Need Help urgently from symantec tech support

  • 1.  Need Help urgently from symantec tech support

    Posted Dec 29, 2009 08:09 AM
    Hi

    A new threat is spreading in our network, making PCs very slow and network connectivity very poor. It has infected almost every PC in our network.

    I have submitted the file; the tracking number is #14353568. I also created a case on the MySupport page; the case number is 410-671-180.

    But I need to speed up the solution process.

    I tried to block the file from running through an Application and Device Control policy, but clients are having problems with this: their explorer.exe closes and restarts again and again, and as a result their desktop appears and disappears frequently.

    Can anyone from Symantec help me quickly?


  • 2.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 08:20 AM

    I have checked the tracking number you mentioned. The investigation is still in progress. I have made a note of the tracking number and will keep you updated.


  • 3.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 08:25 AM
    I need to speed up the process. Our network is suffering due to this. Other AV products are detecting this threat, and this has become an issue in our company.


  • 4.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 02:01 PM
    Greetings Bijay.Swain,

    Unfortunately I do not have the ability to process these submissions faster without you opening a support case with Symantec. If you want to do that we can get the submission bumped.

    Alternatively, if you use Network Threat Protection in your environment you can block the file from being run using the MD5 hash:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009041514273648?Open&seg=ent

    Go straight to the section "Configuring the Policy". The MD5 hash to use for this is: 6fb7df8aaa4e3e410503b73a9d476aba

    I checked into the threat and it appears it may be spreading via Autorun. I would suggest checking into disabling Autorun network wide to limit the spread of threats:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648?Open&seg=ent


  • 5.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 02:42 PM
    Offhand, was NTP enabled, with IPS running? Just curious more than anything.
    Beyond that, call into Symantec support and immediately ask for a "Duty Manager." Explain the situation, and he/she will escalate.


  • 6.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 03:14 PM
    As an FYI, if the issue has a serious impact to your business' daily functions you can advise the agent the severity is "Severity 1 (Emergency Up)". These cases take priority and will get an agent on the line typically faster than a Duty Manager can arrange a callback for you.


  • 7.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 03:43 PM
    I would agree. BTW, web cases are not really intended for urgent issues such as a virus outbreak.


  • 8.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 10:42 PM
    Hi John

    The support case number is 410-671-180. Now can you help me?


  • 9.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 10:57 PM
    The submission that you have made is still open.

    If you really need immediate help please contact support.


  • 10.  RE: Need Help urgently from symantec tech support

    Posted Dec 29, 2009 11:10 PM
    While this isn't helpful in cleaning up the infection, it's always good to have a reminder that SEP is only part of the solution for keeping malware off your machines.

    Several other things that can reduce your risk of infection or reduce the impact if something does get in:
    1. Limit the use of admin rights
    2. Use perimeter defenses
    3. Educate users on malware/security
    4. Watch the network for signs of infection to cut off infected systems
    5. Use software restriction policies or Application and Device Control in SEP to only allow pre-approved software to run.
    6. Keep your machines up-to-date with software and patches


  • 11.  RE: Need Help urgently from symantec tech support

    Posted Dec 30, 2009 10:34 AM
    I got the closing mail for tracking number #14353568, which says that the latest rapid release, Sequence Number: 104859 (or higher), will detect the threat as Imaut.cn.
    I downloaded the latest rapid release and updated my client, but it doesn't detect the threat.
    When I checked my sequence number, it says 104855. I am unable to get the 104859 rapid release. Can anyone send the link?


  • 12.  RE: Need Help urgently from symantec tech support

    Posted Dec 30, 2009 10:37 AM
    Ok I got the ftp link.



  • 13.  RE: Need Help urgently from symantec tech support

    Posted Dec 30, 2009 10:48 AM
    Greetings Bijay.Swain,

    Please keep us posted on this!


  • 14.  RE: Need Help urgently from symantec tech support

    Posted Dec 30, 2009 11:32 AM
    I got the FTP site, but the update for that sequence number is not there. The folder is blank.


  • 15.  RE: Need Help urgently from symantec tech support

    Posted Dec 30, 2009 11:50 AM
    Greetings,

    It takes anywhere from 30-60 minutes from the time you get the closing email until the definitions are available.

    Keep an eye on the following site, you should see revision 104859 or later populate shortly.

    ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/


  • 16.  RE: Need Help urgently from symantec tech support

    Posted Dec 30, 2009 10:49 PM
    Did you end up getting the rapid release, Bijay? If so, did it catch the virus?

    Grant-


  • 17.  RE: Need Help urgently from symantec tech support
    Best Answer

    Posted Dec 30, 2009 10:56 PM
    Yes, I got the rapid release and it caught the virus. Thanks to Symantec for the quick response, as they took only 1 day to provide the rapid release. PCs in our network had become too slow, as this threat was creating a file/folder of 4.12 MB in each folder of a drive, which was taking up the whole disk space and making the PC unusable.

    I am happy with Symantec's effort on this.