Endpoint Protection


W32.Downadup.B Removal


ℬrίαη, Sep 21, 2012 05:03 PM

  • 1.  W32.Downadup.B Removal

    Posted Jun 19, 2012 11:41 PM

    My network was affected with W32.Downadup.B. I disabled System Restore and ran the full system scan, but it still pops up the virus-detected message. I'm using Symantec Endpoint Protection 11.0.2 on Windows 2008 R2 servers and Win7 clients. Any help?


    I've checked the Symantec risk log virus properties to find the source computer, then isolated the source computer after removing the virus from it.



  • 2.  RE: W32.Downadup.B Removal

    Broadcom Employee
    Posted Jun 20, 2012 01:00 AM

    Did you run the scan in safe mode?

    Have you updated the system with the latest patch?

    reference: https://www-secure.symantec.com/connect/forums/conficker-malware


    Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

    Downadup (Conficker) is a quite old virus. If all machines are patched and updated with the newest virus definitions, you should be safe. However, there are a few things to be verified. This is well described in the following document:

    Simple steps to protect yourself from the Conficker Worm

    http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648

    Work on the Plan of Action as given below for a 100% result.

    Plan of Action:

    1) Make sure ALL computers have Symantec EP installed and updated with the latest virus definitions, and

    2) Install the MS08-067 patch [KB 958644] on ALL computers.

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    3) Install ALL the latest Microsoft security patches / service packs on ALL machines

    4) Disable Auto play with GPO

    http://support.microsoft.com/kb/953252

    5) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    6) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    7) Scan ALL the machines...

    8) Enable Risk Tracer

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/be1edccb0e39927280257363003a2bb3?OpenDocument

    In case we don't have Network Threat Protection installed on the machines, we could try NMAP (http://insecure.org/)

    NOTE: NMAP is not supported by Symantec. However, it has proved to be effective.

    NOTE: *ALL means ALL client machines and server machines (make sure you don't miss any machine)
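A host-side status report for steps 2, 4, 5 and 6 of the plan above, added here as an example rather than code from the thread or from Symantec. It assumes PowerShell 2.0 or later on Windows 7 / Server 2008 R2, local administrator rights, an English locale for the auditpol text, and the function name Get-DownadupHardeningReport is my own.

```powershell
# Added example (not from the thread): report the state of the host-level
# items in the Plan of Action. Assumptions: PowerShell 2.0+ on Windows 7 /
# Server 2008 R2, run as local administrator, English auditpol output.
# KB958644 is the MS08-067 hotfix cited in the thread.
function Get-DownadupHardeningReport {
    $rows = @()

    # Step 2: MS08-067 hotfix. Windows 7 / 2008 R2 RTM already contain the
    # fix, so MISSING on those means "check the OS build", not "install KB958644".
    $kb = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
    $kbStatus = 'MISSING'
    if ($kb) { $kbStatus = 'OK' }
    $rows += New-Object PSObject -Property @{ Check = 'MS08-067 hotfix KB958644'; Status = $kbStatus }

    # Step 4: the "Turn off Autoplay: all drives" GPO writes
    # NoDriveTypeAutoRun = 0xFF (255) under the Explorer policy key.
    $polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $arStatus = "NOT SET (value: $autorun)"
    if ($autorun -eq 255) { $arStatus = 'OK' }
    $rows += New-Object PSObject -Property @{ Check = 'Autoplay disabled (NoDriveTypeAutoRun=255)'; Status = $arStatus }

    # Step 5: Task Scheduler service state (Win32_Service is available on PS 2.0).
    $svc = Get-WmiObject Win32_Service -Filter "Name='Schedule'"
    $rows += New-Object PSObject -Property @{ Check = 'Task Scheduler service'; Status = "$($svc.State), StartMode=$($svc.StartMode)" }

    # Step 6: logon auditing. auditpol prints "No Auditing" for subcategories
    # that are off; any such line in the Logon/Logoff category is flagged.
    $audit = & auditpol.exe /get /category:"Logon/Logoff" 2>$null
    $auditStatus = 'OK'
    if (-not $audit) { $auditStatus = 'UNKNOWN (auditpol failed)' }
    elseif ($audit | Select-String -SimpleMatch 'No Auditing') { $auditStatus = 'PARTIAL (some Logon/Logoff subcategories not audited)' }
    $rows += New-Object PSObject -Property @{ Check = 'Logon/Logoff auditing'; Status = $auditStatus }

    return $rows
}

Get-DownadupHardeningReport | Format-Table Check, Status -AutoSize
```

Run it on each server and client before scanning (step 7); any row that is not OK is a machine the outbreak can still use to re-infect the others.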



  • 3.  RE: W32.Downadup.B Removal

    Posted Jun 20, 2012 04:49 AM

    Hi smdeva,

    Ensure that your network shares are secured with strong passwords and that all users have strong passwords.  That's a very effective way of stopping one of this threat's methods of infection.

    symantec endpoint protection 11.0.2

    As soon as this outbreak is over, upgrade away from that very old version to SEP 11 RU7 MP2.  SEP 11 MR2 has known issues and vulnerabilities.

    Also: ensure that SEP's optional IPS component is being used in your network.

    Please do keep this thread up-to-date with your progress!



  • 4.  RE: W32.Downadup.B Removal

    Posted Jun 22, 2012 04:39 AM

    As mentioned by others, you'll need to cover all machines in your network (OS patching & AV protection).


    No shortcut to it, I guess... Downadup is still king in the malware world.


    Still top 10 as per last Symantec report



  • 5.  RE: W32.Downadup.B Removal

    Posted Jun 22, 2012 05:40 AM

    As Mick mentioned you need to upgrade your SEP.

    I faced the same issue at the beginning of the Downadup problem and I solved it by upgrading my SEP, because some features do not run on 64-bit on SEP 11.0.2.

    I advise you to upgrade to 12.1 RU1 MP1 as soon as possible.



  • 6.  RE: W32.Downadup.B Removal

    Posted Jun 22, 2012 05:48 AM

    One bit of advice:

    Please don't upgrade a computer that is currently under attack. It's a bit like tearing down the fortress to build a castle in the middle of a battle... there's a good chance that the baddies will take advantage of the time when the defences are lowered.

    If the computer is isolated and cleaned and shows no signs of infection, it's safe to upgrade at that point and add it back to the network.  

    Hope this helps!

    Mick



  • 7.  RE: W32.Downadup.B Removal

    Posted Jun 24, 2012 10:54 PM

    Thank you all for the valuable suggestions. I removed the virus.



  • 8.  RE: W32.Downadup.B Removal

    Posted Jun 25, 2012 04:23 AM

    Is there any advice or experience that you can pass on to other admins in this situation, smdeva?  What steps or action proved most important?

    (If time allows, can you also mark this thread as complete rather than "needs solution"?)

    Cheers again! :)



  • 9.  RE: W32.Downadup.B Removal

    Posted Sep 21, 2012 12:51 PM

    Hello,

    Can you please let me know the steps for removing this virus, as I am also facing this type of issue. Here I am attaching a snapshot of the detected risk. I have tried everything but there is no result.

    Request you to please help me out in this issue.




  • 10.  RE: W32.Downadup.B Removal

    Posted Sep 21, 2012 05:03 PM

    Don't forget to apply the patch for it.



  • 11.  RE: W32.Downadup.B Removal

    Posted Sep 21, 2012 07:20 PM


  • 12.  RE: W32.Downadup.B Removal

    Posted Sep 21, 2012 07:23 PM


  • 13.  RE: W32.Downadup.B Removal

    Posted Sep 24, 2012 10:42 PM

    Find out the source computer spreading the virus, then isolate that computer to remove the virus. To do this, right-click the virus, then click Properties in the View Quarantine tab.



  • 14.  RE: W32.Downadup.B Removal

    Posted Sep 24, 2012 10:53 PM

    Hi,

    Risk tracer will help to identify the source, have you enabled it?