
Symantec Power Eraser and users' Load Points

Created: 03 Aug 2012 | 10 comments

Hello,

Symantec Power Eraser seems to examine only the Load Points of the current user, and not the Load Points of all users who have profiles on the host.

Some tools like Autoruns from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) are able to enumerate auto-starting locations for all the users on the host.

It would be nice if Symantec Power Eraser could do the same (the people doing the investigation in our company are not the same as the people who are infected; they do not use the same account, etc.).

Best regards,

Antoine


K33's picture

Symantec Power Eraser is the latest Symantec Recovery tool. The tool is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user’s system. Zero-day threats are those that take advantage of a newly discovered hole in a program or operating system before the developers have made a fix available – or before they are even aware that a hole exists.

http://www.symantec.com/theme.jsp?themeid=spe-user-guide

Ajit Jha's picture

Are you using this utility as an admin user? If not, please do so. It should gather the log from the host.

http://www.symantec.com/business/support/index?page=content&id=TECH134803&actp=search&viewlocale=en_US&searchid=1343985648932

Regards,

Ajit Jha

Technical Consultant

ASC & STS

Antoine B's picture

Hello,

Answering Kashish33:

  • we would like to use Symantec Power Eraser to find new variants of existing threats that are not detected by the current definition sets; this seems to be one of the goals of Symantec Power Eraser

  • as you may know, a lot of viruses ensure persistence through an HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key (here, CURRENT_USER = the infected user)

Answering Ajit Jha:

Yes, we use an admin account.

Symantec Power Eraser successfully examines some Load Points like:

hkey_local_machine\software\microsoft\windows\currentversion\run

and

hkey_current_user\software\microsoft\windows\currentversion\run (here, current_user = the admin account)

But it doesn't seem to examine the user profile registry hives of users other than the current user.

Best regards,

Antoine
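The per-user load points Antoine describes can be enumerated for every profile on the host, not only the logged-on one, with a script like the one below. This is an added example, not code from the thread or from Symantec Power Eraser; it assumes an elevated PowerShell session on the host and that the NTUSER.DAT of each offline profile is readable.

```powershell
# Added example, not from the thread or from Symantec: list the per-user
# Run/RunOnce load points of every profile on the host, including profiles
# that are not logged on, by temporarily loading each NTUSER.DAT hive.
# Assumes an elevated (administrator) PowerShell session; nothing is changed.

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$runSubKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce')
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntries {
    param([string]$HiveRoot, [string]$Label)
    foreach ($sub in $runSubKeys) {
        $key = Join-Path $HiveRoot $sub
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # provider metadata, not a value
            [pscustomobject]@{ Profile = $Label; Key = $sub; Name = $p.Name; Command = $p.Value }
        }
    }
}

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$results = foreach ($prof in Get-ChildItem -Path $profileList) {
    $sid       = $prof.PSChildName
    $imagePath = (Get-ItemProperty -Path $prof.PSPath).ProfileImagePath
    if (-not $imagePath) { continue }
    $imagePath = [Environment]::ExpandEnvironmentVariables($imagePath)
    $ntuser    = Join-Path $imagePath 'NTUSER.DAT'

    if (Test-Path "HKU:\$sid") {
        # Hive already loaded: a logged-on user, or the account running this script
        Get-RunEntries -HiveRoot "HKU:\$sid" -Label $imagePath
    } elseif (Test-Path $ntuser) {
        # Offline profile: load the hive under a temporary name, read it, unload it
        $tmp = 'SPE_' + ($sid -replace '[^A-Za-z0-9]', '')
        & reg.exe load "HKU\$tmp" $ntuser 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $ntuser"; continue }
        try     { Get-RunEntries -HiveRoot "HKU:\$tmp" -Label $imagePath }
        finally { [gc]::Collect(); & reg.exe unload "HKU\$tmp" 2>$null | Out-Null }
    }
}

$results | Sort-Object Profile, Key | Format-Table -AutoSize
```

Profiles whose hive is locked by another process (for example the system profile) are reported with a warning and skipped rather than modified.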

K33's picture

You may contact Symantec Customer Care at

http://www.symantec.com/support/assistance_care.jsp

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Chetan Savade's picture

Hi Antoine B,

Actually, there is no need to call support on this issue.

You are correct that Symantec Power Eraser examines only the load points of the current user, and it's by design.

By default, Windows loads one profile at a time.

There are a few common load points, and they can be specific to a user profile.

Check the following article to know more about it.

http://www.Symantec.com/docs/TECH99331

As per your comment ("the people doing the investigation in our company are not the same as the people that are infected, they do not use the same account etc."): in this case the people that are infected should run Power Eraser; the investigating person should not use his login credentials to run this tool.

However, you can submit a product enhancement request:

http://www.Symantec.com/business/support/index?pag...

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Chetan Savade's picture

Hi,

You can add it under an idea section also.

https://www-secure.symantec.com/connect/node/add/idea

Antoine B's picture

Thanks Chetan Savade, I will open an idea.

For your suggestion about the infected user running the tool, this doesn't work:

  • they are not working in IT
  • they do not have administrator rights (best practice), and Symantec Power Eraser doesn't seem to work fine with a non-administrator account

Chetan Savade's picture

Hi Antoine B,

In this situation you need to temporarily elevate the user's rights, fix the issue, and revert the permissions.

OR

Run a complete scan using SEP / NSS / SERT.

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

cus000's picture

Nice point there, Antoine.

Let us know if you are already pushing the idea.

Chetan Savade's picture

Hi,

I can see the idea has been created.

https://www-secure.symantec.com/connect/forums/sym...
