Endpoint Protection

Users are sending/receiving repetitious e-mails

  • 1.  Users are sending/receiving repetitious e-mails

    Posted May 12, 2014 11:00 AM

    I have users that are sending thousands of e-mails. We think there was some kind of infection that caused this. I do not see anything in the SEPM that registers these machines to be infected. I would like to know if there is some way this can be caught/stopped using SEP?

     

    We are using Outlook 2007 and Exchange 2003



  • 2.  RE: Users are sending/receiving repetitious e-mails

    Posted May 12, 2014 11:01 AM

    Also, I am wondering what could have happened to cause this.



  • 3.  RE: Users are sending/receiving repetitious e-mails

    Posted May 12, 2014 11:04 AM

    Yep, use the firewall to block the port. It should also show the process name doing the sending.

    Another quickie is to do a netstat or use tcpview to see what's going on. Assuming it's over port 25, should be easy to spot.
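
The netstat check suggested in the reply above, as an added example that is not part of the original thread: it parses `netstat -ano` output and groups TCP connections to remote port 25 by owning PID. The sample output, all addresses, and the `allowed_relays` parameter (here standing in for the site's own mail server) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1700
  TCP    10.0.0.21:49210        10.0.0.5:1025          ESTABLISHED     3120
  TCP    10.0.0.21:49344        203.0.113.10:25        ESTABLISHED     4812
  TCP    10.0.0.21:49345        198.51.100.7:25        SYN_SENT        4812
  TCP    10.0.0.21:49346        198.51.100.9:25        TIME_WAIT       0
  TCP    10.0.0.21:49400        10.0.0.5:25            ESTABLISHED     2260
  TCP    [::1]:49500            [::1]:25               ESTABLISHED     2260
  UDP    0.0.0.0:5355           *:*                                    1204
"""

# TCP rows only: proto, local endpoint, foreign endpoint, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def outbound_smtp(netstat_text, smtp_port=25, allowed_relays=()):
    """Map PID -> [(remote_addr, state)] for TCP connections whose *foreign*
    port is smtp_port and whose remote host is not an approved relay.
    allowed_relays is a hypothetical allow-list of the site's mail servers."""
    hits = defaultdict(list)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header, UDP rows, blank lines
        _local, foreign, state, pid = m.groups()
        addr, port = split_endpoint(foreign)
        if port != smtp_port:
            continue  # also skips local listeners, whose foreign port is 0
        if addr in allowed_relays:
            continue  # mail handed to the approved server is expected
        hits[int(pid)].append((addr, state))
    return dict(hits)

if __name__ == "__main__":
    relays = ("10.0.0.5", "::1")  # assumed internal mail server and loopback
    for pid, conns in outbound_smtp(SAMPLE, allowed_relays=relays).items():
        print(pid, conns)
```

Rows reported under PID 0 are `TIME_WAIT` sockets whose owning process has already exited, so netstat alone cannot name the sender for them; any other PID can be resolved with `tasklist /FI "PID eq <pid>"`.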



  • 4.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 06:36 AM

    Hi Bryan S,

    A couple questions.... are the mails going out through Outlook/Exchange?  Or being sent by some small stand-alone SMTP engine?  Have you seen any of these mails - are they spam content?

     

    If you are using the optional SEP mail plug-ins, this article may be of interest...

     

    Many unexpected pop-up messages from the client email plugin appear
    http://www.symantec.com/docs/TECH122425
     

    Perform a SymHelp with Threat Analysis scan on one of the computers that is sending the unexpected mails.  Does anything suspicious appear?

    Please do keep this thread up-to-date with your progress!

    Mick



  • 5.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 08:21 AM

    Yes, this is on an Exchange 2003 Server, Outlook 2007 platform.

    We do not use the Outlook extension of SEP because it was causing other issues.



  • 6.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 09:09 AM

    The threat analysis came back completely clean. I do not think this is a process that is initiated from the user's workstation.



  • 7.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 09:28 AM

    If you do a netstat can you see the port/process doing the sending?



  • 8.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 09:30 AM

    We turn the e-mail off overnight, then it stops. But this is becoming a serious issue as it leads to us getting blacklisted :-(



  • 9.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 09:44 AM

    Do you have the firewall running or at least the component installed for this box?

    You can create a log only rule to do some checking



  • 10.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 09:53 AM

    No FW, and no SEP Outlook component...

    Here is what MWB found

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.05.13.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514

    5/13/2014 8:48:25 AM
    MBAM-log-2014-05-13 (09-48-52).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 321792
    Time elapsed: 49 minute(s), 34 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 9
    HKCR\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> No action taken.
    HKCR\IEHlprObj.IEHlprObj.1 (Trojan.FakeAlert) -> No action taken.
    HKCR\IEHlprObj.IEHlprObj (Trojan.FakeAlert) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CE7C3CF0-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE7C3CF0-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> No action taken.
    HKCR\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> No action taken.
    HKCR\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> No action taken.
    HKLM\SYSTEM\CurrentControlSet\Services\KSDSVC (Trojan.Agent) -> No action taken.

    Registry Values Detected: 2
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\WINDOWS\SYSTEM32\IEHELPER.DLL (Trojan.FakeAlert) -> Data: 1 -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|1 (Trojan.Agent.Gen) ->

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Windows\System32\IEHelper.dll (Trojan.FakeAlert) -> No action taken.
    C:\Windows\SysWOW64\IEHelper.dll (Trojan.FakeAlert) -> No action taken.
    C:\Program Files (x86)\Kingsoft\PowerWord PE\ksdsvc.exe (Trojan.Agent) -> No action taken.

    (end)



  • 11.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 10:57 AM

    Did you manually remove those?



  • 12.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 11:12 AM

    A couple of them were necessary to keep, so I unchecked them, the others I let MWB take care of.



  • 13.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 11:22 AM

    Do you have access to an "infected" box?



  • 14.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 12:46 PM

    I think one more may be messed up, one thing that puzzled me is that the person who was sending like this, was doing so a week after a person in their department did the same a week earlier.

     



  • 15.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 02:25 PM

    Here is the body of the e-mail

    Compensation Cheque payment of €1,859,000 EUR. Please Send your Name, Address, City, State, Zip Code, Country and telephone number to (ups.cc.ng@dgoh.org



  • 16.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 02:27 PM

    Do you have access to the machine? You can run wireshark on it and sniff the traffic to figure out what process is doing it. Then you can submit the file.



  • 17.  RE: Users are sending/receiving repetitious e-mails

    Posted May 13, 2014 02:28 PM

    Next report I get, I will take that approach



  • 18.  RE: Users are sending/receiving repetitious e-mails
    Best Answer

    Posted May 14, 2014 04:22 AM

    Wow, I can get €1,859,000 EUR just by sending in my personal details?  Is this offer open to everyone?  Let me grab my check book in case there are any advance fees that must be paid.... &: )

    Definitely spambot activity somewhere in your network, I would say.  If you have Exchange mailserver, is there a mail security product active on it?  If not, I recommend putting SMSMSE onto it.  There is a free trial and the install should take only a few minutes.

     https://www4.symantec.com/Vrt/offer?a_id=20032

     

    Trialware Download: Symantec Mail Security for Microsoft Exchange


    Symantec™ Mail Security for Microsoft Exchange combines Symantec™ AntiVirus with advanced heuristics to provide real-time email protection against viruses, spyware, phishing, and other malicious attacks while enforcing content filtering policies on Microsoft® Exchange Server 2007, 2010 and 2013. In addition, Mail Security leverages Symantec™ Premium AntiSpam, powered by Brightmail technology, to stop 99 percent of incoming spam with less than 1 in 1 million false positives. It supports Hosted, Microsoft® Hyper-V, or VMWare® virtualized Exchange server environments. Symantec Mail Security for Microsoft Exchange complements other layers of protection by preventing the spread of email borne threats and enforcing data loss prevention policies.

    Support for 64 bit Windows and Virtualized Exchange server environments, centralized management, clustering, hyper-threading and in-memory scanning ensures Symantec Mail Security is optimized for your environment and minimizes cost of ownership. Initial setup can be completed within 10 minutes, with no requirements for tuning, allow listing, or block listing.

    New Features:

    • Support for Microsoft Exchange 2013 and Microsoft® Hosted Exchange environments
    • Out-of-the-box content filtering templates for protection against data loss
    • Improved anti-malware and anti-spam effectiveness through advanced heuristics
    • Improved manageability with full message quarantine
    • Up to 30 percent performance improvement for mailbox scanning
    • Microsoft® Systems Center Operation Manager 2007 R2 support for Exchange 2007 and Exchange 2010
    • Continuous protection with lightweight scanning


    Symantec Mail Security is also a component of the Symantec Protection Suite, which complements other layers of protection by preventing the spread of email borne threats internally and by serving as a first line of defense from threats in mail stores and in case of perimeter failure.

     

    Outgoing mails are not scanned for spam, if I remember correctly, but they are scanned for viruses and threats.  Make sure your organization is not sending out Trojan.zbot and other mail-circulated malware!  That would be even worse than spam.

    Hope this helps!

    Mick

     



  • 19.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 07:54 AM

    This was a funny and very informative post, I think we already DO use SMSMSE, not sure what is going wrong here. May need to escalate this to that dept in Symantec and to my Exchange admin.

    Thank you Mick!!!



  • 20.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 08:33 AM

    I didn't see much in the way of Exchange 2003, I know it's old, but it's what we have.



  • 21.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 08:41 AM

    Try enabling the Outlook scanning plugin within SEP for the affected client(s).



  • 22.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 08:42 AM

    I tried, but did not even see it as a selectable option.



  • 23.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 08:52 AM

    Should be in the AV policy under Microsoft Outlook Auto-Protect



  • 24.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:22 AM

    We took that away, because it was causing issues with Outlook, it was quite a while ago, so I cannot remember why we took it away.



  • 25.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:28 AM

    OK, Created a new group with the policy enabled and added a few workstations to the group, including my own. I want to stress test this before going full blown.



  • 26.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:29 AM

    That plugin has been problematic in the past for me as well...



  • 27.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:45 AM

    Maybe it's better in the newer versions?



  • 28.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:46 AM

    No clue but I'll be testing again when we go to RU4 Mp1



  • 29.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:47 AM

    Checking my HD Database

    Entered on 07/23/2013 at 13:42:35 by User:
    My e-mail keeps freezing up, and will not let me respond until I close it all down and
    restart it. Please check and advise. Thanks...

    Entered on 07/23/2013 at 14:26:51 by Bryan:
    Deleted extend.dat and removed the Outlook plugin in that uses SEP.



  • 30.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:48 AM

    That's the version I am using now



  • 31.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:52 AM

    Then I'll rely on you partly to help test cheeky



  • 32.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 09:52 AM

    Sounds right.....



  • 33.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 01:33 PM

    I think part of the problem was, we had Symantec Mail Security for Microsoft Exchange AND the plugin running at the same time.



  • 34.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 01:38 PM

    That's a no-no



  • 35.  RE: Users are sending/receiving repetitious e-mails

    Posted May 14, 2014 01:43 PM

    Symantec Mail Security for Microsoft Exchange is long gone though. Boss said it was filtering WAY too much...



  • 36.  RE: Users are sending/receiving repetitious e-mails

    Posted May 20, 2014 10:38 AM

    It's more than likely that a rootkit was the cause of this. Next time this happens, I am simply going to have a user change their Windows password to see if it may be something that an adjustment to authentication can correct.



  • 37.  RE: Users are sending/receiving repetitious e-mails

    Posted May 20, 2014 10:40 AM

    Not if already infected :)



  • 38.  RE: Users are sending/receiving repetitious e-mails

    Posted May 20, 2014 10:42 AM

    Party pooper. :-)



  • 39.  RE: Users are sending/receiving repetitious e-mails

    Posted May 20, 2014 11:00 AM

    That's my job!