Folder hiding and replaced by exe
Created: 18 Jan 2013 | Updated: 26 Feb 2013 | 6 comments
This issue has been solved. See solution.
Hello,
I have a FAS2040 with a CIFS share.
On this share I have a virus that hides folders and replaces them with .exe files. I suspect one of my users is infecting files. I need to find at least his IP address.
First I enabled auditing, but it was not detailed enough.
Then, to correct this issue, I installed Symantec Protection Engine 7 and configured it with my NetApp.
Symantec is working well; I can see in NetApp with the vscan command that Symantec is doing the job. But I have no entry at all for my hiding virus.
Do you know if there is an option in Symantec to monitor folder attributes with vscan? I have done a lot of searching but had no luck.
Thank you.
Hi,
Check this thread
https://www-secure.symantec.com/connect/forums/can...
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hello,
I have read your thread, and Symantec checks all files, even hidden ones, but not in my case. Also, I am scanning a NAS device; I think it is a different behaviour.
Here is what happened:
For me, SPE does not check file attribute changes, or I haven't found the right option.
Thanks
In case suspicious activity is still happening, follow the steps provided in the article below and submit the files to the Symantec Security Response Team:
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
What gets scanned is entirely determined by the NetApp filer. It requests a scan and the scan engine will return a result to the scan engine. You can turn the logging levels up to verbose and see the scan engine results for all files in a detailed report; otherwise you will only see files the scan engine determines to be a threat or encounters an error scanning.
I have checked the NetApp options and there is nothing about hidden folders or folder attributes. I have confirmation from NetApp support.
With verbose options I can see only the creation of the exe file:
Thu Jan 31 09:22:09 CET 2013, A file has been scanned
Event Severity Level : Verbose
File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\ERF.exe
Client SID : S-1-5-21-2043879999-2266753580-3138237620-7629
Client Computer : LPT357
Client IP : 10.123.4.162
Scan Duration (sec) : 0.016
Connect Duration (sec) : 0.047
Symantec Protection Engine IP address : 192.168.8.47
Symantec Protection Engine Port number : 0
Uptime (in seconds) : 152899
Nothing about attribute changes. So it means that I don't need antivirus for NAS, because NetApp does not log this action.
Even if I run a manual scan of this exe file with the Symantec Endpoint Protection 11 client on my computer, nothing is found.
I confirm that NetApp can't monitor folder ...
So finally I have resolved my issue, but it was not easy:
I am disappointed by Symantec. I had to prove that it was really a virus and find the source in order to get Symantec's definitions updated, knowing that other, lesser-known antivirus products had it in their databases. And I'm only a small customer with a fleet of 200 computers.
Anyway thank you for your help
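
The verbose entry quoted in this thread records the client IP, computer name and SID for each scanned file, so the scan log can be grouped by client to see which machines the .exe files are associated with. The following Python is an added example, not part of the original posts or of Symantec's tooling; the field labels come from the quoted entry, while the function names and the second and third sample entries are constructed.

```python
import re
from collections import defaultdict

# Field labels exactly as they appear in the verbose entry quoted in the thread.
LABELS = ["Event Severity Level", "File name", "Client SID", "Client Computer",
          "Client IP", "Scan Duration (sec)", "Connect Duration (sec)",
          "Symantec Protection Engine IP address",
          "Symantec Protection Engine Port number", "Uptime (in seconds)"]
LABEL_RE = re.compile("(" + "|".join(map(re.escape, LABELS)) + r")\s*:\s*")
# An entry starts with a timestamp such as "Thu Jan 31 09:22:09 CET 2013,".
ENTRY_RE = re.compile(
    r"(?=\b[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4},)")

def parse_entries(text):
    """Yield a dict per entry, whether its fields sit on one line or several."""
    for chunk in ENTRY_RE.split(text):
        if not chunk.strip():
            continue
        stamp, _, rest = chunk.partition(",")
        parts = LABEL_RE.split(rest)  # [event, label, value, label, value, ...]
        entry = {"Timestamp": stamp.strip(), "Event": parts[0].strip()}
        entry.update((k, v.strip()) for k, v in zip(parts[1::2], parts[2::2]))
        yield entry

def executables_by_client(text, extensions=(".exe",)):
    """Group scanned files with the given extensions by the client named in the entry."""
    hits = defaultdict(list)
    for e in parse_entries(text):
        name = e.get("File name", "")
        if e["Event"] == "A file has been scanned" and name.lower().endswith(extensions):
            key = (e.get("Client IP"), e.get("Client Computer"), e.get("Client SID"))
            hits[key].append((e["Timestamp"], name))
    return dict(hits)

# First entry is the one quoted in the thread (abridged); the other two are constructed.
SAMPLE = r"""Thu Jan 31 09:22:09 CET 2013, A file has been scanned Event Severity Level : Verbose File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\ERF.exe Client SID : S-1-5-21-2043879999-2266753580-3138237620-7629 Client Computer : LPT357 Client IP : 10.123.4.162 Scan Duration (sec) : 0.016
Thu Jan 31 09:25:40 CET 2013, A file has been scanned
File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\report.docx
Client Computer : EXAMPLE-PC
Client IP : 10.0.0.20
Thu Jan 31 09:26:02 CET 2013, A file has been scanned
File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\Budget.EXE
Client Computer : EXAMPLE-PC
Client IP : 10.0.0.20
"""

if __name__ == "__main__":
    for (ip, host, sid), files in executables_by_client(SAMPLE).items():
        print(ip, host, sid, len(files), "executable(s)")
```

Sorting the result by the earliest timestamp per client shows which machine first appears next to the executables.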