Endpoint Protection


Internet Explorer Virus

  • 1.  Internet Explorer Virus

    Posted May 08, 2012 02:17 AM

    Hi,

    In one of our machines we are having some sort of virus which is resetting the home page to this url hxxp://www.nuevaq.fm/

    I do know what site is this. Many IE applications are not opening.

    I am using SEP 12.1 RU1. Definitions are up to date.

    Now 2 users are having this problem, when we tried full scan no risks found.

    Please help



  • 2.  RE: Internet Explorer Virus

    Posted May 08, 2012 02:53 AM

    Hi Shrikant,

    Please specify the address (for e.g. http://www.symantec.com/enterprise/security_response/index.jsp) in AV/AS Policy --> Miscellaneous --> Internet Browser Protection to prevent browser attacks.

     



  • 3.  RE: Internet Explorer Virus

    Posted May 08, 2012 03:23 AM

    By default this Symantec Security Site is added. I found this for you:

    http://www.threatexpert.com/report.aspx?md5=83c749732492b43f6efc1687be2c8336



  • 4.  RE: Internet Explorer Virus

    Posted May 08, 2012 04:08 AM

    This I already read. Now how to block this?



  • 5.  RE: Internet Explorer Virus

    Broadcom Employee
    Posted May 08, 2012 05:01 AM

    Collect the load point log and open a support case and ask for review. The tech team will ask to submit the suspicious file if present and that will fix the issue, assuming the threat is active on the machine and is responsible for the home page.



  • 6.  RE: Internet Explorer Virus

    Posted May 08, 2012 05:46 AM

    Power Eraser may also help to remove suspicious files:

    About Symantec Power Eraser
    Article: TECH134803   |  Created: 2010-01-09   |  Updated: 2012-04-13   | 
    Article URL http://www.symantec.com/docs/TECH134803 
     



  • 7.  RE: Internet Explorer Virus

    Posted May 08, 2012 07:34 AM

    How to collect the logs?



  • 8.  RE: Internet Explorer Virus

    Posted May 08, 2012 07:35 AM

    I already tried the Power Eraser, but while doing the scan option itself is disabled and showing error as Symantec reputation database not found.



  • 9.  RE: Internet Explorer Virus

    Trusted Advisor
    Posted May 08, 2012 07:38 AM

    Hello,

    In your case, Symantec is detecting such threats as W32.Rontokbro!gen1, as Ajit pinpointed.

    I agree with Mick as well for using the Symantec Power Eraser Tool.

    However, in certain cases a strong Plan of Action is necessary.

    Here are few Points which would assist you to prevent this.

    1) Check the Host files. If they are changed make the necessary changes.

    Usually Symantec does protect you from such changes, if proper policies are at place.

    You can create an Application Control Policy, like this below:

    By creating this policy, from then onwards all the modifications to the host file would be blocked.

    2) Most of the time, such threats are user based. I would suggest that you create a new user on the same machine and check if the issue exists on the new user profile created.

    If it does not exist then you can delete the infected user profile.

    You could protect the User Profile from getting infected by creating proper policies in SEP.

    How to Block Known Virus Executables that run from %UserProfile% using Application and Device Control

    http://www.symantec.com/docs/TECH131741

    3) Check the box for "Enable Browser Intrusion Prevention" within the Intrusion Prevention Policy of Symantec Endpoint Protection Manager which controls the user ability to enable/disable this feature.

     

    4) Create a rule for Block / Log Browser Helper Objects.

    How to create a rule that will block or log Browser Helper Objects in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH94965

    5) In case you find any suspicious files on the machines, you can follow this article:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps!!
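
A read-only triage script for the checks listed in post 9 (hosts file, Browser Helper Objects), plus the home-page setting from post 1 and the file MD5 that post 21 asks for. This is an added example, not part of the thread or of any Symantec tool; the function names are hypothetical, and it assumes PowerShell 4.0 or later on the affected machine.

```powershell
# Added example, not from the thread. Read-only: nothing is changed.
# Function names are hypothetical. Requires PowerShell 4.0+ (Get-FileHash).

function Get-HostsOverride {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Strip comments, then list every mapping other than plain localhost.
    Get-Content -LiteralPath $Path |
        ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
        Where-Object { $_ } |
        ForEach-Object {
            $ip, $names = $_ -split '\s+'
            foreach ($n in $names) {
                if ($n -and $n -ne 'localhost') {
                    [pscustomobject]@{ Address = $ip; HostName = $n }
                }
            }
        }
}

function Get-IEStartPage {
    # Per-user and machine-wide home page values.
    foreach ($key in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                     'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p) { [pscustomobject]@{ Key = $key; StartPage = $p.'Start Page' } }
    }
}

function Get-BrowserHelperObject {
    # Native and 32-bit BHO registrations, with the DLL behind each CLSID.
    $bho = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in "HKLM:\SOFTWARE\$bho", "HKLM:\SOFTWARE\Wow6432Node\$bho") {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $paths = 'CLSID', 'Wow6432Node\CLSID' |
                ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\$clsid\InprocServer32" }
            $srv = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
                Select-Object -First 1
            $dll = if ($srv) { $srv.'(default)' }
            $md5 = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash
            }
            [pscustomobject]@{ Clsid = $clsid; Dll = $dll; MD5 = $md5 }
        }
    }
}

Get-HostsOverride | Format-Table -AutoSize
Get-IEStartPage | Format-List
Get-BrowserHelperObject | Format-List
```

Entries in the output are leads to compare against a known-clean machine, not verdicts.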



  • 10.  RE: Internet Explorer Virus

    Posted May 09, 2012 02:23 AM

    Those policies are already available in my SEPM and all are enabled



  • 11.  RE: Internet Explorer Virus

    Posted May 11, 2012 12:07 AM

    We tried another tool to capture the virus, which caught it, and now the problem is solved.

    But why did Symantec fail to capture this?



  • 12.  RE: Internet Explorer Virus

    Posted May 12, 2012 07:10 AM

    Replies for this issue?



  • 13.  RE: Internet Explorer Virus

    Broadcom Employee
    Posted May 12, 2012 07:34 AM

    It may not be present in the Symantec database or it could be a false positive from the other AV tool you used. If you still have the file, you can upload that to the Symantec Security Response team.



  • 14.  RE: Internet Explorer Virus

    Posted May 14, 2012 01:01 AM

    I will get the file and upload it to Symantec Security Response.



  • 15.  RE: Internet Explorer Virus

    Broadcom Employee
    Posted May 14, 2012 01:16 AM

    That's great! Pass on the tracking number once you upload the file.



  • 16.  RE: Internet Explorer Virus

    Posted May 14, 2012 05:29 AM

    Likewise, many files I have submitted to Security Response but no reply from them.



  • 17.  RE: Internet Explorer Virus

    Broadcom Employee
    Posted May 14, 2012 06:45 AM

    Do you mean there is no tracking number?

    Can you open a support ticket to identify why you are not receiving the tracking number?



  • 18.  RE: Internet Explorer Virus

    Posted May 14, 2012 10:27 AM

    Srikanth,

     

    PM me the email address used for the submission, and I will see if I can find your tracking number.

     

    Thomas



  • 19.  RE: Internet Explorer Virus

    Posted May 15, 2012 04:03 AM

    Hi,

    Please find the number of my submission: 2674764

    I have submitted the same file several times, but no response.



  • 20.  RE: Internet Explorer Virus

    Broadcom Employee
    Posted May 15, 2012 04:28 AM

    Are you sure that's the tracking number? Can you please reconfirm?



  • 21.  RE: Internet Explorer Virus

    Posted May 15, 2012 04:36 AM

    Hi Srikanth.S,

    Can you contact Thomas or myself via Private Message?  The tracking number supplied is not valid. 

    Please let us know the name of the file you submitted, the email address you used, what contract portal you submitted it under (Gold? BCS? Retail?) and the MD5 of the file if possible.

    Many thanks in advance,

    Mick



  • 22.  RE: Internet Explorer Virus

    Posted May 16, 2012 04:53 AM

    Hello,

     

    Try to capture load points using SEP Support Tool then create a case to support.

     

    You may also copy the suspicious files and check it to virustotal.com or Symantec sample submission.