Problem with virus
Hi,
Two of my customers are facing a problem with a virus that Symantec is not detecting.
The virus creates many shortcuts and hides all files that are in the folder.
They are running SEP MR6 MP2 and the SEP clients are up to date.
In the screenshot of the folder you can see that it has folders like music, documents and many shortcuts that the virus has created; for example, I have 1GB of files in this folder and all of them are hidden.
Even in Safe mode the AV did not find anything, and what is funny is that on the infected client machine I can see the folders and access them properly; however, on the file server I can see only shortcuts.
On the client machines the SEP clients are running with all features.
Has anyone seen this virus, and could you point me to why SEP is not blocking or removing it?
In my environment most of the users don't have unnecessary permissions and WSUS is working well; I've also done a search for machines with out-of-date service packs.
Thanks....
Comments
Hello,
It's better to open a support case; you may need to provide some files for research if the virus doesn't have a signature yet.
Regards,
Oykun
SEP is not catching it because it doesn't have the signatures to detect it. It may be a new variant.
Submit to Security Response so they can analyze and create definitions.
https://submit.symantec.com/websubmit/gold.cgi
Endpoint Knowledge Base
Security Best Practices
SEP Support Tool
- Make sure application vulnerabilities are patched
- Secure the network shares; disable them or make them password protected
- If possible, remove infected machines from the network
- Enable network scanning or enable Risk Tracer:
http://www.symantec.com/business/support/index?pag...
- Verify if autorun is disabled.
Please submit a sample for analysis or run SEP Support tool and open a case with Support to assist you from there.
Suggestions and it Really works...
Hello,
Here are a few suggestions, and they really work...
1) Make sure all the Microsoft security patches & service pack updates are in place.
2) Use Symantec Support Tool.
Check the steps on how to Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
b. Place a check mark next to each category that is relevant to your issue, and then click Next.
c. After the utility has finished collecting data, click Collect full data for support.
"<computer name>_<date>_<time>_full.sdbz"
Submit this report to your Technical Support agent, attaching the .sdbz file to the email he/she has sent you from the step above.
4) You will want to submit these suspicious files to Symantec Security Response for analysis. Click on this link to begin the process:
https://submit.symantec.com/gold/
Fill out the form and upload the file(s).
Your Technical Contact ID: (check with your Local Technical Support Representative)
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3
Follow me on Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
Suggestion to stop the spreading in the network further:
As per the screenshot I see a file called Autorun.inf which is 1KB in size; open it and check whether it is running any script, say trying to execute any .exe or .dll file.
Delete the entries in the autorun.inf and save the file. Since it has the read-only attribute, first change the properties by unchecking read-only and then save the autorun.inf file.
And then disable the autorun feature from the registry on the machine:
* How to disable autorun feature on a machine:
- Open the registry and navigate to the following location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\
Plan of Action.
Hello,
Here is the plan of action for you..
STEP 1 - CHECK FOR KNOWN OS VULNERABILITIES AND DOWNLOAD PATCHES TO PROTECT THEM:
Begin by checking your network for known, patchable OS vulnerabilities that may be exploited to spread virus infections. The Microsoft Baseline Security Analyzer is a free tool from Microsoft that you can use to analyze your vulnerability to known security exploits in the Microsoft Windows operating environments. This tool centrally scans Windows-based computers for common security misconfigurations and generates individual security reports for each computer that it scans. MBSA will scan for common security misconfigurations in the following products: Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Internet Information Server (IIS) 5.0 and 6.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003. MBSA also scans for missing security updates, update rollups and service packs published to Microsoft Update.
You can download the MBSA free from Microsoft at the following link:
http://technet.microsoft.com/en-us/security/cc184924.aspx
Install ALL the latest Microsoft security patches / service packs on ALL machines.
STEP 2 - SUBMIT SUSPICIOUS FILES FOR ANALYSIS TO SYMANTEC SECURITY RESPONSE:
Provided in the Thread above...
STEP 3 - Disable Auto play with GPO
http://support.microsoft.com/kb/953252
STEP 4 - Disable Scheduled Tasks with GPO
http://support.microsoft.com/kb/310208
STEP 5 - Enable Security Auditing with GPO
http://support.microsoft.com/kb/300549
STEP 6 - Scan ALL the machines...
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3
Follow me on Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
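The symptom described in the question (a .lnk beside every real folder, the real items set Hidden+System, an autorun.inf at the share root) and the autorun and "scan all machines" advice above can be checked from one script. This is an added example, not code from the thread or from Symantec; the share path, the `-Repair` switch and the list of script hosts are this example's own assumptions.

```powershell
# Added example: audit a share for the shortcut-worm pattern described in the
# thread and optionally clear the Hidden/System attributes on the real items.
param(
    [Parameter(Mandatory)][string]$Path,   # e.g. \\fileserver\share (assumed)
    [switch]$Repair                        # also un-hide the real items
)
# Shortcut targets a worm uses to run a payload; a document shortcut points elsewhere.
$suspectHosts = 'cmd.exe','wscript.exe','cscript.exe','powershell.exe','rundll32.exe'
$hideMask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$shell = New-Object -ComObject WScript.Shell

# 1) Shortcuts whose target is a shell or script host rather than a document.
Get-ChildItem -Path $Path -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
  ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
    if ($suspectHosts -contains $exe) {
        [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
    }
  } | Format-Table -AutoSize -Wrap

# 2) Hidden+System items that have a same-named .lnk sitting next to them.
$hidden = Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object {
    $dir = Split-Path $_.FullName -Parent
    (($_.Attributes -band $hideMask) -eq $hideMask) -and
    ((Test-Path (Join-Path $dir ($_.Name + '.lnk'))) -or (Test-Path (Join-Path $dir ($_.BaseName + '.lnk'))))
  }
$hidden | Select-Object FullName, Attributes | Format-Table -AutoSize
if ($Repair) {
    foreach ($item in $hidden) {
        # Same effect as: attrib -h -s <item>
        $item.Attributes = $item.Attributes -band (-bnot $hideMask)
    }
    Write-Host "Cleared Hidden/System on $($hidden.Count) item(s)."
}

# 3) autorun.inf files, as seen in the screenshot; print them so the [autorun] entries can be reviewed.
Get-ChildItem -Path $Path -Recurse -Force -Filter autorun.inf -ErrorAction SilentlyContinue |
  ForEach-Object { Write-Host "autorun.inf found: $($_.FullName)"; Get-Content $_.FullName }

# 4) Local AutoRun policy: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
if ($pol.NoDriveTypeAutoRun -ne 0xFF) {
    Write-Warning "AutoRun is not fully disabled for this user (NoDriveTypeAutoRun=$($pol.NoDriveTypeAutoRun))."
}
```

Run it without `-Repair` first and review sections 1 to 3; the .lnk files themselves are left in place so they can be collected for the Security Response submission before being deleted.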
I've collected the files and sent them to Symantec to have a look.
Thanks for the help!!!
Rodrigo Benedik