
Trojan.Zeroaccess!inf needs to be blocked by SEP

Created: 01 Oct 2012 | 27 comments

Can you please help me to create an Intrusion Prevention blocking policy for Trojan.Zeroaccess!inf on SEPM?


Mithun Sanghavi wrote:

Hello,

Trojan.Zeroaccess!inf is a detection for files that are infected by Trojan.Zeroaccess.

Trojan.Zeroaccess Removal Tool 

http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99

Zeroaccess is a threat Security Response has been keeping a close eye on for some time.  In March the following whitepaper was released:

Trojan.ZeroAccess Infection Analysis
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

This August blog may also be of interest:

Trojan.Zeroaccess.C Hidden in NTFS EA
https://www-secure.symantec.com/connect/blogs/trojanzeroaccessc-hidden-ntfs-ea

There are AV definitions and IPS signatures which can prevent Trojan.Zeroaccess from causing damage to a computer. (Please do be sure that IPS is in use in your organization; otherwise you are fighting with one arm tied behind your back!) Manual action is necessary once this trojan is in place. Luckily, for users of modern Windows OSes, this can be as simple as "restore previous version" of a file. More details:

http://www.symantec.com/security_response/writeup.jsp?docid=2012-080900-3758-99&tabid=3

Zeroaccess is a serious threat.  A bit of public awareness can help admins to ensure their defenses are up.

I would also suggest that you create a case with Symantec Technical Support.

To Create a Case with Symantec Technical Support.

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000

Hope this helps!!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

_Brian wrote:

There are multiple signatures available for the SEP IPS component:

System Infected: ZeroAccess P2P Request
System Infected: ZeroAccess Rootkit Activity
System Infected: ZeroAccess Rootkit Activity 2
System Infected: ZeroAccess Rootkit Activity 4
System Infected: ZeroAccess Rootkit Activity 5
System Infected: ZeroAccess RootKit Activity 6
System Infected: ZeroAccess RootKit Activity 7

All available signatures are found here:

http://www.symantec.com/security_response/attacksi...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Nagesh Singh wrote:

Dear Brian81,

I have enabled all the signatures, but we have still found a system infected by the same virus.

Kindly suggest.

Thanks & Regards,

Nagesh Singh

 

pete_4u2002 wrote:

It's being detected, right?

Can you run the scan in safe mode?

Nagesh Singh wrote:

As I have already mentioned, in safe mode we are not getting any virus, but after some days these come up as a Security Risk.


pete_4u2002 wrote:

Can you check if any other source of infection is trying to infect?

Open a support ticket and ask for load point analysis.

Nagesh Singh wrote:

We have cleaned it so many times, but after 10-15 days it seems to come back again.

How can we block it through the Intrusion Prevention System?

Note:

(The system has a shared folder which is accessed by all the users. This is a dependency; we can't remove it.)


Nagesh Singh wrote:

Dear Brian81,

Thanks for the response, but can you please let me know how we'll get the report from SEPM to check whether the same traffic is getting blocked or not?


_Brian wrote:

1) Monitors tab
2) Log tab
3) Set Log type: Network Threat Protection
4) Set Log content: Attacks
5) Select your Time range
6) Click Advanced Settings
7) Set Event Type: Intrusion Prevention
8) Click View Log


Mithun Sanghavi wrote:

Hello,

I would suggest you check this article:

Where are Intrusion Prevention events logged on the Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager?

http://www.symantec.com/docs/TECH95477

Hope that helps!!


Nagesh Singh wrote:

Thanks for the response, but I am getting Trojan.Zeroaccess!inf in Security Risks and am unable to get it through the Intrusion Prevention log, so can you please help me out with this?


_Brian wrote:

Because this isn't an intrusion prevention event; it's actually on your system and attempting to infect you, or already has.

Run the removal tool:

http://www.symantec.com/security_response/writeup....


Nagesh Singh wrote:

We have already run the NPE tool and done the safe mode scan, but it comes back again and again.

So I just want to block it.

Users have Internet access, USB as well as CD-RW access from SEPM.


Mithun Sanghavi wrote:

Hello,

I would suggest you enable Risk Tracer:

1) About Risk Tracer

http://www.symantec.com/docs/HOWTO27137

2) What is Risk Tracer?

http://www.symantec.com/docs/TECH102539

3) How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH94526

Hope that helps!!


_Brian wrote:

You can use an Application and Device Control policy to block these things.


Nagesh Singh wrote:

Can you please let us know how?


_Brian wrote:

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/business/support/index?pag...


Nagesh Singh wrote:

No, actually we need to allow all the access to users and then block Trojan.Zeroaccess!inf from the SEP server.


Nagesh Singh wrote:

The file path of this Security Risk is

c:\RECYCLER\S-1-5-21-1454471165-746137067-1801674531-500\Dc5\A0014644.dll

and it always comes back every second day.


_Brian wrote:

All Trojan.Zeroaccess!inf is, is a malicious autorun.inf file. You need to block access to autorun.inf files. You can do this using an Application Control policy.

Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x and 12.1.x

http://www.symantec.com/business/support/index?pag...

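Added example, not from the thread or from Symantec: a Python triage script that parses an autorun.inf and reports the directives that would launch code when a drive or mapped share is opened, flagging targets under RECYCLER or System Volume Information like the paths reported in this thread. The directive names are the standard autorun.inf keys; the sample file content, SID and file names are constructed for the example.

```python
import re

# Directives in [autorun] that launch a program when the drive or mapped share
# is opened; "shell\<verb>\command" entries add context-menu actions that run code.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
HIDDEN_DIRS = ("\\recycler\\", "\\system volume information\\")

# Constructed sample, not a real ZeroAccess autorun.inf; the SID and file
# names are placeholders.
SAMPLE_AUTORUN = """\
[autorun]
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Shared Drive
open=RECYCLER\\S-1-5-21-0-0-0-500\\Dc5\\payload.exe
shellexecute=wscript.exe //B loader.vbs
shell\\open\\command=loader.exe
"""

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def execution_directives(text):
    """List (directive, target) pairs that would run code; icon/label are benign."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in EXEC_KEYS or SHELL_CMD.match(k)]

def triage(text):
    """Rate the file: 'clean' (no code launch), 'suspicious' (launches code),
    or 'hidden' (launches code from RECYCLER / System Volume Information)."""
    hits = execution_directives(text)
    if not hits:
        return "clean"
    if any(d in ("\\" + v.lower()) for _, v in hits for d in HIDDEN_DIRS):
        return "hidden"
    return "suspicious"
```

Run `triage()` over the autorun.inf found on the shared folder or a USB stick to see whether it launches anything at all before deciding what the ADC policy should block.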

Nagesh Singh wrote:

Thanks.

How can we say that this infection is coming because of "Autorun.inf"?

Even though users have full Internet access from SEPM, so it might be coming through the Internet.


Nagesh Singh wrote:

We have implemented the Intrusion Protection and applied the autorun.inf policy, but the same Security Risk is still found.

Please help.

Infection File Path:

c:\System Volume Information\_restore{5CA32C73-5FED-463B-94CC-1C35BC2377ED}\RP108\A0029599.dll

C:\WINDOWS\system32\mcontrol.dll


Mithun Sanghavi wrote:

Hello,

Any particular reason, you want to block these files? Are these files suspicious?

I would request you to submit these files to the Symantec Security Team on 

https://submit.symantec.com/essential

and 

http://www.threatexpert.com/submit.aspx

Note: ThreatExpert is owned by Symantec.

I would request you to submit these files to understand if these files are malicious or not.

Also, check this article below:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Hope that helps!!


Nagesh Singh wrote:

Dear Mithun,

Thanks for the response, but can you please tell me how we can remove the virus if we are getting the infection in the below paths (mainly in System Volume Information)?

c:\System Volume Information\_restore {5CA32C73-5FED-463B-94CC-1C35BC2377ED}\RP108

Please suggest.


Mithun Sanghavi wrote:

Hello,

I would suggest you disable System Restore and run a Full Scan on the machine.

Hope that helps!!


Nagesh Singh wrote:

Dear All,

Still unable to stop it. In a manual scan we are not getting anything, but it always comes up in the weekly scheduled scan.

Enabled the HI policy as well as NTP, but it did not help.

Enabled Risk Tracer but unable to get anything.

Stopped Autorun.inf through ADC.

Any more suggestions?
