
W32.Sality.AE issue

Created: 21 Aug 2013 | 10 comments

Hi,

Currently we are using SEP 12.1.x. Our network is fully infected with W32.Sality.AE.

We tried all the solutions from Symantec, but we failed to eradicate it.


Kindly help me to resolve this issue.

BR

Lakshmanan

mkeil

Hi, 

check this howto: http://www.symantec.com/docs/TECH122466

Best Practices for Troubleshooting Viruses on a Network


Regards, 

mkeil

Please "Mark as Solution" if my post is useful

Beppe

Hello,

please, list those solutions you tried, maybe there's something more to do.

Regards,

Giuseppe

Mick2009

"Thumbs up" to the above. Symantec has released AntiVirus signatures against this, Application and Device Control policies, and IPS defenses as well. Using these tools in accordance with best practice is very effective.

I also recommend checking logs and reports from the SEPM to ensure that the threat is being cleaned on all computers and not "left alone" on some.  

With thanks and best regards,

Mick

Mithun Sanghavi

Hello,

Sality is a persistent and dangerous threat to have in your network. 

Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it. For more information, see the following document:

Here is a very good set of steps for how to proceed: 

Best practices for troubleshooting viruses on a network  

http://www.symantec.com/business/support/index?page=content&id=TECH122466&locale=en_US

It will take time to identify the computer which is infected and attempting to infect others.  Stick with the process, though- it will work.

You could also use the Symantec Power Eraser from the SymHelp

Since there is no tool for removal of Sality, you need to do the following to get the threat out of the network:

1. Disable Autoplay
2. Disable System Restore
3. Disable the open shares, and C$ and Admin$
4. Repair or reinstall SEP, if SEP is corrupted.
5. Apply the Application and Device Control policy.
6. Make sure that the IPS policies for Sality are there.
7. Apply the latest Rapid Release signatures and start the scan on the network.

One other thing to note, for SEP 12.1.x users, an Application and Device policy is available to combat the W32.Sality.AE threat in the event of an outbreak.

For full details read the W32.Sality.AE page from Security Response - http://bit.ly/w32sality

Check this Article as well:
Secondly, as Mick2009 suggested for "checking logs and reports from the SEPM to ensure that the threat is being cleaned on all computers and not "left alone" on some." Check this Article:
Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian

I assume that SEP is reporting on the threat and taking action? Is it cleaning, deleting, or doing something else?

Secondly, Sality uses autorun to spread itself. Have you disabled autorun? You can use a SEP ADC policy to do this if needed.

Symantec does not have a removal tool for this but you can try this tool which works great:

http://support.kaspersky.com/1874?el=88446

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
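The first three steps in Mithun's list above (disable Autoplay, disable System Restore, close the open and administrative shares) and .Brian's autorun point are the same host-hardening checks, so here is one script that audits them and, with -Enforce, applies them. This is an added example written for this thread; it is not Symantec's code, not an ADC policy, and not a Sality removal tool. It assumes it is run as a local administrator on a domain-joined Windows client (Get-SmbShare needs Windows 8 / Server 2012 or later; Disable-ComputerRestore exists only on client SKUs), and the registry values it touches are the documented Windows ones, not anything Sality-specific.

```powershell
# Added example for the thread above, not from Symantec or the original posters.
# Audits the autorun / System Restore / share items from Mithun's list and
# enforces them when -Enforce is given. Run elevated.
[CmdletBinding()]
param([switch]$Enforce)

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type
    # (removable, fixed, network, CD-ROM, RAM disk); anything else leaves a gap.
    $v = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($v -eq 0xFF)
}

function Disable-Autorun {
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Get-SuspectShares {
    # Everything except IPC$ is of interest: C$/ADMIN$ are the administrative
    # shares Mithun says to disable, and any other share is a candidate for
    # the "open share" Sality spreads through.
    Get-SmbShare | Where-Object { $_.Name -ne 'IPC$' } |
        Select-Object Name, Path, @{ n = 'Admin'; e = { $_.Name -match '^(C\$|ADMIN\$|[A-Z]\$)$' } }
}

function Find-AutorunInf {
    # DriveType 2 = removable, 4 = network: the two avenues the thread names.
    Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 } |
        ForEach-Object {
            $inf = Join-Path $_.DeviceID 'autorun.inf'
            if (Test-Path $inf) { Get-Item $inf -Force }   # -Force: Sality drops it hidden
        }
}

# ---- 1. Autoplay / AutoRun -------------------------------------------------
if (Test-AutorunDisabled) { 'AutoRun: disabled (NoDriveTypeAutoRun=0xFF)' }
elseif ($Enforce)         { Disable-Autorun; 'AutoRun: now disabled' }
else                      { 'AutoRun: NOT fully disabled' }

# ---- 2. System Restore -----------------------------------------------------
# An infected restore point re-infects the host after cleaning, hence step 2.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
"System Restore: $(@($points).Count) restore point(s) on this host"
if ($Enforce) {
    Disable-ComputerRestore -Drive "$env:SystemDrive\"
    'System Restore: disabled for the system drive'
}

# ---- 3. Shares -------------------------------------------------------------
$shares = Get-SuspectShares
$shares | Format-Table -AutoSize
if ($Enforce) {
    foreach ($s in $shares | Where-Object Admin) {
        # Removing C$/ADMIN$ alone is temporary: the Server service recreates
        # them at next start unless AutoShareWks (clients) / AutoShareServer
        # (servers) is 0. Both are set so the script works on either SKU.
        Remove-SmbShare -Name $s.Name -Force
    }
    Set-ItemProperty -Path $LanmanParams -Name AutoShareWks    -Value 0 -Type DWord
    Set-ItemProperty -Path $LanmanParams -Name AutoShareServer -Value 0 -Type DWord
    'Shares: administrative shares removed and auto-recreation disabled'
}

# ---- 4. autorun.inf on removable / network drives --------------------------
# Report only; cleaning the file is the AV's job once the policy is in place.
$hits = @(Find-AutorunInf)
if ($hits.Count) { 'autorun.inf found on:'; $hits | Select-Object FullName, Attributes, LastWriteTime }
else             { 'autorun.inf: none on removable or network drives' }
```

Run it once without -Enforce on a handful of machines first and compare the share list against what the SEPM logs say is still being cleaned: a host that keeps re-detecting Sality while a writable share stays open is the "infected and attempting to infect others" machine Mithun describes. Note that disabling the administrative shares also breaks remote management that depends on them (SEP push deployment included), so re-enable them deliberately after the outbreak rather than leaving the registry values behind.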

Lakshmanan Sathyamoorthy

Hi friends,

Thanks for your quick response, which helped a lot.

.Brian

Please don't forget to mark the post that helped the most as the solution so it can benefit future admins searching for a solution to the same problem.

Take care,
Brian

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009

This new article will be of interest to followers of this thread:

W32.Sality - Support Perspective and Battle Plan
https://www-secure.symantec.com/connect/blogs/w32sality-support-perspective-and-battle-plan

With thanks and best regards,

Mick