Endpoint Protection


Symantec AV CE 10.6.1.6

  • 1.  Symantec AV CE 10.6.1.6

    Posted Jan 27, 2011 03:52 PM

    We have been infected by a flash drive virus that Symantec does not detect or clean. We have the latest defs.

    It creates the hidden files and directories on the hard drive of the workstation and on the flash drive at the root.

    Directories
    c:\gazma\
    c:\gazma\menatena

    files
    c:\gazma\lax.exe
    c:\gazma\desktop.ini
    c:\gazma\menatena\lax.exe
    c:\gazma\menatena\desktop.ini

    Malwarebytes and combofix.exe clean it manually.

    Infected machines lose internet connectivity exactly 5 hours after logging in in the morning.

    How can I get Symantec to include this in the virus defs?



  • 2.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 27, 2011 04:03 PM

    Submit the sample to Security Response ASAP.

    http://www.symantec.com/business/security_response/submitsamples.jsp

     

    You should strongly consider upgrading to SEP 11. SAV does not offer the level of protection needed against today's modern threats.

     



  • 3.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 12:39 AM

    Make sure that Auto-play is disabled on all your Drives.

     



  • 4.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 04:00 AM

    Hi Superfine,

     

    Isolate those infected computers from the others, submit the suspicious files that were identified (Symantec Power Eraser can also help to remove suspicious files, by the way), and make sure that all defenses are up to date. Here is a good link:

    Security Best Practices for Protecting a Business Environment from Common Threats
    http://www.symantec.com/docs/TECH105236

     

    When that infection is clear, I strongly encourage all SAV users to upgrade to SEP: here are links to a pair of newly-discovered vulnerabilities that affect all releases of SAV prior to SAV 10.1 MR10.  SEP is not vulnerable to any attacks which may take advantage of these known vulnerabilities in SAV. 

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_01

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00

     

    Please keep the forum up-to-date with your progress!

     

    Thanks and best regards,

     

    Mick



  • 5.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 10:06 AM

    I submitted the directory and autorun.inf in a zipped file to the link you provided.



  • 6.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 10:06 AM

    I also implemented a GP disabling the autorun.  Great advice learn_learn!
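
A read-only triage check for the artifacts and the autorun setting discussed in this thread, as an added example that is not part of any poster's message or of Symantec's tooling: it tests for the paths listed in post 1, looks for autorun.inf and a gazma folder at the root of removable drives, and reports the NoDriveTypeAutoRun policy value. Assumptions: the function names are hypothetical, and the policy is read from HKLM only (a per-user value under HKCU is not checked).

```powershell
# Paths exactly as reported in post 1 of this thread.
$ReportedPaths = @(
    'C:\gazma', 'C:\gazma\menatena',
    'C:\gazma\lax.exe', 'C:\gazma\desktop.ini',
    'C:\gazma\menatena\lax.exe', 'C:\gazma\menatena\desktop.ini'
)

function Get-HiddenItemInfo {
    param([string]$Path)
    # -Force is needed because the reported files and folders are hidden.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        New-Object PSObject -Property @{
            Path          = $item.FullName
            Attributes    = $item.Attributes
            LastWriteTime = $item.LastWriteTime
        }
    }
}

function Get-RemovableRootArtifact {
    # DriveType 2 = removable disk (flash drives).
    foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
        foreach ($name in 'autorun.inf', 'gazma') {
            Get-HiddenItemInfo -Path (Join-Path ($d.DeviceID + '\') $name)
        }
    }
}

function Get-AutoRunPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = if ($prop) { [int]$prop.NoDriveTypeAutoRun } else { $null }
    New-Object PSObject -Property @{
        Value              = $value
        # Bit 0x04 covers removable drives; 0xFF covers every drive type.
        RemovableDisabled  = ($value -ne $null) -and (($value -band 0x04) -ne 0)
        AllDrivesDisabled  = ($value -eq 0xFF)
    }
}

'--- Reported paths present on this machine ---'
$ReportedPaths | ForEach-Object { Get-HiddenItemInfo -Path $_ } | Format-List
'--- Artifacts at the root of removable drives ---'
Get-RemovableRootArtifact | Format-List
'--- Autorun policy (HKLM) ---'
Get-AutoRunPolicy | Format-List
```

The script only reads file metadata and one registry value; any hit is a reason to isolate the machine and submit the files, as advised above.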



  • 7.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 10:14 AM

    Make sure that you do not submit it to the Retail users website...



  • 8.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 10:55 AM

    I did not have a choice. When I go to the business ones it says that my support number is not valid on my account, but I'm reading it right off of the .pdf they emailed me.



  • 9.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 11:01 AM

    Type the technical contact ID. That's what you need. Please call support on https://support.broadcom.com, if required, but PLEASE DO NOT SUBMIT to RETAIL.



  • 10.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 11:20 AM

    What is the technical contact? Is it an email address or customer number or something else?



  • 11.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 11:26 AM

    It is something else. If it is not mentioned on the .pdf you got, then please call support and open a case; they will let you know the contact ID. Moreover, they could also help you to submit files and let you know once a response is available.



  • 12.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 11:28 AM

    I called that number and they gave me my Technical Contact ID.  Thanks a lot.



  • 13.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 11:31 AM

    We initially steered clear of SEP because we were told by a consulting company that it was difficult to manage and a resource hog. Of course that was 2 years ago (v9).  Are there any drawbacks on SEP 11?  I have had Norton 360 at home for 3 years and love it.  I can hardly tell it's running and have never been infected.



  • 14.  RE: Symantec AV CE 10.6.1.6

    Posted Jan 28, 2011 12:51 PM

    Two years ago, with SAV ver 9, it could have been, but SEP ver 11.0.6200 is Kool.



  • 15.  RE: Symantec AV CE 10.6.1.6

    Posted Feb 03, 2011 06:17 AM

    Does Symantec Endpoint Protection or Symantec Antivirus Scan USB flash drives?
    http://www.symantec.com/business/support/index?page=content&id=TECH102573

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses
    http://www.symantec.com/business/support/index?page=content&id=TECH99222