Endpoint Protection

  • 1.  Symantec and DNS

    Posted Apr 21, 2010 03:16 PM
    Hello support,

             I was wondering if anyone else is having this issue. It is critical to our business, and unfortunately, even though we have a maintenance contract with Symantec, they say this isn't their fault, but I am convinced it is.

             On Friday we thought we had a virus, and so we hastily pushed out antivirus to all of the servers and clients on our network, and since then, have had nothing but problems. We ended up not having a virus, which is great, but Symantec itself is doing very weird things to XP machines.

              Since installing Symantec, which by the way is Corporate version 10.1.6.6000, any XP machine that has Symantec on it will have its network drives lost, and after flushing the DNS, and restarting the machine, we can sort of get them to come back, but not all the time. This happens very sporadically too; not all XP machines have been affected.

              We tried putting the XP machines in a group that has everything from Symantec disabled, and we have tried putting them in a group that disables Auto-Protect. No luck.

              We even removed Symantec from the machine completely, and removed Symantec, using CleanWipe, from the server that housed the network shares, but with no luck.

              I don't know what to do. When I called support, they told me since Symantec has been removed from both the server with the network shares, and the clients' computers, it isn't a Symantec issue any longer, but I feel as if the damage has been done. I don't know what to do, or how to even diagnose what is happening. Any help would be greatly appreciated.


    Thanks,

    Jeff


  • 2.  RE: Symantec and DNS

    Posted Apr 21, 2010 03:40 PM
    You should really be using a newer version of SAV. 10.1.6 was released 7 versions ago. 10.2.4 is the latest version available.
    You mention that you pushed out AV on Friday. What were you running for AV protection before then? You cannot install an AV product on an infected system until it is clean. What was the threat that you thought you had?

    I am moving this to the Endpoint/AV forum for better visibility.

    Thomas


  • 3.  RE: Symantec and DNS

    Posted Apr 21, 2010 03:49 PM
    Thanks for moving this. Actually, we have purchased Symantec Endpoint Protection 11X, however, before we have started rolling that out, we had this "virus" issue arise, and the machine in question already had SAV 10.1.6 installed, and the other administrator was afraid that the "virus" would spread through the entire network, and so he had us deploy the antivirus to all of the other machines in the network, so we could do a full system scan last weekend to ensure nobody else received what this one person supposedly did.

    Here is the supposed virus, along with the notes from the person's email:

    I was googling my antivirus issue from Friday when I came across this chat thread on Symantec's website.  Granted it is 2 years old, but it seems to fit the bill.  The Tech Bulletin was last updated 08/2009.
     
    It seems that Symantec's auto-update bugs out during definitions updates and flags a bunch of DWH****.tmp files as malware.  The  DWH****.tmp are actually Symantec files.
     
    Chat Thread:  http://www.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder
     
    Tech Bulletin:  http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/5acc619d5a30571b882573980069a3cd?OpenDocument


  • 4.  RE: Symantec and DNS

    Posted Apr 21, 2010 04:00 PM
    Using a very old version of AV software is nearly as bad as none at all.
    For one thing, if the machine that was "infected" was already running SAV, then how would installing the same old software catch that same thing on other computers that it supposedly missed on that one?
    I know, water under the bridge, but I see very flawed logic there...........
    Sort of like the homeowner who was broken into, despite having an alarm system. The thief cleaned them out while the alarm went silent. So to prevent the same thief from returning and cleaning out the garage, he installed the same alarm system in his garage..........
    Anyway, ;-)
    There's a reason that software is updated - beyond the obvious need to update to keep modern threats away, and that is to keep it working in the constantly changing world of Windows.
    If the workstation OS was current, or say even XP with SP3 and all the latest updates, it's really risky to install older software on the current OS, it can lead to operational issues.
    OTOH, if the SAV software has since been removed, I have to think there's something else going on here.......
    I'm trying to think of how DNS flushing might be related to SAV, esp with SAV removed.
    Is SAV fully removed? All traces and drivers? Even SYMEVNT drivers?


  • 5.  RE: Symantec and DNS

    Posted Apr 21, 2010 04:40 PM
    Yes, I agree with you, and again, I was just following orders of the other administrator. Hence why I have started configuring SEP so we can be updated, because this was not looked at in a LONG time, and I believe the other administrator made a hasty decision because they were afraid, and in the heat of the moment when they thought they found a virus, and now it is up to me to clean up the mess. I think I have found at least an idea of what is happening through this forum post:

    http://social.technet.microsoft.com/Forums/en/winservergen/thread/0105b25b-a3c6-475c-8afa-73175f27f48f

    I am going to be rushing out my copy of SEP, but I feel as if since I did install an old version of Symantec on a new OS, we are dealing now with operational issues, and I need to fix those issues.


  • 6.  RE: Symantec and DNS

    Posted Apr 29, 2010 10:20 AM
    So, for us, what had happened (which, by the way Symantec did not help at all, as they told me since it was removed, it was no longer their problem) was installing the old Symantec on the Windows XP machines corrupted the drivers of the network adaptors. You have to repair the network adaptors in order for it to work properly. Just in case anyone was curious.

    I have since then moved onto SEP 11X, and getting that ready for our system.
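    The two checks the thread ends up needing, whether SAV/SYMEVNT remnants are really gone after the uninstall (post 4) and whether any network adapter is sitting in a driver error state (post 6), as an added PowerShell diagnostic that is not from the thread or from Symantec. It assumes the name pattern `symevnt|symevent|symantec` is enough to spot leftover services, drivers and service registry keys, and uses Get-WmiObject so it runs on the PowerShell 2.0 available for XP.

```powershell
# Added diagnostic, not from the thread: lists Symantec/SYMEVNT service, driver
# and registry leftovers, then any network adapter whose driver reports an error.
# Run from an elevated prompt. Name pattern is an assumption, not a Symantec list.
$pattern = 'symevnt|symevent|symantec'

function Get-SymantecRemnants {
    # Services and kernel drivers still registered with the SCM.
    $svc = Get-WmiObject Win32_Service |
        Where-Object { ($_.Name + ' ' + $_.DisplayName + ' ' + $_.PathName) -imatch $pattern } |
        Select-Object @{Name='Type';Expression={'Service'}}, Name, State, PathName
    $drv = Get-WmiObject Win32_SystemDriver |
        Where-Object { ($_.Name + ' ' + $_.DisplayName + ' ' + $_.PathName) -imatch $pattern } |
        Select-Object @{Name='Type';Expression={'Driver'}}, Name, State, PathName
    # Service keys often survive a removal even when the binary is already gone.
    $reg = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -imatch $pattern } |
        Select-Object @{Name='Type';Expression={'RegistryKey'}},
                      @{Name='Name';Expression={$_.PSChildName}},
                      @{Name='State';Expression={''}},
                      @{Name='PathName';Expression={$_.Name}}
    # Drop the $null placeholders an empty query leaves behind.
    @($svc) + @($drv) + @($reg) | Where-Object { $_ -ne $null }
}

function Get-AdapterDriverErrors {
    # ConfigManagerErrorCode 0 means the device is working; any other value is a
    # Device Manager error (driver failed to load, device not started, etc.),
    # which is the state "repair the network adapter" in the thread clears.
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.PNPDeviceID -and $_.ConfigManagerErrorCode -ne 0 } |
        Select-Object Name, ConfigManagerErrorCode, PNPDeviceID
}

$remnants = @(Get-SymantecRemnants)
if ($remnants.Count -gt 0) {
    "Symantec remnants still present:"
    $remnants | Format-Table -AutoSize
} else {
    "No Symantec services, drivers or service keys matched '$pattern'."
}

$bad = @(Get-AdapterDriverErrors)
if ($bad.Count -gt 0) {
    "Network adapters reporting driver errors:"
    $bad | Format-Table -AutoSize
} else {
    "All network adapters report ConfigManagerErrorCode 0."
}
```

    A non-zero ConfigManagerErrorCode on the only NIC, combined with no remaining Symantec entries, points at the adapter driver rather than at a lingering AV component, which matches what post 6 reports.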