SEP Virus Attack

Created: 16 Oct 2012 • Updated: 18 Dec 2012 | 18 comments
This issue has been solved. See solution.

Hi,

In our network, for the last 2 days we have been getting the problem of packet drops.

The firewall engineer commented that this issue occurs because of receiving a huge amount of traffic from UDP port 53.

They provided some systems' IP/hostname; when I scanned those systems I only found a cookie on one of them.

But they said that this is a virus attack, so is it possible that it is a virus attack and Symantec is not able to control it and also not able to find it?

Please reply ASAP.

.Brian:

Well this could be an attack from the outside, such as a scan. It doesn't mean malware is on your network but attackers trying to break in. Do you have NTP installed? Did you check NTP logs?

Have you located the source of the attack? Can you block at your firewall?

You can tighten up your SEP settings to help mitigate.

Security Response recommendations for Symantec Endpoint Protection settings

http://www.symantec.com/business/support/index?page=content&id=TECH122943


Security Best Practice Recommendations

http://www.symantec.com/business/support/index?page=content&id=TECH91705

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

visible_sol:

NTP is installed on all clients and no risk has been found. I will check once again. I have not found an infected system with any type of virus risk, NTP included.

Hopefully by EOD today our firewall team will have shared the exact source of the attack.

I will read your attached links and modify the settings if required.

Thanks for quick response.

.Brian:

Check if traffic is incoming or outgoing. It sounds like the attack was not successful.


visible_sol:

As per the shared information, traffic is incoming.

.Brian:

First you need to know the source so you can investigate further to see what you can find about it on the Internet.

Also, it needs to be blocked at your perimeter.

You can configure the SEP firewall to block all traffic except those ports you define, although blocking DNS will cause you problems.

You may be able to span a port on your switch and run wireshark to identify the traffic.

It sounds like it may have just been a scan against your network to find clients. SEP can block these types of scans.

Is the attack still going on?


visible_sol:

The issue is still ongoing. We have found some systems where traffic comes in continuously; now we are scanning these systems in safe mode and will also try a third-party application if the virus is not detected by SEP.

Until the actual link and source are confirmed: I have checked that there is no firewall configured from SEP. Also, it is not possible to block DNS. If I block it then all applications will be hampered.

We have tried Wireshark to identify the traffic and forwarded the log for confirmation; waiting for the reply.

If any help is required, I will update you.

Thanks

Mithun Sanghavi:

Hello,

Tracking cookies are used by legitimate web sites to track how many times you access their sites. Web sites that use this type of cookie usually require a log in to access the site.

The best way to verify whether this is being caused by the user is to perform a full scan, remove the threat and then reboot the machine. Once the machine is rebooted, perform another full scan. If the full scan does not find the tracking cookie at that time, this means it is being placed there during the day while the user is working on the computer.

Run the full scan in Safe Mode with System Restore turned off.

Tracking Cookies - check this:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99

BLOG with Video:

https://www-secure.symantec.com/connect/blogs/tracking-cookies

Now your issue:

Tracking cookies are, for the most part, completely harmless. As a result they will not be deleted or detected by Auto-Protect; however, during a full scan the cookies are usually found and then deleted.

In general this doesn't do any harm to the computer or user. Cookies are usually used by websites to track information about you. Usually the biggest reason people don't want cookies deleted is because that is how websites store their automatic log-in and password information when you click on "remember this password...". If you would like more information on the subject or if you still have more questions, please create a new thread.

Again, if you are annoyed with the notification being displayed, then disable the notification.

How to disable/enable Startup and Quick Scans within the Symantec Endpoint Protection Manager

http://www.symantec.com/business/support/index?page=content&id=TECH103044

Hope this helps explain the same!!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
visible_sol:

I have received the similar cookie on that system. I have full-scanned the system and cleaned it, but is it possible that this type of virus can create a huge count of traffic in the network?

Mithun Sanghavi:

Hello,

I would suggest you read this:

Can SEP client detect "DNSChanger" virus?

http://www.symantec.com/docs/TECH182966

Symantec Security Response’s current recommendation:

Monitor your network for the bad DNS IPs, using that to identify any infected clients we may have missed with SEP. If you can re-route traffic, you can reroute these machines to a legitimate DNS server. Regardless, we recommend taking our repair tool to each of these machines and using it to clean them.

Reference: https://www-secure.symantec.com/connect/articles/operation-ghost-click-turn-dns-changer-ccs-dark-side

I would also encourage you to create a case with Symantec Technical Support:

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Hope that helps!!!

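The two checks suggested in this thread, whether the UDP/53 traffic is inbound or outbound from the LAN, and whether any internal host is talking to a listed rogue DNS server, as an added triage script that is not part of the thread or of any Symantec tool. It assumes a flow log exported from Wireshark or the firewall in the form "time src dst proto dport", that 10.0.0.0/8 is the internal network, and uses a placeholder range in place of the real rogue DNS IPs, which must come from the Symantec advisory.

```python
# Added example: triage a UDP/53 flood from an exported flow log (constructed sample below).
# Assumptions: line format "time src_ip dst_ip proto dst_port"; LAN is 10.0.0.0/8;
# BAD_DNS is a placeholder (RFC 5737 test net) to be replaced with the advisory's rogue DNS ranges.
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumption: the site's LAN
BAD_DNS = [ipaddress.ip_network("192.0.2.0/24")]        # placeholder, not a real indicator
QUERY_THRESHOLD = 3                                     # per-host UDP/53 count treated as abnormal here

# Constructed sample log, not captured traffic.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 8.8.8.8 UDP 53
10:00:01 10.1.1.5 8.8.8.8 UDP 53
10:00:02 10.1.1.5 8.8.8.8 UDP 53
10:00:02 10.1.1.5 8.8.8.8 UDP 53
10:00:03 10.1.1.9 192.0.2.10 UDP 53
10:00:03 10.1.1.7 10.1.1.1 UDP 53
10:00:04 203.0.113.4 10.1.1.1 UDP 53
10:00:04 203.0.113.4 10.1.1.1 UDP 53
10:00:05 10.1.1.7 10.1.1.1 TCP 443
"""

def parse(log):
    """Yield (src, dst, proto, port) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        yield parts[1], parts[2], parts[3].upper(), int(parts[4])

def triage(log):
    """Split UDP/53 traffic into inbound vs outbound, count per source host,
    flag noisy internal hosts and internal hosts querying a listed rogue resolver."""
    outbound, inbound = Counter(), Counter()
    rogue = set()
    for src, dst, proto, port in parse(log):
        if proto != "UDP" or port != 53:
            continue                      # only DNS over UDP matters for this flood
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in INTERNAL:
            outbound[src] += 1            # LAN host sending queries out
            if any(d in net for net in BAD_DNS):
                rogue.add(src)            # resolver is on the rogue list
        else:
            inbound[src] += 1             # external source hitting the LAN on 53
    noisy = sorted(h for h, n in outbound.items() if n >= QUERY_THRESHOLD)
    return {"inbound": dict(inbound), "outbound": dict(outbound),
            "noisy_internal_hosts": noisy, "rogue_dns_clients": sorted(rogue)}
```

Hosts in `noisy_internal_hosts` are candidates for the safe-mode full scan the thread describes; hosts in `rogue_dns_clients` match the advisory's "monitor for the bad DNS IPs" check.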

Fabiano.Pessoa:

Hi

The ideal is to check the important services and create rules to unblock them. At the end, apply a drop for UDP. The best thing before that is to create a log for UDP and check whether this "attack" is based on incoming traffic (input) or internal traffic (forward).

hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

Ashish-Sharma:

Is your system infected? Symantec tools to help clear an infection

https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection


Check this thread

https://www-secure.symantec.com/connect/forums/virus-cleanup-exercise

Secondly, about the Tools like Power Eraser, I would recommend you to check this Thread:

https://www-secure.symantec.com/connect/forums/need-virus-removal-tool


Security Best Practice Recommendations

http://www.symantec.com/docs/TECH91705

Best practices for responding to active threats on a network

http://www.symantec.com/docs/TECH122466

Security Response recommendations for Symantec Endpoint Protection settings

http://www.symantec.com/docs/TECH122943

Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

http://www.symantec.com/docs/TECH98360

Thanks In Advance

Ashish Sharma

Prem Yadav:

Port no. 53 is used for DNS queries. Maybe your system is infected by a virus and it is generating the DNS queries. If Symantec is not detecting the virus, please download the Microsoft malware removal tool from the link below and scan the system.

http://www.microsoft.com/en-us/download/details.aspx?id=16

visible_sol:

I will try the Microsoft tool; before that, does the SEP client need to be removed or not?

visible_sol:

Thanks for the reply. So far no virus has been detected that is harmful for the site; the issue status is pending, but for now the issue seems to come from another application's end. I will keep this forum under observation until the case is closed.

Fabiano.Pessoa:

Thanks

If there's anything I can do, just let me know.

hugs


visible_sol:

Thanks all, now the issue has been clearly traced to another application and no problem was detected from SEPM.

Thanks to all for your support.

Fabiano.Pessoa:

Hi,

Glad you managed to solve the problem.
We are always available and have the support of all.

big hug
