Endpoint Protection

  • 1.  Getting notifications "[SID: 29714] System Infected: Trojan.Snifula Activity 9 detected"

    Posted Mar 02, 2017 01:19 PM

    Hi,

     

    We have SEP 12.1.7 running in our environment, and on one of the computers we are constantly getting the error "[SID: 29714] System Infected: Trojan.Snifula Activity 9 detected". I have attached the screenshot for reference. Can anyone tell me more about this error and how I may be able to remove it? Running a full scan is evidently of no help, as it only shows tracking cookies in the Risk Log. I have attached the results of the full scan as well.

     

    Thanks.



  • 2.  RE: Getting notifications "[SID: 29714] System Infected: Trojan.Snifula Activity 9 detected"

    Posted Mar 02, 2017 01:21 PM

    There is an infected process on the machine trying to send what the IPS detects as malicious traffic. It doesn't appear that SEP has an AV detection for it.

    Have you tried running Norton Power Eraser on it? That is a more aggressive tool which may detect it.

    You could create a firewall rule to log all application traffic to see if you can narrow it down. Personally, I'd just have it re-imaged.



  • 3.  RE: Getting notifications "[SID: 29714] System Infected: Trojan.Snifula Activity 9 detected"

    Posted Mar 02, 2017 04:43 PM

    It is infected. No doubt. Try running power eraser (symhelp) as described in this article:

    https://support.symantec.com/en_US/article.TECH215519.html



  • 4.  RE: Getting notifications "[SID: 29714] System Infected: Trojan.Snifula Activity 9 detected"

    Posted Mar 03, 2017 07:05 AM

    Hi sym_wizard,

    Thanks for the post. Open the logs (or run a Network Threat Protection Attacks log from the SEPM) to see what process is responsible for the malicious traffic.

    Here's a good tool as well:

    Using Today's SymDiag to Combat Today's Threats
    https://www.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats