
w32.downadup.b risk logs

Created: 14 Aug 2012 • Updated: 14 Aug 2012 | 6 comments
thanos21:

Hello everybody.

I have a situation and I need a solution. The risk logs of one client in a customer's SEP infrastructure are full of W32.Downadup.B detections. All these risks have the same filename (tatvg.kjs). Despite the fact that it says the file is successfully deleted, it continues to pop up notifications about the same file which say:

action taken pending side effects analysis access denied

This has been happening for the last 15 days. Our SEP client is 11.0.7000.975. It is managed by a manager. It is updated with the latest definitions (13th August).

My questions are:

1. Why does this happen every time, since the file was deleted the first time? What regenerates the file?

2. The same happens with other clients too, but not with the same risk. What am I supposed to do?

Please advise.


pete_4u2002:

Enable the Risk Tracer and check if you can identify the source.

Did you scan the system in safe mode?


SOLUTION
thanos21:

What is the Risk Tracer? What do you mean by "identifying the source"?

Why should I scan the system in safe mode? What is the reason to do that? It says that the file is cleaned and deleted, and after 5-10 minutes it prompts again for the same file.

Mithun Sanghavi:

Hello,

Check this article:

What is Risk Tracer? http://www.symantec.com/docs/TECH102539

and work on the plan of action given below for a 100% result.

Plan of Action:

1) Make sure ALL computers have Symantec EP installed with the latest / updated virus definitions, and

2) Install the MS08-067 patch [KB 958644] on ALL computers.

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

3) Install ALL the latest Microsoft security patches / service packs on ALL machines.

4) Disable Autoplay with GPO.

http://support.microsoft.com/kb/953252

5) Disable Scheduled Tasks with GPO.

http://support.microsoft.com/kb/310208

6) Enable security auditing with GPO.

http://support.microsoft.com/kb/300549

7) Scan ALL the machines...

NOTE: ALL means ALL client machines and server machines (make sure you don't miss any machine).

In addition to this, please check the articles provided below and work through them.

1) Best Practice for Downadup.B and Additional information on the same.

https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

2) Simple steps to protect yourself from the Conficker Worm

http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

thanos21:

Thanks for the replies, guys. The following are the pending notifications about the risk.

First is:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: W32.Downadup.B
File: C:\WINDOWS\system32\tatvg.kjs
Location: C:\WINDOWS\system32
Computer: ........
User: Administrator
Action taken: Pending Side Effects Analysis : Access denied
Date found: Tuesday, August 14, 2012  10:37:48 AM

And after that:

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: W32.Downadup.B
File: C:\WINDOWS\system32\tatvg.kjs
Location: C:\WINDOWS\system32
Computer: ..............
User: Administrator
Action taken: Cleaned by Deletion
Date found: Tuesday, August 14, 2012  10:38:10 AM


It is obvious that the file is deleted. But it prompts again and again. I do not think that I can do what Mithun Sanghavi suggested, because the customer is a telco company and I cannot have access to their systems in order to do that.

Could you please give an easier solution to this? I also have to inform you that the customer has already run the D.exe tool in safe mode without networking and had no results. D.exe found nothing. After that, the customer uninstalled SEP and installed AVG, which cleaned everything, and no notifications pop up using AVG. So there must be an easier solution.

Thanks a lot.
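The two notifications quoted above show the pattern the thread is about: a detection logged as "Pending Side Effects Analysis : Access denied", a "Cleaned by Deletion" a few seconds later, and then the same file again. The script below is an added example, not code from the original post or from Symantec. It parses SEP notification text in exactly the layout quoted (field names, the first-colon split, and the "Tuesday, August 14, 2012  10:37:48 AM" date format are assumed from the thread), groups events per computer and file, and flags any file that is detected again within a window after Auto-Protect deleted it. A non-zero reappearance count is the defender's cue that the file is being recreated from somewhere the local client cannot see, which is what Risk Tracer is for. The computer names and the last two records in the sample are constructed; the thread redacts the computer name.

```python
"""Group SEP risk notifications by (computer, file) and flag files that are
detected again after a 'Cleaned by Deletion' event."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Records 1 and 2 are the notifications quoted in the thread
# (CLIENT-01 is a placeholder for the redacted computer name); records 3 and 4
# are constructed: the file coming back on CLIENT-01, and a one-off on CLIENT-02.
SAMPLE_NOTIFICATIONS = r"""
Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: W32.Downadup.B
File: C:\WINDOWS\system32\tatvg.kjs
Location: C:\WINDOWS\system32
Computer: CLIENT-01
User: Administrator
Action taken: Pending Side Effects Analysis : Access denied
Date found: Tuesday, August 14, 2012  10:37:48 AM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: W32.Downadup.B
File: C:\WINDOWS\system32\tatvg.kjs
Location: C:\WINDOWS\system32
Computer: CLIENT-01
User: Administrator
Action taken: Cleaned by Deletion
Date found: Tuesday, August 14, 2012  10:38:10 AM

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: W32.Downadup.B
File: C:\WINDOWS\system32\tatvg.kjs
Location: C:\WINDOWS\system32
Computer: CLIENT-01
User: Administrator
Action taken: Pending Side Effects Analysis : Access denied
Date found: Tuesday, August 14, 2012  10:45:02 AM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: W32.Downadup.B
File: C:\WINDOWS\system32\tatvg.kjs
Location: C:\WINDOWS\system32
Computer: CLIENT-02
User: Administrator
Action taken: Cleaned by Deletion
Date found: Tuesday, August 14, 2012  11:02:11 AM
"""

# SEP puts two spaces before the time; strptime matches any run of whitespace
# for a single space in the format, so one space in the pattern is enough.
DATE_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"


def parse_notifications(text):
    """One dict per blank-line-separated block. Lines split on the first ': '
    only, so 'Pending Side Effects Analysis : Access denied' stays whole."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                record[key.strip()] = value.strip()
        if "File" in record and "Date found" in record:
            record["when"] = datetime.strptime(record["Date found"], DATE_FORMAT)
            records.append(record)
    return records


def find_regenerating_files(records, window=timedelta(minutes=30)):
    """Return {(computer, file): summary}. A reappearance is any detection
    logged within `window` after a 'Cleaned by Deletion' of the same file on
    the same computer; each deletion is counted as 'followed' at most once."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r.get("Computer", "?"), r["File"])].append(r)
    findings = {}
    for key, events in by_key.items():
        events.sort(key=lambda r: r["when"])
        deletions = reappearances = 0
        deleted_at = None  # most recent deletion not yet followed by a re-detection
        for ev in events:
            if deleted_at is not None and ev["when"] - deleted_at <= window:
                reappearances += 1
                deleted_at = None
            if ev.get("Action taken") == "Cleaned by Deletion":
                deletions += 1
                deleted_at = ev["when"]
        findings[key] = {
            "detections": len(events),
            "deletions": deletions,
            "reappearances": reappearances,
            "regenerating": reappearances > 0,
        }
    return findings


if __name__ == "__main__":
    summary = find_regenerating_files(parse_notifications(SAMPLE_NOTIFICATIONS))
    for (computer, path), s in summary.items():
        print(computer, path, s, "<- REGENERATING" if s["regenerating"] else "")
```

Feed it the concatenated notification e-mails or the exported risk log text; on the sample, CLIENT-01 is flagged (three detections, one deletion, one reappearance seven minutes later) and CLIENT-02 is not. The window is deliberately loose (30 minutes) because the thread reports the file returning every 5-10 minutes; tighten it once you know the cadence on your own hosts.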

cus000:

You'll need to search for the source.... Try enabling one client as "risk tracer" in SEPM, as mentioned by Pete.

Also, you may take a look at how many "svchost" processes are running in Task Manager on the suspected PC... and double-check the "Scheduled Tasks"....


I don't think there's any easy way to do this... unless they can confirm every single PC connected to their network has updated AV installed and is fully Windows patched?

thanos21:

We have enabled Risk Tracer on this specific client, and the risk log lists another server on the network as the "source computer". We have also enabled Risk Tracer on that computer and we are in the middle of a full scan. Thanks a lot, guys. If something else happens, I will inform you.