Endpoint Protection


An unusual pattern

  • 1.  An unusual pattern

    Posted Dec 11, 2013 02:30 PM

    We have had some machines that have SEP installed. We are mostly current, but there are a few standouts. The standouts manifest this way: 1. They will NOT upgrade past the version they are on. 2. For some reason there is a trust-relationship problem, which forces me to remove and re-add them to our domain.

    Every single one of these PCs is heavily infected, and the old version of SEP didn't do a thing to clean it up. The clients do communicate with the manager and get definition updates, but it is as if SEP doesn't work at all. I have to remove and re-add the PC to the domain. Once I do, I run CleanWipe, then install the most recent version of SEP. Most of the time I have to run Malwarebytes in order to remove the threats.

    This is what was found on the most recent PC with this issue:

    Trojan.Zbot
    Trojan.Maljava
    Trojan.Maljava
    Trojan.Maljava
    Trojan.Maljava
    Trojan.Maljava!gen35
    W32.Fujacks.CE!html


  • 2.  RE: An unusual pattern

    Posted Dec 11, 2013 02:35 PM

    Old version as in 11.x?

    Do you have all components enabled in 12.1?

    You can run a load point analysis to check for suspicious files:

    http://www.symantec.com/docs/TECH203027

    Or yeah, you may need to run another third-party tool if SEP isn't catching it.



  • 3.  RE: An unusual pattern

    Posted Dec 11, 2013 02:37 PM

    Yes, 11.x



  • 4.  RE: An unusual pattern

    Posted Dec 11, 2013 02:43 PM

    Not surprised... it's going EOL soon, so it's good to get them on 12.1, which IMO is much improved in terms of features and detection capabilities.



  • 5.  RE: An unusual pattern

    Posted Dec 11, 2013 02:45 PM

    The problem is, if the machines have the trust-relationship problem, SEPM cannot find them. I want to get them all, but I can't find them.



  • 6.  RE: An unusual pattern

    Posted Dec 11, 2013 02:45 PM

    What do you mean by "trust" relationship? AD?



  • 7.  RE: An unusual pattern

    Posted Dec 11, 2013 02:46 PM

    They usually manifest by taking huge amounts of bandwidth. That's how we know about them and are able to pinpoint the issue(s).



  • 8.  RE: An unusual pattern

    Posted Dec 11, 2013 02:47 PM

    Could be corrupt defs (due to the malware messing everything up).



  • 9.  RE: An unusual pattern

    Posted Dec 11, 2013 02:48 PM

    Agreed.



  • 10.  RE: An unusual pattern

    Posted Dec 11, 2013 02:53 PM

    An AD trust relationship has no relevance to communication between the SEP client and SEPM. The client will communicate as long as it can reach the SEPM.



  • 11.  RE: An unusual pattern

    Posted Dec 11, 2013 03:08 PM

    It will have relevance if I attempt to upgrade it and the PCs cannot be found.



  • 12.  RE: An unusual pattern

    Posted Dec 11, 2013 03:12 PM

    In that way, yes, it could, unless you know the domain/authentication; but assuming the malware affects that, then yeah, it could be an issue.

    Communication-wise, as long as clients can talk to the SEPM over 8014 it shouldn't matter.

    Have you seen credentials/domain being changed?
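    The two things debated above (is the machine's domain trust actually broken, and can the client still reach the SEPM on 8014?) can be checked on the suspect workstation without leaving the domain. The script below is an added example, not code from the thread or from Symantec; the SEPM hostname `sepm.example.local` is an assumption, and the service names `SmcService` and `SepMasterService` are the stock SEP 11.x/12.1 client services. Run it from an elevated PowerShell prompt on the workstation.

    ```powershell
    # Added example (not from the thread). Checks, on a suspect SEP client:
    #   1. the AD secure channel (the "trust relationship" error),
    #   2. whether the SEP client services are actually running,
    #   3. whether the SEPM is reachable on the client communication port.
    # $SepmHost is an assumption; replace with your SEPM. 8014 is the default port.
    $SepmHost = 'sepm.example.local'
    $SepmPort = 8014

    # 1. Domain membership and secure channel to a DC.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    "Computer: $($cs.Name)  Domain: $($cs.Domain)  PartOfDomain: $($cs.PartOfDomain)"
    $trustOk = Test-ComputerSecureChannel
    "Secure channel to DC OK: $trustOk"
    if (-not $trustOk) {
        # Repair in place instead of unjoining/rejoining (prompts for domain creds).
        # Uncomment to run:
        # Reset-ComputerMachinePassword -Credential (Get-Credential)
        "Secure channel broken: run Reset-ComputerMachinePassword (or Test-ComputerSecureChannel -Repair)"
    }

    # 2. SEP client services (SMC = management client, SepMasterService = AV engine).
    Get-Service -Name SmcService, SepMasterService -ErrorAction SilentlyContinue |
        Select-Object Name, Status |
        Format-Table -AutoSize

    # 3. Raw TCP reachability of the SEPM on 8014. This is independent of AD:
    #    a broken trust does not stop the client from talking to the manager.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($SepmHost, $SepmPort)
        "TCP ${SepmHost}:${SepmPort} reachable: $($tcp.Connected)"
    } catch {
        "TCP ${SepmHost}:${SepmPort} NOT reachable: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    ```

    If step 1 reports the secure channel as broken but step 3 succeeds, the machine will keep pulling definitions and heartbeating to the SEPM as the posts above say, while remote upgrade pushes that authenticate against the domain fail. Note that if the machine is later unjoined and rejoined, the SEPM keeps the old client record, so it can appear "missing" under the name you expect.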

     



  • 13.  RE: An unusual pattern

    Posted Dec 11, 2013 03:14 PM

    From time to time, I will see something go through my AD and lock out AD accounts alphabetically; they automatically unlock after about 15 minutes. I have never seen passwords or user accounts added or compromised.
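    Lockouts marching through accounts in alphabetical order usually come from one host enumerating the directory, and the lockout events on the PDC emulator name that host. The script below is an added example, not from the poster; it assumes the RSAT ActiveDirectory module for finding the PDC emulator (pass `-DomainController` explicitly otherwise) and that the caller reads the Security log remotely. In event 4740 the "Caller Computer Name" is carried in the `TargetDomainName` data field.

    ```powershell
    # Added example (not from the thread). Save as Find-LockoutSource.ps1 and run
    # from a domain-joined admin workstation. Lists, for the last N hours, which
    # computer triggered each account lockout and groups the locked accounts by source.
    param(
        # Lockouts are recorded on the PDC emulator. Default assumes the AD module.
        [string]$DomainController = (Get-ADDomain).PDCEmulator,
        [int]$Hours = 24
    )

    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740                       # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $lockouts = foreach ($e in $events) {
        # Parse the event XML so fields are addressed by name, not by index.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $data['TargetUserName']
            # For 4740, TargetDomainName holds the "Caller Computer Name":
            # the machine from which the bad passwords were submitted.
            Source  = $data['TargetDomainName']
        }
    }

    # One source locking out many accounts, listed alphabetically, is the
    # signature of a host brute-forcing its way down the user list.
    $lockouts |
        Group-Object -Property Source |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count,
            @{ Name = 'Accounts'; Expression = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
        Format-Table -AutoSize -Wrap
    ```

    The `Source` column is the machine to pull off the network and rebuild. Because the lockouts auto-release after the policy's lockout duration (the "about 15 minutes" in the post), nothing stays visibly broken, which is why this pattern is easy to dismiss until the lockout events are correlated by caller.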



  • 14.  RE: An unusual pattern

    Posted Dec 11, 2013 03:26 PM

    Whoa blush



  • 15.  RE: An unusual pattern

    Posted Jan 08, 2014 02:48 PM

    Ever figure this out?