Endpoint Protection


Trojan.Zeroaccess!inf need to block by SEP

Nagesh Singh, Oct 01, 2012 12:54 PM

  • 1.  Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 09:42 AM

    Can you please help me create an Intrusion Prevention blocking policy for Trojan.Zeroaccess!inf on SEPM.



  • 2.  RE: Trojan.Zeroaccess!inf need to block by SEP



  • 3.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Trusted Advisor
    Posted Oct 01, 2012 09:55 AM

    Hello,

    Trojan.Zeroaccess!inf is a detection for files that are infected by Trojan.Zeroaccess.

    Trojan.Zeroaccess Removal Tool 

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99

    Zeroaccess is a threat Security Response has been keeping a close eye on for some time.  In March the following whitepaper was released:

    Trojan.ZeroAccess Infection Analysis
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

    This August blog may also be of interest:

    Trojan.Zeroaccess.C Hidden in NTFS EA
    https://www-secure.symantec.com/connect/blogs/trojanzeroaccessc-hidden-ntfs-ea

    There are AV definitions and IPS signatures which can prevent Trojan.Zeroaccess from causing damage to a computer. (Please do be sure that IPS is in use in your organization; otherwise you are fighting with one arm tied behind your back!)  Manual action is necessary once this trojan is in place.  Luckily, for users of modern Windows OSes, this can be as simple as "restore previous version" of a file.  More details:

    http://www.symantec.com/security_response/writeup.jsp?docid=2012-080900-3758-99&tabid=3

    Zeroaccess is a serious threat.  A bit of public awareness can help admins to ensure their defenses are up.

    I would also suggest you create a case with Symantec Technical Support.

    To Create a Case with Symantec Technical Support.

    How to create a new case in MySupport

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

    Phone numbers to contact Tech Support:-
     
    Regional Support Telephone Numbers:
     
    United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    United Kingdom: +44 (0) 870 606 6000
     
     
    Hope this helps!!!


  • 4.  RE: Trojan.Zeroaccess!inf need to block by SEP



  • 5.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 10:32 AM

    Dear Brian81,

    Thanks for the response, but can you please let me know how we'll get the report from SEPM to check whether the same traffic is getting blocked or not?



  • 6.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 10:41 AM

    Monitors tab

    Log tab

    Set Log type: Network Threat Protection

    Set Log content: Attacks

    Select your Time range

    Click Advanced Settings

    Set Event Type: Intrusion Prevention

    Click View Log



  • 7.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Trusted Advisor
    Posted Oct 01, 2012 10:48 AM

    Hello,

    I would suggest you check this article:

    Where are Intrusion Prevention events logged on the Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager?

    http://www.symantec.com/docs/TECH95477

    Hope that helps!!



  • 8.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 10:55 AM

    Thanks for the response, but I am getting Trojan.Zeroaccess!inf in Security Risks and am unable to get it through the Intrusion Prevention log, so can you please help me out with this.



  • 9.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 10:58 AM

    Because this isn't an intrusion prevention event; it's actually on your system and attempting to infect you, or already has.

    Run the removal tool:

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-122009-5305-99&tabid=3



  • 10.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 11:18 AM

    We have already run the NPE tools and done the safe mode scan, but it comes again and again.

    So I just want to block it.

    The user has Internet access, USB as well as CD-RW access from SEPM.



  • 11.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Trusted Advisor
    Posted Oct 01, 2012 11:23 AM

    Hello,

    I would suggest you enable Risk Tracer:

    1) About Risk Tracer

    http://www.symantec.com/docs/HOWTO27137

    2) What is Risk Tracer?

    http://www.symantec.com/docs/TECH102539

    3) How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH94526

    Hope that helps!!



  • 12.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 11:39 AM

    You can use an application and device control to block these things.



  • 13.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 12:54 PM

    Can you please let us know how?



  • 14.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 12:56 PM

    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

    http://www.symantec.com/business/support/index?page=content&id=TECH106304&locale=en_US



  • 15.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 01:14 PM

    No, actually we need to allow all access to the user and then block Trojan.Zeroaccess!inf from the SEP server.



  • 16.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 01:16 PM

    The file path of this Security Risk is

    c:\RECYCLER\S-1-5-21-1454471165-746137067-1801674531-500\Dc5\A0014644.dll

    and it always comes back every second day.



  • 17.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 01:27 PM

    All Trojan.Zeroaccess!inf is, is a malicious autorun.inf file. You need to block access to autorun.inf files. You can do this using an application control policy.

    Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x and 12.1.x

    http://www.symantec.com/business/support/index?page=content&id=TECH104909



  • 18.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 01, 2012 02:22 PM

    Thanks.

    How can we say that this infection is coming because of "Autorun.inf"?

    Even though the user has full Internet access from SEPM, so it might be coming through the Internet.



  • 19.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 03, 2012 11:46 PM

    We have implemented the Intrusion Prevention and applied the autorun.inf policy, but the same Security Risk is still found.

    Please help.

    Infection file paths:

    c:\System Volume Information\_restore{5CA32C73-5FED-463B-94CC-1C35BC2377ED}\RP108\A0029599.dll

    C:\WINDOWS\system32\mcontrol.dll



  • 20.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Trusted Advisor
    Posted Oct 04, 2012 08:52 AM

    Hello,

    Any particular reason you want to block these files? Are these files suspicious?

    I would request you to submit these files to the Symantec Security Team on 

    https://submit.symantec.com/essential

    and 

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.

    I would request you to submit these files to understand if these files are malicious or not.

    Also, check this article below:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

    Hope that helps!!



  • 21.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 04, 2012 01:54 PM

    Dear Mithun,

    Thanks for the response, but can you please tell me how we can remove the virus if we are getting the infection in the below paths (mainly in System Volume Information).

    c:\System Volume Information\_restore {5CA32C73-5FED-463B-94CC-1C35BC2377ED}\RP108

    Please suggest.



  • 22.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Trusted Advisor
    Posted Oct 04, 2012 02:38 PM

    Hello,

    I would suggest you disable System Restore and run a full scan on the machine.

    Hope that helps!!

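Added triage example (not from this thread, Symantec or Broadcom): a Python script that classifies Security Risk detection paths like the ones posted above by where they sit on the host, so repeat hits in System Restore points, RECYCLER or system32 can be told apart and reinfected hosts flagged. The CSV layout and the sample rows are constructed assumptions for this example, not SEPM's real log export format.

```python
"""Triage recurring SEP Security Risk detections by location on the host.
CSV layout (date,computer,risk,file_path,action) is an assumption here."""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample log lines echoing the paths discussed in the thread.
SAMPLE_LOG = """\
date,computer,risk,file_path,action
2012-10-01,WS01,Trojan.Zeroaccess!inf,c:\\RECYCLER\\S-1-5-21-1454471165-746137067-1801674531-500\\Dc5\\A0014644.dll,Quarantined
2012-10-03,WS01,Trojan.Zeroaccess!inf,c:\\System Volume Information\\_restore{5CA32C73-5FED-463B-94CC-1C35BC2377ED}\\RP108\\A0029599.dll,Quarantined
2012-10-03,WS01,Trojan.Zeroaccess!inf,C:\\WINDOWS\\system32\\mcontrol.dll,Left alone
2012-10-05,WS02,Trojan.Zeroaccess!inf,\\\\fileserver\\share\\autorun.inf,Deleted
"""

# Ordered rules; the first regex that matches decides the location label.
LOCATION_RULES = [
    ("restore_point", re.compile(r"^[a-z]:\\system volume information\\_restore", re.I)),
    ("recycler", re.compile(r"^[a-z]:\\recycler\\", re.I)),
    ("system32", re.compile(r"^[a-z]:\\windows\\system32\\", re.I)),
    ("network_share", re.compile(r"^\\\\")),
]

def classify_path(path: str) -> str:
    """Map a detection path to the location class it falls in."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"

def triage(csv_text: str) -> dict:
    """Summarise detections: counts per location, hosts hit on more than one
    date (reinfection), and hosts with a live file the scanner left alone."""
    per_location = Counter()
    dates_by_host = defaultdict(set)
    active_hosts = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        loc = classify_path(row["file_path"])
        per_location[loc] += 1
        dates_by_host[row["computer"]].add(row["date"])
        # A restore-point copy is an old infected file System Restore kept;
        # an unremoved file under system32 means the host is still infected.
        if loc == "system32" and row["action"].lower() == "left alone":
            active_hosts.add(row["computer"])
    recurring = {h for h, d in dates_by_host.items() if len(d) > 1}
    return {"per_location": dict(per_location),
            "recurring_hosts": recurring, "active_hosts": active_hosts}
```

Hosts in `recurring_hosts` are the ones to run Risk Tracer or load point analysis on; restore-point-only hits point at System Restore keeping stale copies rather than a live infection.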


  • 23.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 05, 2012 01:47 PM

    Dear Brian81,

    I have enabled all the signatures; even then we have found the system got infected by the same virus.

    Kindly suggest.



  • 24.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Broadcom Employee
    Posted Oct 05, 2012 01:50 PM

    It's being detected, right?

    Can you run the scan in safe mode?



  • 25.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 05, 2012 02:01 PM

    As I have already mentioned, in safe mode we are not getting any virus, but after some days these come up in Security Risks.



  • 26.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Broadcom Employee
    Posted Oct 05, 2012 02:11 PM

    Can you check if any other source of infection is trying to infect?

    Open a support ticket and ask for load point analysis.



  • 27.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 05, 2012 02:19 PM

    We have cleaned it so many times, but after 10-15 days it seems to be back again.

    How can we block it through the Intrusion Prevention system?

    Note:

    (The system has a shared folder which is accessed by all the users. This is a dependency; we can't remove it.)



  • 28.  RE: Trojan.Zeroaccess!inf need to block by SEP

    Posted Oct 27, 2012 09:37 AM

    Dear All,

    Still unable to stop it. In a manual scan we are not getting anything, but it always comes up in the weekly scheduled scan.

    Enabled the HI policy as well as NTP, but it could not help.

    Enabled Risk Tracer but unable to get anything.

    Stopped "Autorun.inf" through ADC.

    Any more suggestions?