Using Today's SymDiag to Combat Today's Threats

Jun 24, 2015 08:25 AM

Introduction

This is the ninth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in February 2019.

The capabilities and appearance of the Symantec Diagnostic Tool ("SymDiag"), formerly known as Symantec Help or SymHelp, have really evolved since its early days.  This article illustrates how best to use the current SymDiag to identify suspicious files on a computer and get them submitted to Symantec Security Response.
Just Accept all the Defaults, Right?

No way! SymDiag is a versatile tool.  If you're using it specifically to hunt for malware on a computer, use the Threat Analysis features. Click the Start Scan button beside "Scan for potential threats," not the one intended for install requirements and common issues.


SymHelp_which_to_click.png


Here are the official Symantec articles on how to run the tool for Threat Analysis:

About the Threat Analysis Scan
http://www.symantec.com/docs/TECH215550

 

Basic, Expanded, or Root kits?

Mick2009 says: if time allows, go for the most thorough scan, Root kits.


This Isn't My Machine.  I Don't Know What's Normal on Here.

Don't worry: SymDiag knows what to look for.  If you are an admin who has logged in to a colleague's computer to run SymDiag, be sure to check the "Scan load points in other user profiles" advanced option.  That will look for suspicious files not only in your profile, but also in the directories and folders used by previous users of the machine. This is an absolute "must do" if you are not the only user of this machine!

SymHelp_profiles.png

Click "Specific profiles" and provide the user credentials for these other users, if possible!
I'm Fighting a Threat that Spreads via USB Thumb Drives and Network Shares

SymDiag has added a new feature that allows you to scan network or removable drives for any malicious files that may be hiding there (and spreading from there!). (Yes, this old infection vector remains popular, even here in 2015.)  Click on Advanced Options, then Custom files and folders, and browse to the directory, volume or drive you suspect. I definitely recommend checking the "Include subfolders in search" checkbox.

SymHelp_custom_paths.png

This "Custom files and folders" option is also excellent for narrowing searches to specific files or folders, rather than having SymDiag scan the entire drive.  An example: using the power of SMR to check the shared-out folder on the company's file server to see if any of the clients which connect there have uploaded any suspicious material.

One warning: depending on how many files are on the removable drive or network share, scanning and collecting file hashes can take a long time!  SymDiag is not designed to scan and clean whole networks.


OK!  The Threat Analysis Has Completed!  Now What?

The tool sorts the results into Potential Risks, Autorun details, Processes and Registry Load Points.  Here's an example of a very heavily compromised computer:

SymHelp_badly_infected.png

Hundreds of files with a poor reputation were identified and labeled as "Bad."  Not all of these are confirmed malware!  They are files that are often seen on infected computers, which is why a poor reputation is a signal worth investigating rather than a verdict.  The following video does a good job explaining how Symantec's reputation-based intelligence works:

Symantec Endpoint Protection 12: Demonstration of Insight Reputation Technology
https://www.youtube.com/watch?v=jN0KI3TVF8M


The files that are unknown to the admin and have a poor reputation should be submitted to Symantec Security Response and then deleted.  Read this article for details on how to get the suspicious files submitted so that new defenses can be built against them:

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions


Removing the suspicious files is easy thanks to a tool built into SymDiag.  In previous versions this was called "Power Eraser."  Now all that's necessary, once the Threat Analysis Scan has completed, is to select the file and click Remove.  In this example some unknown party has uploaded a password cracking tool to the server, never a good sign!  Get rid of that, and then ensure all old user accounts are disabled and all current, valid user accounts receive a new, strong password.

SymHelp_remove.png


Can We Get some Experienced Eyes on That?

In this example there are hundreds of potentially dangerous files highlighted by the tool.  Rather than blindly removing them all, it is wise to get a second opinion after the admin has identified which are known and unknown in this environment.

Be sure to save the SymDiag diagnostic and send it to Symantec Technical Support if you are unsure about which files to submit or how to proceed.  The engineers there have years of expertise when it comes to fighting malware, and can swiftly recommend which files to submit for analysis and which to safely ignore.

SymHelp_save.png

If the threat analysis features described above were used, the resulting saved file will have a _TSF.sdbz extension. If the diagnostic has just a plain old .sdbz extension, it will be of limited use to Symantec Tech Support.

Please do not submit the SymDiag diagnostic file to Security Response! Send the .sdbz to Technical Support.

On a related note, do not attach any suspicious or malicious files to the SymDiag.  Those need to go to Security Response and Security Response only.

Anything Else to Know?

Symantec Help (SymHelp) FAQ
https://support.symantec.com/en_US/article.TECH203496.html


What command-line parameters are available for Symantec Help (SymHelp)?
http://www.symantec.com/docs/TECH170732

Conclusion

SymDiag, especially with its recent enhancements, is one powerful tool in keeping your network, your users and your data safe from malware. Please do familiarize yourself with its features and functionality!

Many thanks for reading!  Please do leave comments and feedback below.

Comments

Oct 26, 2015 03:57 AM

Very Informative.

Jul 24, 2015 09:40 AM

@Mick2009 BRAVO ZULU man. Thank you sir!