Endpoint Protection


Remove W32.Downadup.B entirely from client PC

ℬrίαη, Nov 19, 2010 08:04 AM

  • 1.  Remove W32.Downadup.B entirely from client PC

    Posted Nov 15, 2010 11:22 PM

    Hi,

     

    I have this problem with a few clients' PCs. Their PCs keep getting infected with W32.Downadup.B, repeatedly, even after SEP detected it, moved it to quarantine and blocked it.

    When I run a manual scan the next day, it is detected again.

     

    Any help?



  • 2.  RE: Remove W32.Downadup.B entirely from client PC

    Broadcom Employee
    Posted Nov 15, 2010 11:38 PM

    This is a worm; you actually need to clean the infected machines on the network.

    Check this URL; it is of great use:

    http://www.symantec.com/business/support/index?page=content&id=TECH93179&locale=en_US



  • 3.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 15, 2010 11:48 PM

    First ensure that all clients and servers on the network have the OS patch KB 958644. Then ensure that you do not have shares on which Everyone has write permission. Then scan all the affected PCs on the network in Safe Mode. Also ensure that you turn off System Restore on the affected PCs before scanning. This article will help you to find the affected PCs in your network:

    Worms and threats that spread across networks by network shares have become more common in recent years -- like Downadup/Conficker



  • 4.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 16, 2010 05:45 AM

    Hi Jim,

    W32.Downadup.B is not convenient to remove, but with the tools, techniques and advice available, it is possible.

    Here are links to the info you need:

    The Downadup Codex, Edition 2.0 https://www-secure.symantec.com/connect/blogs/downadup-codex-edition-20, also http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed2.pdf

    W32.Downadup write-up: http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

    In brief:

    • Use IDS, ADC and Firewall components with SEP instead of just AV
    • Use strong passwords throughout your organization
    • Lock down network shares and take measures to control autoruns
    • Ensure all MS patches are up to date
    • Identify the computer(s) in your network from which W32.Downadup.B continually tries to spread itself. Get them offline and cleaned, and the problem generally is resolved.

    Also see: http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

    Thanks and best regards,

    Mick



  • 5.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 16, 2010 07:51 AM

    You must still have an infected machine somewhere on your network.

    To isolate it, you can use the Risk Tracer feature in SEP.
     

    To enable it:

    Log in to SEPM >> Policies >> Select your AV policy and edit it >> File System Auto-Protect tab >> Advanced tab >> at the bottom, select the Risk Tracer button >> Enable it by ticking the box "Enable Risk Tracer"

     

    To view logs:

    Go to Monitors >> Logs >> set log type to Risk >> set your advanced settings as you wish >> click View Log >> up pops a list of infected machines; select any that are infected with Conficker and hit Details >> On the details page, look for the "Source Computer", which should tell you the infected machine.

    Remove it from the network, run the Conficker Removal tool, reboot and apply the patch.



  • 6.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 16, 2010 08:12 AM

    Hello,

    I want to add one thing.

    Cleaning your computer does not mean everything is OK now. You must update your OS and update the SEP clients across the whole company. Cleaning is easy, but protecting is more important.

    Best Regards.

    Fatih



  • 7.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 16, 2010 08:50 AM

    It seems that there is a computer on the network that is still infected and not detected. This is the only reason I can see as of now why these computers get infected again and again. Make sure that all the computers on the network have antivirus with updated definitions and that all Microsoft patches are in place. Run a Full Scan after disabling System Restore and network shares.

    Below are a few articles:

    Title: 'Security Tip: How to Determine if a Specific Microsoft Hotfix Has been Installed?'
    Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH94284&locale=en_US

    Title: 'Simple steps to protect yourself from the Conficker Worm'
    Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH93179&locale=en_US
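The two checks asked for above and in reply 3 (is KB958644 installed everywhere, and which shares give Everyone write access) can be scripted instead of clicked through host by host. The following is an added example, not code from the thread or from Symantec; the host list and report path are placeholders, and it assumes you have administrative WMI/remoting access to each machine.

```powershell
# Added example (not from the thread): audit Windows hosts for the MS08-067 patch
# (KB958644) and for shares whose share-level ACL lets Everyone (S-1-1-0) write.
# Assumptions: admin rights on the targets, WMI reachable; names below are placeholders.

param(
    [string[]]$ComputerName = @('PC01', 'PC02', 'FILESRV01'),   # placeholder host list
    [string]$Report = "$env:TEMP\downadup-audit.csv"             # placeholder output path
)

# Access-mask bits that allow changing share contents or its ACL:
# FILE_WRITE_DATA 0x2, FILE_APPEND_DATA 0x4, DELETE 0x10000, WRITE_DAC 0x40000,
# GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x40000000 -bor 0x10000000

$results = foreach ($pc in $ComputerName) {

    # 1. Patch check. Get-HotFix reads Win32_QuickFixEngineering on the remote host and
    #    writes an error when the KB is missing, so -ErrorAction Stop turns that into a catch.
    $patched = $false
    try {
        $patched = [bool](Get-HotFix -Id 'KB958644' -ComputerName $pc -ErrorAction Stop)
    } catch {
        $patched = $false        # KB absent, or host unreachable: treat both as "not verified"
    }

    # 2. Share ACL check. Each Win32_LogicalShareSecuritySetting exposes the share's DACL;
    #    an allow ACE (AceType 0) for S-1-1-0 with any write bit set is what we want to flag.
    $weakShares = @()
    $secSettings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $pc -ErrorAction SilentlyContinue
    foreach ($s in $secSettings) {
        try { $sd = ($s.GetSecurityDescriptor()).Descriptor } catch { continue }
        foreach ($ace in $sd.DACL) {
            $isEveryone = $ace.Trustee.SIDString -eq 'S-1-1-0'
            $isAllow    = $ace.AceType -eq 0
            $canWrite   = ($ace.AccessMask -band $WriteMask) -ne 0
            if ($isEveryone -and $isAllow -and $canWrite) { $weakShares += $s.Name }
        }
    }

    New-Object PSObject -Property @{
        Computer      = $pc
        KB958644      = $patched
        EveryoneWrite = (($weakShares | Sort-Object -Unique) -join ';')
    }
}

$results | Select-Object Computer, KB958644, EveryoneWrite | Export-Csv -Path $Report -NoTypeInformation
$results | Select-Object Computer, KB958644, EveryoneWrite | Format-Table -AutoSize
```

Hosts that report KB958644 as False need the patch before they go back on the network; any share listed under EveryoneWrite is a path the worm can use to drop itself and an autorun.inf, so tighten it to the specific groups that need change access.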



  • 8.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 19, 2010 04:32 AM

    How can I know where the source came from? It would be good if we knew the source at the initial stage.



  • 9.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 19, 2010 05:24 AM

    To find the source:

    Enable Risk Tracer and make sure IPS is installed on the client.

    You can also enable debug logging on the Netlogon service.

    Check these for more info:

    https://www-secure.symantec.com/connect/articles/worms-and-threats-spread-across-networks-network-shares-have-become-more-common-recent-year

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same



  • 10.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 19, 2010 08:04 AM

    Check my post above on Risk Tracer




  • 12.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 21, 2010 12:28 PM

    We thought we went through all 65 computers on the network and all the servers, unplugged them all and ran the removal tool. We found a few that had the virus. We kept them off the network and only allowed a few back on. Now we have a problem that all of our user accounts are locked out, including our admin accounts. We cannot even get onto our servers with the local admin account. We have been working around the clock on this for 3 days. We walked away for a few hours and now it is worse than ever. HELP, someone.



  • 13.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 21, 2010 12:58 PM

    It sounds like you still have Conficker somewhere on a machine (or machines).

    One of the symptoms of Conficker is account lockouts, as it tries spreading by brute-forcing various login combinations.

    Are you seeing anything in your SEPM logs, mainly using Risk Tracer? This should give you the source of the problem.

    Also, after running the removal tool, did you apply the patch? This is a must; otherwise machines will just become re-infected and the problem will continue.

    I would recommend opening a new thread on this so it gets more attention.
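The lockout symptom described in the two replies above is itself a way to locate the infected host, independent of Risk Tracer: every lockout the domain controller performs is logged as Security event 4740, and that event records the "Caller Computer Name" from which the failed logons came. The following is an added example, not code from the thread; it assumes it runs on (or can read the Security log of) a Windows Server 2008 or later domain controller, and the 24-hour window is a placeholder. It also covers the Netlogon debug-logging suggestion from reply 9, which gives the same answer from the DC side.

```powershell
# Added example (not from the thread): list account lockouts (Security event 4740) on a
# domain controller and rank them by the workstation that caused them. A single host that
# locks out many different accounts is the brute-forcing pattern described in the thread.
# Assumptions: run on a DC or pass -ComputerName; rights to read the Security log;
# Get-WinEvent requires Windows Vista/Server 2008 or later.

param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (placeholder: local machine)
    [int]$Hours = 24                             # placeholder look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740                             # "A user account was locked out"
    StartTime = (Get-Date).AddHours(-$Hours)
}

$lockouts = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name from the XML instead of by position.
        # In a 4740 event, TargetUserName is the locked account and TargetDomainName
        # carries the "Caller Computer Name" (the source of the bad password attempts).
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time           = $_.TimeCreated
            LockedAccount  = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']
            DC             = $_.MachineName
        }
    }

if (-not $lockouts) {
    Write-Host "No 4740 events in the last $Hours hours on $ComputerName"
    return
}

# Rank source workstations by how many lockouts they caused and which accounts they hit.
$lockouts | Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object @{n = 'CallerComputer'; e = { $_.Name }},
                  Count,
                  @{n = 'Accounts'; e = { ($_.Group | ForEach-Object { $_.LockedAccount } | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize

# The Netlogon debug log gives the same answer from the DC side: enable it with
#   nltest /dbflag:0x2080ffff
# and look for 0xC000006A (bad password) entries in %windir%\debug\netlogon.log;
# disable again afterwards with  nltest /dbflag:0x0
```

Pull the top CallerComputer off the network first; if lockouts continue after that, the next entry in the list is the next candidate. Note that the caller name is what the authenticating client reported, so an entry that is blank or unknown points at a host outside the domain or one that is lying, which is itself worth a look.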



  • 14.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 26, 2010 01:39 AM

    Under the Risk Tracer option, do I need to enable 'poll network sessions every XXXXX milliseconds'?

    The maximum value allowed is 30 seconds, which I think is too frequent.

    Any advice?



  • 15.  RE: Remove W32.Downadup.B entirely from client PC

    Posted Nov 26, 2010 08:50 AM

    I've always left it at the default, and I have 10k+ machines on my network. I have not seen any adverse effects from leaving it at the default.