Endpoint Protection


SEP Question


  • 1.  SEP Question

    Posted Jan 23, 2015 03:30 AM

    Hello all, I am going through a new installation of SEP and have deployed around 950 agents now, and have statistics which are showing a large number of viruses that were cleaned and quarantined. I am attaching the screenshot for your reference. Is this normal behavior?

    Regards



  • 2.  RE: SEP Question

    Posted Jan 23, 2015 03:31 AM

    Here is the file



  • 3.  RE: SEP Question

    Posted Jan 23, 2015 03:39 AM

    Is this much quarantine normal?



  • 4.  RE: SEP Question

    Posted Jan 23, 2015 03:40 AM

    And also end users are complaining that they are having some performance issues. Could this much quarantine be causing the performance issues?



  • 5.  RE: SEP Question

    Posted Jan 23, 2015 03:53 AM

    any 1 ?



  • 6.  RE: SEP Question

    Trusted Advisor
    Posted Jan 23, 2015 03:54 AM

    If these PCs did not have any virus scanner installed previously, then it could explain the high numbers of viruses being found on the new installation.

     

    The slowdown may be related to these viruses being found. Give it time for a full scan & cleanup for this to settle down.

    But... seriously, those are very high numbers of viruses being found!



  • 7.  RE: SEP Question

    Trusted Advisor
    Posted Jan 23, 2015 03:56 AM

    Just checked the screenshot again, you need to focus on "Newly Infected" and also "Still infected" - sort them out first to prevent any further spread. Then do a full scan again to ensure they are all gone.



  • 8.  RE: SEP Question

    Posted Jan 23, 2015 04:00 AM

    Wouldn't the cleanup happen automatically? Or would any manual intervention be needed?

    Secondly, those that are already infected, wouldn't they automatically be cleaned? Or do I need to do anything manually? Any help would be appreciated. Thanks



  • 9.  RE: SEP Question

    Trusted Advisor
    Posted Jan 23, 2015 04:03 AM

    Not always. Sometimes you will need to reboot these machines so the files can be removed. If you click on these numbers, it will tell you further details.



  • 10.  RE: SEP Question

    Posted Jan 23, 2015 04:09 AM

    Here is the file for your reference



  • 11.  RE: SEP Question

    Posted Jan 23, 2015 05:15 AM

    any 1 ?



  • 12.  RE: SEP Question

    Trusted Advisor
    Posted Jan 23, 2015 05:28 AM

    Have you done what I've suggested earlier?

     

    Reboot PCs, do a full scan, check the logs again. Take action based on the messages in the logs. You will need to find the source(s) and stop them from spreading again. The 'Still Infected' is what you will need to focus on mostly.



  • 13.  RE: SEP Question

    Posted Jan 23, 2015 05:38 AM

    Tony, I have done that and told them to restart their PCs, but why is so much malware quarantined? Why isn't it getting cleaned, though all the machines are updated with the latest protection definitions?



  • 14.  RE: SEP Question

    Posted Jan 23, 2015 05:40 AM

    Tony, for newly infected I am seeing the following actions:

    1. No repair available

    2. left alone

    3. Not applicable

    How can I fix these? Could you kindly tell and guide me? Thanks



  • 15.  RE: SEP Question

    Posted Jan 23, 2015 05:46 AM

    Now the risk types for the above-mentioned actions are

    1. Suspicious.EPI.2

    2. Trojan.Gen.2

    3. Suspicious.Cloud.5

     



  • 16.  RE: SEP Question

    Trusted Advisor
    Posted Jan 23, 2015 05:59 AM

    Please see this article, which should explain in more detail:

     

    http://www.symantec.com/business/support/index?page=content&id=TECH102052



  • 17.  RE: SEP Question

    Trusted Advisor
    Posted Jan 23, 2015 06:00 AM

    The PCs could be so heavily infected that sometimes a full rebuild might be needed.

     

    Have these PCs ever had any virus scanner before you installed SEP?



  • 18.  RE: SEP Question

    Posted Jan 23, 2015 06:30 AM

    How do you have your actions configured? Personally, I hate quarantining. Everything is either cleaned or deleted.

    And to me, that is A LOT of risks going on there...you may need to revisit your policies. Do you use any of the other components?



  • 19.  RE: SEP Question

    Posted Jan 23, 2015 07:00 AM

    Brian, these are the policies configured, and mostly they are configured as default. I am attaching a screenshot for your reference. Please advise if I should change the action.



  • 20.  RE: SEP Question

    Posted Jan 23, 2015 07:05 AM

    All components are being used. For the actions part, do you want me to configure the first action as

    1. Clean

    2. Delete

    ?



  • 21.  RE: SEP Question

    Trusted Advisor
    Posted Jan 23, 2015 08:03 AM

    Please see the best practices articles for Symantec Endpoint Protection (SEP):

    http://www.symantec.com/business/support/index?page=content&id=TECH181685



  • 22.  RE: SEP Question

    Posted Jan 23, 2015 08:07 AM

    Does your company policy dictate what it should be?

    Preferably clean then delete, that's a good start. But I also don't know what your policy dictates.

    Download Insight is set to Leave Alone on unproven files. Is this what you want?



  • 23.  RE: SEP Question

    Broadcom Employee
    Posted Jan 23, 2015 08:10 AM

    The numbers are definitely too high and need to be worked on as a priority.

    Before you start troubleshooting, I would suggest making sure of the following items:

    •  SEP clients have all the SEP features and the latest definitions.
    •  The operating system should have the latest service pack and Windows patches.

    Using Symantec Endpoint Protection's Network Activity Tool to Identify Suspicious Processes

    http://www.symantec.com/docs/TECH92950 

    Scan the still infected machines with the Symantec threat analysis tool. Run SymHelp to find suspicious files on the system and submit them to the Symantec Security Response team for further analysis.

    http://www.symantec.com/docs/TECH170735 

    Tighten the policies. You can apply the following ADC policy if possible.

    Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security and help prevent malicious attacks from viruses with the Symantec Endpoint Protection (SEP) client.

    http://www.symantec.com/business/support/index?page=content&id=TECH132337

    Check this article also: How to use Application and Device Control to limit the spread of a threat.

    http://www.symantec.com/docs/TECH93451



  • 24.  RE: SEP Question

    Posted Jan 23, 2015 11:44 AM

    Well, after the replies it seems that I am in a bit of a troublesome environment which I need to fix and where I need to put in extra measures.

    Thanks for your reply Brian. No Brian, not really; we need to configure policies so that endpoints are protected. I see that the quarantine number is so high, so is it appropriate for me to change the action from quarantine to delete? I hope doing so wouldn't cause any false positives and remove legitimate files, would it? What do you recommend the actions should be? The total number of endpoints which are generating these stats is 1100.

    Regards

     



  • 25.  RE: SEP Question

    Posted Jan 23, 2015 11:44 AM

    Thanks for your reply Chetan. So what do you recommend, how can I lower this number? Now for the still infected machines I am having the following risk types

    1. Suspicious.EPI.2

    2. Trojan.Gen.2

    3. Suspicious.Cloud.5

    The actions taken for these risks were

    1. No repair available

    2. left alone

    3. Not applicable

    These actions that it took for these risks are somewhat vague, that no repair is available or not applicable.



  • 26.  RE: SEP Question

    Posted Jan 23, 2015 11:51 AM

    There's always a risk with false positives but I'd go with clean/delete.



  • 27.  RE: SEP Question

    Posted Jan 23, 2015 12:09 PM

    So Brian, what are your suggestions for actions for Scans, Auto-Protect, Download Insight and SONAR? My actions should be the following?

    1. Clean

    2. Delete 

    Is it? Regards



  • 28.  RE: SEP Question

    Broadcom Employee
    Posted Jan 23, 2015 12:24 PM

    Symantec has made the detection, so I can say you are safe. If a file is 100% infected it will remain in quarantine only. With each new definitions release SEP will scan these infections and take the necessary action as required.

    Trojan.Gen.2 is a generic detection for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics. Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2011-082216-3542-99

    Suspicious.Epi.2 is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2012-050814-1337-99

    Suspicious.Cloud is also a similar kind of threat.

    I would suggest looking at these infected files and their locations.

    In rare cases where a legitimate file is misidentified and subsequently quarantined, your computer may behave abnormally or you may find that one or more applications no longer function as expected. In such rare situations, you should open the Quarantine in your Symantec antivirus product and review the list of files detected as suspicious. If you identify a potential misidentification, restore the file from Quarantine and allow it to run normally in order to regain the functionality of your computer or application. 

    Suspected false-positive detections can be reported to Symantec using our false-positive detection reporting page to contribute to the effectiveness of our product.

     



  • 29.  RE: SEP Question

    Posted Jan 23, 2015 12:32 PM

    For AV set to clean/delete

    For DI and SONAR set to quarantine in case of false positives, which may be higher here, especially SONAR and internal apps



  • 30.  RE: SEP Question

    Posted Jan 23, 2015 12:32 PM

    Thanks for the brief reply Chetan. But again, as you can see, for 1100 clients with this huge number/size of quarantine, is it a normal or acceptable number? And for the second action, what is your recommendation, to quarantine the risk or delete it? Regards



  • 31.  RE: SEP Question

    Posted Jan 23, 2015 12:39 PM

    Only the business can decide what is acceptable. To me it is very high though.



  • 32.  RE: SEP Question

    Trusted Advisor
    Posted Jan 28, 2015 06:54 AM

    How is it going so far? Hopefully the number of viruses has reduced based on our advice & recommendations?



  • 33.  RE: SEP Question

    Posted Jan 29, 2015 01:13 AM

    Hello, yes I have changed the action to the following

    1. Clean

    2. Delete

    Regards

     



  • 34.  RE: SEP Question

    Broadcom Employee
    Posted Jan 29, 2015 05:49 AM

    There is only one risk here, because sometimes it may happen that a genuine file is 100% infected and SEP is not able to clean it, because if SEP deleted that infection the file might not work. By keeping the 100% infected file in quarantine it will work without any harm.



  • 35.  RE: SEP Question

    Posted Jan 29, 2015 06:08 AM

    So Chetan, what you are suggesting is that I should not use the delete action, and instead should use quarantine? Regards



  • 36.  RE: SEP Question

    Posted Jan 29, 2015 06:14 AM

    If AV is detecting something, the risk is low that it's going to be a false positive. I'll take my chances and delete or clean it.



  • 37.  RE: SEP Question

    Broadcom Employee
    Posted Jan 29, 2015 06:26 AM

    I would suggest leaving the default settings unless you are not sure what files are quarantined & you are OK if SEP deletes them.



  • 38.  RE: SEP Question

    Posted Jan 29, 2015 06:41 AM

    Please find the updated status in the attached screenshot



  • 39.  RE: SEP Question

    Trusted Advisor
    Posted Jan 29, 2015 06:42 AM

    At the end of the day, it really depends on your company's policy, and if there are any mission critical files that need to be protected, then I would pick quarantine.

    Just my views...



  • 40.  RE: SEP Question

    Posted Jan 29, 2015 06:42 AM

    The counts of newly infected and still infected have greatly increased; it seems that something is going on with my customer's network



  • 41.  RE: SEP Question

    Broadcom Employee
    Posted Jan 29, 2015 06:44 AM

    Could you provide screenshots for the last 7 days & last hour data also.



  • 42.  RE: SEP Question

    Trusted Advisor
    Posted Jan 29, 2015 06:44 AM

    Change the view to 'Last Hour' - what do the stats say?

    What is the most common virus that is coming up? (Click on the number to find out)



  • 43.  RE: SEP Question

    Posted Jan 29, 2015 07:24 AM

    Outrageous,

     

    As has been asked a few times already, "What is the position of your organization regarding security and the use of antivirus?" Assuming that they have invested money in SEP, then you may want to take a more aggressive approach at controlling/eliminating virus threats. If this is the case, then you will want to "Clean" (if possible), "Delete" (when you can't clean), and "Quarantine" if you are not sure or not allowed to delete files from company PCs because it may break the PC.

    If you aren't cleaning or deleting, you should absolutely expect new and still infected numbers to increase. They will continue to increase until you do 1 of 2 things: 1) clean and/or delete, or 2) identify the infected systems and the behavior that is causing them to be infected, and stop that behavior (i.e. block users from visiting websites that are causing malware infection). Expect that if you do both, then you should see numbers from newly infected to stop increasing and drop to 0 (assuming you are deleting malware from the infected machines).

    If you aren't in the position to decide, find someone who is and have them make a decision already.

    Spesh
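As an added illustration (not from the thread, and not Symantec's own tooling), a small Python triage script over a constructed, SEP-style risk log export: it groups the actions taken (including the "No repair available", "Left alone" and "Not applicable" outcomes reported earlier in the thread), lists hosts whose latest action per file is still unresolved, and ranks the noisiest hosts to help locate the source of the spread. The column names and log layout are assumptions, not the real SEP export schema.

```python
"""Triage a constructed SEP-style risk log export (format assumed, not real SEP output)."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Action strings the thread reports on "Newly/Still Infected" rows that mean
# the file was NOT remediated; these hosts need reboot/rescan or manual work.
UNRESOLVED_ACTIONS = {"No repair available", "Left alone", "Not applicable"}
RESOLVED_ACTIONS = {"Cleaned", "Deleted", "Quarantined"}

# Constructed sample export, oldest row first. Hostnames, paths and risk names
# are made up for the example; the column names are an assumption.
SAMPLE_LOG = """\
time,computer,risk,action,path
2015-01-23 03:10,PC-0412,Trojan.Gen.2,Quarantined,C:\\Users\\a\\AppData\\Local\\Temp\\x.exe
2015-01-23 03:12,PC-0412,Trojan.Gen.2,Left alone,C:\\Windows\\Temp\\svc.dll
2015-01-23 03:15,PC-0099,Suspicious.Epi.2,No repair available,C:\\ProgramData\\upd.exe
2015-01-23 03:20,PC-0099,Suspicious.Epi.2,Deleted,C:\\ProgramData\\upd.exe
2015-01-23 03:22,PC-0731,Suspicious.Cloud.5,Not applicable,D:\\share\\setup.exe
2015-01-23 03:30,PC-0731,Trojan.Gen.2,Not applicable,D:\\share\\tool.exe
2015-01-23 03:31,PC-0731,Trojan.Gen.2,Not applicable,D:\\share\\tool2.exe
2015-01-23 03:40,PC-0555,Trojan.Gen.2,Cleaned,C:\\Users\\b\\Downloads\\inv.exe
"""


def parse_risk_log(text):
    """Parse the CSV export into dicts, preserving row order (oldest first)."""
    return list(csv.DictReader(StringIO(text)))


def still_infected(events):
    """Return {computer: [paths]} whose LATEST action per file is unresolved.

    A later Cleaned/Deleted/Quarantined row for the same host+path clears it,
    which is how a reboot-then-rescan shows up in the log.
    """
    latest = {}
    for e in events:  # chronological, so later rows overwrite earlier ones
        latest[(e["computer"], e["path"])] = e["action"]
    pending = defaultdict(list)
    for (host, path), action in latest.items():
        if action in UNRESOLVED_ACTIONS:
            pending[host].append(path)
    return dict(pending)


def action_breakdown(events):
    """Count of each action string, the view the thread reads off the dashboard."""
    return Counter(e["action"] for e in events)


def risk_breakdown(events):
    """Count of each risk name, to see which detection dominates."""
    return Counter(e["risk"] for e in events)


def noisiest_hosts(events, n=3):
    """Hosts with the most detections: the 'find the source' step."""
    return Counter(e["computer"] for e in events).most_common(n)


if __name__ == "__main__":
    ev = parse_risk_log(SAMPLE_LOG)
    print("actions:", dict(action_breakdown(ev)))
    print("risks:", dict(risk_breakdown(ev)))
    print("still infected:", still_infected(ev))
    print("noisiest hosts:", noisiest_hosts(ev))
```

Hosts returned by `still_infected` are the ones to reboot and rescan first; `noisiest_hosts` points at where to look for the shared source (a share, a download habit, a reinfecting machine).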



  • 44.  RE: SEP Question

    Posted Jan 29, 2015 07:27 AM

    Like some of the other suggestions here already, if you want to see the numbers decrease/stop, then take a more aggressive position on your AV actions (i.e. move to "Delete"). Be prepared that some of your systems may just stop functioning because a file needed to run has been deleted by AV. In that case, ensure that you have a good, virus-free image that can be used to restore the affected systems.



  • 45.  RE: SEP Question

    Posted Jan 29, 2015 08:50 AM

    Hello all, thanks for your replies. It is one of my customers for which I am implementing this solution. Now, that being said, their first priority is their end user performance concerns, which should not be affected greatly, and they also want to maintain balanced security.

    Like I have said, the current actions set for AV and AP are 1. Clean 2. Delete, and for SONAR and DI they are 1. Clean 2. Quarantine



  • 46.  RE: SEP Question

    Posted Jan 29, 2015 08:52 AM

    So for higher security I should select the actions for all components as 1. Clean 2. Delete,

    as there is no specific business requirement apart from user performance concerns. Though there will be a few false positives, they would be marginal. What do you suggest for this?



  • 47.  RE: SEP Question

    Posted Jan 29, 2015 08:58 AM

    It's not so much about security as it is productivity. Setting to quarantine will help out if there is a false positive and you can quickly restore, whereas if it's cleaned or deleted, the file is gone and you would need to restore from a good backup.

    It's about preference. For me I'll take my chances with a false positive. I don't want malware or the risk of malware on my network. I'm comfortable dealing with the fallout if it's a false positive.



  • 48.  RE: SEP Question

    Broadcom Employee
    Posted Jan 29, 2015 09:02 AM

    I don't see any relation between performance and these two settings.



  • 49.  RE: SEP Question

    Trusted Advisor
    Posted Jan 29, 2015 09:08 AM

    Personally, I would put aside the performance concerns for now and focus on getting all of these viruses/malware cleared out first as the highest priority.

    Once this has been done, you can focus on performance concerns at a later time.

    You do not want to allow whatever these viruses are to be grabbing copies of confidential files to outside of the network. There is data protection to think of, etc.

    If I were you, I would shut down the network, get all machines cleared out and ensure that there is no further risk of spread before allowing these machines back on the network. You really NEED to find the source of the spread first, otherwise there is no point in cleaning the machines as they will be infected again.

    You also have not answered a few of the other questions (including mine) - the information from you will help us to give you the correct information.



  • 50.  RE: SEP Question

    Posted Jan 30, 2015 02:12 AM

    Hello all, as requested please find the screenshots for the last 24 hours and last 7 days. Regards



  • 51.  RE: SEP Question

    Posted Jan 30, 2015 02:13 AM

    This is for 24 hours



  • 52.  RE: SEP Question

    Posted Jan 30, 2015 02:34 AM

    Your numbers (especially "Newly Infected") for the last 24 hours look more acceptable for a network of 950-1000 devices (not completely acceptable, just more). Let me give you some perspective...

    [attached screenshot: SEPCapture.PNG]

    That's my last 24 hours with 90,000 hosts. Here are the last 7 days.

    [attached screenshot: SEPCapture2.PNG]

    Not awesome or perfect, but I'd rather work with my environment than with yours right now, just based on the numbers. Work with the organization's IT support group to locate and eliminate as many of those "Newly/Still Infected" devices as possible. That's where you are going to earn your money and win over your client!!!



  • 53.  RE: SEP Question

    Posted Jan 30, 2015 02:36 AM

    The status I am sharing is for 1350 endpoints



  • 54.  RE: SEP Question

    Trusted Advisor
    Posted Jan 30, 2015 03:22 AM

    Thanks for these screenshots. Between your 7 days and 24 hours, you still have 2051 still infected. This is what you need to tackle first.

    Is this company shut over the weekend? If so, this is your chance to get a team together and get this sorted out in one swoop.

     

    Good luck



  • 55.  RE: SEP Question

    Posted Jan 30, 2015 03:25 AM

    OK.

    I still prefer my numbers for 90K hosts vs. your current situation with 1350.

    Re-emphasizing...work with the IT Support staff to track down those affected hosts and get them cleaned up. Assuming you're the consultant paid to install and maintain the SEP management console, then let them do the drudge work.

    If you have a security monitoring team, try to work with them to identify what activities the users/devices that generated those last 2000 new infections are doing that led to them being infected. Again, focusing your efforts on controlling the spread of new infections is what is going to win your client's approval.



  • 56.  RE: SEP Question

    Trusted Advisor
    Posted Jan 30, 2015 03:31 AM

    To compare, here are my stats for 3,025 endpoints for the last 30 days.

    [attached screenshot: last 30days.PNG]

    Yes, I work hard to keep it this way! :)



  • 57.  RE: SEP Question

    Posted Jan 30, 2015 04:19 AM

    Yes, I know my customer's environment is highly infected, because for the last 3 years there hasn't been any fully functional AV running in the environment; that's why the detection rate is so high.

    Now let's see what they do with their environment to fix these risks and infections.

    Regards



  • 58.  RE: SEP Question

    Trusted Advisor
    Posted Jan 30, 2015 04:26 AM

    3 years with no AV! Wow...

     

    If I turned up to this job, I would be planning to rebuild ALL machines to ensure they are virus free and to stop data leaking to the outside world. I wouldn't leave it like that, to be honest...

    Have you checked to see if the servers are also affected as well? If not, then you really need to look at them too.



  • 59.  RE: SEP Question

    Posted Jan 30, 2015 04:52 AM

    I'm jealous!



  • 60.  RE: SEP Question

    Posted Feb 03, 2015 01:21 AM

    Hello all, this is the recent status update.

     



  • 61.  RE: SEP Question

    Posted Feb 03, 2015 01:22 AM

    Second one



  • 62.  RE: SEP Question

    Trusted Advisor
    Posted Feb 09, 2015 09:43 AM

    How are you getting on with it? Hopefully improved by then...?



  • 63.  RE: SEP Question

    Posted Feb 09, 2015 10:42 AM

    Hello Sutton, yes, trying to actually :)



  • 64.  RE: SEP Question

    Broadcom Employee
    Posted Apr 29, 2015 09:48 AM

    Is there any update?

    Or

    If your query has been resolved, mark this thread as solved with the best answer that helped you.