Endpoint Protection

  • 1.  Problem with virus

    Posted Mar 01, 2011 03:56 PM

    Hi,

    Two of my customers are facing a problem with a virus that Symantec is not detecting.

    The virus creates many shortcuts and hides all the files that are in the folder.

    They are running SEP MR6 MP2 and the SEP clients are up to date.

    On the screenshot of the folder you can see that it has folders like music and documents, and many shortcuts that the virus has created; for example, I have 1GB of files in this folder and all of them are hidden.

    Even in Safe Mode the AV did not find anything, and what is funny is that on the infected client machine I can see the folders and access them properly; however, on the file server I can see only shortcuts.

    On the client machines, the SEP clients are running with all features.

    Has anyone seen this virus, and could you point out why SEP is not blocking or removing it?

    In my environment most of the users don't have unnecessary permissions and WSUS is working well; I've also done a search for machines with out-of-date service packs.

    Thanks....
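    Added example (not part of the original post, and not Symantec's tooling): a read-only PowerShell triage of a folder showing the "shortcuts plus hidden files" symptom described above, meant to be run on the file server before anything is deleted. It resolves what each .lnk would actually launch, which is usually the fastest way to find the dropper to submit. The share path is an assumption; everything else uses only built-in cmdlets and the WScript.Shell COM object.

```powershell
# Added example, not from the original thread. Read-only triage: nothing is modified.
# Assumption: $Path is the affected folder on the share; run as an account that can read it.
param([string]$Path = '\\FILESERVER\Share\Folder')

$shell = New-Object -ComObject WScript.Shell

# 1. Every shortcut in the folder, with the target and arguments it would launch.
#    Worms of this kind normally point the .lnk at cmd.exe, rundll32.exe or a hidden copy
#    of the dropper and pass the real folder name as an argument so the click still "works".
$shortcuts = Get-ChildItem -LiteralPath $Path -Filter *.lnk -Force
$shortcuts | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    [pscustomobject]@{
        Shortcut  = $_.Name
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Created   = $_.CreationTime
    }
} | Format-Table -AutoSize

# 2. Hidden items that have a same-named shortcut beside them: these are the user's real
#    folders and files that the malware masked (they usually carry Hidden + System).
$shortcutNames = $shortcuts | ForEach-Object { $_.BaseName }
Get-ChildItem -LiteralPath $Path -Force |
    Where-Object { $_.Extension -ne '.lnk' -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
    Select-Object Name, Attributes,
        @{ n = 'HasShortcutTwin'; e = { ($shortcutNames -contains $_.Name) -or ($shortcutNames -contains $_.BaseName) } } |
    Format-Table -AutoSize

# 3. autorun.inf, if present: its attributes and only the lines that would execute something.
$autorun = Join-Path $Path 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    "autorun.inf attributes: " + (Get-Item -LiteralPath $autorun -Force).Attributes
    Get-Content -LiteralPath $autorun |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
}
```

    The Target column is what to collect for the sample submission; the .lnk files themselves contain no code and are not worth submitting on their own.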



  • 2.  RE: Problem with virus

    Posted Mar 01, 2011 04:12 PM

    Hello,

    It's better to open a support case; you may need to provide some files for research if the virus doesn't have a signature yet.

     

    Regards,

     

    Oykun



  • 3.  RE: Problem with virus

    Posted Mar 01, 2011 04:14 PM

    SEP is not catching because it doesn't have the signatures to detect it. It may be a new variant.

    Submit to Security Response so they can analyze and create definitions.

    https://submit.symantec.com/websubmit/gold.cgi



  • 4.  RE: Problem with virus

    Posted Mar 02, 2011 12:29 AM

    - Make sure application vulnerabilities are patched

    - Secure the network shares; disable them or make them password protected

    - If possible, remove infected machines from the network

    - Enable network scanning or enable Risk Tracer:

    http://www.symantec.com/business/support/index?page=content&id=TECH94526&actp=search&viewlocale=en_US&searchid=1299043657515

    - Verify that autorun is disabled.

    Please submit a sample for analysis, or run the SEP Support Tool and open a case with Support so they can assist you from there.



  • 5.  RE: Problem with virus

    Trusted Advisor
    Posted Mar 02, 2011 09:36 AM

    Hello,

    Here are a few suggestions, and they really work...

    1) Make sure all Microsoft security patches and service pack updates are in place.

    2) Use the Symantec Support Tool.

    Check the steps below on how to collect the suspicious files and submit them to the Symantec Security Response team.

    To explain the entire procedure, please follow the steps below:
     
    1) Download the Symantec Endpoint Protection Support Tool from
     
     
    2) To generate this data for Technical Support, please follow the steps below:
     
                a. Open the utility, and accept the license agreement.
                b. Place a check mark next to each category that is relevant to your issue, and then click Next.
                c. After the utility has finished collecting data, click Collect full data for support.
     
     
    This data is saved by default to the root of drive C, with a filename in the following format:
    "<computer name>_<date>_<time>_full.sdbz" 

    Submit this report to your Technical Support agent by attaching the .sdbz file to the email he/she has sent you.

    This will automatically attach the report file to your case. 
     
     
    3) While running the utility, you can collect the suspicious files as shown in the picture below:

    By clicking the button "Copy the files to a single location", you can save the suspicious files to a directory of your choice.
     
    Please zip the files. Make sure the zip file does not include more than 9 files and/or exceed 10MB in size.

     

    4) Submit these suspicious files to Symantec Security Response for analysis. Click on this link to begin the process:

    https://submit.symantec.com/gold/

    Fill out the form and upload the file(s).

    Your Technical Contact ID:  (check with your Local Technical Support Representative)

     
    You will receive a confirmation email with a tracking number, and within 24 to 48 hours you should receive an email telling you if the file is viral or not. If it is viral, you will be provided with a set of rapid release definitions. These can be installed to your system so that Symantec Endpoint Protection or Symantec AntiVirus can then detect the infected file and prevent a re-infection.
     
    5) Submit the file to Threat Expert (owned by Symantec).

    Automated analysis can be performed for some types of threats through http://www.threatexpert.com. This step can quickly identify the sites the threat is coded to contact so they can be blocked at the firewall. Symantec Support does not provide troubleshooting for http://www.threatexpert.com, and this step does not replace the need to submit files to Symantec Security Response.
     
     
     
     
     


  • 6.  RE: Problem with virus

    Posted Mar 03, 2011 02:03 AM

    Suggestion to stop the spreading any further in the network:

      As per the screenshot, I see a file called Autorun.inf which is 1KB in size; open it and check whether it is running any script, say trying to execute any .exe or .dll file.

    Delete the entries in the autorun.inf and save the file; since it has the read-only attribute, first change the properties by unchecking read-only and then save the autorun.inf file.

    And then disable the autorun feature from the registry on the machine:

    * How to disable autorun feature on a machine:

    - Open the registry and navigate to the following locations:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\
     
    Create a DWORD key NoDriveTypeAutorun with the value 255 (decimal), which disables the autorun feature for all drives.
     
    Or implement the same across the network using GPO; check the Microsoft document on disabling autorun using GPO:
     
    Delete the existing shortcuts that were created and then monitor whether they are recreated, to confirm whether the infection is still executing.
     
    And then follow the procedure provided by Mithun to submit the suspicious files for analysis.
     
    Hope this helps you......
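    Added example (not part of the original post): the clean-up steps above as one PowerShell script: neutralise autorun.inf, set NoDriveTypeAutoRun in both hives, remove the malicious shortcuts, unhide the masked items, and then re-count shortcuts to see whether something is still recreating them. The folder path is an assumption; the script treats a .lnk as malicious only when a hidden item of the same name sits beside it, which is the pattern described in the thread. Run it elevated, and with -WhatIf first.

```powershell
# Added example, not from the original thread. Run elevated on the file server.
# Assumption: $Path is the infected folder; real data is what carries Hidden/System,
# and a .lnk is malicious only if it twins a hidden item of the same name.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$Path = 'D:\Share\Folder')

# 1. Neutralise autorun.inf: clear the attributes that block editing, keep a copy for the
#    sample submission, then empty it and make it read-only again so nothing launches from it.
$autorun = Join-Path $Path 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    $f = Get-Item -LiteralPath $autorun -Force
    $f.Attributes = [IO.FileAttributes]::Normal
    Copy-Item -LiteralPath $autorun -Destination (Join-Path $env:TEMP 'autorun.inf.sample') -Force
    if ($PSCmdlet.ShouldProcess($autorun, 'empty autorun.inf')) {
        Set-Content -LiteralPath $autorun -Value '' -Force
        (Get-Item -LiteralPath $autorun -Force).Attributes = [IO.FileAttributes]::ReadOnly
    }
}

# 2. Disable AutoRun for all drive types (255 = 0xFF) under both policy keys named in the post.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# 3. Delete the shortcuts that twin a hidden item, then strip Hidden/System from the real data.
$items = Get-ChildItem -LiteralPath $Path -Force
$hidden = $items | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
$hiddenNames = $hidden | ForEach-Object { $_.Name; $_.BaseName }
foreach ($lnk in ($items | Where-Object { $_.Extension -eq '.lnk' -and $hiddenNames -contains $_.BaseName })) {
    if ($PSCmdlet.ShouldProcess($lnk.FullName, 'delete shortcut')) {
        Remove-Item -LiteralPath $lnk.FullName -Force
    }
}
$mask = -bnot ([int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System)
foreach ($item in $hidden) {
    if ($PSCmdlet.ShouldProcess($item.FullName, 'clear Hidden/System')) {
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band $mask)
    }
}

# 4. Watch for recreation: if the count of .lnk files rises again, a client is still running
#    the dropper and the folder has only been cleaned cosmetically.
$before = @(Get-ChildItem -LiteralPath $Path -Filter *.lnk -Force).Count
Start-Sleep -Seconds 300
$after = @(Get-ChildItem -LiteralPath $Path -Filter *.lnk -Force).Count
if ($after -gt $before) {
    "Shortcuts reappeared ($before -> $after): infection still active, find the client writing them"
} else {
    "No new shortcuts after 5 minutes ($before remaining)"
}
```

    The registry change only stops Explorer from honouring autorun.inf on this machine; the GPO route in the post is what covers the clients, which is where the dropper actually runs.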
     


  • 7.  RE: Problem with virus

    Trusted Advisor
    Posted Mar 03, 2011 10:00 AM

    Hello,

    Here is the Plan of Action for you..

     

    STEP 1 - CHECK FOR KNOWN OS VULNERABILITIES AND DOWNLOAD PATCHES TO PROTECT THEM:

    Begin by checking your network for known, patchable OS vulnerabilities that may be exploited to spread virus infections. The Microsoft Baseline Security Analyzer is a free tool from Microsoft that you can use to analyze your vulnerability to known security exploits in the Microsoft Windows operating environments. This tool centrally scans Windows-based computers for common security misconfigurations and generates individual security reports for each computer that it scans. MBSA will scan for common security misconfigurations in the following products: Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Internet Information Server (IIS) 5.0 and 6.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003. MBSA also scans for missing security updates, update rollups and service packs published to Microsoft Update.

    You can download the MBSA free from Microsoft at the following link:

    http://technet.microsoft.com/en-us/security/cc184924.aspx

     

    Install ALL the latest Microsoft Security Patches / Service Packs on ALL machines

     

    STEP 2 - SUBMIT SUSPICIOUS FILES FOR ANALYSIS TO SYMANTEC SECURITY RESPONSE:

    Provided in the Thread above...

    STEP 3 - Disable Auto play with GPO
    http://support.microsoft.com/kb/953252

    STEP 4 - Disable Scheduled Tasks with GPO
    http://support.microsoft.com/kb/310208

    STEP 5 - Enable Security Auditing with GPO
    http://support.microsoft.com/kb/300549

    STEP 6 - Scan ALL the machines...



  • 8.  RE: Problem with virus

    Posted Mar 03, 2011 10:03 AM

    I've collected the files and sent to Symantec to have a look.

     

    Thanks for the help!!!