Endpoint Protection


Backdoor.Pihar need solution

  • 1.  Backdoor.Pihar need solution

    Posted Dec 13, 2013 09:26 AM

    Hi

    My machine is infected with Backdoor.Pihar. I am getting the security log below every hour. Please help.


    [SID: 27101] System Infected: Backdoor.Pihar Activity detected.
    Traffic has been blocked from this application: C:\Windows\System32\svchost.exe

    My machine is using Symantec Endpoint Protection version 11.0.5002.333


    Regards

    Vishal



  • 2.  RE: Backdoor.Pihar need solution
    Best Answer

    Posted Dec 13, 2013 09:33 AM

    First off, you're on a very old version. Have you considered upgrading to 12.1?

    Have you taken your system offline, put into safe mode and run a full scan?

    Run a Load Point Analysis, see here on how to do it:

    http://www.symantec.com/docs/TECH203027

    You can also run the Symantec Power Eraser, see here:

    http://www.symantec.com/theme.jsp?themeid=spe-user-guide



  • 3.  RE: Backdoor.Pihar need solution
    Best Answer

    Posted Dec 13, 2013 09:40 AM

    Symantec Power Eraser using Symantec Help (SymHelp) Tool.


    https://www-secure.symantec.com/connect/articles/symantec-power-eraser-using-symantec-help-symhelp-tool


    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec


    Edit :

    Backdoor.Pihar - Removal

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-120817-1417-99&tabid=3



  • 4.  RE: Backdoor.Pihar need solution

    Posted Dec 16, 2013 08:41 PM

    Thanks for your response Brian and James.


    All these days I was trying to scan and remove possible infected files. This is what I did so far:

    1. I updated Symantec Endpoint to 12.x, and after that, when I scanned, it detected some infected sites, which I deleted.
    2. I also ran Power Eraser, which also detected infected files, and I removed them.

    After that I have scanned my laptop with Symantec Endpoint and Power Eraser many times (for the last three days I have been scanning in all possible ways, but it's all clean).

    Issue: I am still getting the attack, which is getting blocked by Symantec, but I am worried about what exactly is happening. Is my machine still compromised? What measures should I take at this point?

    PFA the snapshot (Snapshot.jpg).


    Regards

    Vishal



  • 5.  RE: Backdoor.Pihar need solution

    Posted Dec 16, 2013 08:53 PM

    Download and run ComboFix:

    http://www.bleepingcomputer.com/download/combofix/

    It can also help to find malware on your system. Once complete, it will generate a report which you can attach here for review.

    You can also try RKill:

    http://www.bleepingcomputer.com/download/rkill/



  • 6.  RE: Backdoor.Pihar need solution

    Broadcom Employee
    Posted Dec 16, 2013 09:15 PM
    Open a support ticket. Run Load Point on the system and ask for analysis. Check if the system is trying to reach a remote site, and whether that machine is local or on the internet.


  • 7.  RE: Backdoor.Pihar need solution

    Posted Dec 17, 2013 02:23 AM

    Hi,

    Please do remember that SEP is just a fragment of your protection. In my experience most recurring attacks came from an unpatched OS and the software installed on it. Make sure all your machines are patched. Zero-day malware runs on unpatched systems.

    Thanks,



  • 8.  RE: Backdoor.Pihar need solution

    Posted Dec 17, 2013 12:36 PM

    Hi Vishal A,

    It looks like the IPS direction for those events is "incoming." Perhaps it is another computer that is infected, and IPS is successfully preventing this client from becoming infected?

    This article may be of interest:

    Two Reasons why IPS is a "Must Have" for your Network

    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network
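    As an added illustration (not part of this thread, and not Symantec's own tooling), here is a small Python triage script for the kind of blocked-traffic events quoted in the first post, applying the point made in reply 8: the direction field tells you whether this client is the victim or the source. The one-line log layout, the timestamps, the remote addresses and the extra "Outgoing" event are all constructed for the example and are not the real SEP log export format; the regex would need adjusting to match actual exported columns.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events. The one-line layout is hypothetical: it takes the
# "[SID: ...] System Infected: ..." wording quoted in the thread and adds the
# timestamp, direction and remote address an IPS log also records. The hourly
# cadence mirrors the first post; the last "Outgoing" line is added for contrast.
SAMPLE_LOG = r"""
2013-12-13 08:02:11 [SID: 27101] System Infected: Backdoor.Pihar Activity detected. Direction: Incoming Remote: 192.168.1.57:49213 Application: C:\Windows\System32\svchost.exe
2013-12-13 09:02:14 [SID: 27101] System Infected: Backdoor.Pihar Activity detected. Direction: Incoming Remote: 192.168.1.57:49501 Application: C:\Windows\System32\svchost.exe
2013-12-13 10:02:09 [SID: 27101] System Infected: Backdoor.Pihar Activity detected. Direction: Incoming Remote: 192.168.1.57:49877 Application: C:\Windows\System32\svchost.exe
2013-12-13 11:02:12 [SID: 27101] System Infected: Backdoor.Pihar Activity detected. Direction: Incoming Remote: 192.168.1.57:50104 Application: C:\Windows\System32\svchost.exe
2013-12-13 11:40:55 [SID: 27101] System Infected: Backdoor.Pihar Activity detected. Direction: Outgoing Remote: 203.0.113.9:80 Application: C:\Windows\System32\svchost.exe
"""

# Hypothetical field layout; adapt to the real export's columns.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[SID: (?P<sid>\d+)\] (?P<signature>.+?)\. "
    r"Direction: (?P<direction>Incoming|Outgoing) "
    r"Remote: (?P<remote_ip>[\d.]+):(?P<remote_port>\d+) "
    r"Application: (?P<app>.+)$"
)

# RFC 1918 ranges: a remote address in one of these is another host on the LAN.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class IpsEvent:
    time: datetime
    sid: int
    signature: str
    direction: str
    remote_ip: str
    remote_port: int
    app: str


def parse_events(text: str) -> list:
    """Parse the constructed one-line format; lines that do not match are skipped
    so one odd line does not abort the whole triage."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(IpsEvent(
            time=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            sid=int(m["sid"]),
            signature=m["signature"],
            direction=m["direction"],
            remote_ip=m["remote_ip"],
            remote_port=int(m["remote_port"]),
            app=m["app"],
        ))
    return events


def is_lan_address(ip: str) -> bool:
    """True for RFC 1918 addresses, i.e. a machine on the local network."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def triage(events: list):
    """Group blocked events by (direction, remote host) and state what each group
    implies for the local client. Blocked INCOMING traffic means the remote host is
    the one that is infected and IPS shielded this client; blocked OUTGOING traffic
    means a local process started the connection, so this client is suspect."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.direction, e.remote_ip)].append(e)
    findings = []
    for (direction, remote), evs in sorted(groups.items()):
        where = "on the LAN" if is_lan_address(remote) else "outside the LAN"
        apps = ", ".join(sorted({e.app for e in evs}))
        if direction == "Incoming":
            findings.append(f"{len(evs)} blocked incoming event(s) from {remote} ({where}): "
                            f"{remote} is the likely infected host; this client was protected")
        else:
            findings.append(f"{len(evs)} blocked outgoing event(s) to {remote} ({where}) from "
                            f"{apps}: a local process initiated them; treat this client as compromised")
    return findings, {k: len(v) for k, v in groups.items()}


def median_interval_minutes(events: list, direction: str = "Incoming"):
    """Median gap between events of one direction, to confirm a fixed cadence such
    as the hourly pattern reported in the thread. None if fewer than two events."""
    times = sorted(e.time for e in events if e.direction == direction)
    if len(times) < 2:
        return None
    gaps = sorted((b - a).total_seconds() / 60 for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for line in triage(evs)[0]:
        print(line)
    print("median gap between incoming events (min):", median_interval_minutes(evs))
```

    On the constructed sample, the four incoming events from 192.168.1.57 point at that LAN host as the machine to investigate, while the single outgoing event to an address outside the LAN is the pattern that would justify treating the local client as compromised. The remote address in a real event is what to hand to support together with the Load Point output, as reply 6 suggests.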



  • 9.  RE: Backdoor.Pihar need solution

    Posted Jan 02, 2014 02:03 PM

    Vishal A,

    Have you gotten this sorted out?



  • 10.  RE: Backdoor.Pihar need solution

    Posted Jan 06, 2014 12:48 PM

    Hi

    Due to time limitations I had to reimage my machine, since nothing was working and my time was running out. After reimaging I updated it to 12.1, and while scanning my backup files it cleared the infected files.

    I learned that updating to 12.1 and Load Point analysis are helpful in such events.

    Thanks to all for the guidance.

    Sorry for the delayed reply, as I was engaged with work.

    Regards

    Vishal