Endpoint Protection


Virus Files that SEP doesn't catch

Migration User

Feb 15, 2012 06:12 AM

  • 1.  Virus Files that SEP doesn't catch

    Posted Feb 06, 2012 08:50 AM

    Hello,

    I'm using Symantec Endpoint Protection version 11.0.6 in my enterprise, with 3000 active users on it.

    So, I have a question about SEP's antivirus solution: there exist some kinds of viruses in our LAN which Symantec doesn't see and doesn't recognize as viruses. We've found these files not on two or four users' machines; they exist on almost half of the endpoint members.

    In general, the case deals with two virus files: ACC1.exe and Worm.Win32.Generic.

    As for ACC1.exe, I submitted this file to the Symantec Security Response team a long time ago, in December 2011, but with no results.

    I've also used the site virustotal.com to scan these two files and to make sure they are known as viruses. Symantec's fields in both cases are blank. The outcome is the following:



  • 2.  RE: Virus Files that SEP doesn't catch

    Posted Feb 06, 2012 09:03 AM

    Please submit these virus samples to Symantec. You may use the URLs below (the URL will change depending on the support which you purchased; you may refer to your license document for more details).

    https://submit.symantec.com/websubmit/retail.cgi

    https://submit.symantec.com/essential



  • 3.  RE: Virus Files that SEP doesn't catch

    Trusted Advisor
    Posted Feb 06, 2012 09:04 AM

    Hello,

    Did you submit these files to the Symantec Security Response Team?

    If yes, could you please PM me your Tracking #?

    An older thread is already open by you:

    https://www-secure.symantec.com/connect/forums/some-viruses-sep-110-was-omitted

    Hope that helps!!



  • 4.  RE: Virus Files that SEP doesn't catch

    Posted Feb 06, 2012 09:39 AM

    Let's start from the below.

    Yes, of course an older thread was already opened by me, but the problem still exists with this ACC1.exe file.

    As for submission of the file mentioned above, I submitted this file 2-3 months ago, but without results.

    I could send you a Tracking #; please see your PM.


    Thanks in advance,



  • 5.  RE: Virus Files that SEP doesn't catch

    Posted Feb 06, 2012 12:27 PM

    Hi

    Could you please help with the information below:

    1. The machine on which you suspect this threat, does it have a shared drive?
    2. What components of SEP are installed?
    3. Is it a DB server?
    4. Is this machine accessed by a group of users during production hours to save data or to access some files remotely?
    5. Is autorun.inf disabled on this machine?
    6. Is there any machine in the network which is out of definitions or self-managed?
    7. Any user accessing this suspected machine remotely? VPN users?
    8. Have you isolated this machine completely and scanned it using all SEP components with current defs on it, or with NSS?
    9. What do you see in processes? Do you see any specific process spiking up?


  • 6.  RE: Virus Files that SEP doesn't catch

    Posted Feb 07, 2012 04:07 AM

    Hi,

    1. The machine on which you suspect this threat, does it have a shared drive?

     -  No. A machine that has this virus doesn't have a shared drive.

    2. What components of SEP are installed?

     -  We use the following SEP components on all our machines: Antivirus, AntiSpyware, Firewall, IPS.

    3. Is it a DB server?

     - No.

    4. Is this machine accessed by a group of users during production hours to save data or to access some files remotely?

     - No.

    5. Is autorun.inf disabled on this machine?

     - No. It is not disabled.

    6. Is there any machine in the network which is out of definitions or self-managed?

     - The machines where this virus file is located all have the latest definitions. As for computers in the network that are out of definitions, we have approximately 5 percent of the whole 3000 machines in the LAN (they are dead computers).

    7. Any user accessing this suspected machine remotely? VPN users?

     - No.

    8. Have you isolated this machine completely and scanned it using all SEP components with current defs on it, or with NSS?

     - Yes.

    9. What do you see in processes? Do you see any specific process spiking up?

     - There are no specific processes spiking up or anything else.



  • 7.  RE: Virus Files that SEP doesn't catch

    Broadcom Employee
    Posted Feb 07, 2012 04:23 AM

    Have you submitted the files to the Symantec Security Response team?



  • 8.  RE: Virus Files that SEP doesn't catch

    Posted Feb 07, 2012 06:20 AM

    Hi Bagrationi,

    > 5. Is autorun.inf disabled on this machine?

    > - No. It is not disabled

    I really recommend that autorun be disabled. This will prevent the spread of many threats.

    Other best practices to keep your environment safe:

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Hope this helps!

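    As an added illustration of the "disable autorun" recommendation above (this script is not from the thread or from Symantec), the following PowerShell audits the Windows policy value that controls AutoRun and, with `-Enforce`, sets it. `NoDriveTypeAutoRun` is a bitmask of drive types excluded from AutoRun; `0xFF` excludes every type. The registry paths and value name are the documented Windows policy locations; the `-Enforce` switch and function name are this example's own.

```powershell
# Added example: audit (and optionally enforce) the AutoRun policy.
# NoDriveTypeAutoRun = 0xFF disables AutoRun for all drive types
# (removable, fixed, network, CD-ROM, RAM disk).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$ValueName = 'NoDriveTypeAutoRun'
$Desired   = 0xFF

# Returns the current mask, or $null when the value is absent.
function Get-AutoRunPolicy {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

foreach ($path in $PolicyPaths) {
    $current = Get-AutoRunPolicy -Path $path
    $state = if ($null -eq $current) { 'not set (AutoRun follows Windows defaults)' }
             elseif ($current -eq $Desired) { 'disabled for all drive types' }
             else { 'partially disabled, mask 0x{0:X2}' -f $current }
    Write-Output ('{0}\{1}: {2}' -f $path, $ValueName, $state)

    if ($Enforce -and $current -ne $Desired) {
        if ($PSCmdlet.ShouldProcess("$path\$ValueName", 'set to 0xFF')) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name $ValueName -Value $Desired -Type DWord
        }
    }
}
```

    Run it without arguments to see the current state on a machine; `-Enforce -WhatIf` shows what would change, and `-Enforce` applies it. Writing the HKLM key needs an elevated prompt, and the policy is read at logon, so a logoff or reboot is needed before it takes effect. In a managed environment the same value is normally pushed by Group Policy rather than per machine.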



  • 9.  RE: Virus Files that SEP doesn't catch

    Posted Feb 07, 2012 09:46 AM

    Mick is correct: disable autorun. Once disabled, unplug the network cable of this machine ("might have to do this off production hours") and scan the machine with SEP with all protection installed, "once unplugged from network".

    Reboot the machine once the scan is complete, connect to the network and observe the status.



  • 10.  RE: Virus Files that SEP doesn't catch

    Posted Feb 08, 2012 03:50 AM

    You can raise the case and speak with the on-duty manager; also, it shouldn't be that long before they release an update to clean the virus.

    From experience it would take 2-4 days maximum. Unless the threat infecting you is very specific with no known fix O o

    Sometimes the vulnerability does not come from M$; it may come from Adobe, Flash or a browser hole?



  • 11.  RE: Virus Files that SEP doesn't catch

    Posted Feb 08, 2012 09:38 AM

    Please check below and see if there is any other file hooked up with acc1.exe. I am sure this is not the only culprit; some other file is surely calling this exe to execute or remain in the system.

    Once found, please submit it to the Security Response team at submit.symatec.com\gold

    ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [[drive:] [path] filename] [/S [/D]]

    + Sets an attribute.
    - Clears an attribute.
    R Read-only file attribute.
    A Archive file attribute.
    S System file attribute.
    H Hidden file attribute.
    /S Processes files in all directories in the specified path.
    /D Process folders as well.
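    The post above suggests using `attrib` to look for files that hide themselves alongside acc1.exe. The following PowerShell triage script is an added example, not from the thread or from Symantec: it lists files carrying both the System and Hidden attributes outside the Windows directory (what `attrib /S` reports as `SH`), records every copy of the suspect file with its SHA-256 for submission, searches each `autorun.inf` for a reference to it, and checks the standard Run/RunOnce registry keys for an entry that names it. The file name `ACC1.exe` comes from the thread; the default roots, the `Add-Finding` helper and the output format are this example's assumptions.

```powershell
# Added example: find files hooked to a suspect executable the way post 11
# describes, and collect evidence for a Security Response submission.
# Requires PowerShell 4 or later (Get-FileHash, Get-ChildItem -File).
param(
    [string]$SuspectName = 'ACC1.exe',          # name from the thread
    [string[]]$Roots = @('C:\', 'D:\')          # assumed roots to sweep
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

$HiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Both S and H set outside %SystemRoot% is what attrib shows as "SH";
            # legitimate files rarely use that combination there.
            if ((($_.Attributes -band $HiddenSystem) -eq $HiddenSystem) -and
                ($_.FullName -notlike "$env:SystemRoot\*")) {
                Add-Finding 'HiddenSystemFile' $_.FullName ('{0} bytes, modified {1:u}' -f $_.Length, $_.LastWriteTime)
            }
            # Every copy of the suspect file, hashed so the copies can be compared.
            if ($_.Name -ieq $SuspectName) {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                Add-Finding 'SuspectFileCopy' $_.FullName "SHA256=$hash"
            }
            # autorun.inf files that point at the suspect file (the spread vector
            # post 8 warns about when AutoRun is enabled).
            if ($_.Name -ieq 'autorun.inf') {
                $hits = Select-String -Path $_.FullName -Pattern $SuspectName -SimpleMatch -ErrorAction SilentlyContinue
                if ($hits) {
                    Add-Finding 'AutorunInfReference' $_.FullName (($hits | ForEach-Object { $_.Line.Trim() }) -join '; ')
                }
            }
        }
}

# Persistence: Run/RunOnce values whose command line names the suspect file.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata such as PSPath
        if ("$($p.Value)" -match [regex]::Escape($SuspectName)) {
            Add-Finding 'RunKeyReference' "$key\$($p.Name)" "$($p.Value)"
        }
    }
}

$findings | Sort-Object Kind, Location | Format-Table -AutoSize
# To keep the evidence with the submission:
# $findings | Export-Csv -NoTypeInformation -Path .\suspect-triage.csv
```

    The `HiddenSystemFile` list will include some legitimate entries (`pagefile.sys`, recovery folders), so read it as leads rather than verdicts; the useful signal is a hidden/system executable sitting next to, or referenced from, an `autorun.inf` or a Run key. Run it from an elevated prompt so the sweep can read every directory, and on an isolated machine as post 9 advises.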


  • 12.  RE: Virus Files that SEP doesn't catch

    Posted Feb 09, 2012 10:43 AM

    PLEASE remove this thread's file attachment. NEVER post suspected malicious files to the forum.

    sandra

    ETA: clearly need more coffee. It's a PNG...  :-/



  • 13.  RE: Virus Files that SEP doesn't catch

    Posted Feb 15, 2012 06:12 AM

    Hi

    Can you please try the Power Eraser tool.