Endpoint Protection

  • 1.  Emails From Hotmail with a link

    Posted Jun 27, 2011 07:20 AM

    Dear All,

    For the last few days we have been receiving some emails from Hotmail, Gmail and Yahoo containing a link inside to our domain. When the person clicks on the link, the computer hangs and gets very slow, and every 5-10 minutes it gets stuck. I have installed Symantec, but I think it doesn't detect the virus. Can someone help me with this? I have Endpoint Protection 11, installed on a server and then on the clients.



  • 2.  RE: Emails From Hotmail with a link

    Posted Jun 27, 2011 07:47 AM

    If the content of the mail is a link, Symantec probably won't detect it, as it's not an attachment. You should rather configure your mail server to block such inbound mails (Note: keep in mind SEP is not an antispam solution).



  • 3.  RE: Emails From Hotmail with a link

    Posted Jun 27, 2011 08:21 AM

    You can block that URL using NTP or IPS.

    Do you have Symantec Mail Security?



  • 4.  RE: Emails From Hotmail with a link

    Posted Jun 27, 2011 08:48 AM

    I completely agree with you: if you don't click on the link and directly delete the email, I am sure nothing will happen. But the problem is that most of the clients don't know about the link and they click on it, and when it's clicked, the PC gets infected, but Symantec doesn't stop that virus, or maybe spam.



  • 5.  RE: Emails From Hotmail with a link

    Posted Jun 27, 2011 08:50 AM

    Thanks for the reply.

    It's not only one link to block; every time it's a new link. Each email contains a new link, so how do we block that?

    And of course Symantec has email security, but it only blocks the attachments, not the link inside the email body.



  • 6.  RE: Emails From Hotmail with a link

    Posted Jun 27, 2011 12:56 PM

    You will probably want to lock down in one of two ways:

    1. Using Application and Device Control to lock down the areas usually affected by drive-by infections and fake AV: https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers - https://www-secure.symantec.com/connect/forums/turning-settings-sep-deal-fakeav The downside is that at this time, with SEP 11, this will not work with 64-bit systems.
       
    2. Use your proxy, perimeter firewall, or even use the SEP firewall rules to block access to mail sites (Yahoo, Hotmail and Gmail) over which you have no control of the contents of the email, like you might with Exchange (using Mail Security for Microsoft Exchange, which is not the same as the email protection included with SEP).

    sandra



  • 7.  RE: Emails From Hotmail with a link

    Posted Jun 27, 2011 09:02 PM

    Hi NSaghar, do the SEP clients have the full package installed, with Proactive Threat Protection (PTP) and Network Threat Protection (NTP) also installed, aside from the Antivirus and AntiSpyware?

    Do you have a copy of that email? If you want to test it out for yourself, you can view the source code of the email or right-click on the link instead of left-clicking and save the HTML or executable file. And you've got a sample.

    One of the reasons that SEP might not detect it is: if you don't have NTP and PTP installed on the client. Especially if it's a new threat. Try increasing the Bloodhound (TM) level.

    Another least likely possibility is that the malware runs remotely, giving the users only the end result of the program. Must be a link to enable VPN. Check the Firewall logs to be sure.
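
Added example, not part of the original post: one way to do the "view the source code of the email" step suggested above without opening the link. It reads a saved message, lists each link's real target host, and flags links whose visible text names a different host; the sample message, the `.example` hosts and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the thread); .example hosts are placeholders.
SAMPLE_EML = b"""From: someone@webmail.example
Content-Type: text/html; charset="utf-8"

<p><a href="http://files.unknown-host.example/d?id=1">http://corp.example/docs</a></p>
<p><a href="http://corp.example/help">Help</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def host_of(text):  # hostname if the text looks like a URL, else None
    text = text.strip()
    if text.lower().startswith("www."):
        text = "http://" + text
    try:
        return urlsplit(text).hostname if "://" in text else None
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None

def audit_links(raw_eml):
    """Return (href, target_host, shown_host, mismatch) per link in a saved .eml."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    findings = []
    for href, shown in collector.links:
        target, claimed = host_of(href), host_of(shown)
        # Mismatch: the text displays one host but the click goes to another.
        findings.append((href, target, claimed, claimed not in (None, target)))
    return findings
```

For a real message, pass the bytes of the saved `.eml` file to `audit_links`; the distinct target hosts are the values a proxy or firewall rule would need.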



  • 8.  RE: Emails From Hotmail with a link

    Posted Jun 27, 2011 09:44 PM

    Hi NSaghar ,

    I suggest you run the hijack tool or the SEP support tool. At least you will find what is running on your machine and can analyze the results. Look thoroughly through the results and you will find some clue. If you can attach those logs, it will be better, so that we can find something for you. It might take some time for you, but it is possible to clear it from the network. If you can attach the link's source code; I know there are several links, but some different technique is needed. So, can you attach the source code?



  • 9.  RE: Emails From Hotmail with a link

    Posted Jun 28, 2011 03:50 AM

    Hi NSaghar,

     

    The first thing that I recommend doing is isolating any computers that have already clicked those links: they are probably infected, and could potentially be infecting other computers they interact with.

     

    The second thing: see if you can find the suspicious file that is downloaded when that link is clicked. It is probably still in the computers' temporary internet cache. Please submit that to Symantec Security Response for analysis. With that in hand, detection and defences can be provided.

     

    Here is some additional excellent advice: Best practices for troubleshooting viruses on a network (http://www.symantec.com/docs/TECH122466)

     

    Thanks and best regards,

     

    Mick