
How to handle infections that aren't detected by SEP

Created: 21 Jun 2013 | 9 comments

We have a third party service that detects when our machines are attempting to connect to known bot networks.  When we receive these alerts, we send a desktop technician to take a look at the machine.  Sometimes they run a SEP 12 scan, which doesn't detect anything.  (If SEP 12 were able to detect it, it would have stopped it in the first place, since it is configured to run in memory.)

For machines in this state, where you know something is wrong, but you can't find any evidence of that with SEP, what should you do?  Is there another Symantec tool that is recommended, or are we supposed to just find another third party tool to get a "second opinion" on the machine?


.Brian

Check this KBA:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

Article:TECH98929  |  Created: 2000-01-06  |  Updated: 2012-09-13  |  Article URL http://www.symantec.com/docs/TECH98929


You can try the Symantec Power Eraser.

About Symantec Power Eraser

Article:TECH134803  |  Created: 2010-01-09  |  Updated: 2013-05-07  |  Article URL http://www.symantec.com/docs/TECH134803


How to run Symantec Power Eraser with the SymHelp utility

Article:TECH203683  |  Created: 2013-03-08  |  Updated: 2013-05-23  |  Article URL http://www.symantec.com/docs/TECH203683


You can use the SymHelp tool to submit suspicious processes

How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

Article:TECH203027  |  Created: 2013-02-21  |  Updated: 2013-05-23  |  Article URL http://www.symantec.com/docs/TECH203027


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ed16

Thanks.  Power Eraser sounds helpful, but I can't figure out how to download it.  All links lead me to Symantec Help...


http://www.symantec.com/business/support/index?page=content&id=TECH170752

.Brian

Yes, it is run from SymHelp tool, no standalone download. Check the link I posted above on how to run SPE from SymHelp.


ed16

Unfortunately, I tried it from SymHelp and it doesn't work.  I select Power Eraser, check the rootkit box, and it reboots my system, but nothing happens.  I tried 3 times.

W007

Hello,

You can raise a support ticket.

Eliminating viruses and security risks


Article:HOWTO27280  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27280


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mick2009

Hi Ed16,

The logs that the SEP clients are sending to the SEPM are often a great way to identify which files are suspicious on which clients.  Here's an illustrated article that may be of interest:


Using SEPM Alerts and Reports to Combat a Malware Outbreak

https://www-secure.symantec.com/connect/articles/using-sepm-alerts-and-reports-combat-malware-outbreak

With thanks and best regards,

Mick

SameerU

Hi

If you find any suspicious files please submit to the following link

https://submit.symantec.com/websubmit/bcs.cgi

Regards


sealchan

Unless a rootkit is suspected you can still get the bulk of the value from Symantec Power Eraser without running the rootkit scan.  There is also Load Point Analysis in SymHelp, another threat analysis tool.  Symantec Power Eraser gives you the ability to remove suspicious files.  Load Point Analysis gives you more information about the file and can be run on a system that is not connected to the Internet.

Reference the following document for links to more information:

Google: SymHelp FAQ

http://www.symantec.com/docs/TECH203496
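For the kind of offline load-point review sealchan describes, here is an added PowerShell example (my own code, not from the thread and not Symantec's Load Point Analysis tool) that inventories the Run/RunOnce keys and service image paths of a flagged host and records each binary's SHA-256 and Authenticode status, so unsigned or unfamiliar entries can be reviewed and submitted to Security Response. The key list and helper names are my own choices; it assumes an elevated session and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example: minimal offline load-point inventory for a host that a
# botnet-traffic alert flagged but that SEP scans clean. Not Symantec code.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a command line (quoted or unquoted form).
# Limitation: an unquoted path containing spaces is cut at the first space.
function Get-ExePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $null
}

# One record per load point: where it came from, the file, its hash, and
# whether the file carries a valid Authenticode signature.
function Get-LoadPointEntry([string]$Source, [string]$Name, [string]$Cmd) {
    $path = Get-ExePath $Cmd
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Path      = $path
        Exists    = $exists
        SHA256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { $null }
    }
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        Get-LoadPointEntry $key $p.Name ([string]$p.Value)
    }
})

# Services are the other common load point: record every ImagePath as well.
$entries += @(Get-CimInstance Win32_Service | ForEach-Object {
    Get-LoadPointEntry 'Service' $_.Name ([string]$_.PathName)
})

# Unsigned, unverifiable or missing binaries sort to the top for review.
$entries | Sort-Object Signature, Path | Format-Table -AutoSize
```

Export with `$entries | Export-Csv loadpoints.csv -NoTypeInformation` to keep a record alongside whatever you submit to Symantec.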

SebastianZ

If Power Eraser is not working you can have a check with SERT tool as well:

https://www-secure.symantec.com/connect/videos/sym...

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

Article:TECH131732  |  Created: 2010-01-15  |  Updated: 2012-06-25  |  Article URL http://www.symantec.com/docs/TECH131732


Besides the scan, a few more articles regarding prevention:

Security Best Practices for stopping malware and other threats
http://www.symantec.com/theme.jsp?themeid=stopping...

Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003
http://www.symantec.com/docs/TECH99331

Adjusting scans to increase protection on your client computers
http://www.symantec.com/docs/HOWTO55307

Monitoring endpoint protection
http://www.symantec.com/docs/HOWTO55302