
Trojan is bypassing endpoint protection with attachment to e-mail

Created: 14 Mar 2013 | 6 comments

Then internal scanning took place on an internal computer on a Tuesday and did not flag this Trojan horse. The user saw it was an odd mail and did not open it, just placed it on his desktop to manually scan it the next day. Once he scanned it with Endpoint it was OK.

Today, Thursday, he opened it and Symantec Endpoint stopped it while opening the e-mail. Our release is 11.05002.333.

Is this the way Endpoint is supposed to stop Trojans? File name is sample.zip>>image.scr

Concerned,


_Brian:

This happened most likely because there wasn't a signature at the time the file was downloaded, so SEP didn't know about it.

Trojan Horse is usually a generic name Symantec gives to a new sample.

Once Symantec got ahold of the file, they created a signature for it and it was downloaded and loaded into the SEPM for distribution to clients.

We get similar emails with the .scr file attached (inside the zip file) all the time. I submit to https://www.virustotal.com/en/ to see who has a signature for it. Usually it is hit or miss. If Symantec doesn't have a signature, I submit to their Security Response so they can create one.

Jjake10:

This was a recognized Trojan with a history back to 2004, known as “Trojan-Spy.HTML.Smitfraud.c [Kaspersky], Phish-BankFraud.eml.a [McAfee], Trj/Citifraud.A [Panda Software], generic5 [AVG]”.

It is also in the Symantec database online at:

http://securityresponse.symantec.com/security_resp...

_Brian:

That may be the case but the problem is the bad guys simply change the code to evade AV detection. SEP 12.1 will provide better protection against this with SONAR (behavioral analysis) and Download Insight (reputation based) scanning.

Mithun Sanghavi:

Hello,

Check this Thread: https://www-secure.symantec.com/connect/forums/outlook-plugin-0

Internet Email Auto-Protect protects both incoming email messages and outgoing email messages that use the POP3 or SMTP communications protocol over the Secure Sockets Layer (SSL). When Internet Email Auto-Protect is enabled, the client software scans both the body text of the email and any attachments that are included.

About Auto-Protect and email scanning

http://www.symantec.com/docs/TECH95093

NOTE: Symantec Internet Email Auto-Protect in SEP 11.x is not supported on 64 Bit machines.

You can enable Auto-Protect to support the handling of encrypted email over POP3 and SMTP connections. Auto-Protect detects the secure connections and does not scan the encrypted messages. Even if Internet Email Auto-Protect does not scan encrypted messages, it continues to protect computers from viruses and security risks in attachments.

If you use Microsoft Outlook over MAPI or Microsoft Exchange client and you have Auto-Protect enabled for email, attachments are immediately downloaded. The attachments are scanned when you open the attachment. If you download a large attachment over a slow connection, mail performance is affected. You may want to disable this feature if you regularly receive large attachments.

Email attachments are frequently the culprits in virus attacks. To protect yourself from viruses transmitted through email attachments:

  • Don't open any attachment you were not expecting, even if it comes from a trusted source, such as a family member, co-worker, or friend.
  • If you do not know the sender of a message that includes an attachment, delete the message without reading it.
  • Do not open any attached file ending in .exe, .vbs, or .lnk.
  • Never open an attachment without verifying that it's virus free. To open an attachment, first save it to your hard drive and then scan it with antivirus software, such as Symantec Endpoint Protection.

In case of suspicion, it is recommended to submit the attachment to the Symantec Security Response Team at https://submit.symantec.com/essential

The Exchange servers have nothing to do with the Outlook mail scanning plugin. This is completely client-side. Your Exchange servers would have something like Mail Security for Microsoft Exchange scanning the server-side traffic.

OR

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000:

As Brian stated, it sounds like a new variation of the threat.

For future note, submit and compare any undetected files to external sites or Security Response for further analysis.

Good that your user is educated.

sandra.g:

So it sounds like when he saved the (compressed?) file to the desktop and then scanned it, the malicious file was not detected, but when he tried to open the zip file it was detected before it could infect the computer. (Definitely good for your user for knowing better than to just open it!) Is that accurate? If so, I can see this being as expected, depending on your settings.

You may want to see this forum thread, which touches on compressed file scanning: https://www-secure.symantec.com/connect/forums/how...

Specifically, greg12's reply (from August, 2011):

Auto-Protect for file system indeed doesn't check archives (by contrast, Auto-Protect for E-Mail/Outlook/Lotus Notes does it). I assume the main reason is performance. Apart from that, malware in archives will be detected by Auto-Protect when the archive will be decompressed.

In other words, AutoProtect would not have scanned the compressed zip file when it was copied to the desktop. (The file can't infect anything from within the zip as it's being copied.)

The manual scan might have had compressed file scanning turned off for performance, but you would have to verify that in your policy settings. When the zip file's contents were extracted, AutoProtect caught the file in question.

As was mentioned above, since the version that you are using, 11.0.5002, is from September of 2009 and there have been many enhancements and fixes since that release, you may want to look into the possibility of upgrading to a newer version: Best practices for upgrading to Symantec Endpoint Protection 12.1.2

Hope this helps,

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helped you.
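The thread's advice boils down to two points: archives are not inspected by file-system Auto-Protect until they are unpacked, and executable attachment types (.exe, .scr, .vbs, .lnk) hiding inside a zip deserve suspicion before anyone double-clicks them. The script below is an added example written for this page; it is not code from the thread, from Symantec, or from SEP. It lists the members of a zip attachment in memory, without extracting anything to disk, and flags names with executable extensions, document-style double extensions (invoice.pdf.exe), and nested archives, reporting paths in the same `outer.zip>>inner` notation the original poster used. The extension lists, the size cap and the sample archive are all constructed for this example.

```python
"""Added example (not from the thread or from Symantec): list what is inside a
zip attachment without extracting it, and flag risky member names."""
import io
import zipfile

# Constructed for this example: extensions Windows will execute directly.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk",
}
# Constructed for this example: extensions used to disguise a payload as a
# document or image in a double extension such as invoice.pdf.exe.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Constructed cap: refuse to inflate a nested archive larger than this in memory.
MAX_NESTED_BYTES = 5 * 1024 * 1024


def _basename(path):
    """Last path component; zip member names always use forward slashes."""
    return path.rsplit("/", 1)[-1]


def _suffixes(name):
    """('.pdf', '.exe') for 'invoice.pdf.exe'; () for a name with no dot."""
    parts = _basename(name).lower().split(".")
    return tuple("." + p for p in parts[1:]) if len(parts) > 1 else ()


def inspect_zip_bytes(data, depth=0, max_depth=2):
    """Return a list of (path, reason) findings for an archive held in memory.

    Nothing is written to disk, so the members are never placed where a
    double-click could run them. Nested zips are opened in memory up to
    max_depth and reported as 'outer.zip>>member'.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = _suffixes(info.filename)
            last = suffixes[-1] if suffixes else ""
            if last in RISKY_EXTENSIONS:
                findings.append((info.filename, "executable extension " + last))
                if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                    findings.append((info.filename,
                                     "document-style double extension " + suffixes[-2] + last))
            if last == ".zip" and depth < max_depth:
                # file_size is the declared uncompressed size; check it before inflating.
                if info.file_size > MAX_NESTED_BYTES:
                    findings.append((info.filename, "nested archive too large to inspect"))
                    continue
                nested = zf.read(info.filename)
                for path, reason in inspect_zip_bytes(nested, depth + 1, max_depth):
                    findings.append((info.filename + ">>" + path, reason))
    return findings


def build_sample_attachment():
    """Constructed sample shaped like the thread's sample.zip>>image.scr.

    Every member holds plain text, so nothing here is executable or malicious;
    the check only looks at member names and structure.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.exe", "placeholder text, not an executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("image.scr", "placeholder text, not a screensaver")
        z.writestr("readme.txt", "harmless text")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_zip_bytes(build_sample_attachment()):
        print(f"{path}: {reason}")
```

Run as-is, the script reports `image.scr` for its .scr extension and `inner.zip>>invoice.pdf.exe` twice, once for the .exe extension and once for the document-style double extension, while `readme.txt` produces no finding. A name check like this is only a first filter and says nothing about the bytes themselves, which is why the thread's advice to submit unrecognized samples to Security Response still applies; it does, however, let a help desk see what a user received before anything is extracted onto a desktop where file-system Auto-Protect would be the only remaining line of defence.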