
SEP and Photo.exe

Created: 09 Jul 2013 • Updated: 25 Oct 2013 | 13 comments

Has anyone come across Photo.exe, which keeps materialising on our Windows Server 2003 share drive, in various locations? I am not sure if it is being created by share drive clients or on the Windows server itself. I have run SEP, Malwarebytes and the Malicious Software Removal Tool, to no avail.

Thanks in advance.


pete_4u2002's picture

Submit the file to Symantec Security Response if you feel it is suspicious.

James007's picture

Hi,

You can submit the file to Symantec.

https://submit.symantec.com/websubmit/retail.cgi

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files in SEP 12.1 and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/u...

Symantec Help (SymHelp)

http://www.symantec.com/docs/TECH170752

.Brian's picture

It would seem that the likely issue here is that someone with a mapped drive to this server causes it to continuously be re-infected.

Have you checked the remote connections to the server and what file(s) they have open or are accessing?

Have you disabled autorun?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
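One way to run the checks suggested in the post above from a command prompt on the file server, as an added example that is not part of the thread. `D:\Shares` is an assumed placeholder for the local path behind the share, and the report file name is made up for illustration.

```bat
@echo off
rem Added example, not from the thread. Run from an administrator command prompt
rem on the file server. All commands used are built into Windows Server 2003.
setlocal

rem ASSUMPTION: placeholder path; set this to the local folder behind the share.
set "SHARE_ROOT=D:\Shares"
rem ASSUMPTION: hypothetical report file name.
set "REPORT=%TEMP%\photo_exe_triage.txt"

echo === Triage started %DATE% %TIME% === > "%REPORT%"

rem 1. Clients that currently hold sessions to this server (computer, user, idle time).
echo. >> "%REPORT%"
echo --- Remote sessions (net session) --- >> "%REPORT%"
net session >> "%REPORT%" 2>&1

rem 2. Files opened over the network, with the accessing user and open mode.
echo. >> "%REPORT%"
echo --- Remotely opened files (openfiles /query /v) --- >> "%REPORT%"
openfiles /query /fo table /v >> "%REPORT%" 2>&1

rem 3. Every copy of Photo.exe under the share, hidden and system files included (/a),
rem    with file owner (/q) and creation time (/tc) for matching against the sessions.
echo. >> "%REPORT%"
echo --- Photo.exe copies under %SHARE_ROOT% --- >> "%REPORT%"
dir "%SHARE_ROOT%\Photo.exe" /s /a /q /tc >> "%REPORT%" 2>&1

rem 4. Any autorun.inf on the share, since Autorun is the other question raised.
echo. >> "%REPORT%"
echo --- autorun.inf files under %SHARE_ROOT% --- >> "%REPORT%"
dir "%SHARE_ROOT%\autorun.inf" /s /a /q /tc >> "%REPORT%" 2>&1

echo Report written to %REPORT%
endlocal
```

Running it again after a new copy of Photo.exe appears lets the new file's owner and creation time be compared with the sessions that were connected at that moment.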

NoelP's picture

Thanks Pete, we will investigate remote connections and test with Autorun disabled.

Mithun Sanghavi's picture

Hello,

Are you running the SEP 12.1 client with the latest definitions, and does the machine carry all the latest Microsoft updates and security patches?

Run a scan in safe mode with networking to remove the virus.

Could you zip each of the folders and submit the zip files (without password) to the Symantec Security Response Team at:

https://submit.symantec.com/websubmit/essential.cgi

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

In your case, it is also advisable to follow a few important steps:

1) Make sure all these machines are Patched with ALL Latest MS security patches and service packs.

2) Make sure the machines are installed with the Latest Symantec virus definitions.

3) Disable the Autorun Feature on the machine via GPO. http://support.microsoft.com/kb/967715

4) Disable System Restore before you do this as the virus also creates entries in the System Restore Points store volumes.

Also, check this Article:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

NoelP's picture

This suggested solution resolved the issue for me, thanks.

Beppe's picture

Hello,

Submissions to:

https://www.virustotal.com

and

http://www.threatexpert.com

would be useful too.

Regards,

Giuseppe

raju123's picture

Analyse the virus file at "www.virustotal.com".

If the virus is detected by other AV products but not by Symantec, then submit the file to the Symantec Security Response team.

http://www.symantec.com/security_response/submitsamples.jsp

If the virus is detected by Symantec, then scan in safe mode with networking to clean it.

Run the SPE tool and submit the report to Symantec.

How to run Symantec Power Eraser with the SymHelp utility

Article:TECH203683  |  Created: 2013-03-08  |  Updated: 2013-05-23  |  Article URL http://www.symantec.com/docs/TECH203683

https://www-secure.symantec.com/connect/articles/about-new-symhelp-tool-sep-121ru2

NoelP's picture

Thank you all, we will work on many of the solutions and suggestions proposed above.

Beppe's picture

You are welcome, just remember to flag the discussion as resolved.

Regards,

Giuseppe

raju123's picture
 
Please update the current status in the thread or mark it as Solved with the helpful one.
 
.Brian's picture

NoelP

Please mark the answer that best helped as the solution. The one you marked does not provide the solution.
