Endpoint Protection

My wife's  company (school) recently had a virus outbreak of 'Password.exe sexy.exe Virus".

Not sure what they are running on their network (?? win 7 ?? and some version of Norton).  But the IT guy gave her a Kaspersky disk since he told her that Norton wont detect the virus.

my wife has to use a USB stick to bring work from home (home computer operating SEP 12.1 on Win7 ) and then use it  at school.  They obviously dont have usbs blocked although 90% of their computers are internet blocked or very highly restricted.  Short of it - WE THINK we are not infected; but dont know for sure.

I have seen multiple forum discussions about this virus (a few from 2011 and 4-5 discussions in last 3 months).  But besides Symantec employees begging for the virus file so they can  add to the defs.... I have seen NO CONFIRMATION anywhere that it was actually added to the defs.   Where can I go on the webpage or in my system on computer to find out if this will be caught by my normal virus scan or not?

   I tried running the Kaspersky disk as a rescue disk to scan the computer and it found nothing but I was using 2012 virus defs from the CD as I couldnt connect to the internet while booting from the rescue disk.  So I am not sure her computer is safe or not. IF is actually true Kaspersky will find and SEP wont.

    I am operating on a Mac w/ SEP 12.1.671 so not too worried about my system picking up something from hers but still would like to know for either system (MS or MAC) how do I tell if the virus defs will identify something that is KNOWN TO EXIST on another  network that we HAVE TO INTERFACE with?

 

Quickest way is to upload the suspect executable to https://www.virustotal.com This site checks the executable against over 40 AV vendors to see who can and cant detect it.

thanks very much for the quick reply.  but I am not sure you read what I wrote.

 

I dont work for the school - I dont know that my or my wife's computer is actually infected or not (I believe not). So I DONT HAVE THE EXE file to give to Norton.

  

I dont want to uninstall SEP to run some other software; and then re-install SEP; I just want to be sure I am protected by what I have.

because we dont have any choice but for her to keep connecting to their infected once and 'theoretically cleaned" system every time she goes to work.

The problem with this is if Symantec doesn't have definitions for it than you need to use something else.

Try the Symantec Power Eraser, it's free and works in conjunction with SEP

http://www.symantec.com/security_response/malware.jsp

You can also use second opinion scanners such as Malwarebytes or Hitman Pro which are also free. They can be installed along side AV software as they are only second opinion scanners and don't monitor real time like traditional AV software.

 

Brian,  Thanks.  Those are good tips.

 

But still - my original ?? stands unanswered.  How do I tell if this particular virus is in the SEP defs or not?

The school IT guy says it isnt - but I would rather see it myself or hear from Symantec officially (on website def list, in this forum, however ??)

Search the Threat Explorer, specifically search the virus name on the Threats, Risks, and A-Z tabs at the top.

This doesn't mean this particular one has a definition yet. There are multiple variants which come turn up all the time. Judging by the names the virus is using this sounds like W32.Changeup. However, I know this virus is constantly changed to evade AV detection. So yes, Symantec knows about it and has definitions for many variants but if a new variant just came out than it may take a few hours for Symantec to update the definition set for this particular one.

See the technical details on W32.Changeup here:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2

The same file names are mentioned. Also check the Removal tab as it shows you how to remove.

Hi PatsfansGumby,

There's no way to determine if a vendor detects a specific virus based on its name.  Each of the virus families has thousands of variants.  The bad guys write these variants with little differences deliberately to try to evade security measures.

Brian81's advice about virustotal.com is excellent- keep in mind, though, that VT is not always up-to-date/accurate, and that SEP components VT does not use in their tests (IPS, PTP, etc) can also catch threats.

If your wife runs the SymHelp tool with load point diagnostics, it should do a pretty good job of identifying any suspicious files that are on that network.  That tool can provide the suspicious files' unique hashes, too, for online searches. Here is a link:

Using SymHelp, How to collect Full Support Logs for Symantec Support.
https://www-secure.symantec.com/connect/articles/using-symhelp-how-collect-full-support-logs-symantec-support
 

Hope this helps!

Thanks.

appreciate the link - Sym. tool.   

Also, as an official Symantec-employee - can you say is there a 'scanner-only'/ 2nd opinion virus-software product that co-exists with SEP better than the others?   

 

The Power Eraser recommended above is a great tool.  It's built into SymHelp but needs to be run / does not run every time by default. 

One big point: is that network on SEP 11 or SEP 12.1?  There is a very big difference.  SEP 12.1 introduced Insight/Reputation technology which is extremely effective at detecting new malicious files.   SEP 12.1 + IPS definitions + the heuristic PTP components provide far more protection than an old AV-only SEP 11.

Sorry, cant answer that question (network AV).

My wife is just a part-time teacher (user) and not that IT knowledgeable (she is unsure what they have loaded ).  I have no connection to the school or the IT guy (who is actually the math teacher and only 'additional responsibility' to do IT) to ask specific questions 1:1.

I know they have a horrible mix of both hardware and software (operating XP, Vista & W7 and  office 2003, 2007, & 10 on various machines simultaneously); so my goal is just to make sure they dont transport anything through my wife's uSb onto our home network.  So it would surprise me a bit if they said they actually had SEP 12.1.