
Folder name .exe virus

Created: 11 Feb 2013 | 9 comments

We recently got hit by a virus that hid all the folders on the fileserver and replaced them with (old folder name).exe, all about 240 KB in size. The virus also left three files: sexy.exe, porn.exe and x.exe. It didn't spread throughout the file server; it stayed on one share. We are using Symantec Endpoint Protection 11.0.07000.975 with updated definitions.

File system autoprotect is on and scans all files. 

To get rid of this we ended up downloading Norton NPE.exe and it took care of the virus. 

Symantec owns Norton, correct?

WHY didn't autoprotect catch this virus? Shouldn't the power of NPE be incorporated into the company that bought it? Do I have Symantec configured improperly? Management wants to get rid of Symantec. I don't, but I think Symantec should have blocked this from the beginning.

Help

Thanks
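The infection pattern described above (a hidden folder left in place next to a same-named .exe, plus a few stray dropper executables) is easy to hunt for on a share without waiting for a signature, because the pairing of "directory X" and "X.exe" in the same parent is itself the indicator. The script below is an added example, not code from the original thread or from Symantec: it walks a share, reports every such pair, groups the hits by SHA-256 so you can see how many distinct payloads are actually present (one worm usually drops one binary everywhere), and lists the dropper names the poster reported. The share layout in `build_sample_share()` is constructed for the demo with placeholder bytes, not real malware; the `unhide()` helper only does anything on Windows, where the hidden/system attributes actually exist.

```python
"""Hunt for 'folder-name .exe' worm artefacts on a file share.

Added example, not from the original thread. The share layout built by
build_sample_share() is constructed for the demo; the dropper file names
are the ones reported in the post above.
"""
import ctypes
import hashlib
import os
import sys
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_NORMAL = 0x80

# Extra files the poster found next to the renamed folders.
KNOWN_DROPPER_NAMES = {"sexy.exe", "porn.exe", "x.exe"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(path):
    """True if the Windows hidden or system attribute is set.
    st_file_attributes only exists on Windows; elsewhere report False."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def find_folder_mimics(root):
    """One finding per X.exe that sits beside a directory named X.

    That pairing is the signature of the infection in the post: the real
    folder is still there (hidden) and the .exe carries its name. Names are
    compared case-insensitively because NTFS shares are case-insensitive."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {d.lower(): d for d in dirnames}
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() != ".exe" or stem.lower() not in by_lower:
                continue
            exe = Path(dirpath, fn)
            folder = Path(dirpath, by_lower[stem.lower()])
            findings.append({
                "exe": exe,
                "folder": folder,
                "folder_hidden": is_hidden(folder),
                "size": exe.stat().st_size,
                "sha256": sha256_of(exe),
            })
    return findings


def find_known_droppers(root):
    return [Path(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() in KNOWN_DROPPER_NAMES]


def cluster_by_hash(findings):
    """Group mimics by content hash. The identical ~240 KB copies from the
    post collapse into one cluster; that hash is what you submit and block."""
    clusters = {}
    for f in findings:
        clusters.setdefault(f["sha256"], []).append(f["exe"])
    return clusters


def unhide(folder):
    """Clear hidden+system on a recovered folder (Windows only).
    Returns False where the Win32 API is not available."""
    if sys.platform != "win32":
        return False
    return bool(ctypes.windll.kernel32.SetFileAttributesW(str(folder), FILE_ATTRIBUTE_NORMAL))


def build_sample_share(base):
    """Constructed layout: three real folders, a same-named .exe beside each
    (two identical payloads, one variant), one dropper, and a legitimate
    installer that must NOT be flagged because no folder shares its name."""
    base = Path(base)
    payload = b"MZ constructed placeholder, not a real binary\n"
    for name in ("Finance", "HR", "Projects"):
        (base / name).mkdir()
        (base / name / "budget.xlsx").write_bytes(b"real data")
    (base / "Finance.exe").write_bytes(payload)
    (base / "HR.exe").write_bytes(payload)
    (base / "Projects.exe").write_bytes(payload + b"variant")
    (base / "x.exe").write_bytes(b"dropper")
    (base / "Tools").mkdir()
    (base / "Tools" / "setup.exe").write_bytes(b"legit installer")
    return base


def demo():
    """Build the constructed share, scan it, and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        share = build_sample_share(tmp)
        hits = find_folder_mimics(share)
        return {
            "mimics": sorted(h["exe"].name for h in hits),
            "cluster_sizes": sorted(len(v) for v in cluster_by_hash(hits).values()),
            "droppers": sorted(p.name for p in find_known_droppers(share)),
        }


if __name__ == "__main__":
    print(demo())
```

On a real share you would call `find_folder_mimics(r"\\fileserver\share")` instead of building the sample, quarantine every hit, submit one file per hash cluster to Security Response, and only then run `unhide()` on the recovered folders. The legitimate `Tools\setup.exe` is never reported because the indicator is the name collision with a sibling directory, not the .exe extension alone.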

9 Comments

.Brian:

It appears Symantec didn't have a signature for it. Did you submit to Security Response? You can do so here:

https://submit.symantec.com/websubmit/gold.cgi

Check these:

Security Best Practices for Protecting a Business Environment from Common Threats

Article:TECH105236  |  Created: 2008-01-27  |  Updated: 2011-02-16  |  Article URL http://www.symantec.com/docs/TECH105236

 

Security Best Practice Recommendations

Article:TECH91705  |  Created: 2009-01-08  |  Updated: 2009-01-22  |  Article URL http://www.symantec.com/docs/TECH91705

 

I would highly recommend moving to SEP 12.1 as it offers better protection than 11.x. You can check the comparison list here:

Differences between SEP 11 Enterprise Edition and SEP 12.1 Enterprise Edition

https://www-secure.symantec.com/connect/articles/f...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Public Defender:

Thanks for the quick response.

But we have the latest dat files, and we are talking about taking everyone in the organization to 12? In time we will, but is that going to be the solution when we get to 12 with the latest dat files: "you need to go to 13"?

What good is getting the latest dat files if for every decent virus we get we have to be at the next level? This one was just a real nuisance. We lost no data, but A LOT of time.

Is the only thing I did wrong not being at 12? If the dat files won't protect me, why doesn't the auto update let me know my engine is useless?

Thanks

.Brian:

The problem is there just wasn't a definition available at the time. The AV engine has no clue if a virus is present if it doesn't have a definition. Antivirus can no longer be trusted to protect an enterprise. You need a layered security approach.

SEP 12.1 contains a new reputation-based engine where all downloads will be scanned in the cloud and scored based on their reputation. Would it have helped in this case? I don't know for sure. But with AV, either there is a signature available or there isn't. If there isn't, then you found out the hard way what happens. To me, AV is pretty accurate but not 100% and never will be. Many new threats are being found every day, not to mention the existing ones are being re-coded to evade AV detection, and companies simply cannot keep up.

Are you utilising the PTP, IPS and Firewall as well? Application and Device control policy, network application monitoring, or system lockdown?

Mithun Sanghavi:

Hello,

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/business/support/index?page=content&id=TECH9892

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

Check this Thread with similar Issue: https://www-secure.symantec.com/connect/forums/folder-getting-created-folderexe

Are you running the SEP 11.x client with latest definitions and carry all the latest Microsoft updates and security patches on the machine?

The symptoms sound like W32.SillyFDC to me.

  1. Run a scan in safe mode with networking to remove the virus. (Make sure SEP is updated with the latest definitions.)
  2. Disable System Restore before you do this, as the virus also creates entries in the System Restore Points store volumes.
  3. Disable Autoplay for ALL DRIVES via a GPO (if you're on a domain), and
  4. Disable Simple File Sharing if it's enabled, to prevent the infection from propagating itself by binding to files.
  5. Submit these files to Symantec Security Response and they will get detected. https://submit.symantec.com/essential

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Ambesh_444:

Hi,

Agreed with the above comments. Please do the above steps and your problem will be solved.

1) Maybe your system did not have the latest virus definitions.

2) The system should have the latest version of the antivirus installed.

3) Do a safe mode scan on the system (if the system has SEP 11); if the system has 12.1, do a normal scan.

 

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

cus000:

Please refer to what Brian has written; it's basically the reality of IT security nowadays.

With due respect, nobody depends only on AV to protect their environment. We'll need at least a few layers of defense due to the current nature of threats. Maybe you can use 2-3 open source security solutions to reduce the cost.

SameerU:

Hi

Please send the suspicious file to Symantec Security Response for analysing

Regards

Chetan Savade:

Hi,

Symantec owns Norton that's correct. NPE is a tool it's not a version.

You should also try to scan the system with Symantec Power Eraser and check the result.

I would suggest submitting suspicious files to Symantec if Symantec Power Eraser couldn't help.

SST will tell you about suspicious files; submit those suspicious files to Symantec. You will receive a tracking number within a few minutes after the submission.

SST might take some time to collect the logs; however, the submission process is very easy and fast.

Try to find out the original location from where these .exe files are executing. Go to the properties of the file and try to find out the location.

But unless and until we receive valid samples, we can't move further.

Please share tracking id with me & I will try to check the status about it.

Refer this thread as well: https://www-secure.symantec.com/connect/forums/fla...

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.