Protection Engine for Network Attached Storage

  • 1.  Folder hiding and replaced by exe

    Posted Jan 18, 2013 04:26 AM

    Hello,

    I have a FAS2040 with a CIFS share.

    On this share I have a virus that hides folders and replaces them with .exe files. I suspect one of my users is infecting files. I need to find at least his IP address.

    First I enabled auditing, but it was not detailed enough.

    Then, to correct this issue, I installed Symantec Protection Engine 7 and configured it with my NetApp.

    Symantec is working well; I can see in NetApp with the vscan command that Symantec is doing the job. But I have no entry at all for my hiding virus.

    Do you know if there is an option in Symantec to monitor folder attributes with vscan? I have searched a lot, but I'm unlucky.

    Thank you.



  • 2.  RE: Folder hiding and replaced by exe

    Posted Jan 18, 2013 04:36 AM

    Hi,

    Check this thread:

    https://www-secure.symantec.com/connect/forums/cant-detect-w32pilleuz-attrib-h



  • 3.  RE: Folder hiding and replaced by exe

    Posted Jan 21, 2013 04:57 AM

    Hello,

    I have read your thread: Symantec checks all files, even hidden ones, but not in my case. Also, I scan a NAS device; I think it is a different behaviour.

    Here is what happened:

    1. The virus hides my shared folders on my NAS and replaces them with exe files
    2. I delete the exe files and unhide the files
    3. I activated Symantec Protection Engine
    4. After a few hours, the virus comes back with the same behaviour on the same shared files
    5. Nothing is seen by Symantec

    For me, SPE does not check file attribute changes, or I haven't found the right option.

    Thanks



  • 4.  RE: Folder hiding and replaced by exe

    Posted Jan 21, 2013 05:00 AM

    In case suspicious activity is still happening, follow the steps provided in the article below and submit the files to the Symantec Security Response Team:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.



  • 5.  RE: Folder hiding and replaced by exe

    Posted Jan 26, 2013 02:49 PM

    What gets scanned is entirely determined by the NetApp filer. It requests a scan and the scan engine will return a result to the scan engine. You can turn the logging levels up to verbose and see the scan engine results for all files in a detailed report; otherwise you will only see files that the scan engine determines to be a threat or encounters an error scanning.



  • 6.  RE: Folder hiding and replaced by exe

    Posted Jan 31, 2013 08:31 AM

    I have checked the NetApp options and there is nothing about hidden folders or folder attributes. I have confirmation from NetApp support.

    With verbose options I can see only the creation of the exe file:

    Thu Jan 31 09:22:09 CET 2013, A file has been scanned
    Event Severity Level : Verbose
    File name : \\?\UNC\192.168.0.1\ONTAP_ADMIN$\vol\vol_datas\ERF.exe
    Client SID : S-1-5-21-2043879999-2266753580-3138237620-7629
    Client Computer : LPT357
    Client IP : 10.123.4.162
    Scan Duration (sec) : 0.016
    Connect Duration (sec) : 0.047
    Symantec Protection Engine IP address : 192.168.8.47
    Symantec Protection Engine Port number : 0
    Uptime (in seconds) : 152899

    Nothing about attribute changes. So it means that I don't need antivirus for NAS, because NetApp does not log this action.

    Even if I run a manual scan of this exe file with the Symantec EndPoint Protection 11 client on my computer, nothing is found.
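
The verbose entry quoted in the post above already carries the client IP, computer name and SID for each scanned file. The following is an added example, not part of the original thread and not Symantec or NetApp code: it parses entries in that flattened layout and groups scanned .exe files by client. The function names, the sample paths, host names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Field labels copied from the verbose entry quoted in the post above.
LABELS = ["Event Severity Level", "File name", "Client SID", "Client Computer",
          "Client IP", "Scan Duration (sec)", "Connect Duration (sec)",
          "Symantec Protection Engine IP address",
          "Symantec Protection Engine Port number", "Uptime (in seconds)"]
LABEL_RE = re.compile("(" + "|".join(map(re.escape, LABELS)) + r")\s*:\s*")

def parse_entry(line):
    """Split one flattened 'Label : value Label : value ...' entry into a dict."""
    head = line.partition(" Event Severity Level")[0]
    timestamp, _, event = head.partition(", ")
    fields = {"timestamp": timestamp.strip(), "event": event.strip()}
    matches = list(LABEL_RE.finditer(line))
    for m, nxt in zip(matches, matches[1:] + [None]):
        # A value runs up to the next known label, so paths with spaces survive.
        fields[m.group(1)] = line[m.end():nxt.start() if nxt else len(line)].strip()
    return fields

def exe_by_client(lines):
    """Map (client IP, client computer) -> [(timestamp, path)] for scanned .exe files."""
    hits = defaultdict(list)
    for line in lines:
        f = parse_entry(line)
        path = f.get("File name", "")
        if path.lower().endswith(".exe"):
            hits[(f.get("Client IP"), f.get("Client Computer"))].append((f["timestamp"], path))
    return dict(hits)

def sample_entry(ts, path, computer, ip):
    """Constructed entry in the post's layout (placeholder SID, documentation IPs)."""
    return (f"{ts}, A file has been scanned Event Severity Level : Verbose "
            f"File name : {path} Client SID : S-1-5-21-0-0-0-1001 "
            f"Client Computer : {computer} Client IP : {ip} "
            "Scan Duration (sec) : 0.016 Connect Duration (sec) : 0.047 "
            "Symantec Protection Engine IP address : 192.0.2.47 "
            "Symantec Protection Engine Port number : 0 Uptime (in seconds) : 152899")

SHARE = r"\\?\UNC\192.0.2.10\ONTAP_ADMIN$\vol\vol_example"  # constructed path
SAMPLE_LOG = [
    sample_entry("Thu Jan 31 09:22:09 CET 2013", SHARE + r"\Projects.exe", "PC-EXAMPLE-01", "198.51.100.23"),
    sample_entry("Thu Jan 31 09:22:11 CET 2013", SHARE + r"\Team Docs.exe", "PC-EXAMPLE-01", "198.51.100.23"),
    sample_entry("Thu Jan 31 09:25:40 CET 2013", SHARE + r"\budget.xlsx", "PC-EXAMPLE-02", "198.51.100.77"),
]

if __name__ == "__main__":
    for (ip, host), files in exe_by_client(SAMPLE_LOG).items():
        print(ip, host, len(files), "exe file(s):", [p for _, p in files])
```

This assumes the client named in an entry is the one whose access triggered the scan, so the output is a shortlist of machines to examine rather than proof of which one is infected.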



  • 7.  RE: Folder hiding and replaced by exe
    Best Answer

    Posted Feb 26, 2013 09:06 AM

    I confirm that NetApp can't monitor folder ...

    So finally I have resolved my issue, but it was not easy:

    1. I submitted the virus file to Symantec
    2. The virus was propagating faster, so we decided to open a ticket with our Symantec commercial contact. No help at the beginning.
    3. We used other antivirus products and Sophos detected the virus. It was a very old virus from 2007 in c:\setup
    4. We sent this virus to Symantec through our contact
    5. A rapid release was made very quickly, and after upgrading our client definitions with Symantec Manager Console, no more virus
    6. 2 days later, I received a response from Symantec to my first submission in point 1: Symantec EndPoint can detect it ....
    7. It took 1 month to remove this virus.

    I am disappointed by Symantec. I had to prove that it was really a virus and find the source in order to update Symantec's definitions, knowing that other, less known antivirus products had it in their database. And I'm only a small customer with a fleet of 200 computers.

    Anyway, thank you for your help.