Endpoint Protection


W32.Downadup.B a.k.a Conficker

  • 1.  W32.Downadup.B a.k.a Conficker

    Posted Sep 14, 2010 05:36 AM

    Hi All,

     

    What's the current trend in worms/viruses now? This old virus keeps bugging me since I started handling SEPM.

    I know the solution (Microsoft KB), but updating each PC one by one would be a long process.

    I just wanted to know what's the best way to efficiently end this particular worm infection. E.g. say I have 1k PCs under the SEPM console with unknown Windows patch versions, etc.

    I regularly check the SEPM 'Risk logs' every 24 hrs, manually look up the PC hostname by IP using nbtstat -an xxx.xxx.xxx.xxx, and ask the local FE to clean the worm and update the Windows patches.

     

    regards



  • 2.  RE: W32.Downadup.B a.k.a Conficker

    Posted Sep 14, 2010 05:58 AM

    Have a look at this article. With the help of this you can find out which PCs are creating the problem in the network. Remove them from the network, update the OS patches and virus defs. You can also use the Downadup removal tool.

    Worms and threats that spread across networks by network shares have become more common in recent years, like Downadup/Conficker.



  • 3.  RE: W32.Downadup.B a.k.a Conficker

    Posted Sep 14, 2010 06:04 AM

    I think until you have the Microsoft patch installed on all the computers, you could make sure that all your computers have SEP installed and updated. SEP AV/AS, with updated definitions, would detect and clean any Downadup attack on the computer.

     



  • 4.  RE: W32.Downadup.B a.k.a Conficker

    Posted Sep 14, 2010 06:15 AM

    Say you have 10000 clients in your network, all patched up, with the latest defs and all components of SEP installed. You have one user who brings his laptop and connects it to the office network, and that laptop is not patched. This one laptop is capable of infecting the entire network.

    You will keep on getting annoying AP alerts saying that W32.Downadup was found; this is because SEP has a definition for the worm.

    Unless you have 100% of machines patched with the MS patch, your network is vulnerable to the Downadup worm.



  • 5.  RE: W32.Downadup.B a.k.a Conficker



  • 6.  RE: W32.Downadup.B a.k.a Conficker

    Posted Sep 14, 2010 11:44 AM

    Well, since this worm takes advantage of security holes in the OS, your best bet is pretty much to patch all your OSes. Otherwise it can still get by your AV solution.


    Title: 'Simple steps to protect yourself from the Conficker Worm'
    Document ID: 2009033012483648
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648?Open&seg=ent
     



  • 7.  RE: W32.Downadup.B a.k.a Conficker

    Posted Sep 22, 2010 04:13 AM

    Hi All,

    Thanks for the inputs, I'm still fighting this worm. Gonna be a long fight..

     

    regards



  • 8.  RE: W32.Downadup.B a.k.a Conficker

    Posted Nov 08, 2010 10:51 PM

    Hi All,

    Just a suggestion: why doesn't SEP integrate a built-in menu or submenu for admins to be able to check the Windows patches of any PC with SEP installed? (how to rephrase this one better?)

     

    So far I'm using systeminfo in cmd to check each PC's patches manually. Any other suggestions?

     

    regards



  • 9.  RE: W32.Downadup.B a.k.a Conficker

    Posted Nov 08, 2010 11:10 PM

    In fact there is another product from Symantec, SNAC, which can be integrated with SEP and can be managed from the same console. Using this you can even restrict PCs from connecting to the production network if they do not have the required OS patches. For more info refer to this article:

     

     

    What all can you do with Symantec Network Access Control?



  • 10.  RE: W32.Downadup.B a.k.a Conficker

    Posted Nov 08, 2010 11:14 PM

    I see... hmm, too bad it's in SNAC... they should bundle it together in the future.

     

    Thanks for the info!



  • 11.  RE: W32.Downadup.B a.k.a Conficker

    Broadcom Employee
    Posted Nov 08, 2010 11:43 PM

    The SNAC component is installed within the SEP product; you need to purchase the SNAC license to activate it :-)



  • 12.  RE: W32.Downadup.B a.k.a Conficker

    Posted Nov 09, 2010 12:23 AM

    I think a bundle is already available for purchase. You may check with the sales dept..



  • 13.  RE: W32.Downadup.B a.k.a Conficker

    Posted Nov 09, 2010 03:03 AM

    Well, actually I don't want SNAC; it's the component inside SNAC that interests me:

     

    Patch Requirement - With this requirement you can check whether a specific patch is installed on a Windows system or not. If it is not installed, you can direct the user to where they can install this patch. It checks for each patch by Microsoft KB number (e.g. KB958644 for MS08-067); you must create a single HI requirement for each patch to check. Most customers use a custom check for a build number or patch mgmt flag to check the overall patch level. The Windows operating systems supported are the Windows 2000 family, Windows XP family, Windows Vista family, Windows 2003 family and Windows 2008 family.

    Service Pack Requirement - Is used to create a Host Integrity rule to check that a particular operating system service pack is installed on client computers. If not, options are provided to download and install the service pack to remediate the system. The Windows operating systems supported are the Windows 2000 family, Windows XP family, Windows Vista family, Windows 2003 family and Windows 2008 family.

     

    I mean, it would be great if SEPM included a panel or sub-panel to view which PC is updated to which KB and which PC is not..

    It's rather for monitoring purposes, since Windows patching is required to avoid certain threats.



  • 14.  RE: W32.Downadup.B a.k.a Conficker

    Posted Nov 09, 2010 04:58 AM

    Hi Cus000,

    Here are a few recommendations that may help speed your fight:

    >I just wanted to know, what's the best way to efficiently end this particular worm infection. E.g say i have 1k PCs under SEPM console with unknown windows patch version etc

    Keeping all computers on the network updated with the latest patches is absolutely crucial. I recommend using the Microsoft Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184924.aspx) to determine patch levels in your organization.

    There are numerous non-MS vulnerability scanners and auditing suites that can also scan the network and determine patch levels. I really do recommend, as a top priority, finding out the current situation and then taking steps so that patches are applied and kept up to date. MS have a tool called WSUS which can automate that updating. (http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx)

    Keep in mind, though, that exploiting that MS vulnerability is only one method by which W32.Downadup can spread. It is also important to ensure that autoruns and network shares are locked down, strong passwords are implemented throughout the organization, and that an IDS program is used to detect and block suspicious network traffic before infection can spread to any potentially undefended computers. Symantec's write-up for the threat has the full details.

    Final general recommendation: http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

    Please let the forum community know if these tools and techniques help!

    Thanks and best regards,

    Mick
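Added example (not code from the thread, from Symantec, or from Microsoft): a PowerShell script that does from the admin workstation what the original poster is doing by hand with systeminfo (post 8) and what the SNAC Host Integrity "Patch Requirement" does for one KB (post 13): for every host in a list it reports whether KB958644, the MS08-067 fix, is installed and what the machine-wide Autorun policy is (the lockdown Mick mentions in post 14), and writes a CSV to hand to the local FEs. Assumed and hypothetical: the file hosts.txt with one hostname per line, an account with admin rights on the targets, and WMI (RPC) plus the Remote Registry service reachable on them. The KB number, the Win32_QuickFixEngineering class and the NoDriveTypeAutoRun value are real; the script and its file names are illustrative.

```powershell
<#
Audit a list of Windows hosts for exposure to W32.Downadup/Conficker:
  - is KB958644 (MS08-067) installed?
  - is Autorun disabled for all drive types?
Assumptions (hypothetical): hosts.txt holds one hostname per line; you run
this with admin rights on the targets; WMI and Remote Registry are reachable.
#>
param(
    [string]$HostList = 'hosts.txt',
    [string]$Report   = 'conficker-exposure.csv'
)

$Kb = 'KB958644'   # MS08-067: the Server service hole W32.Downadup spreads through

# 0xFF in NoDriveTypeAutoRun disables Autorun for every drive type. On XP/2003 the
# value is only honoured for autorun.inf once KB967715 is installed as well, so a
# value of 0xFF here confirms the policy, not that the host also has that update.
$AutorunAllOff = 0xFF

function Test-ConfickerExposure {
    param([string]$Computer)

    $row = New-Object PSObject -Property @{
        Computer      = $Computer
        Reachable     = $false
        HasKB958644   = $null
        AutorunPolicy = $null
        Note          = ''
    }

    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        $row.Note = 'no ping reply'
        return $row
    }
    $row.Reachable = $true

    # Win32_QuickFixEngineering is the same data systeminfo prints under "Hotfix(s)".
    try {
        $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $Computer -ErrorAction Stop
        $row.HasKB958644 = [bool]($qfe | Where-Object { $_.HotFixID -eq $Kb })
    } catch {
        $row.Note = "WMI failed: $($_.Exception.Message)"
    }

    # Read the machine-wide Autorun policy through the Remote Registry service.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')
        if ($key) { $row.AutorunPolicy = $key.GetValue('NoDriveTypeAutoRun') }
        $hklm.Close()
    } catch {
        $row.Note += " Registry failed: $($_.Exception.Message)"
    }
    return $row
}

$results = Get-Content $HostList | ForEach-Object { Test-ConfickerExposure -Computer $_ }
$results | Export-Csv -Path $Report -NoTypeInformation

# Hosts to send to the FEs first: reachable, but unpatched or with Autorun still on.
# A missing policy value counts as "Autorun on", which is why $null is flagged too.
$results |
    Where-Object { $_.Reachable -and ($_.HasKB958644 -ne $true -or $_.AutorunPolicy -ne $AutorunAllOff) } |
    Format-Table Computer, HasKB958644, AutorunPolicy, Note -AutoSize
```

Run it as `.\Test-ConfickerExposure.ps1 -HostList hosts.txt` from a workstation that can reach the clients; the CSV is the "which PC is updated to which KB" view the original poster was asking SEPM for. Two caveats a practitioner should keep in mind: a present KB only shows the MS08-067 vector is closed, not that the host is clean (the worm also spreads over shares and removable media, as Mick notes), and hosts that fail the WMI or registry calls still need a look, since an unreachable management interface is not the same as a patched machine.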