Pending Side Effects Analysis : Access Denied Backdoor.Tideserv!inf
Created: 21 Jun 2010 | 25 comments
After running a full system scan using Endpoint Protection, I am getting the following error:
Security risk detected: Backdoor.Tideserv!inf
File: C:\Windows\System32\drivers\netbt.sys
Action Taken: Pending Side Effect Analysis : Access Denied
My question is what does the action taken "Pending Side Effect Analysis : Access Denied" mean?
Has the threat been removed or is there another step that I need to take to protect my computers?
Any help would be greatly appreciated.
Have a look at the event log also
Symantec Endpoint Protection 11.x event log entries
Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
SEP has a component called
http://www.symantec.com/connect/forums/action-take...
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Should I then be patient and see what type of solution SEP comes up with?
Yes, let's wait and observe that.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Second Notification
Prachand -
The second notification that I received says "Action Taken: Left Alone".
Does this mean it is no longer a threat? Or what should I do?
Thanks in advance for your help.
Left Alone Symantec
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/16179a5b53c4d21b8825722c00680866?OpenDocument
"Left Alone" actually means "blocked, but unable to remove". We never actually do nothing: even if we cannot get rid of the file, we still block whatever it's trying to do and log "Left Alone".
https://www-secure.symantec.com/connect/forums/action-taken-what-does-they-mean
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
It looks like it has installed a driver (SYS file) on your system and it is currently in use. In normal operation SEP won't be able to remove it.
Update your SEP with the latest Rapid Release virus definitions, start your machine in Safe Mode,
then run a full scan.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Does it matter if I run a full scan in Safe Mode with Networking on or not?
Just so I understand, whatever threat is posed by Tidserv!inf, it is being blocked by SEP, is that correct?
SEP has not deleted the file, because...?? I don't understand what is meant in the definition of "Left Alone", that "This may mean that a risk is active on the endpoint". Is the PC still at risk?
Thanks again for your help & patience!
Tidserv is a rootkit
SEP isn't "blocking" the threat. The action "Left Alone" in this case means exactly that. Tidserv is a rootkit, which means it has altered or replaced valid Windows system files with modified, infected ones. SEP can't just remove these, otherwise your system wouldn't boot up. It's not like the cleanup engine can store all the various system drivers out there either. You'll need to manually restore the driver via the Windows Recovery Console. You can review the threat writeup for instructions.
http://www.symantec.com/security_response/writeup....
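The post above says the detected netbt.sys is a legitimate Windows driver that the rootkit has patched or replaced, which is why the scanner only reports it and why the fix is to restore the original file. The following PowerShell script is an added example (not from this thread, and not a Symantec or Microsoft tool) of how a practitioner would confirm that before touching the file: it checks the driver's Authenticode signature and compares its SHA-256 hash with the copies of the same file name held in the component store (C:\Windows\WinSxS). It assumes PowerShell 4 or later (for Get-FileHash), and the default driver path and WinSxS path are the only inputs; if you have mounted an offline copy of the infected disk, pass that drive's paths instead, because a live kernel rootkit can serve clean-looking bytes to anything reading the file while it runs.

```powershell
# Added example: verify whether a Windows driver on disk is still the
# Microsoft-signed original or has been patched (as Tidserv does to netbt.sys).
# Assumptions: PowerShell 4+, and that the WinSxS component store itself is
# intact; a rootkit that also patched WinSxS would defeat the hash comparison.
param(
    [string]$DriverPath = 'C:\Windows\System32\drivers\netbt.sys',
    [string]$ComponentStore = 'C:\Windows\WinSxS'
)

function Test-DriverIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Store = 'C:\Windows\WinSxS'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Driver not found: $Path"
    }

    # 1. Authenticode check. A driver whose bytes were modified under an
    #    existing embedded signature reports 'HashMismatch'. 'NotSigned' on
    #    its own is inconclusive: many inbox drivers are catalog-signed rather
    #    than embedded-signed, so a clean file can also report 'NotSigned'.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # 2. Hash comparison against every same-named copy in the component store.
    $onDisk = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $leaf   = Split-Path -Leaf $Path
    $storeHashes = @(Get-ChildItem -LiteralPath $Store -Recurse -Filter $leaf -File -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } |
        Sort-Object -Unique)
    $matchesStore = $storeHashes -contains $onDisk

    # 3. Verdict. Only the two strong signals are treated as proof of patching.
    $verdict = if ($sig.Status -eq 'HashMismatch') {
        'Patched (signature hash mismatch)'
    } elseif ($storeHashes.Count -gt 0 -and -not $matchesStore) {
        'Patched (no matching copy in component store)'
    } elseif ($matchesStore -or $sig.Status -eq 'Valid') {
        'Clean (matches component store or valid signature)'
    } else {
        'Inconclusive (no embedded signature and no store copy to compare)'
    }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $signer
        Sha256          = $onDisk
        StoreCopies     = $storeHashes.Count
        MatchesWinSxS   = $matchesStore
        Verdict         = $verdict
    }
}

$result = Test-DriverIntegrity -Path $DriverPath -Store $ComponentStore
$result | Format-List

if ($result.Verdict -like 'Patched*') {
    Write-Warning "$($result.Path): $($result.Verdict). Restore the file from install media or the component store (offline), then rescan."
}
```

A "Patched" verdict is the confirmation the thread is looking for before replacing the file from the Recovery Console; a "Clean" verdict from a live system is still worth repeating from an offline boot, since the comparison can only be trusted when the rootkit is not running. The script reads files only and changes nothing.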
The attached solution seems to be written for Windows XP/ME. I am running Vista.
Are there any different steps for the solution using Vista? I would assume that step 1 is different.
Any help is greatly appreciated.
Try this...
http://windows.microsoft.com/en-us/windows-vista/W...
sandra
Symantec Endpoint & Mobility Group / Information Development
Don't forget to mark your thread as 'solved' with the answer that best helped you!
Run a full scan in Safe Mode without networking, as it is recommended that when you run a full scan in Safe Mode you should not be connected to the network/Internet.
Best Practices for responding to "Left Alone" in the virus or threat history log
I believe my current situation is
Where does this leave me? I can't seem to get the file off of the computer. When I run a manual scan in safe mode, SEP does not pick up any threats.
I've tried a system restore in VISTA to an earlier point, and when that happens I get the blue screen of death, as windows won't boot up....
If SEP has determined it is a risk, but is unable to Quarantine or Delete the file (probably because Windows is fooled into thinking this file is needed), am I protected from a recurrence of the virus?
Thanks again!
mehoover
Are you still referring to the initial detection of backdoor.tidserv!inf? What the !inf extension on the detection means is that the detection is informational but action must still be taken, because if SEP were to take action on the detected file (deleting it, quarantining it, etc), it would render the operating system unusable, because the file indicated is in fact a system file.
"If SEP has determined it is a risk, but is unable to Quarantine or Delete the file (probably because Windows is fooled into thinking this file is needed), am I protected from a recurrence of the virus?"
If we have a detection, Auto-Protect should prevent true reinfection. You may want to take a look at the 'Prevent Recurrence' section of the following document.
Title: 'Best practices for troubleshooting viruses on a network'
http://service1.symantec.com/SUPPORT/ent-security....
sandra
Sandra -
I am still talking about the backdoor.tidserv!inf. I guess I'm left with how do I clean up what's left? Will the solution suggested by Raunak Vaghela accomplish this? (i.e. run Symantec Endpoint Recovery Tool). Or can I just stop, and be satisfied that I won't be reinfected?
Thank-you!
I would read the actual Security Response writeup (see the link above). It involves using the Windows recovery console to replace affected system files.
Bear in mind, though, that since this is a backdoor, removing detected files may not be enough, and there may have been changes to the operating system that cannot be reversed... please see the following.
Title: 'Backdoors and What They Mean to You'
http://service1.symantec.com/SUPPORT/ent-security....
sandra
I tried, but I don't get past the first step. When I run a Vista System Restore to a point prior to infection, I get the blue screen, and windows shuts down. I then have to do a System Repair, then a System Restore to the point prior doing the system restore suggested in Step 1. ????
Step 1 does not mention using System Restore. It mentions using the XP Windows Recovery Console. Unfortunately, I don't have experience with the Vista Recovery Console process--I posted a link to a Microsoft doc up there describing it, which you will want to consult. The Windows Recovery Console and System Restore are not the same.
sandra
That is what I meant, I have tried the Vista Recovery Console process (as you posted), which leaves me w/ the inability to boot up.
Sometimes, when a process is running as the System user, for example a driver, SEP may be able to detect it but not stop it.
If the SEP client is able to detect the threat, then please follow the KB below. It will fix the issue:
http://service1.symantec.com/SUPPORT/ent-security....
Please Mark on the solution that worked for you.
As mentioned several times already in this thread, a regular scan, be it by the Recovery Tool or by the SEP client, will not deal with this threat. The file needs to be replaced using the Recovery Console. There is NO other way to deal with this threat.
As a follow-up, I used an anti-malware application called Hitman Pro. This software identified and fixed the affected file. It seems to have worked in removing the threat. I am no longer receiving the error warnings from SEP. I thank all of you for your suggestions and help!
FWIW, Hitman Pro is the only product on the market at the moment that will detect AND remove the latest version of TDSS rootkit. Some more info: http://hitmanpro.wordpress.com/