Endpoint Protection


[SID 23179] MSRPC Server Service BO detected

  • 1.  [SID 23179] MSRPC Server Service BO detected

    Posted Mar 23, 2009 08:24 PM
    I keep getting an alert from Endpoint saying that traffic from IP address .... is blocked

    [SID 23179] MSRPC Server Service BO detected

    I was just wondering what this means and how I can fix it.  It is always the same address and has been occurring more often the past week.


  • 2.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Mar 23, 2009 09:44 PM
    Can you post some event logs, or run the diagnostic tool from Symantec on the PC and then post it here? We need to identify this.


  • 3.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Mar 24, 2009 03:50 PM

    When I run a virus scan, even in safe mode, nothing is found.  I just continue to get the alert from the icon in the lower right-hand corner.  What should I run on my computer?



  • 4.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Mar 24, 2009 03:55 PM
    Did you inspect the machine that had been backtracked and run a full scan on it?


  • 5.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Mar 24, 2009 04:00 PM

    How would I do this?



  • 6.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Mar 24, 2009 04:14 PM
    The IP address that is being detected, is that in your domain?

    If it is, narrow down where the machine is physically located. Take it off the network. Run a full scan on it.


  • 8.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Mar 24, 2009 09:59 PM
    As Sandeep said, locate it on the network. This could be a misleading application infection.


  • 9.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Mar 26, 2009 11:58 PM
    One machine on the network is infected and is trying to spread. (Whose IP is shown on other machines)

    Remove infected machine.

    Tejas


  • 10.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 02, 2009 02:28 AM
    I am also getting alerts like this, and I found W32.Downadup.B trying to spread in my network.


  • 11.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 15, 2009 11:59 AM
    Run the Downadup removal tool on all workstations...


  • 12.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 17, 2009 12:15 AM
    I am using Symantec Endpoint MR3 for my 500 clients ... I did all the steps which you guys are discussing ... I think Symantec is just a useless product ...

    Symantec is unable to remove W32.Downadup.B ...



  • 13.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 17, 2009 12:20 AM
    Hi Dhayal,

    I would suggest you run a manual scan on all of your machines from SEPM.


    Right-click on your Group > Scan the computers.

    Make sure all your machines have the latest definitions and the MS08-067 vulnerability has been patched.

    Temporarily disable the ADMIN$ share in your network. Ask users to disable open shares on their machines and change passwords every 45 days. The password must be tough and not simple dictionary words.

    I know it's a slightly lengthy procedure, but you need to follow it to remove the same.

    Rgrds,
    SAM


  • 14.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 17, 2009 03:08 AM
    Hi Sc,

    Can you please share the security logs here?


  • 15.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 17, 2009 03:15 AM



    Thanks SAM ... but I already did these steps ... what next? I have a very wide-ranging network.


  • 16.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 17, 2009 04:46 AM
    Hi,

    Please log a case with the Symantec team. They will provide you with the Loadpoints. Run the Loadpoint and submit the same. They will further ask you to send the suspicious files to the Security Response team.

    I think it is a NEW VARIANT.

    Rgrds,
    SAM


  • 17.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 20, 2009 11:18 PM
    When I run a virus scan, even in safe mode, nothing is found. I just continue to get the alert from the icon in the lower right-hand corner.


  • 18.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 21, 2009 12:14 AM
    These are the logs which I find every time on Windows Server 2003 ... every time it is attacking Server 2003 only ...

    Risk,Filename,Original Location,Status,Date
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/20/2009 5:16 PM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/20/2009 6:21 PM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/20/2009 6:21 PM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/20/2009 6:34 PM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/20/2009 7:48 PM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/20/2009 9:01 PM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/20/2009 10:17 PM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/20/2009 11:31 PM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/21/2009 12:48 AM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/21/2009 1:58 AM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/21/2009 3:13 AM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/21/2009 4:29 AM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/21/2009 5:44 AM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/21/2009 6:59 AM
    W32.Downadup.B,xqcasvu.qqt,C:\WINDOWS\system32\,Infected,4/21/2009 8:16 AM



  • 19.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 21, 2009 12:26 AM
    The system with that IP address must be in your domain.
    Physically locate it. Remove its network connection. Check whether the virus definitions are updated. Then run a full scan on the system to be on the safer side.


  • 20.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 21, 2009 01:01 AM
    Downadup uses this vulnerability in Windows. Make sure all your computers are patched with patch KB 958644.
    Check the security logs and isolate the computer from which you are getting these attacks.
    Make sure these computers have all the features installed with updated definitions and Windows security patches.


  • 21.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 22, 2009 12:40 PM
    Try to find the infected computer by its IP address and clean it. For Downadup, please download the removal tool, disable the system restore point, detach the computer from the network, log on in safe mode and then run the tool.


  • 22.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 22, 2009 01:45 PM
    Sometimes it is showing an external IP and sometimes an internal IP.


  • 23.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Apr 22, 2009 01:56 PM
    Have you tried it? What is the update?


  • 24.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Aug 13, 2009 07:32 AM
    I am having this same problem with my PC. I have run scans and it keeps popping up. The IP addresses that are being blocked are from multiple PCs. Where is the removal tool to download that you spoke of?

    Jackie


  • 25.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Aug 14, 2009 11:12 AM
    What's the confusion?
    What I do is export my NTP logs, filtered to show only Intrusion Prevention.
    Any remote hosts mentioned in lines with [SID 23179] MSRPC Server Service BO detected are surely infected with Downadup. There are no cases of false alarms.


    You need to get hold of the remote host

    1) Check that all members of the Administrators group have a PROPER password. If you are skipping this step you are wasting your time.

    2) Ensure System Restore is turned off if it's a desktop OS.

    3) Clean it up using the removal tool
    http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe

    4) Put on the MS patch (refer to KB958644) for that OS. Also ensure that the SEP client is running, or it needs to be reinstalled.

    5) Educate all IT staff, if it's a remote location, that when they rebuild PCs for any reason, they need to ensure all the above is done.
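
The log triage described in the post above, as an added example that is not part of the original thread or of Symantec's tooling: it counts [SID 23179] hits per remote host in an exported Intrusion Prevention log and separates internal from external sources. The CSV column names, the sample rows and the 10.0.0.0/8 internal range are assumptions; adapt them to the actual export.

```python
import csv
import io
import ipaddress
from collections import Counter

SIGNATURE = "[SID 23179]"  # signature text as quoted in this thread

# Assumption: the address ranges that count as "in your domain" at this site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample export; the column names are hypothetical, not SEP's own.
SAMPLE_EXPORT = """time,event_type,message,local_ip,remote_ip
2009-04-20 17:16,Intrusion Prevention,[SID 23179] MSRPC Server Service BO detected,10.1.4.20,10.1.7.33
2009-04-20 17:18,Intrusion Prevention,[SID 23179] MSRPC Server Service BO detected,10.1.4.21,10.1.7.33
2009-04-20 17:20,Intrusion Prevention,Constructed unrelated event,10.1.4.20,10.1.8.2
2009-04-20 18:21,Intrusion Prevention,[SID 23179] MSRPC Server Service BO detected,10.1.4.20,203.0.113.7
2009-04-20 18:40,Intrusion Prevention,[SID 23179] MSRPC Server Service BO detected,10.1.4.22,10.1.7.33
2009-04-20 19:02,Intrusion Prevention,[SID 23179] MSRPC Server Service BO detected,10.1.4.20,10.1.9.8
2009-04-20 19:30,Intrusion Prevention,[SID 23179] MSRPC Server Service BO detected,10.1.4.20,
"""


def triage(export_text, internal_nets=INTERNAL_NETS):
    """Count SID 23179 hits per remote host, split into internal and external."""
    internal, external = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if SIGNATURE not in (row.get("message") or ""):
            continue  # some other Intrusion Prevention event
        try:
            addr = ipaddress.ip_address((row.get("remote_ip") or "").strip())
        except ValueError:
            continue  # missing or malformed remote address
        in_domain = any(addr in net for net in internal_nets)
        (internal if in_domain else external)[str(addr)] += 1
    # Most frequent sources first: these are the hosts to locate and isolate.
    return internal.most_common(), external.most_common()


if __name__ == "__main__":
    inside, outside = triage(SAMPLE_EXPORT)
    for ip, hits in inside:
        print(f"internal {ip}: {hits} blocked attempts -> locate, isolate, scan, patch")
    for ip, hits in outside:
        print(f"external {ip}: {hits} blocked attempts -> review perimeter filtering")
```

Internal addresses in the result are the machines to take off the network and clean; external ones cannot be cleaned locally and point at traffic reaching the host from outside.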




  • 26.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Sep 10, 2009 09:14 PM

    To add an MSRPC 23179 exception:

    1. Go to Policies --> Intrusion Prevention Policies
    2. Right Click Edit --> On the Exceptions tab
    3. Click Add --> Look for the ID 23179
    4. Click Next
    5. On the Signature Action select "Allow" and click OK.

    If you want to disable the notification on your system tray:

    1. Go to Clients, then the client group you want to remove this ability from.
    2. Click the Policies tab on the right, then expand 'Location-specific Settings'.
    3. Click on 'Server Control', then Customize.
    4. In the Intrusion Prevention Notifications, uncheck "Display Intrusion Prevention notifications."



  • 27.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Dec 15, 2009 02:19 AM
    I keep getting an alert from Endpoint saying that traffic from IP address .... is blocked

    [SID 23179] MSRPC Server Service BO detected

    I was just wondering what this means and how I can fix it.  It is always the same address and has been occurring more often the past week.



  • 28.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Dec 15, 2009 02:55 AM
    porn site automatically open in pc any one help me


  • 29.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Dec 15, 2009 10:25 PM


  • 30.  RE: [SID 23179] MSRPC Server Service BO detected

    Posted Feb 27, 2010 08:33 AM
    How to Remove risk log?

    I am using Symantec Endpoint Protection. In Symantec Endpoint Protection, in the View menu, under Antivirus and Antispyware Protection, View Logs, Risk Log, when I try to delete a file the following message appears.  Can anyone please help with this problem?

    Symantec end point protection cannot perform this action of 1 of the files you selected.

    possible causes:

    - The file have been moved or deleted.
    - you are trying to clean file located in e-mail messages.
    - you are trying to clean a compressed file in a container.

    I have attached the risk log file herewith.

    Please help me.