
porn.exe, sexy.exe, password.exe; file/folder name .exe

Created: 09 Jan 2013 | 20 comments

So how come Endpoint didn't prevent this from infecting my workstation, propagating through the network and infecting 3 other workstations? I have LiveUpdate active, so all my clients had the latest definitions. Not good.


pete_4u2002:

Is Auto-Protect working?

Do you mean SEP did not find these files as a threat?

Can you submit these files to Security Response?

.Brian:

It's likely Symantec doesn't yet have definitions created for them. See below:

Upload to VirusTotal or ThreatExpert to check them against all the other AV engines:

https://www.virustotal.com/

http://www.threatexpert.com/

Also, upload file to Symantec to create defs for it:

https://submit.symantec.com/websubmit/gold.cgi

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ashish-Sharma:

Hi,

Try scanning your system with the Symantec tools:

Is your system infected? Symantec tools to help clear an infection

https://www-secure.symantec.com/connect/forums/you...

If Symantec does not detect the virus, you can submit the suspicious file.

Submit Suspicious Files

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Thanks in advance,

Ashish Sharma

Ajit Jha:

Hi Hank,

I would recommend scanning your system using the SERT tools. More information about SERT can be found here.

http://www.symantec.com/business/support/index?pag...

Regards,

Ajit Jha

Technical Consultant

ASC & STS

Still LOL:

I have experienced the issue in the subject thread (not exactly the same words, but different .exe threat files) several times; Symantec never detected those, and I finally ended up dealing with it using ComboFix.

Thanks,

APK

pete_4u2002:

You should submit the files to Security Response to find out whether the threat is a new variant.

Still LOL:

Dear Pete,

Submitting to Security Response, getting a reply back from them and then resolving the issue: all of these are time-consuming processes.

What is the standard response time from Security Response?

Thanks,

APK

pete_4u2002:

I would suggest you work with Tech Support once you submit the file.

Ajit Jha:

Hi Still,

All I know is that there is no shortcut to success. This is the procedure. There are millions of variants being released every day; it's not possible for Symantec to keep track of all of them, so as customers it's our responsibility to inform them by submitting the samples. Together with Symantec we will help the globe avoid getting infected with such variants.

And Symantec never recommends using a third-party utility to clean such worms/viruses.

Please cooperate... it's for your, our and everyone's benefit.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

Still LOL:

I agree, and I don't want to slip away from the subject of the thread.

My only concern is that my users should not be left waiting for their PCs to work normally again.

Thanks,

APK

Ajit Jha:

Hi,

Then please follow the posts of Ashish and Brian.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

Mick2009:

Hi Hank,

Here's some advice from Security Response on how to make the best use of SEP. Auto-Protect with traditional AV definitions alone is not enough for a complete defence against today's sophisticated threats: using IPS, Insight etc. is crucial. And, of course, educated users following best security practice... that's the best protection.

http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Hope this helps!

With thanks and best regards,

Mick

Mithun Sanghavi:

Hello,

To catch the file, zip the containing folder; when you open the zipped folder, you may see the threat file in it.

Submit the .zip folder to the Symantec Security Response Team at

https://submit.symantec.com/websubmit/essential.cgi

I would suggest you work through the steps provided in these articles:

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/docs/TECH98929

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

Check this thread with a similar issue: https://www-secure.symantec.com/connect/forums/folder-getting-created-folderexe

Are you running all the latest Microsoft updates and security patches on the machine?

Make sure you have the latest Microsoft updates and security patches on ALL the machines.

The symptoms sound like W32.SillyFDC to me.

  1. Run a scan in Safe Mode with Networking to remove the virus. (Make sure SEP is updated with the latest definitions.)
  2. Disable System Restore before you do this, as the virus also creates entries in the System Restore Points store volumes.
  3. Disable AutoPlay for ALL DRIVES via a GPO (if you're on a domain), and
  4. Disable Simple File Sharing if it's enabled, to prevent the infection from propagating itself by binding to files.
  5. Secondly, submit these files to Symantec Security Response and they will get detected. https://submit.symantec.com/essential

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
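Step 3 above is normally done with the "Turn off AutoPlay" and "Default behavior for AutoRun" GPO settings. The following added example (not part of the thread, and not Symantec tooling) writes the same two registry policy values those settings control on a single workstation and verifies them, which is useful for a standalone machine or for confirming that the GPO actually landed. It assumes an elevated PowerShell session; the key path and value names are the documented Explorer policy values, everything else (function names) is this example's own.

```powershell
# Added example: enforce and verify the AutoRun/AutoPlay policy values on one machine.
# Run from an elevated PowerShell prompt. On a domain, prefer the equivalent GPO under
# Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies,
# which writes exactly these values; this script is for standalone hosts or for auditing.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Disable-AutoRun {
    # NoDriveTypeAutoRun = 0xFF: every drive-type bit set, so AutoPlay is off for all drives
    # (removable, fixed, network, CD-ROM and the unknown/reserved types).
    Set-PolicyDword -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF
    # NoAutorun = 1: never execute the commands in an autorun.inf, regardless of AutoPlay.
    Set-PolicyDword -Path $PolicyKey -Name 'NoAutorun' -Value 1
}

function Test-AutoRunDisabled {
    # Returns an object you can log or feed to a compliance report.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $p.NoDriveTypeAutoRun
        NoAutorun          = $p.NoAutorun
        Compliant          = ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1)
    }
}

Disable-AutoRun
Test-AutoRunDisabled | Format-List
```

Set the values, then reboot or sign out and back in; Explorer reads the policy at logon. A machine that reports `Compliant : False` after a GPO refresh is either out of the policy's scope or has a local override, both worth chasing before assuming AutoRun is closed off.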

dgh:

I have seen W32.Changeup causing this behaviour. It hides folders on a network share or removable drive and creates a rogue executable with the same name, and also creates an autorun file. The virus has been around a while and SEP catches it, but there is a chance that a recently coded variant is not yet recognised by current definitions.
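The pattern dgh describes (a folder set hidden, a same-named .exe dropped beside it, and an autorun.inf in the root) is easy to hunt for across a share without waiting on definitions. The script below is an added example, not from the thread or from Symantec: it reports every folder that has a sibling `<name>.exe`, flags whether either is hidden, hashes the executable so the sample can be referenced when it is submitted, and copies the executables to a quarantine folder for zipping. The share path is a hypothetical placeholder and the function names are this example's own; run it from a clean admin workstation, and it changes nothing on the share.

```powershell
# Added example: find "<folder>" + "<folder>.exe" pairs and autorun.inf files on a share.
# Report-only against the share; suspicious executables are copied to a quarantine folder
# so they can be zipped and submitted. $Root and $Quarantine are hypothetical paths.
param(
    [string]$Root       = '\\fileserver\share',
    [string]$Quarantine = 'C:\Quarantine'
)

function Get-Sha256Hex {
    # Hash via .NET so this also works on older PowerShell without Get-FileHash.
    param([string]$File)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Test-Hidden {
    param([System.IO.FileSystemInfo]$Item)
    [bool]($Item.Attributes -band [System.IO.FileAttributes]::Hidden)
}

function Find-FolderNameExe {
    # Every directory (hidden ones included, hence -Force) that has "<dirname>.exe" next to it.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $twin = Join-Path $_.Parent.FullName ($_.Name + '.exe')
            if (Test-Path -LiteralPath $twin) {
                $exe = Get-Item -LiteralPath $twin -Force
                [pscustomobject]@{
                    Folder       = $_.FullName
                    FolderHidden = Test-Hidden $_
                    RogueExe     = $exe.FullName
                    ExeHidden    = Test-Hidden $exe
                    SizeBytes    = $exe.Length
                    SHA256       = Get-Sha256Hex $exe.FullName
                }
            }
        }
}

function Find-AutorunInf {
    # autorun.inf anywhere under the root; the worm behaviour described puts it at the root.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -Filter 'autorun.inf' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

function Copy-Sample {
    # Copy each rogue .exe into the quarantine folder, clearing Hidden on the copy so it is
    # visible for zipping and submission. The original is left untouched for the AV cleanup.
    param([object[]]$Hits, [string]$Dest)
    if (-not (Test-Path -Path $Dest)) { New-Item -Path $Dest -ItemType Directory | Out-Null }
    foreach ($h in $Hits) {
        $target = Join-Path $Dest ("{0}_{1}" -f $h.SHA256.Substring(0, 12), (Split-Path $h.RogueExe -Leaf))
        Copy-Item -LiteralPath $h.RogueExe -Destination $target -Force
        (Get-Item -LiteralPath $target -Force).Attributes = 'Normal'
    }
}

$hits = @(Find-FolderNameExe -Path $Root)
$hits | Format-Table Folder, FolderHidden, RogueExe, SizeBytes, SHA256 -AutoSize
Find-AutorunInf -Path $Root | Format-Table -AutoSize
if ($hits.Count -gt 0) { Copy-Sample -Hits $hits -Dest $Quarantine }
```

A legitimate installer folder can sit next to an installer of the same name, so treat `FolderHidden = True` plus an `.exe` that was not there before as the strong signal, and compare the SHA256 against what VirusTotal or ThreatExpert already know before you assume it is new. Zip the quarantine folder for submission; do not double-click anything in it.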

Hank Reardon:

Thanks to everyone for your input. You've given me plenty to chew on, as I admit to not being nearly as knowledgeable as I need to be on the subject of virus protection.

Hank Reardon:

I had a consultant in today who used a combination of combofix and malware bytes to take care of the problem. It turned out that only my workstation was infected, as I was the fool who opened the email with the bug. But it had looked like it propagated through the network so each client needed to be checked. Anyway all is good and I will submit the attachment to Symantec Support tomorrow. 

Mick2009:

Excellent news, Hank!

The bad guys are always cooking up new ways to get their stuff onto as many machines as possible. The Security Response blog posts are a good resource for staying on top of developments.

https://www-secure.symantec.com/connect/symantec-blogs/sr

With thanks and best regards,

Mick

Public Defender:

All,

Thanks for all of your input. I understand that Symantec can't have the fix as soon as the coder writes the virus/worm.

With that said: why the *@!* doesn't Auto-Protect stop a process from writing a file called porn.exe or sexy.exe??? If that was the intended file name, let me deal with a misguided engineer's naming conventions as the EXCEPTION. Kill those filenames as the RULE.

Thanks

.Brian:

The purpose of Auto-Protect is not to block by filename. It is to block a known malware signature.

If you want to block by filename, then you need to use an Application Control policy to do this.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Vikram Kumar-SAV to SEP:

Auto-Protect is signature-based scanning, i.e. it scans each file against the list of signatures it has.

Now that is not enough, so you should use SONAR and Insight in addition to IPS.

Every malware family uses a specific way to propagate within a computer or across the network.

You can have specific Application Control rules to block such activity, e.g. making a few registry entries read-only, preventing browsers from writing to system folders, blocking .lnk and autorun.inf.

For an enterprise it is important to take malware management seriously and make better use of SEP, as it is not just an antivirus.

As for the filenames above, they are not malicious names; no filename can be malicious, even if it is virus.exe or trojan.exe.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.