FAS2040 with a CIFS share.

On this share I have a virus that hides folders and replaces them with .exe files. I suspect one of my users is infecting the files. I need to find at least his IP address.

First I enabled auditing, but it was not detailed enough.

Then, to correct this issue, I installed Symantec Protection Engine 7 and configured it with my NetApp.

Symantec is working well; I can see in NetApp with the vscan command that Symantec is doing the job. But I have no entry at all for my hiding virus.

Do you know if there is an option in Symantec to monitor folder attributes with vscan? I have searched a lot, but without luck.

Thank you.

Comments (6)

arthrax:

Hello,

I have read your thread, and Symantec checks all files, even hidden ones, but not in my case. Also, I scan a NAS device, so I think it is a different behaviour.

Here is what happened:

  1. The virus hides my shared folders on my NAS and replaces them with .exe files
  2. I delete the .exe files and unhide the folders
  3. I activated Symantec Protection Engine
  4. After a few hours, the virus comes back with the same behaviour on the same shared files
  5. Nothing is seen by Symantec

For me, SPE does not check file attribute changes, or I haven't found the right option.

Thanks
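An added example, not code from the thread and not a Symantec or NetApp tool: a small Python script that looks for the pattern arthrax describes, a hidden folder X sitting next to a file X.exe in the same directory, by listing a mounted share. The Entry type, the function names and the sample listing are my own; the hidden bit is read from st_file_attributes, which Python only populates on Windows, so on other systems a leading dot is treated as hidden so that the code still runs.

```python
import os
import stat
from dataclasses import dataclass

# Windows "hidden" attribute bit; modern Python defines it in stat on every
# platform, but fall back to the documented value 0x2 just in case.
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


@dataclass(frozen=True)
class Entry:
    """One directory entry as seen on the share (hypothetical helper type)."""
    name: str
    is_dir: bool
    hidden: bool


def find_masquerading_pairs(entries):
    """Return (folder, exe) pairs where a hidden directory X sits beside a
    file X.exe in the same directory, the pattern described in the thread.
    Matching is case-insensitive because CIFS/NTFS names are."""
    hidden_dirs = {e.name.lower(): e for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".exe"):
            continue
        stem = e.name[:-4]  # strip ".exe"
        folder = hidden_dirs.get(stem.lower())
        if folder is not None:
            hits.append((folder.name, e.name))
    return sorted(hits)


def list_entries(path):
    """Read one directory (e.g. a mapped share) into Entry objects. The hidden
    bit comes from st_file_attributes, which Python only fills in on Windows;
    elsewhere a leading dot is treated as hidden so the code still runs."""
    out = []
    with os.scandir(path) as it:
        for de in it:
            st = de.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or de.name.startswith(".")
            out.append(Entry(de.name, de.is_dir(follow_symlinks=False), hidden))
    return out


def scan_share(root):
    """Walk every directory below root and collect masquerading pairs,
    keyed by the directory they were found in."""
    findings = {}
    for dirpath, _dirnames, _filenames in os.walk(root):
        pairs = find_masquerading_pairs(list_entries(dirpath))
        if pairs:
            findings[dirpath] = pairs
    return findings


if __name__ == "__main__":
    # Constructed sample listing, not data from the thread.
    sample = [
        Entry("Projects", is_dir=True, hidden=True),
        Entry("Projects.exe", is_dir=False, hidden=False),
        Entry("Finance", is_dir=True, hidden=False),  # visible folder: not flagged
        Entry("Finance.exe", is_dir=False, hidden=False),
        Entry("setup.exe", is_dir=False, hidden=False),  # no matching folder
    ]
    for folder, exe in find_masquerading_pairs(sample):
        print(f"hidden folder {folder!r} shadowed by {exe!r}")
```

Run `scan_share` against the mapped share path and schedule it; a new finding between two runs tells you when the folder was hidden, which narrows the window to search in the filer's audit log or the scan engine's verbose log.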

Ashish-Sharma:

In case suspicious activity is still happening, follow the steps provided in the article below and submit the files to the Symantec Security Response Team:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Thanks in advance

Ashish Sharma

BenDC:

What gets scanned is entirely determined by the NetApp filer. It requests a scan and the scan engine will return a result to the scan engine. You can turn the logging levels up to verbose and see the scan engine results for all files in a detailed report; otherwise you will only see files the scan engine determines to be a threat or on which it encounters an error while scanning.

arthrax:

I have checked the NetApp options and there is nothing about hidden folders or folder attributes. I have confirmation from NetApp support.

With the verbose option I can only see the creation of the .exe file:

Thu Jan 31 09:22:09 CET 2013, A file has been scanned Event Severity Level : Verbose File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\ERF.exe Client SID : S-1-5-21-2043879999-2266753580-3138237620-7629 Client Computer : LPT357 Client IP : 10.123.4.162 Scan Duration (sec) : 0.016 Connect Duration (sec) : 0.047 Symantec Protection Engine IP address : 192.168.8.47 Symantec Protection Engine Port number : 0 Uptime (in seconds) : 152899

Nothing about the attribute change. So it means that I don't need antivirus for the NAS, because NetApp does not log this action.

Even if I make a manual scan of this .exe file with the Symantec Endpoint Protection 11 client on my computer, nothing is found.
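To turn those verbose lines into the client lead arthrax is after, here is an added example (not part of the thread and not Symantec's tooling): a Python parser that splits an SPE verbose line on its known field labels, since the values themselves (UNC paths, SIDs) contain spaces, and then tallies which client IP triggered scans of .exe files on the share. The first sample line is the one quoted above; the other two are constructed in the same layout, and the function names are my own.

```python
import re
from collections import defaultdict

# Field labels of the verbose "A file has been scanned" line, in the order
# they appear in the line quoted in the thread. They serve as delimiters
# because the values (UNC paths, SIDs) contain spaces.
FIELD_LABELS = [
    "Event Severity Level",
    "File name",
    "Client SID",
    "Client Computer",
    "Client IP",
    "Scan Duration (sec)",
    "Connect Duration (sec)",
    "Symantec Protection Engine IP address",
    "Symantec Protection Engine Port number",
    "Uptime (in seconds)",
]
_LABEL_RE = re.compile("(" + "|".join(re.escape(lbl) for lbl in FIELD_LABELS) + r") : ")


def parse_spe_verbose_line(line):
    """Split one verbose SPE log line into a dict keyed by field label.
    Returns None for lines that carry none of the known labels."""
    timestamp, sep, rest = line.partition(", ")
    if not sep:
        return None
    labels = list(_LABEL_RE.finditer(rest))
    if not labels:
        return None
    record = {"timestamp": timestamp, "event": rest[: labels[0].start()].strip()}
    for i, m in enumerate(labels):
        end = labels[i + 1].start() if i + 1 < len(labels) else len(rest)
        record[m.group(1)] = rest[m.end():end].strip()
    return record


def exe_scans_by_client(lines):
    """Map each client IP to the sorted list of .exe file names whose scan it
    triggered. The filer asks SPE to scan on access, so a client listed here
    touched the file; that is a lead to investigate, not proof it wrote it."""
    by_client = defaultdict(set)
    for line in lines:
        rec = parse_spe_verbose_line(line)
        if rec is None or "File name" not in rec or "Client IP" not in rec:
            continue
        basename = rec["File name"].rsplit("\\", 1)[-1]
        if basename.lower().endswith(".exe"):
            by_client[rec["Client IP"]].add(basename)
    return {ip: sorted(names) for ip, names in by_client.items()}


SAMPLE_LOG = [
    # Line quoted from the thread.
    r"Thu Jan 31 09:22:09 CET 2013, A file has been scanned Event Severity Level : Verbose File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\ERF.exe Client SID : S-1-5-21-2043879999-2266753580-3138237620-7629 Client Computer : LPT357 Client IP : 10.123.4.162 Scan Duration (sec) : 0.016 Connect Duration (sec) : 0.047 Symantec Protection Engine IP address : 192.168.8.47 Symantec Protection Engine Port number : 0 Uptime (in seconds) : 152899",
    # Constructed lines in the same layout (not from the thread).
    r"Thu Jan 31 09:24:41 CET 2013, A file has been scanned Event Severity Level : Verbose File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\Projects.exe Client SID : S-1-5-21-2043879999-2266753580-3138237620-7629 Client Computer : LPT357 Client IP : 10.123.4.162 Scan Duration (sec) : 0.012 Connect Duration (sec) : 0.041 Symantec Protection Engine IP address : 192.168.8.47 Symantec Protection Engine Port number : 0 Uptime (in seconds) : 153051",
    r"Thu Jan 31 09:25:03 CET 2013, A file has been scanned Event Severity Level : Verbose File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\report.docx Client SID : S-1-5-21-2043879999-2266753580-3138237620-1104 Client Computer : LPT201 Client IP : 10.123.4.77 Scan Duration (sec) : 0.009 Connect Duration (sec) : 0.038 Symantec Protection Engine IP address : 192.168.8.47 Symantec Protection Engine Port number : 0 Uptime (in seconds) : 153073",
]

if __name__ == "__main__":
    for ip, names in exe_scans_by_client(SAMPLE_LOG).items():
        print(ip, names)
```

Feed it the whole verbose log instead of SAMPLE_LOG and the client that keeps showing up next to .exe names that match your folder names is the machine to look at first; the Client Computer and Client SID fields in the same record identify the host and user account.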

arthrax:

I confirm that NetApp can't monitor folders...

So finally I have resolved my issue, but it was not easy:

  1. I submitted the virus file to Symantec
  2. The virus was propagating faster, so we decided to open a ticket with our Symantec commercial contact. No help at the beginning.
  3. We used other antivirus products and Sophos detected the virus. It was a very old virus from 2007 in c:\setup
  4. We sent this virus to Symantec through our contact
  5. A rapid release was made very quickly and, after upgrading our client definitions with the Symantec Manager Console, no more virus
  6. 2 days after, I received the response from Symantec to my first submission in point 1: Symantec Endpoint can detect it....
  7. It took 1 month to remove this virus.

I am disappointed by Symantec. I had to prove that it was really a virus and find the source to update Symantec's definitions, knowing that other less-known antivirus products had it in their database. And I'm only a little customer with a fleet of 200 computers.

Anyway, thank you for your help.

SOLUTION