Endpoint Protection


Server got infected by Multiple Virus.

  • 1.  Server got infected by Multiple Virus.

    Posted Oct 05, 2012 03:05 AM

    We are continuously getting viruses on the server, and because of this we are getting multiple shortcuts of so many files; if we try to access a shortcut, nothing gets executed.

    Please help me to identify which virus can create this problem and how to stop it.

    Risk names mentioned below:

    Scan type          Risk name               Count
    Auto-Protect scan  W32.Changeup.C          1
    Auto-Protect scan  Adware.FlashEnhancer    1
    Auto-Protect scan  W32.Stuxnet!lnk         1
    Auto-Protect scan  W32.Changeup.C          1
    Auto-Protect scan  W32.Changeup.C          1
    Auto-Protect scan  W32.Changeup.C          1
    Auto-Protect scan  W32.Stuxnet!lnk         1
    Auto-Protect scan  Bloodhound.Exploit.346  1
    Auto-Protect scan  Bloodhound.Exploit.346  1
    Auto-Protect scan  Bloodhound.Exploit.346  1
    Auto-Protect scan  Bloodhound.Exploit.346  1
    Auto-Protect scan  Bloodhound.Exploit.346  1
    Auto-Protect scan  Bloodhound.Exploit.346  1
    Auto-Protect scan  W32.Stuxnet!lnk         1



  • 2.  RE: Server got infected by Multiple Virus.

    Posted Oct 05, 2012 03:09 AM

    Is your system infected? Symantec tools to help clear an infection

    https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

    Check this thread:

    https://www-secure.symantec.com/connect/forums/virus-cleanup-exercise

    Secondly, about the Tools like Power Eraser, I would recommend you to check this Thread:

    https://www-secure.symantec.com/connect/forums/need-virus-removal-tool

    Security Best Practice Recommendations

    http://www.symantec.com/docs/TECH91705

    Best practices for responding to active threats on a network

    http://www.symantec.com/docs/TECH122466

    Security Response recommendations for Symantec Endpoint Protection settings

    http://www.symantec.com/docs/TECH122943

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

    http://www.symantec.com/docs/TECH98360



  • 3.  RE: Server got infected by Multiple Virus.

    Posted Oct 05, 2012 05:31 AM

    Hi Nagesh,

    One thing I note is that all of those detections are from Auto-Protect.  I recommend running a manual scan with the latest definitions, not just on this server but on all the computers which connect to it.  Then, view the logs to ensure everything has been deleted completely and not "left alone" or "partially removed."

    What Symantec product do you use to defend your network, and what components?  (If you do not use firewall and IPS, I recommend adding them!  Relying on AV alone is fighting with one arm tied behind your back.)

    Here are some excellent suggestions on how to keep your computers, their users and data safe:

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Please do keep this thread up-to-date with your progress!



  • 4.  RE: Server got infected by Multiple Virus.

    Posted Oct 05, 2012 07:57 AM

    Dear Mick2009,

    This is a critical server and there are some applications which are not compatible with NTP as well as PTS, so the server has only the Antivirus and Antispyware component.



  • 5.  RE: Server got infected by Multiple Virus.

    Trusted Advisor
    Posted Oct 05, 2012 09:01 AM

    Hello,

    W32.Changeup.C  is a worm that spreads through removable and shared drives by exploiting the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).

    W32.Stuxnet!lnk is a detection for .lnk files created by the W32.Stuxnet worm.

    Bloodhound.Exploit.346 is a heuristic detection for files attempting to exploit the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).

    So, as we see, the above threats appear when there are open vulnerabilities on the machines.

    In your case, I would suggest the below Plan of Action:

    1) Make sure ALL computers are installed with Symantec EP with the latest / updated virus definitions.

    2) Install ALL latest Microsoft Security Patches / Service Packs on ALL machines.

    3) Make sure ALL the client machines are using the Latest Vendor Patches installed.

    4) Disable Auto play with GPO

    http://support.microsoft.com/kb/953252

    5) Disable the System Restore with GPO

    http://support.microsoft.com/kb/283073

    6) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    7) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    8) In case of any shared / mapped drives present, make sure these are password protected.

    9) Scan ALL the machines...

    Hope that helps!!
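Two of the checks from the plan above, as an added example that is not from the thread or from Symantec: it reads the AutoRun value the KB953252 policy sets (step 4) and lists shortcut files on a share that sit next to a file or folder of the same name, the pattern the original post describes. `$SharePath` is an assumed placeholder; run it in an elevated PowerShell on the affected server.

```powershell
# Added example (not from the thread): audit AutoRun hardening and list
# shortcuts that shadow real items on a share. $SharePath is an assumed path.
param(
    [string]$SharePath = 'D:\Shared'   # assumed: the shared folder to inspect
)

# KB953252: the AutoPlay policy writes NoDriveTypeAutoRun under Policies\Explorer;
# 0xFF disables AutoRun on every drive type, including removable and network drives.
function Test-AutoRunDisabled {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)
}

# Lists every .lnk whose base name matches a sibling file or folder, oldest first,
# so the earliest entry points at where the shortcuts started appearing.
# Only file metadata is read; the shortcut content is never parsed or opened.
function Find-ShadowingShortcuts {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $lnk = $_
            $sibling = Get-ChildItem -Path $lnk.DirectoryName -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -ne '.lnk' -and $_.BaseName -eq $lnk.BaseName } |
                Select-Object -First 1
            if ($sibling) {
                New-Object PSObject -Property @{
                    Shortcut = $lnk.FullName
                    Shadows  = $sibling.Name
                    Created  = $lnk.CreationTime
                    Bytes    = $lnk.Length
                }
            }
        } | Sort-Object Created
}

if (Test-AutoRunDisabled) {
    'AutoRun: disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
} else {
    'AutoRun: not fully disabled; apply the KB953252 policy before reconnecting drives'
}

Find-ShadowingShortcuts -Path $SharePath | Format-Table Created, Shortcut, Shadows, Bytes -AutoSize
```

The shortcut list is a starting point for the manual scan and log review recommended earlier in the thread, not a verdict: a matching name is suspicious on a share where users do not normally create shortcuts, but each hit should still be confirmed from the scan logs.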



  • 6.  RE: Server got infected by Multiple Virus.

    Posted Oct 06, 2012 11:23 PM

    Dear Mithun,

    Can you please help me to create custom Intrusion Prevention signatures for W32.changeup.C in SEP so that we can block all the traffic?



  • 7.  RE: Server got infected by Multiple Virus.

    Posted Oct 06, 2012 11:58 PM

    There are  signatures available for the SEP IPS component:

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99



  • 8.  RE: Server got infected by Multiple Virus.

    Broadcom Employee
    Posted Oct 06, 2012 11:59 PM

    there is already IPS signature for the  CVE-2010-2568 and LNK shortcut files

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23801



  • 9.  RE: Server got infected by Multiple Virus.

    Posted Oct 08, 2012 12:06 AM

    How about the source? Maybe you can try to pinpoint how those files got there....



  • 10.  RE: Server got infected by Multiple Virus.

    Broadcom Employee
    Posted Oct 08, 2012 01:51 AM

    have you enabled the risktracer to know the source of the infection?



  • 11.  RE: Server got infected by Multiple Virus.

    Posted Oct 08, 2012 06:41 AM

    Thanks Pete,

    Let us know the signature for W32.Stuxnet!lnk also.



  • 12.  RE: Server got infected by Multiple Virus.



  • 13.  RE: Server got infected by Multiple Virus.

    Posted Oct 08, 2012 08:35 AM

    Thanks Ashish,

    Can you please confirm: if we have enabled the Intrusion Prevention policy on the SEPM but the client does not have the NTP & PTP component (because of some application dependence (Server OS)),

    will our Intrusion Prevention policy work?



  • 14.  RE: Server got infected by Multiple Virus.

    Broadcom Employee
    Posted Oct 08, 2012 09:20 AM

    It will work only if the IPS component is installed and enabled.



  • 15.  RE: Server got infected by Multiple Virus.

    Trusted Advisor
    Posted Oct 08, 2012 12:51 PM

    Hello,

    Policies on SEPM would not take effect, if these features are not installed on the SEP client machines.

    I would suggest you to make sure you install SEP full feature set on the client machines.

    Secondly, check these Articles:

    About the types of threat protection that Symantec Endpoint Protection provides

    http://www.symantec.com/docs/HOWTO55272

    How Symantec Endpoint Protection protection features work together

    http://www.symantec.com/docs/HOWTO55268 

    Hope that helps!!



  • 16.  RE: Server got infected by Multiple Virus.

    Posted Oct 08, 2012 01:07 PM

    A great idea, but...

    Risk Tracer must first be enabled in your Antivirus and Antispyware policy in order to view the information it can collect.  Risk Tracer requires Network Threat Protection and IPS to be installed and IPS Active Response to be enabled.

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH94526

    sandra



  • 17.  RE: Server got infected by Multiple Virus.

    Posted Oct 08, 2012 01:50 PM

    Dear Pete4u2002 / Mithun,

    If we try to enable the Intrusion Prevention policy then we have to enable the NTP component,

    but it is not possible in my case. I can't enable NTP on the server.

    And even though we have enabled Risk Tracer, nothing was found.



  • 18.  RE: Server got infected by Multiple Virus.

    Broadcom Employee
    Posted Oct 08, 2012 01:52 PM

    Enable NTP with a rule to allow all; will that not help?



  • 19.  RE: Server got infected by Multiple Virus.

    Trusted Advisor
    Posted Oct 08, 2012 02:11 PM

    Hello,

    Did you follow the Article provided by Sandra above?

    Risk Tracer relies upon the Windows File and Printer Sharing. If this is disabled (as per MS Article 199346, http://support.microsoft.com/kb/199346) Risk Tracer will not work.

    Please see What is Risk Tracer? for more information.

    Hope that helps!!



  • 20.  RE: Server got infected by Multiple Virus.

    Posted Oct 08, 2012 02:13 PM

    For Risk Tracer to work you have to enable NTP. You can scan the system either with SERT or using the NPE tool.

    Also ensure that all MS patches are installed on the system and drives are not shared.



  • 21.  RE: Server got infected by Multiple Virus.

    Posted Oct 15, 2012 12:00 AM

    Thanks Riya,

    We have scanned the server with NTP and fixed the errors which we found, but after 2 days we again found a virus infection on the server.

    (Note: we can't enable NTP on the server because of the cluster environment.)