Endpoint Protection


SEP Virus Attack

Migration User, Oct 16, 2012 10:59 AM

  • 1.  SEP Virus Attack

    Posted Oct 16, 2012 10:07 AM

    Hi,

    In our network, for the last 2 days we have been getting the problem of packet drops.

    The firewall engineer commented that this issue occurs because of receiving a huge count of traffic from UDP port 53.

    They provided some systems' IP/hostnames; when I scanned those systems I only found a cookie on one of them.

    But they told us that this is a virus attack, so is it possible that it's a virus attack and Symantec is not able to control it and also not able to find it?

    Please reply ASAP.



  • 2.  RE: SEP Virus Attack

    Posted Oct 16, 2012 10:14 AM

    Well this could be an attack from the outside, such as a scan. It doesn't mean malware is on your network but attackers trying to break in. Do you have NTP installed? Did you check NTP logs?

    Have you located the source of the attack? Can you block at your firewall?

    You can tighten up your SEP settings to help mitigate:

     

    Security Response recommendations for Symantec Endpoint Protection settings

    http://www.symantec.com/business/support/index?page=content&id=TECH122943

     

    Security Best Practice Recommendations

    http://www.symantec.com/business/support/index?page=content&id=TECH91705



  • 3.  RE: SEP Virus Attack
    Best Answer

    Trusted Advisor
    Posted Oct 16, 2012 10:17 AM

    Hello,

    Tracking cookies are used by legitimate web sites to track how many times you access their sites. Web sites that use this type of cookie usually require a login to access the site.

    The best way to verify whether this is being caused by the user is to perform a full scan, remove the threat and then reboot the machine. Once the machine is rebooted, perform another full scan. If the full scan does not find the tracking cookie at that time, this means it is being placed there during the day while the user is working on the computer.

    Run the full scan in Safe Mode with System Restore turned off.

    Tracking Cookies - Check this: 

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99

    BLOG with Video:

    https://www-secure.symantec.com/connect/blogs/tracking-cookies

     

     

    Now your issue: 

    Tracking cookies are, for the most part, completely harmless. As a result they will not be deleted or detected by Auto-Protect; however, during a full scan the cookies are usually found and then deleted.

    In general this doesn't do any harm to the computer or user. Cookies are usually used by websites to track information about you. Usually the biggest reason people don't want cookies deleted is because that is how websites store their automatic log-in and password information when you click on "remember this password...". If you would like to hear more information on the subject or if you still have more questions please create a new thread.

    Again, if you are annoyed with the notification being displayed, then disable the notification.

    How to disable/enable Startup and Quick Scans within the Symantec Endpoint Protection Manager

    http://www.symantec.com/business/support/index?page=content&id=TECH103044

     

    Hope this helps explain the same!!!



  • 4.  RE: SEP Virus Attack

    Posted Oct 16, 2012 10:35 AM

     

    Is your system infected? Symantec tools to help clear an infection

    https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

     

    Check this thread

    https://www-secure.symantec.com/connect/forums/virus-cleanup-exercise

    Secondly, about the Tools like Power Eraser, I would recommend you to check this Thread:

    https://www-secure.symantec.com/connect/forums/need-virus-removal-tool

     

    Security Best Practice Recommendations

    http://www.symantec.com/docs/TECH91705

    Best practices for responding to active threats on a network

    http://www.symantec.com/docs/TECH122466

    Security Response recommendations for Symantec Endpoint Protection settings

    http://www.symantec.com/docs/TECH122943

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

    http://www.symantec.com/docs/TECH98360



  • 5.  RE: SEP Virus Attack

    Posted Oct 16, 2012 10:37 AM

    Port no. 53 is used for DNS queries. Maybe your system is infected by a virus and it is generating the DNS queries. If Symantec is not detecting the virus, please download the Microsoft malware removal tool from the link below and scan the system.

    http://www.microsoft.com/en-us/download/details.aspx?id=16



  • 6.  RE: SEP Virus Attack

    Posted Oct 16, 2012 10:49 AM

    NTP is installed on all clients and no risk was found. I will check once again. I have not found any infected system with any type of virus risk, including NTP.

    Hopefully by EOD today our firewall team will have shared the exact source of the attack.

    I will read your attached links and modify the settings if required.

    Thanks for the quick response.



  • 7.  RE: SEP Virus Attack

    Posted Oct 16, 2012 10:56 AM

    Check if traffic is incoming or outgoing. It sounds like the attack was not successful.

     



  • 8.  RE: SEP Virus Attack

    Posted Oct 16, 2012 10:57 AM

    I have received a similar cookie on that system. I have full scanned the system and cleaned it, but is it possible that this type of virus can create a huge count of traffic in the network?



  • 9.  RE: SEP Virus Attack

    Posted Oct 16, 2012 10:59 AM

    As per the shared information, traffic is incoming.



  • 10.  RE: SEP Virus Attack

    Posted Oct 16, 2012 11:00 AM

    I will try the Microsoft tool. Before that, does the SEP client need to be removed or not?



  • 11.  RE: SEP Virus Attack

    Posted Oct 16, 2012 11:11 AM

    First you need to know the source so you can investigate further to see what you can find about it on the Internet.

    Also, it needs to be blocked at your perimeter.

    You can configure the SEP firewall to block all traffic except those ports you define, although blocking DNS will cause you problems.

    You may be able to span a port on your switch and run wireshark to identify the traffic.

    It sounds like it may have just been a scan against your network to find clients. SEP can block these types of scans.

    Is the attack still going on?



  • 12.  RE: SEP Virus Attack

    Trusted Advisor
    Posted Oct 16, 2012 11:49 AM

    Hello,

    I would suggest you to read this  -

    Can SEP client detect "DNSChanger" virus ?

    http://www.symantec.com/docs/TECH182966

    Symantec Security Response’s current recommendation:

    Monitor your network for the bad DNS IPs, using that to identify any infected clients we may have missed with SEP. If you can re-route traffic, you can reroute these machines to a legitimate DNS server. Regardless, we recommend taking our repair tool to each of these machines and using it to clean them.

    Reference: https://www-secure.symantec.com/connect/articles/operation-ghost-click-turn-dns-changer-ccs-dark-side

    I would also encourage you to create a Case with Symantec Technical Support - 

    How to create a new case in MySupport

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

    Phone numbers to contact Tech Support (regional support telephone numbers):

    • United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    • United Kingdom: +44 (0) 870 606 6000

    Hope that helps!!!
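Two suggestions in this thread call for the same bit of analysis: checking whether the UDP/53 traffic is inbound or outbound (posts 7 and 11, via a span port and Wireshark) and watching for internal clients that talk to known-bad DNS resolvers (post 12). The script below is an added example, not code from the thread or from Symantec; it runs over a constructed flow log in a simple "time src sport dst dport proto" format (a tshark or firewall export would need its own parser), assumes 10.0.0.0/8 is the site's internal range, and uses a placeholder bad-resolver address where a real feed or advisory list would go.

```python
"""Classify UDP/53 flows by direction and flag noisy sources and bad-resolver clients."""
from collections import Counter
import ipaddress

# Constructed sample flow log (not from the thread): "time src sport dst dport proto".
SAMPLE_LOG = """\
2012-10-16T10:01:00 10.0.0.15 51234 10.0.0.2 53 udp
2012-10-16T10:01:01 10.0.0.15 51235 10.0.0.2 53 udp
2012-10-16T10:01:01 10.0.0.22 40001 203.0.113.7 53 udp
2012-10-16T10:01:02 10.0.0.22 40002 203.0.113.7 53 udp
2012-10-16T10:01:02 198.51.100.9 53 10.0.0.2 53 udp
2012-10-16T10:01:02 198.51.100.9 53 10.0.0.2 53 udp
2012-10-16T10:01:03 198.51.100.9 53 10.0.0.2 53 udp
2012-10-16T10:01:03 10.0.0.15 443 10.0.0.30 51000 tcp
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
BAD_DNS = {"203.0.113.7"}                       # placeholder; take real IPs from the advisory/feed


def parse(line):
    """Split one log line into a flow record (ports as ints)."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def direction(rec):
    """inbound = external source hitting an internal host; outbound = the reverse."""
    src_in = ipaddress.ip_address(rec["src"]) in INTERNAL
    dst_in = ipaddress.ip_address(rec["dst"]) in INTERNAL
    if src_in and dst_in:
        return "internal"
    return "outbound" if src_in else "inbound" if dst_in else "transit"


def analyse(log, threshold=3):
    """Count UDP/53 flows per direction, list sources at/above threshold, flag bad-resolver clients."""
    by_dir, per_src, bad_clients = Counter(), Counter(), set()
    for line in log.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["proto"] != "udp" or 53 not in (r["sport"], r["dport"]):
            continue                      # only DNS-port UDP is of interest here
        by_dir[direction(r)] += 1
        per_src[r["src"]] += 1
        if r["dport"] == 53 and r["dst"] in BAD_DNS:
            bad_clients.add(r["src"])     # internal host querying a known-bad resolver
    noisy = sorted(s for s, n in per_src.items() if n >= threshold)
    return {"by_direction": dict(by_dir), "noisy_sources": noisy,
            "bad_dns_clients": sorted(bad_clients)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

In the sample, the volume comes from one external source hitting the internal resolver (the "incoming" case the thread settles on), while a separate internal host shows up as a bad-resolver client and would be the one to clean.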



  • 13.  RE: SEP Virus Attack

    Posted Oct 18, 2012 05:18 AM

    The issue is still ongoing. We have found some systems where traffic comes continuously; now we are scanning these systems in safe mode and will also try a 3rd-party application if the virus is not detected by SEP.

    Until the actual link and source are confirmed: I have checked that there is not any firewall configured from SEP. Also it is not possible to block DNS. If I block it then all applications will be hampered.

    We have tried Wireshark to identify the log and forwarded it for confirmation; waiting for the reply.

    If any help is required then I will update you.

    Thanks



  • 14.  RE: SEP Virus Attack

    Posted Oct 19, 2012 02:29 AM

    Hi

    The ideal is to check the important services and create rules to unlock them. At the end, apply a drop for UDP. The best thing before that is to create a log for UDP and check whether the "attack" is based on the entry (input) or internal (forward).

    hugs




  • 16.  RE: SEP Virus Attack

    Posted Oct 21, 2012 09:01 AM

    Thanks for the reply. Till now no virus has been detected which could be harmful for the site; the issue status is pending, but till now the issue comes from another application's end. I will keep this forum under observation till the case closes.



  • 17.  RE: SEP Virus Attack

    Posted Oct 22, 2012 01:32 AM

    Thanks

    If there's anything I can do, just let me know.

    hugs



  • 18.  RE: SEP Virus Attack

    Posted Oct 26, 2012 03:16 AM

    Thanks all, now the issue has clearly been traced to another application and no problem was detected from SEPM.

    Thanks to all for your support.



  • 19.  RE: SEP Virus Attack

    Posted Oct 26, 2012 04:22 AM

    Hi,

    Glad you managed to solve the problem.
    We are always available and have the support of all.

    big hug