Endpoint Protection

  • 1.  SID 23917: Web Attack: Phoenix Toolkit Website 4 detected.

    Posted Dec 07, 2011 09:30 PM

    Hello. I use Symantec Endpoint Protection which is licensed to me through my employer. Recently, I have been getting a bubble in the system tray which reads "Symantec Endpoint Protection - [SID: 23917] Web Attack: Phoenix Toolkit Website 4 detected." When I click on the bubble, the message just disappears. When I do a full scan of the system, it doesn't list this offender as an item to delete. The IT manager at my office thinks this might be some keylogger that is down at the root level. Why can't SEP get rid of this offender? What can I do to get rid of the problem? I shouldn't have to buy a third party program to get rid of the problem. Hopefully someone can provide me with a solution to this problem! Thank you.



  • 2.  RE: SID 23917: Web Attack: Phoenix Toolkit Website 4 detected.

    Posted Dec 09, 2011 11:06 AM

    Hi,

    First of all, it is a web attack to control your PC remotely, detected by the Intrusion Prevention component:
    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23917

    You should then look at the right logs:

    Open SEP > View Logs > Client Management > Security Logs. You should see more details on the attack there. If the source of the attack is there, block it, for example with the firewall.

    You should also try to scan the system with a more aggressive scanner of ours:

    Open SEP > Help and Support > Download Support Tool, launch it and execute a scan with the Power Eraser.



  • 3.  RE: SID 23917: Web Attack: Phoenix Toolkit Website 4 detected.

    Posted Dec 19, 2011 01:09 PM

    I have the same problem except SEP cannot start with this virus on the computer.  It pops up with a warning to purchase a third party program to get rid of the virus.  I also use SEP licensed through my employer.  Any other suggestions?



  • 4.  RE: SID 23917: Web Attack: Phoenix Toolkit Website 4 detected.

    Posted Dec 19, 2011 01:30 PM

    I have downloaded the Support Tool but I get an error trying to run it.

    Sep_SupportTool.exe is not a valid Win32 application.



  • 5.  RE: SID 23917: Web Attack: Phoenix Toolkit Website 4 detected.

    Posted Dec 19, 2011 01:40 PM

    Looks like I had a corrupted download; it worked the second time.



  • 6.  RE: SID 23917: Web Attack: Phoenix Toolkit Website 4 detected.

    Posted Dec 20, 2011 01:20 AM

    Giuseppe,

    Thanks for the information that you gave the other writer.  Now, please give me detailed instructions on:

    *****You should then look at the right logs:

    open the SEP > view logs > client management > security logs, you should see there more details on the attack, if the source of the attack is there, block it, for example with the firewall.

    You should also try to scan the system with a more aggressive scanner of ours:

    open SEP > help and support > download Support Tool, launch it and execute a scan with the Power Eraser.*****

    Thanks

    Al



  • 7.  RE: SID 23917: Web Attack: Phoenix Toolkit Website 4 detected.

    Broadcom Employee
    Posted Dec 20, 2011 01:31 AM

    Is there any suspicious exe or process? Can you submit it to Symantec?



  • 8.  RE: SID 23917: Web Attack: Phoenix Toolkit Website 4 detected.

    Posted Jan 03, 2012 11:07 AM

    Hi,

    I am not sure how those steps can be more detailed:

    Double-click the yellow shield to open the SEP interface, click View Logs, then Client Management, then Security Logs. You should see more details on the attack there. If the source of the attack is there, block it, for example with the firewall.

    You've already downloaded the Support Tool; open it, flag the Power Eraser option and go ahead with the scan.