Endpoint Protection Small Business Edition

  • 1.  W32.downadup.B help -- Network cleansing

    Posted May 11, 2010 11:42 AM
    Here is our setup and the problem being experienced:
    3 servers, roughly 54 computers running on the network

    One of the servers is recording attacks from W32.Downadup.B, about 30-50 a day from various computers. The virus is stopped and deleted before it can infect the server.
    The problem I'm running into is that when I scan and go through the computers that the attacks are originating from in the SEP log, the computers are coming up as clean and uninfected.

    It appears as though the virus isn't installed on any computers, but part of it is bouncing around the network still attempting to install.

    About two months ago a full manifestation of the virus hit a computer on our network, and I went through and cleaned it out myself via registry changes and file deletion.
    I've been updating and scanning for about two days now and feel hung up; any help would be greatly appreciated.


  • 2.  RE: W32.downadup.B help -- Network cleansing
    Best Answer

    Posted May 11, 2010 11:49 AM
    Have you tried enabling "Risk tracer" located in the SEP manager?
    Risk Tracer can be extremely useful in informing what computers to isolate and scan.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/be1edccb0e39927280257363003a2bb3?OpenDocument


  • 3.  RE: W32.downadup.B help -- Network cleansing

    Posted May 11, 2010 12:04 PM
    That was exactly what I needed. I'm still working my way to familiarity with the program, and that led me directly to the files that weren't being caught so I could manually take them out. I'll update later to see if it worked in a long-term sense, but all of the risk locations have been cleaned and are now being rescanned.


  • 4.  RE: W32.downadup.B help -- Network cleansing

    Posted May 11, 2010 03:58 PM

    One of the computers appears to now be clean. The problem I'm running into is with one whose attack source isn't staying.

    The location is a file in System32 called "xlwpdmbp.rmf".

    When I search for the file it's not there, so I'm wondering if it's being generated each attack, then deleted by Symantec when sent out.
    I've simply disconnected that computer from our network for the moment to see if any other sources pop up in its absence.
    Also, Symantec and McAfee scans both found System32 to be clean even though it traces the route of the attack back there.



    Edit: Not sure if this matters, but whereas many of the attacks are from the SYSTEM user, the ones off this computer are using login names of people on the network, ones who I believe have used the computer in the past but whose information I've made sure was deleted from the hard drive.
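    Editor's note: the post above describes a file in System32 ("xlwpdmbp.rmf") that Risk Tracer points at but that is gone by the time anyone searches for it. The script below is an added example, written for this page and not posted by anyone in the thread nor provided by Symantec or McAfee; it watches System32 for files whose names follow the same shape (eight lowercase letters, three-letter extension) and records size, owner and SHA-256 the moment one appears, so there is something to look at even after the file is deleted. The name pattern, the log path under %TEMP% and the 60-minute run time are assumptions; adjust them to whatever your own SEP log shows. Run it from an elevated PowerShell session on the suspect machine.

```powershell
# Added example (not from the original thread or any vendor): catch short-lived files in
# System32 that match the random-name shape reported above and log their details before
# they disappear. Assumptions: elevated session; pattern, log path and duration are guesses.

$watchPath   = Join-Path $env:SystemRoot 'System32'
$logFile     = Join-Path $env:TEMP 'system32-transient.log'
$namePattern = '^[a-z]{8}\.[a-z]{3}$'   # matches xlwpdmbp.rmf; widen if your log shows other shapes
$runMinutes  = 60                        # assumed watch window

function Get-FileDetail {
    param([string]$Path)
    # Read everything in one pass: the file may be gone before a second call gets to it.
    $info  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $owner = (Get-Acl -Path $Path -ErrorAction SilentlyContinue).Owner
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    # FileShare ReadWrite so we can still open the file while another process holds it.
    $fs    = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
    "{0} bytes`towner={1}`tsha256={2}`tmodified={3}" -f $info.Length, $owner, $hash, $info.LastWriteTime
}

function Write-Log {
    param([string]$Kind, [string]$Path, [string]$Detail)
    Add-Content -Path $logFile -Value ("{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $Kind, $Path, $Detail)
}

# 1. Anything matching the pattern that is already sitting on disk right now.
Get-ChildItem -LiteralPath $watchPath -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $namePattern } |
    ForEach-Object {
        try   { Write-Log 'EXISTING' $_.FullName (Get-FileDetail $_.FullName) }
        catch { Write-Log 'EXISTING' $_.FullName ("unreadable: " + $_.Exception.Message) }
    }

# 2. Files that appear and vanish between scans. The handler runs in its own scope, so
#    everything it needs (pattern, log path, the detail function) is passed via MessageData.
$watcher = New-Object System.IO.FileSystemWatcher $watchPath, '*.*'
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'

$handler = {
    $data = $Event.MessageData
    $ea   = $Event.SourceEventArgs
    if ($ea.Name -notmatch $data.Pattern) { return }   # ignore normal System32 churn
    $detail = ''
    if ($ea.ChangeType -ne 'Deleted') {
        try   { $detail = & $data.GetDetail $ea.FullPath }
        catch { $detail = "unreadable: " + $_.Exception.Message }
    }
    Add-Content -Path $data.Log -Value ("{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $ea.ChangeType, $ea.FullPath, $detail)
}

$data = @{ Pattern = $namePattern; Log = $logFile; GetDetail = ${function:Get-FileDetail} }
foreach ($ev in 'Created', 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $ev -SourceIdentifier "Sys32Watch-$ev" `
        -Action $handler -MessageData $data | Out-Null
}
$watcher.EnableRaisingEvents = $true
Write-Host "Watching $watchPath for $runMinutes minutes; log: $logFile"

# Wait-Event lets registered actions run while we idle; Ctrl+C ends the watch early.
$deadline = (Get-Date).AddMinutes($runMinutes)
while ((Get-Date) -lt $deadline) { Wait-Event -Timeout 5 | Out-Null }

$watcher.EnableRaisingEvents = $false
foreach ($ev in 'Created', 'Changed', 'Renamed', 'Deleted') { Unregister-Event -SourceIdentifier "Sys32Watch-$ev" }
Get-Content $logFile
```

    The owner column is worth comparing against the login names the server log shows for this machine: a file created by a process running as one of those accounts will carry that account as its owner, while files created by a service show SYSTEM or an administrators group. The SHA-256 gives you something to submit or search for even though the file itself is gone.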