Is it a virus?
Hello.
I have a question.
My customer tells me the network is very slow at both the head office and the branch. Sometimes they can't send email.
He checked the firewall log and found that most packets were denied by the firewall. The packets were sent to a WAN IP.
Total packets: about 50,000.
Denied packets: about 40,000.
He wants to change the antivirus software. I installed the endpoint (MR4MP2) for a demo.
Then I ran a content update and a full scan in both Windows and safe mode.
At first the number of packets decreased. Then he checked the log at the firewall again.
The packets from the computer on which the endpoint was installed are still there.
I investigated by process and port analysis and found the process "svchost".
I know that is a Windows process, but I think svchost should not be sending SYN.
I'm not sure whether that is a virus.
Can anybody tell me?
Exhibits:
http://www.uppic.net/if/9firewall.jpg
http://www.uppic.net/is/1svchost.jpg
Best Regards,
wirawat.
Comments
SYN Flood
To me it looks like a SYN flooding attack. Svchost is used to run services.
Check what exactly is running under that svchost:
in the command prompt: Tasklist /SVC
You can also use Process Explorer from Sysinternals to see what is hooked to that svchost and whether it is running from %SystemRoot%\System32
or if it is running from some temp location.
Normally if there is a virus or some threat, it will hook its DLL to svchost.exe.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
IPS
Make sure you install all the features of Symantec Endpoint Protection, mainly Network Threat Protection with updated IPS signatures.
You can also check this article if it helps.
https://www-secure.symantec.com/connect/articles/how-find-suspected-threats-your-computer
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Thanks for the quick reply.
I created a package including Antivirus and Antispyware Protection and Network Threat Protection.
And updated all content.
As the image shows, I think all svchost.exe are running from "C:\Windows\System32\svchost.exe".
In the Network Threat Protection log of SEP there is the status "block inbound packets".
But the firewall is denying packets from this computer again.
Thank you.
wirawat
What is under svchost.exe
Can you check what is running under the svchost.exe process that is sending these SYN packets?
Use Process Explorer to check what is running under these svchost.exe.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
I will try.
After I try to do that,
I will respond to you.
Thank you.
wirawat.
Process under svchost.
Dear Vikram,
I'm not sure that's a virus.
Please look in the text file.
http://www.yousendit.com/download/Y1RyZm1iTERFc0pFQlE9PQ
I will get more information from customer.
Thank you.
wirawat.
Still not sure
Still not sure what is running under svchost and rundll32.
Run Process Explorer, hover your mouse over each svchost.exe and check what services are running under it, and also check for rundll32 and what DLL is running under it.
http://www.megaupload.com/?d=4CTO79I2
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Try netstat -nb
Run "netstat -nb" and find out which file is associated with the traffic.
You can download TCPView from Sysinternals to find out the program initiating the traffic.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Find out the WAN IP address and search for it in Google. You may get some information about the program (virus) which may cause this kind of traffic.
Regards,
Srinivas H.P.
HCL Infosystems Ltd
Svchost and rundll32.exe
Nowadays threats either attach to svchost.exe to run as a service, so that users cannot identify them and it will be automatically on all the time,
or the DLLs use rundll32.exe to run the DLL as an EXE file. Downadup used to run all its files under rundll32 to create and run the Scheduled Tasks. It also created its service under svchost so that it doesn't look suspicious.
So if you are infected with Downadup, the Task Manager will look pretty normal; you will just see a few svchosts running and a bunch of rundll32.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Re
Vikram is correct, so the best thing to do is to run the Load Point Diagnostic Tool on the PC. Please post the logs here, or you can check it manually. In the logs provided, look for the .exe you are looking for, then inspect the DLLs loaded with that exe. Make sure you inspect the correct svchost.exe.
Download the utility here: http://service1.symantec.com/SUPPORT/ent-security....
If you want to see what
If you want to see what services are being hosted by a particular svchost.exe instance, you can use the tasklist command from the command prompt in order to see the list of services.
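An added example, not from this thread, that automates the correlation the netstat and tasklist replies above describe: it parses constructed `netstat -ano` output (the `-o` column gives the PID, where `-nb` gives the executable name) together with `tasklist /svc` output, ranks PIDs by half-open (SYN_SENT) connections, and lists the services each svchost.exe PID hosts. All sample rows, PIDs and addresses are made up.

```python
import re
from collections import Counter
# Constructed sample of `netstat -ano` output (not a real capture): one PID
# has several half-open (SYN_SENT) connections to port 445 on different hosts.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     203.0.113.5:445        SYN_SENT        1072
  TCP    192.168.1.10:49153     203.0.113.6:445        SYN_SENT        1072
  TCP    192.168.1.10:49154     203.0.113.7:445        SYN_SENT        1072
  TCP    192.168.1.10:49155     198.51.100.20:443      ESTABLISHED     2208
  TCP    192.168.1.10:49156     203.0.113.8:445        SYN_SENT        1072
"""
# Constructed sample of `tasklist /svc` output for the same machine.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1072 BITS, Schedule, Themes
chrome.exe                    2208 N/A
"""

def parse_netstat(text):
    """Yield (remote_host, state, pid) for each TCP row of netstat -ano."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield parts[2].rsplit(":", 1)[0], parts[3], int(parts[4])

def parse_tasklist(text):
    """Return {pid: (image_name, [services])} from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line.strip())
        if m:  # header and ==== rows have no numeric PID column, so they skip
            svcs = m.group(3).strip()
            procs[int(m.group(2))] = (m.group(1), [] if svcs == "N/A"
                                      else [s.strip() for s in svcs.split(",")])
    return procs

def syn_sent_by_process(netstat_text, tasklist_text):
    """Rank PIDs by SYN_SENT count; attach hosts targeted and services hosted."""
    procs = parse_tasklist(tasklist_text)
    counts, hosts = Counter(), {}
    for remote_host, state, pid in parse_netstat(netstat_text):
        if state == "SYN_SENT":
            counts[pid] += 1
            hosts.setdefault(pid, set()).add(remote_host)
    return [{"pid": pid, "syn_sent": n, "distinct_hosts": len(hosts[pid]),
             "process": procs.get(pid, ("<unknown>", []))}
            for pid, n in counts.most_common()]
```

The PID-to-services mapping only narrows the suspect to the services hosted by that svchost.exe; confirming which DLL is responsible still needs Process Explorer or a similar tool, as the replies above say.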
I have been through the logs
I have been through the logs and the snapshot submitted, and it is very tough to advise you on the exact problem because the svchost.exe seems to be fine.
As well said by Paul and Vikram, you should run the Load Point utility and upload the log here and let the experts analyse the log. Hope we can make some way out.
Ajit
Regards,
Ajit Jha
Technical Consultant
STS
If this running process is
If this running process is causing your network to be very slow, try to enable the firewall, then allow all the ports that SEP utilizes to isolate the problem. Try also to use a network sniffer or packet monitor to identify what application or file is causing this problem.
:-)
Thank you everybody.
I will try to follow your advice.
But maybe I will respond slowly because the user is so busy it is difficult to check.
Thank you.
wirawat.
If you have SEP installed
If you have SEP installed, then why is the "klnagent.exe 196 Kaspersky Lab" process running?
Close all HP services and check.
I think
I'm not sure.
I think the customer installed Kaspersky before installing SEP and forgot to uninstall it.
Maybe the customer is comparing SEP and Kaspersky for purchasing the product because Trend Micro will expire.
Sorry to respond late. The problem has been solved by ...
The problem has been solved by scanning for viruses on each client in safe mode.
And when checking the logs at the proxy, I found some users generating very heavy traffic and then informed those users.
Now customers can buy our products successfully.