
SEP not detecting a virus

Created: 24 Oct 2013 • Updated: 24 Oct 2013 | 13 comments

Hi,

I have SEPM on my server and SEP on the clients. Recently (yesterday) a virus appeared on a client. This virus is not detected by SEP, but it is detected by Malwarebytes. The virus converts your folders and files to hidden items and creates links to them that execute the virus if you click on them.

I have attached the virus for anyone to detect with SEP.

Can you help me?

Thanks,

<< Removed the file - Mithun Sanghavi>>



James007

Please don't attach any suspicious files in a public thread.

Upload a suspected infected file (Retail)

https://submit.symantec.com/websubmit/retail.cgi
How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)

 

Article:TECH97449 | Created: 2009-01-16 | Updated: 2013-08-07 | Article URL http://www.symantec.com/docs/TECH97449

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

 

martinfe33

Hi James007,

Sorry for uploading it, but SEP doesn't detect it as suspicious. SEP says nothing about this file. Malwarebytes gives me a positive detection.

The command line of the links is:

C:\WINDOWS\system32\cmd.exe /C start /b "" "cmd.exe" /C if exist "Evaluaciones\evaluaciones 2010\rFQfXT.bdKx" start /b "" "Evaluaciones\evaluaciones 2010\rFQfXT.bdKx" && start /b "" "Horarios.xls"

This is how I found the virus.

I am going to try to submit the file the way you say.

Thanks,
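The command line quoted above is the whole detection signal a defender has while the sample is still undetected: a shortcut named after a real document, whose target is cmd.exe and whose arguments test for a hidden payload (`if exist`), launch it with `start /b`, and then open the real document as a decoy. As an added example (not code from the original thread or from Symantec), the Python below parses the StringData of a .lnk file to recover its argument string, flags shortcuts that match that launcher pattern, and walks a directory or share for hits. The minimal `build_lnk` builder and `SAMPLE_ARGS` are constructed for the example; the payload name `rFQfXT.bdKx`, the folder names and `Horarios.xls` are taken from the post, and it is an assumption that the `C:\WINDOWS\system32\cmd.exe` prefix is the shortcut's target rather than part of its arguments.

```python
import re
import struct
from pathlib import Path

# ShellLinkHeader constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (          # StringData fields, in the order they appear in the file
    (HAS_NAME, "name"),
    (HAS_RELPATH, "relative_path"),
    (HAS_WORKDIR, "working_dir"),
    (HAS_ARGS, "arguments"),
    (HAS_ICON, "icon_location"),
)

# Launcher shape seen in the thread: "if exist <payload>" followed by a background
# start of the same payload, then a start of the decoy document.
LAUNCHER_RE = re.compile(
    r'if\s+exist\s+"(?P<payload>[^"]+)"\s+start\s+/b\s+""\s+"(?P=payload)"'
    r'\s*&&\s*start\s+/b\s+""\s+"(?P<decoy>[^"]+)"',
    re.IGNORECASE,
)
CMD_RE = re.compile(r'cmd(\.exe)?"?\s+/c\b', re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .lnk file; the ID list and LinkInfo are skipped."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                 # IDListSize (2 bytes) + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for flag, key in STRING_FIELDS:         # each field: CountCharacters + chars, no terminator
        if not flags & flag:
            info[key] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def classify_shortcut(data: bytes) -> dict:
    """Flag a shortcut whose arguments launch a hidden payload and then a decoy file."""
    args = parse_lnk(data)["arguments"] or ""
    match = LAUNCHER_RE.search(args)
    if match and CMD_RE.search(args):
        return {"suspicious": True, "payload": match["payload"], "decoy": match["decoy"]}
    return {"suspicious": False, "payload": None, "decoy": None}


def scan_directory(root: str) -> list:
    """Walk a drive or share and report every .lnk that matches the launcher pattern."""
    hits = []
    for lnk in Path(root).rglob("*.lnk"):
        try:
            verdict = classify_shortcut(lnk.read_bytes())
        except (ValueError, OSError):
            continue
        if verdict["suspicious"]:
            hits.append({
                "lnk": str(lnk),
                "payload": verdict["payload"],
                "decoy": verdict["decoy"],
                # the hidden real document normally sits beside the shortcut that impersonates it
                "decoy_present": (lnk.parent / verdict["decoy"]).exists(),
            })
    return hits


def build_lnk(arguments: str) -> bytes:
    """Constructed for this example: a minimal .lnk carrying only an argument string."""
    flags = HAS_ARGS | IS_UNICODE
    header = (
        struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0)   # HeaderSize, CLSID, LinkFlags, FileAttributes
        + b"\x00" * 24                                       # creation/access/write FILETIMEs
        + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)       # FileSize, IconIndex, ShowCommand, HotKey, reserved
    )
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Argument string reproduced from the shortcut quoted in the post. Assumption: the
# cmd.exe path is the link target (stored in the ID list / LinkInfo), not an argument.
SAMPLE_ARGS = (
    r'/C start /b "" "cmd.exe" /C if exist "Evaluaciones\evaluaciones 2010\rFQfXT.bdKx" '
    r'start /b "" "Evaluaciones\evaluaciones 2010\rFQfXT.bdKx" && start /b "" "Horarios.xls"'
)

if __name__ == "__main__":
    print(classify_shortcut(build_lnk(SAMPLE_ARGS)))
    # on an affected share: print(scan_directory(r"\\fileserver\Evaluaciones"))
```

A hit from `scan_directory` gives you the payload path to quarantine and submit, and the decoy name tells you which real document was hidden; restoring the originals is then a matter of clearing the hidden and system attributes on those files and deleting the shortcuts, which the script deliberately leaves to the operator.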

James007

Hi,

Try to install these patches:

Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability
Microsoft Security Bulletin MS10-046 (KB2286198)
http://www.microsoft.com/en-in/download/details.as...

Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
Nortel Response to Microsoft Security Bulletin MS08-067 (KB958644)
http://www.microsoft.com/en-in/download/details.as...

 

Also check this thread:

https://www-secure.symantec.com/connect/forums/short-cut-virus

Mithun Sanghavi

Hello,

Could you please zip each of the files and submit the zip files (without a password) to the Symantec Security Response Team at:

https://submit.symantec.com/websubmit/essential.cgi

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

Check these articles:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/docs/TECH98929

Here are some excellent suggestions on how to keep your computers, their users and data safe:

http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

_Brian

Run Symantec Power Eraser on it.

How to run Symantec Power Eraser with the SymHelp utility

Article:TECH203683  |  Created: 2013-03-08  |  Updated: 2013-09-20  |  Article URL http://www.symantec.com/docs/TECH203683

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

martinfe33

Hi,

I uploaded the file and they opened a case for me. I am waiting for a response.

I have looked at Power Eraser, but on the server... I prefer not to run it. It checks only the basic system.

I will wait for the response from Symantec.

Thanks,

Mithun Sanghavi

Hello,

Could you please PM me with the Case #?

Let me have a look.

Did you upload the suspicious files to the Symantec Security Response Team?

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

martinfe33

Hi Mithun,

I have sent you a PM with the tracking number.

I uploaded the suspicious file yesterday.

Thanks,

martinfe33

Hi again,

I have no news from the Symantec Security Response Team. Can anyone help me with this?

Thanks,

martinfe33

Still no news from Symantec. Any help, please? It is not logical that the free version of Malwarebytes perfectly detects a virus that the paid SEP 12.1 can't detect!

_Brian

Did you receive a tracking number back from Symantec after submitting?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

martinfe33

Hi _Brian,

I received a tracking number, but I can't find where to check its status, and I have not received any other notification about this from Symantec.

Where can I check it?

Thanks,

Mithun Sanghavi

Hello,

The last time you sent me the tracking number, I suggested that you submit the files on the Essential website:

https://submit.symantec.com/websubmit/essential.cgi

and

http://www.threatexpert.com, which can give you more information on the files you submit to it.

If done, please send me a PM with the new Tracking number again.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.