Endpoint Protection


Downadup still...

  • 1.  Downadup still...

    Posted May 26, 2010 11:33 AM

    I'm still getting alerts from SEPM of clients getting W32.Downadup in the C:\Documents and Settings\...\Temporary Internet Files\IE6 folder.
    I've checked some of the clients and they have been upgraded to the patch released by MS and the virus does get deleted.
    I've asked the user if they're browsing the Internet and they said that they're only using the Intranet (internal webpage).

    The infected files were jpg extensions as shown in the SEPM logs in the monitors page.
    Either the web server is infected or someone is lying?

    Any ideas or explanations?

    (This is one of those days that I'm too tired to even think. :( )


  • 2.  RE: Downadup still...

    Posted May 26, 2010 11:45 AM

    Here's a check list of sorts:

    Title: 'Simple steps to protect yourself from the Conficker Worm'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648?Open&seg=ent

    The Microsoft Baseline Security Analyzer is also your friend :)

    sandra


  • 3.  RE: Downadup still...

    Posted May 26, 2010 11:46 AM
    If Downadup is on your USB stick then it doesn't matter whether you have an internet connection or not.
    Even if it's patched you'll get it. However, the good thing is SEP catches all variants of Downadup.
    You just need to find the source.
    Enable Risk Tracer and monitor your IPS logs.


  • 4.  RE: Downadup still...

    Posted May 26, 2010 05:56 PM
    Hi Mon,

    Another way that Downadup spreads is via poorly protected network shares. Mapped drives should be protected by strong passwords.

    I don't know if that would account for .jpg files in that location, though.... Definitely check the SEP Risk History to see what is being detected, where, and what action is being taken against it! (Left alone/log only/partial removal is not full remediation.)

    Thanks and best regards,

    Mick


  • 5.  RE: Downadup still...

    Posted May 26, 2010 08:50 PM
    1. If even a single computer in the whole network is not fully patched with Microsoft patches, or doesn't have the latest definitions, it is a potential risk to your environment for infection by W32.Downadup. So make sure all computers are compliant with both of these.

    2. Make sure users have complex passwords. When any computer gets infected with Downadup, it tries to hack user accounts from Active Directory. You might have seen user accounts getting locked when there is a Downadup infection. This is due to the default AD policy of locking an account after 3 failed attempts.

    3. All admin (C$) shares should be disabled. All shares should be password protected.

    4. Autorun MUST be disabled. It has been seen that this is generally the main reason. Note that Autorun.inf is not an infected file (it's only a text file). However, the entries inside it would get executed if autorun is enabled. In other words, when autorun is enabled, threats can easily execute themselves with autorun from different media, computer shares, etc.

    5. Intrusion prevention technology with Symantec Endpoint Protection could be crucial against Downadup, as Antivirus & Antispyware alone can't fully protect against Downadup due to network attacks. Enable Risk Tracer after installing the intrusion prevention feature for SEP to trace the attacker machine.

    And last but not least: never assume that because you have definitions you can't get infected with viruses. Attackers are constantly trying to create new variants of threats, so nobody is 100% protected, and I guarantee that no security provider can give a 100% guarantee that your computer will never be infected. If they do, they are liars.

    Just be sure that you are fully up-to-date with all patches and definitions, taking the necessary measures for environment protection. And most important, as soon as there is any possible infection, immediately contact Support for further help if the threat is not getting detected.


  • 6.  RE: Downadup still...

    Posted May 27, 2010 10:39 PM
    I already have the autorun covered.
    I created an Application and Device Control Policy to block access to autorun.inf in all drives (local and network)

    I'll look into the Risk Tracer after I've gathered enough logs.

    Risk History shows W32.Downadup and W32.Downadup.B

    I'll also see what we can do with C$. At the moment, it can only be accessed by supplying a username and password.

    I've also been receiving reports that various computers having failed login attempts to the AD using one of our administrators credentials.


  • 7.  RE: Downadup still...
    Best Answer

    Posted May 28, 2010 04:36 AM
    Hello Mon,
    Downadup hurt me very much before (before I met Symantec :) )
    Other friends said it right; there are a few things about Downadup. Downadup can try weak passwords. I will try to demonstrate how I beat it.
    • First, update Microsoft machines via WSUS. It is very important to install Security and Critical updates.
    • Then I search for machines without SEP installed and install the latest SEP version on them.
    • Update all SEP clients to date.
    • Change the virus first action to Delete; the second action is Quarantine.
    • Check whether domain admin passwords are weak or not. If they are weak, please change them to complex passwords.
    • Create a daily network report to find the most attacking computer and most targeted computer.
    • Close all USB drivers except for some Directors. :)
    • And I created a Full System Scan 2 times a week (first action is Delete).
    • And I created an Active Scan every day at lunch time.

    I hope this will help you too.

    Best Regards.
    Fatih



  • 8.  RE: Downadup still...

    Posted May 28, 2010 09:46 AM

    We're almost halfway done with the MS patch. And I just remembered that the internal web server is running on *nix.
    All the infected PCs have definitions that can take care of the virus and the logs do show that the threat was indeed deleted.
    I have enabled the Risk Tracer and will try to get some reports on the following work week.
    SEP Firewall and IPS are currently disabled as requested by our client for further testing, or rather they are enabled but only to log the events.
    And we still have PCs here that don't meet the System Requirements of SEP 11 as shown in the admin guide.
    Startup scan is enabled.
    One thing I don't have control of at the moment is the use of USB modems which some of the employees use to surf without restrictions.


  • 9.  RE: Downadup still...

    Posted May 28, 2010 12:56 PM
    Hello Mon,
    I created an article about how to block 3g modems. Here is the link
    https://www-secure.symantec.com/connect/articles/how-block-3g-modems-application-and-device-policy

    Best Regards.
    Fatih


  • 10.  RE: Downadup still...

    Posted Jun 01, 2010 11:08 PM
    All that's left for me is to try and get their browsing history, I guess.
    Does Symantec Endpoint Protection have this option? Sources of Attacks perhaps?


  • 11.  RE: Downadup still...

    Broadcom Employee
    Posted Jun 02, 2010 12:06 AM

    Risk Tracer is the one to know source attack within the network, you may need to enable this else as you would be knowing the network sniffer is the best way to capture the traffic :-)



  • 12.  RE: Downadup still...

    Posted Jun 02, 2010 04:44 AM
    Hi Mon,

    Here's an article that you may wish to read: Intrusion Detection alerts received on a SEP client for ntoskrnl.exe (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010040206121548)

    Are you using NTP? Are you seeing any of those "[SID: 23179] MSRPC Server Service BO detected" in your network? Check out the IP addresses that are triggering the block on SEP-protected clients. Those IPs are very likely the ones spreading the threat in your network.

    Thanks and best regards,

    Mick
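Mick's suggestion above, tallying the remote IP addresses that trigger SID 23179 on SEP-protected clients, as an added Python example that is not from the thread or from Symantec. The log layout here (timestamp, client host, event, action, remote IP, remote port) and the sample lines are constructed for illustration and are not SEPM's real export format; the block also counts how many of those events were only logged rather than blocked, which matters when IPS is in log-only mode as described earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified CSV-like layout (NOT Symantec's real log format):
# timestamp,client_host,event,action,remote_ip,remote_port
SAMPLE_IPS_LOG = """\
2010-06-01 09:12:03,WS-0142,[SID: 23179] MSRPC Server Service BO detected,Blocked,10.1.4.77,445
2010-06-01 09:12:09,WS-0142,[SID: 23179] MSRPC Server Service BO detected,Blocked,10.1.4.77,445
2010-06-01 09:13:41,WS-0201,[SID: 23179] MSRPC Server Service BO detected,Blocked,10.1.9.15,445
2010-06-01 09:15:00,WS-0088,Some unrelated signature,Logged,10.1.2.3,80
2010-06-01 09:20:27,WS-0088,[SID: 23179] MSRPC Server Service BO detected,Logged,10.1.4.77,445
"""

SID_PATTERN = re.compile(r"\[SID: (\d+)\]")


def parse_ips_line(line):
    """Split one constructed log line into a record; return None for malformed lines."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        return None
    ts, host, event, action, src_ip, port = fields
    m = SID_PATTERN.search(event)
    return {
        "time": ts,
        "host": host,
        "sid": int(m.group(1)) if m else None,
        "action": action,
        "src_ip": src_ip,
        "port": int(port),
    }


def rank_sources(log_text, sid=23179):
    """Rank remote IPs by how often they triggered the given signature.

    Returns (ip, total_hits, blocked_hits, sorted_target_hosts) tuples, most active first.
    A large total with few blocked hits means the client only logged the attempt.
    """
    totals, blocked, targets = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_ips_line(line)
        if rec is None or rec["sid"] != sid:
            continue
        totals[rec["src_ip"]] += 1
        if rec["action"] == "Blocked":
            blocked[rec["src_ip"]] += 1
        targets.setdefault(rec["src_ip"], set()).add(rec["host"])
    return [(ip, n, blocked[ip], sorted(targets[ip])) for ip, n in totals.most_common()]
```

In a real export the hosts listed beside the top source IPs are the machines to pull into Risk History and patch status checks first.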


  • 13.  RE: Downadup still...

    Posted Jul 22, 2010 10:58 PM
    I can't seem to make SEPM to show the logs for this. Need help in navigating to the right page. Thanks.


  • 14.  RE: Downadup still...

    Posted Jul 23, 2010 03:16 AM
    Hello Mon,
    Which logs do you want to see?

    Best Regards.
    Fatih


  • 15.  RE: Downadup still...

    Posted Jul 23, 2010 04:38 AM
    Hi Fatih,

    I'm looking for the one that shows the ntoskrnl.exe from the IPS. I'm pretty sure we still have unpatched XP workstations in here and I read in here that I can use that as a basis.

    Thanks.


  • 16.  RE: Downadup still...

    Posted Jul 23, 2010 07:52 AM
    Hello Mon,
    I have a few ideas I will share with you. :) You can log ntoskrnl.exe with an Application and Device Control policy.
    Another is with WSUS. Have you got a domain there? Can you install WSUS for MS updates?
    Have you got SNAC or NAC? Then you can create rules that say "if a workstation hasn't got the Downadup patch, don't let it join the LAN" and the user will call you: "I cannot read my e-mails" :)
    And you can export the all-clients report and look there for which OS service pack each client has. That way you can find that client.
    If you have SCCM you can force-deploy the MS patch with SCCM.

    That's all that is in my mind. I hope this helps.

    Best Regards.
    Fatih


  • 17.  RE: Downadup still...

    Posted Jul 26, 2010 05:37 AM
    Another is with WSUS. Have you got a domain there? Yes
    Can you install WSUS for MS updates? Not at the moment, but it is planned. I'm not the one personally in charge of that.
    Have you got SNAC or NAC? NAC of a different vendor, I'm also not in charge of that. :D
    Then you can create rules that say "if a workstation hasn't got the Downadup patch, don't let it join the LAN" and the user will call you: "I cannot read my e-mails" :) - and you can export the all-clients report and look there for which OS service pack each client has. That way you can find that client. I'm itching to do that, but the users here are a bit stingy when it comes to IT service.
    If you have SCCM you can force-deploy the MS patch with SCCM. Tried looking into their site and my IExplorer closed.

    That's all that is in my mind. I hope this helps. Yes it did, thanks. :D
     
    I just remembered that I can export the logs. It contains a lot of info including the SP versions.