Endpoint Protection

  • 1.  Folder name .exe virus

    Posted Feb 11, 2013 03:37 PM

    We recently got hit by a virus that hid all the folders on the fileserver and replaced them with (old folder name).exe.  All about 240kb in size.  The virus also left three files: sexy.exe, porn.exe and x.exe.  It didn't spread throughout the file server.  It stayed on one share.  We are using Symantec Endpoint Protection 11.0.07000.975 with updated definitions.

    File system autoprotect is on and scans all files. 

    To get rid of this we ended up downloading Norton NPE.exe and it took care of the virus. 

    Symantec owns Norton, correct?

    WHY didn't autoprotect catch this virus?  Shouldn't the power of NPE be incorporated into the company that bought it??  Do I have Symantec configured improperly?  Management wants to get rid of Symantec.  I don't, but I think Symantec should have blocked this from the beginning.

     

    Help

    Thanks

     



  • 2.  RE: Folder name .exe virus

    Posted Feb 11, 2013 03:42 PM

    It appears Symantec didn't have a signature for it. Did you submit to Security Response? You can here:

    https://submit.symantec.com/websubmit/gold.cgi

    Check these:

    Security Best Practices for Protecting a Business Environment from Common Threats

    Article:TECH105236  |  Created: 2008-01-27  |  Updated: 2011-02-16  |  Article URL http://www.symantec.com/docs/TECH105236

     

    Security Best Practice Recommendations

    Article:TECH91705  |  Created: 2009-01-08  |  Updated: 2009-01-22  |  Article URL http://www.symantec.com/docs/TECH91705

     

    I would highly recommend moving to SEP 12.1 as it offers better protection than 11.x. You can check the comparison list here:

    Differences between SEP 11 Enterprise Edition and SEP 12.1 Enterprise Edition

    https://www-secure.symantec.com/connect/articles/few-differences-between-sep-11-enterprise-edition-and-sep-121-enterprise-edition



  • 3.  RE: Folder name .exe virus

    Posted Feb 11, 2013 04:04 PM

    Thanks for the quick response.

    But.  We have the latest dat files and we are talking about taking everyone in the organization to 12?  In time we will but is that going to be the solution when we get to 12 with the latest dat files.  "you need to go to 13"???

    What good is getting the latest dat files if every decent virus we get we have to be at the next level?  This one was just a real nuisance.  We lost no data, but A LOT of time.

    Is the only thing I did wrong was not be at 12?  If the dat files won't protect me why doesn't the auto update let me know my engine is useless?

    Thanks



  • 4.  RE: Folder name .exe virus

    Posted Feb 11, 2013 04:12 PM

    The problem is there just wasn't a definition available at the time. The AV engine has no clue if a virus is present if it doesn't have a definition. Antivirus can no longer be trusted to protect an enterprise. You need a layered security approach.

    SEP 12.1 contains a new reputation-based engine where all downloads will be scanned in the cloud and scored based on their reputation. Would it have helped in this case? I don't know for sure. But with AV, either there is a signature available or there isn't. If there isn't, then you found out the hard way what happens. To me, AV is pretty accurate but not 100% and never will be. Many new threats are being found every day, not to mention the existing ones are being re-coded to evade AV detection, and companies simply cannot keep up.

    Are you utilising the PTP, IPS and Firewall as well? Application and Device control policy, network application monitoring, or system lockdown?



  • 5.  RE: Folder name .exe virus

    Trusted Advisor
    Posted Feb 12, 2013 01:18 AM

    Hello,

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/business/support/index?page=content&id=TECH9892

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    Check this Thread with similar Issue: https://www-secure.symantec.com/connect/forums/folder-getting-created-folderexe

    Are you running the SEP 11.x client with latest definitions and carry all the latest Microsoft updates and security patches on the machine?

    The symptoms sound like W32.SillyFDC to me.

    1. Run a scan in safe mode with networking to remove the virus. (Make sure SEP is updated with the Latest definitions)
    2. Disable System Restore before you do this as the virus also creates entries in the System Restore Points store volumes.
    3. Disable Autoplay for ALL DRIVES via a GPO (if you're on a domain), and
    4. Disable Simple File Sharing if it's enabled to prevent the infection from propagating itself by binding to files.
    5. Secondly, submit these files to the Symantec Security Response and they will get detected. https://submit.symantec.com/essential

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps!!



  • 6.  RE: Folder name .exe virus

    Posted Feb 12, 2013 01:37 AM

    Hi,

    Agreed with the above comments. Please do the above steps and your problem will be solved.

    1) Maybe your system did not have the latest virus definitions.

    2) The system should have the latest version of antivirus installed.

    3) Do a safe mode scan on the system (if the system has SEP 11); if the system has 12.1, then do a normal scan.



  • 7.  RE: Folder name .exe virus



  • 8.  RE: Folder name .exe virus

    Posted Feb 13, 2013 03:58 AM

    Please refer to what Brian has written, it's basically the reality of IT Security nowadays.

    With due respect, nobody depends only on AV to protect their environment ... we'll need at least a few layers of defense due to the current nature of threats ... maybe you can use 2-3 open source security solutions to reduce the cost



  • 9.  RE: Folder name .exe virus

    Posted Feb 14, 2013 05:22 AM

    Hi

    Please send the suspicious file to Symantec Security Response for analysing

    Regards

     



  • 10.  RE: Folder name .exe virus

    Broadcom Employee
    Posted Feb 14, 2013 09:22 AM

    Hi,

    Symantec owns Norton, that's correct. NPE is a tool, it's not a version.

    You should try to scan the system with Symantec Power Eraser also & check the result.

    I would suggest submitting suspicious files to Symantec if Symantec Power Eraser couldn't help.

    SST will tell you about suspicious files; submit those suspicious files to Symantec. You will receive a tracking number within a few minutes after the submission.

    SST might take some time to collect the logs; however, the submission process is very easy and fast.

    Try to find out the original location from where these .exe files are executing. Go to the properties of the file & try to find out the location.

    But until and unless we receive valid samples, we can't move further.

    Please share the tracking ID with me & I will try to check the status of it.

    Refer to this thread as well: https://www-secure.symantec.com/connect/forums/flash-drive-shortcut-virus#comment-8327121
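
The symptom described in the first post (folders hidden, each replaced by a same-named .exe, plus three stray executables) can be inventoried with a read-only script before cleanup and sample submission. This is an added example, not part of any post in this thread and not Symantec tooling; the share path is a placeholder and the script changes nothing on disk.

```powershell
# Added example: read-only audit for the "hidden folder + <folder name>.exe" pattern.
param(
    [string]$SharePath = '\\fileserver\share',   # placeholder, set to the affected share
    [switch]$Recurse                             # also walk subfolders
)

# The three extra files named in the original post.
$droppedNames = 'sexy.exe', 'porn.exe', 'x.exe'

# -Force is required, otherwise hidden folders are not returned at all.
$gciArgs = @{ Path = $SharePath; Force = $true; ErrorAction = 'SilentlyContinue' }
if ($Recurse) { $gciArgs.Recurse = $true }
$items = @(Get-ChildItem @gciArgs)

# Case 1: a hidden directory with a sibling file called "<directory name>.exe".
$findings = @(foreach ($dir in ($items | Where-Object { $_.PSIsContainer })) {
    $isHidden = [bool]($dir.Attributes -band [IO.FileAttributes]::Hidden)
    $decoy    = Join-Path $dir.Parent.FullName ($dir.Name + '.exe')
    if ($isHidden -and (Test-Path -LiteralPath $decoy -PathType Leaf)) {
        $file = Get-Item -LiteralPath $decoy -Force
        [pscustomobject]@{
            Type    = 'HiddenFolderWithDecoy'
            Folder  = $dir.FullName
            File    = $file.FullName
            SizeKB  = [math]::Round($file.Length / 1KB)
            Written = $file.LastWriteTime
        }
    }
})

# Case 2: the stray executables, matched by name (case-insensitive).
$findings += @($items |
    Where-Object { -not $_.PSIsContainer -and ($droppedNames -contains $_.Name) } |
    ForEach-Object {
        [pscustomobject]@{
            Type    = 'DroppedFile'
            Folder  = $_.DirectoryName
            File    = $_.FullName
            SizeKB  = [math]::Round($_.Length / 1KB)
            Written = $_.LastWriteTime
        }
    })

# Emit the report; pipe to Export-Csv to keep a record alongside the submission.
$findings | Sort-Object Type, File
```

The `Written` timestamps and the file owner shown in each file's properties help narrow down which client wrote to the share, which is the "original location" the last reply asks for.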