
Virus Files that SEP doesn't catch

Created: 06 Feb 2012 • Updated: 06 Feb 2012 | 12 comments

Hello,

I'm using Symantec Endpoint Protection version 11.0.6 in my enterprise, with 3000 active users on it.

So, I have a question about SEP's antivirus solution: there exist some kinds of viruses in our LAN which Symantec doesn't see and doesn't recognize as viruses. We've found these files not on two or four users' machines; they exist on almost half of the endpoint members.

In general, the case deals with two virus files: ACC1.exe and Worm.Win32.Generic.

As for ACC1.exe, I submitted this file to the Symantec Security Response team a long time ago, in December 2011, but with no results.

I've also used the site virustotal.com to scan these two files and to ensure they are known as viruses. Symantec's fields in both cases are blank. The outcome is the following:

AravindKM

Please submit these virus samples to Symantec. You may use the URLs below (the URL will change depending on the support you purchased; you may refer to your license document for more details):

https://submit.symantec.com/websubmit/retail.cgi

https://submit.symantec.com/essential 

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards, Aravind

Mithun Sanghavi

Hello,

Did you submit these files to the Symantec Security Response Team?

If yes, could you please PM me your Tracking #?

An older thread was already opened by you:

https://www-secure.symantec.com/connect/forums/some-viruses-sep-110-was-omitted

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

bagrationi

Let's start from the below.

Yes, of course an older thread was already opened by me, but the problem still exists with this ACC1.exe file.

As for the submission of the file mentioned above, I submitted it 2-3 months ago, but without results.

I could send you a Tracking #; please see your PM.

Thanks in advance,

Swapnil khare

Hi,

Could you please help with the information below:

  1. The machine on which you suspect this threat: does it have a shared drive?
  2. What components of SEP are installed?
  3. Is it a DB server?
  4. Is this machine accessed by a group of users during production hours to save data or to access some files remotely?
  5. Is autorun.inf disabled on this machine?
  6. Is there any machine in the network which is out of definitions or self-managed?
  7. Is any user accessing this suspected machine remotely? VPN users?
  8. Have you isolated this machine completely and scanned it using all SEP components with current defs on it, or with NSS?
  9. What do you see in processes? Do you see any specific process spiking up?

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

bagrationi

Hi,

1. The machine on which you suspect this threat: does it have a shared drive?
 - No. A machine that has this virus doesn't have a shared drive.

2. What components of SEP are installed?
 - We use the following SEP components on all our machines: Antivirus, AntiSpyware, Firewall, IPS.

3. Is it a DB server?
 - No.

4. Is this machine accessed by a group of users during production hours to save data or to access some files remotely?
 - No.

5. Is autorun.inf disabled on this machine?
 - No. It is not disabled.

6. Is there any machine in the network which is out of definitions or self-managed?
 - The machines where this virus file is located all have the latest definitions. As for computers in the network that are out of definitions, we have approximately 5 percent of the whole 3000 machines in the LAN (they are dead computers).

7. Is any user accessing this suspected machine remotely? VPN users?
 - No.

8. Have you isolated this machine completely and scanned it using all SEP components with current defs on it, or with NSS?
 - Yes.

9. What do you see in processes? Do you see any specific process spiking up?
 - There is no specific process spiking up or anything else.

pete_4u2002

Have you submitted the files to the Symantec Security Response team?

Mick2009

Hi Bagrationi,

> 5. Is autorun.inf disabled on this machine?

> - No. It is not disabled

I really recommend that autorun be disabled. This will prevent the spread of many threats.

Other best practices to keep your environment safe:

http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Hope this helps!

With thanks and best regards,

Mick

Swapnil khare

Mick is correct: disable autorun. Once disabled, unplug the network cable of this machine ("might have to do this off production hours") and scan the machine with SEP with all protection installed ("once unplugged from the network").

Reboot the machine once the scan is complete, connect to the network and observe the status.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
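The autorun change Mick and Swapnil recommend can be made on a single machine with the script below. It is an added example for this thread, not a script from Symantec or from any of the posters. It writes the documented Explorer policy value NoDriveTypeAutoRun = 0xFF, which turns AutoRun off for every drive type, and then verifies the value it wrote; the function names are mine, and the script assumes an elevated PowerShell session.

```powershell
# Added example, not from the thread: disable AutoRun on every drive type through the
# Explorer policy key, which is the change recommended in the replies above.
# NoDriveTypeAutoRun = 0xFF is the documented value that turns AutoRun off for all
# drive types. Run from an elevated (Administrator) PowerShell session.

$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName    = 'NoDriveTypeAutoRun'
$AllDrivesOff = 0xFF

function Get-AutoRunPolicy {
    # Returns the current policy value, or $null when the value has never been set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Disable-AutoRun {
    # Creates the policy key if it is missing, then writes the all-drives-off value.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrivesOff -Type DWord
}

function Test-AutoRunDisabled {
    # True only when every drive-type bit is set, i.e. AutoRun is off everywhere.
    $current = Get-AutoRunPolicy
    return ($null -ne $current) -and (($current -band $AllDrivesOff) -eq $AllDrivesOff)
}

$before = Get-AutoRunPolicy
if ($null -eq $before) { $before = 'not set' }
Disable-AutoRun
Write-Host ("{0} before: {1}; after: {2}; AutoRun disabled: {3}" -f `
    $ValueName, $before, (Get-AutoRunPolicy), (Test-AutoRunDisabled))
```

The value is read by Explorer at logon, so a logoff or reboot (as in the procedure above) is needed before it takes effect. For a fleet the size of the one in this thread the same setting is normally pushed from a domain Group Policy ("Turn off Autoplay" under Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies) rather than run per machine; the script is useful for the isolated machine being cleaned and for checking that the policy actually landed.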

sandra.g

PLEASE remove this thread's file attachment. NEVER post suspected malicious files to the forum.

sandra

ETA: clearly need more coffee. It's a PNG...  :-/

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help

cus000

You can raise the case and speak with the on-duty manager; also, it shouldn't be that long before they release an update to clean the virus.

From experience it would take 2-4 days maximum, unless the threat infecting you is very specific with no known fix. O o

Sometimes the vulnerability does not come from M$; it may come from an Adobe, Flash or browser hole?

Swapnil khare

Please check below and see if there is any other file hooked up with acc1.exe. I am sure this is not the only culprit; some other file is surely calling this exe to execute or remain in the system.

Once found, please submit it to the Security Response team at submit.symatec.com\gold

ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [[drive:][path]filename] [/S [/D]]

+   Sets an attribute.
-   Clears an attribute.
R   Read-only file attribute.
A   Archive file attribute.
S   System file attribute.
H   Hidden file attribute.
/S  Processes files in all directories in the specified path.
/D  Processes folders as well.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
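The check Swapnil describes above, walking the disk for hidden and system files that may be launching acc1.exe, can be done in one pass with the script below. It is an added example for this thread, not a script from Symantec or from the poster. It lists files that carry both the Hidden and System attributes (the "SH" combination an ATTRIB /S walk shows), records a SHA-256 for each so a sample can be submitted or looked up, and flags any file whose body mentions the suspect name. $Root, $Suspect, the extension list and the function names are assumptions for illustration; the script assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated session so that all paths are readable.

```powershell
# Added example, not from the thread: enumerate files that carry both the Hidden and
# System attributes, hash them for submission, and flag any that mention the suspect
# file by name. $Root, $Suspect and the extension list are assumptions for illustration.
# Requires PowerShell 4.0 or later for Get-FileHash; run elevated to read all paths.

param(
    [string]$Root    = 'C:\',
    [string]$Suspect = 'acc1.exe'
)

$HiddenSystem = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System
# Extensions that can execute or trigger execution on a Windows client (assumed list).
$Interesting  = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.inf', '.lnk'

function Get-HiddenSystemFiles {
    # Files under $Path whose attributes include both Hidden and System.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $HiddenSystem) -eq $HiddenSystem) -and
            ($Interesting -contains $_.Extension.ToLower())
        }
}

function Test-ReferencesSuspect {
    # Cheap static check: does the file body contain the suspect name as plain text?
    param([string]$FilePath, [string]$Name)
    $hit = Select-String -Path $FilePath -Pattern ([regex]::Escape($Name)) -Quiet -ErrorAction SilentlyContinue
    return [bool]$hit
}

$report = Get-HiddenSystemFiles -Path $Root | ForEach-Object {
    [pscustomobject]@{
        Path         = $_.FullName
        Attributes   = $_.Attributes
        LastWrite    = $_.LastWriteTime
        SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        NamesSuspect = Test-ReferencesSuspect -FilePath $_.FullName -Name $Suspect
    }
}

# Newest first: a recently written hidden+system executable is the one to look at.
$report | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Legitimate Windows files also carry the Hidden and System attributes, so the list is a starting point for triage, not a verdict; the SHA-256 column is what to quote when submitting a sample or comparing against a scan result, and the NamesSuspect check only catches the name stored as plain single-byte text (a UTF-16 string inside a binary will not match), so a file that shows False can still be the launcher.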