Endpoint Protection Small Business Edition


System infected Spygate RAT activity detected

  • 1.  System infected Spygate RAT activity detected

    Posted Oct 31, 2014 05:14 PM

    Good evening,

    For the last 2 hours I've been getting this popup: "Symantec Endpoint Protection [SID27950] System Infected Spygate RAT Activity detected".

    I have looked on different forums but I can't find a solution.

    The following actions have been done:

    - run a scan in normal and safe mode

    - run Norton Power Eraser

    - run CCleaner

    Strangely, I can't find anything wrong.

    How can I solve this issue? Is the system really infected, or is it just a warning saying that SEP has done its job?

    Thanks for your help

    Raphaël



  • 2.  RE: System infected Spygate RAT activity detected

    Posted Oct 31, 2014 05:19 PM

    If you've run a full scan with the latest defs as well as a Threat Analysis Scan, it's likely that SEP was just doing its job.

     How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    You can also try a third party second opinion scan as well...



  • 3.  RE: System infected Spygate RAT activity detected

    Posted Nov 01, 2014 11:59 PM

    A Full Scan will not find IPS detections; IPS detections are based on attack patterns, whereas a scan is file-based.

    Symantec has blocked an attack using an IPS signature. You don't have to worry about it.



  • 4.  RE: System infected Spygate RAT activity detected

    Posted Nov 02, 2014 06:05 AM

    You can get more precise information if you check the security log: Client GUI > View logs > Client Management/Security Log. There you can also see the IP address of the "attacker".

     



  • 5.  RE: System infected Spygate RAT activity detected

    Posted Nov 03, 2014 01:32 AM

    Hi Raphaël,

    Thanks for the post. If this IPS alert is appearing constantly, then the system is likely infected. If this appeared just once, then it likely means IPS protected you when you visited a drive-by download site.

    Symantec Guide to Scary Internet Stuff - No 4 Drive-by downloads
    http://www.youtube.com/watch?v=J0QXD2ts4Qc

    Do take the time to ensure your SEP is configured to protect you!

    Symantec Endpoint Protection – Best Practices
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Please do update this thread with more news (or word that this has answered your question) when time allows.

    With thanks and best regards,

    Mick



  • 6.  RE: System infected Spygate RAT activity detected

    Posted Nov 03, 2014 10:09 AM

    Hi Mich2009,

    I am having this message coming all the time, how can I get rid of this infection?

    Thanks,

    Cuervo123



  • 7.  RE: System infected Spygate RAT activity detected

    Posted Nov 03, 2014 01:03 PM

    Hello,


    By looking in the log file, following the advice of greg12, I can see that I get an attack from a remote host with the IP 54.69.32.99. I have the following message: [SID: 27950] System Infected: Spygate RAT Activity attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE

    See an extract of the log file attached.

    What can I do?

    Thanks

    Raphaël

    Attachment(s): RAT_Activity.zip (zip, 888 B, 1 version)


  • 8.  RE: System infected Spygate RAT activity detected

    Posted Nov 03, 2014 01:06 PM

    This is incoming traffic, so the IPS is doing its job by blocking it. Put in a firewall rule to block this IP address. The firewall is the first line of defense and will drop the traffic before it hits anything else.



  • 9.  RE: System infected Spygate RAT activity detected

    Posted Nov 04, 2014 05:59 AM

    Here is the best article for how to fight an infection:

    Best Practices for Troubleshooting Viruses on a Network
    http://www.symantec.com/docs/TECH122466

    Also, use the SymHelp diagnostic with Threat Analysis Scan to find any suspicious files on that computer.


    How to run the Threat Analysis Scan in Symantec Help (SymHelp)
    http://www.symantec.com/docs/TECH215519



  • 10.  RE: System infected Spygate RAT activity detected

    Posted Nov 05, 2014 09:24 AM

    Hi Raphaël,

    Just a ping to see how you are progressing?

    Many thanks in advance,

    Mick



  • 11.  RE: System infected Spygate RAT activity detected

    Posted Nov 06, 2014 01:49 AM

    Well, I have the same issue. Except I have outgoing TCP requests.

    Every 10 minutes or so I get a pop up message "Spygate RAT Activity detected"

    Ever since I tried installing an application I probably shouldn't have.

    Following is an extract from my log file. I changed the user name & domain.

    289    6/11/2014 5:26:24 PM    Intrusion Prevention    Critical    Outgoing    TCP    54.69.32.99    00-00-00-00-00-00    10.0.0.13    AC-7B-A1-B2-11-73    C:\Windows\System32\svchost.exe    USER    DOMAIN   HOME DOMAIN Offline    1    6/11/2014 5:25:22 PM    6/11/2014 5:25:22 PM    [SID: 27950] System Infected: Spygate RAT Activity detected.

    The IP address  54.69.32.99 = nginx. Nginx (pronounced engine-x) is a free, open-source, high-performance HTTP server and reverse proxy

    A scan using Symantec Endpoint Protection does not find any problem.

    A scan using Malwarebytes also finds no problems.

    I would greatly appreciate any help in cleaning this malware.
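As an added example (not code from this thread, from Symantec, or from any poster), here is the triage a responder would run over an exported SEP security log like the extracts in posts 7 and 11. It parses the tab-separated IPS records, groups them by remote IP, separates Incoming hits (traffic the IPS blocked, post 8) from Outgoing hits (a local process initiating the connection, which posts 5 and 8 treat as the sign of an infected host when it repeats), keeps only the image name so the Win32 path in post 11 and the NT device path in post 7 collapse to the same process, and builds a Windows Firewall netsh command as a stand-in for the SEP firewall rule suggested in post 8. The 18-column order is inferred from the single line in post 11, the "repeated outgoing" threshold is an assumption, and the sample lines are constructed.

```python
"""Triage helper for Symantec Endpoint Protection IPS log exports.

Added example, not part of the thread. Column order is an assumption
inferred from the single exported line in post 11.
"""
import re
from collections import defaultdict

# Assumed column order of the tab-separated SEP security-log export (18 columns).
COLUMNS = [
    "record", "event_time", "event_type", "severity", "direction", "protocol",
    "remote_ip", "remote_mac", "local_ip", "local_mac", "application",
    "user", "domain", "location", "count", "begin_time", "end_time", "description",
]

SID_RE = re.compile(r"\[SID:\s*(\d+)\]")

# Assumption: this many outgoing hits to one remote host counts as "constant"
# (post 5) rather than a one-off, so the host is treated as infected.
REPEAT_THRESHOLD = 2


def parse_line(line):
    """Return a dict for an Intrusion Prevention record, or None for anything else.

    Only the lower-cased image name of the application path is kept, so a
    Win32 path and an NT device path to the same binary compare equal.
    """
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != len(COLUMNS):
        return None
    rec = dict(zip(COLUMNS, fields))
    if rec["event_type"] != "Intrusion Prevention":
        return None
    match = SID_RE.search(rec["description"])
    rec["sid"] = match.group(1) if match else ""
    rec["image"] = rec["application"].rsplit("\\", 1)[-1].lower()
    return rec


def triage(lines):
    """Aggregate IPS records per remote IP: direction counts, images, SIDs."""
    summary = defaultdict(lambda: {"Incoming": 0, "Outgoing": 0,
                                   "images": set(), "sids": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["remote_ip"]]
        entry[rec["direction"]] = entry.get(rec["direction"], 0) + 1
        entry["images"].add(rec["image"])
        entry["sids"].add(rec["sid"])
    return dict(summary)


def verdict(entry):
    """Rule of thumb from the thread: blocked inbound traffic means the IPS did
    its job; repeated outbound hits mean a local process keeps initiating the
    connection and the host should be treated as infected."""
    if entry["Outgoing"] >= REPEAT_THRESHOLD:
        return "likely infected"
    if entry["Outgoing"] == 1:
        return "investigate"
    return "blocked inbound"


def firewall_rule(ip, direction="in"):
    """Windows Firewall (netsh advfirewall) equivalent of the SEP firewall rule
    suggested in post 8; this is not SEP's own rule format."""
    return (f'netsh advfirewall firewall add rule name="Block {ip}" '
            f'dir={direction} action=block remoteip={ip}')


def _line(record, direction, remote_ip, application, description,
          event_type="Intrusion Prevention"):
    """Build one constructed export line in the post 11 layout."""
    return "\t".join([
        record, "6/11/2014 5:26:24 PM", event_type, "Critical", direction, "TCP",
        remote_ip, "00-00-00-00-00-00", "10.0.0.13", "AC-7B-A1-B2-11-73",
        application, "USER", "DOMAIN", "HOME DOMAIN Offline", "1",
        "6/11/2014 5:25:22 PM", "6/11/2014 5:25:22 PM", description,
    ])


# Constructed sample: three outbound hits like post 11's, one inbound like post 7's
# (203.0.113.5 is a documentation address), and a non-IPS record that must be ignored.
SAMPLE_LINES = [
    _line("289", "Outgoing", "54.69.32.99", r"C:\Windows\System32\svchost.exe",
          "[SID: 27950] System Infected: Spygate RAT Activity detected."),
    _line("290", "Outgoing", "54.69.32.99", r"C:\Windows\System32\svchost.exe",
          "[SID: 27950] System Infected: Spygate RAT Activity detected."),
    _line("291", "Outgoing", "54.69.32.99",
          r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE",
          "[SID: 27950] System Infected: Spygate RAT Activity detected."),
    _line("292", "Incoming", "203.0.113.5",
          r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE",
          "[SID: 27950] System Infected: Spygate RAT Activity attack blocked."),
    _line("293", "Outgoing", "203.0.113.5", r"C:\Windows\System32\svchost.exe",
          "Port scan", event_type="Firewall"),
]


if __name__ == "__main__":
    for ip, entry in sorted(triage(SAMPLE_LINES).items()):
        print(ip, entry["Incoming"], entry["Outgoing"], sorted(entry["images"]),
              sorted(entry["sids"]), verdict(entry))
        if verdict(entry) != "blocked inbound":
            print("  ", firewall_rule(ip, "out"))
```

Run it on a real export by replacing SAMPLE_LINES with the file's lines; if the exported column order differs from post 11's, adjust COLUMNS first, since a length mismatch silently drops the record. A "likely infected" verdict from a Windows system binary such as svchost.exe does not by itself identify the malware: it says which process owns the socket at the moment the IPS fires, so the next step is to find what loaded into or launched that process (the Threat Analysis Scan from post 9, or a process listing taken while the alert repeats) rather than to scan files again.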