
How to harden SEP after sexy.exe virus attack

Created: 16 Mar 2013 | 2 comments

Hi all and thank you in advance for your help and knowledge,

So Friday afternoon our network was hit with the sexy.exe virus; as a result our fileshares quickly turned into directories full of files with .exe extensions (some real file names with .exe added) and others with sexy.exe, porn.exe and gueopo.exe.

We are running Symantec Endpoint Protection 11 and I was wondering if there are any known ports or sites that should be blacklisted? I have done some searching and have been unsuccessful. Would love to get this going before the servers start going live.

I figured the good people at Symantec could steer me in the right direction.

Thank you


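The post above describes the visible residue of the infection: document shares filling up with copies named sexy.exe, porn.exe and gueopo.exe, plus legitimate file names with ".exe" appended. The following script is an added example (not from the original thread, and not a Symantec tool) that walks a share and flags both patterns so the extent of the spread can be inventoried before clean-up; the list of dropped names is taken from the post, the document-extension list and the function names are my own assumptions.

```python
import os
import sys
from typing import Iterable, List, Optional, Tuple

# Dropped file names reported in the post above; extend as the incident dictates.
# (Constructed watch-list for this example, not a vendor signature.)
KNOWN_DROPPER_NAMES = {"sexy.exe", "porn.exe", "gueopo.exe"}

# Extensions that legitimately live on a document share (assumed list).
# A file named "<something>.<doc-ext>.exe" matches the "real file name with
# .exe added" pattern from the post.
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".pdf", ".txt", ".rtf", ".jpg", ".png", ".zip",
}


def classify(filename: str) -> Optional[str]:
    """Return a reason string if the bare file name looks like worm residue, else None.

    Only the name is inspected; the file is never opened or executed.
    """
    name = filename.lower()
    if name in KNOWN_DROPPER_NAMES:
        return "known dropped name"
    root, ext = os.path.splitext(name)
    if ext != ".exe":
        return None
    _, inner_ext = os.path.splitext(root)
    if inner_ext in DOCUMENT_EXTENSIONS:
        return f"document name with .exe appended ({inner_ext}.exe)"
    return None


def scan_names(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify an iterable of paths (e.g. a directory listing) and return (path, reason) hits."""
    hits = []
    for path in paths:
        reason = classify(os.path.basename(path))
        if reason:
            hits.append((path, reason))
    return hits


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a share root and return every suspicious (full_path, reason) pair."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            reason = classify(f)
            if reason:
                hits.append((os.path.join(dirpath, f), reason))
    return hits


if __name__ == "__main__":
    # Usage: python scan_share.py \\fileserver\share   (report only; nothing is deleted)
    share = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reason in scan_tree(share):
        print(f"{reason}\t{path}")
```

The script is report-only on purpose: the hit list is what you hand to the AV console and use to scope the clean-up, and the name heuristic will also catch the occasional legitimate double-extension file, so confirm each hit with a scan before removing anything.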

Comments (2)

Brɨan:

These are two good articles on increasing security settings in SEP:

Security Response recommendations for Symantec Endpoint Protection settings

Article: TECH122943 | Created: 2010-01-03 | Updated: 2010-11-16 | Article URL

SEP secret sauce for better protection

These likely came from a legitimate site that was hacked. These sites change all the time, so they would be very difficult to block.

Have you considered upgrading to SEP 12.1? It has a feature called Download Insight which scans downloads and categorizes them based on their reputation. It is a very nice feature.

Also, do you currently use Application and Device Control in SEP?


pete_4u2002:

Check this link.

Based on the file, it could be Changeup. Check this link to stop the threat; it mentions the port and domain it tries to connect to.