Endpoint Protection

  • 1.  How to make SEP11 detect and remove "WS.Reputation.1" ???

    Posted Sep 15, 2010 08:06 AM

    I have some users infected with malware that uses the autorun feature. It basically uses 4 files:

    autorun.inf 488 bytes

    desktop.ini 62 bytes

    rundll.exe 139.264 bytes

    system.exe 57,625 bytes

    I've sent those files to Virustotal.com and, according to their reports, Symantec is able to detect it as "WS.Reputation.1", but in my environment SEP11 DOES NOT detect or remove it!?!?!

    Is there a setting I should enable to use those detections by reputation??

    Anyway, I've sent the files to Symantec Security Response; the tracking numbers are #17423521 and #17423487.

     

    Thanks for replying

     

     



  • 2.  RE: How to make SEP11 detect and remove "WS.Reputation.1" ???

    Posted Sep 15, 2010 08:25 AM

    If it is being detected in VirusTotal, then download and use the Rapid Release definitions and it will get detected.

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    The files you have mentioned above are used by threats to spread/infect; however, they themselves are not viruses, they are system files.



  • 3.  RE: How to make SEP11 detect and remove "WS.Reputation.1" ???

    Posted Sep 15, 2010 01:01 PM

    File: C:\FTP\vi\system.exe

    Determination: This file will be detected as 'Trojan Horse, ' with a forthcoming Rapid Release definition set. Protection will be available in Rapid Release definitions with a sequence number of 115018 or greater.

     

    File: rundll.exe

    Determination: This file will be detected as 'W32.Pilleuz, ' with a forthcoming Rapid Release definition set. Protection will be available in Rapid Release definitions with a sequence number of 115018 or greater.

     

    autorun.inf is a malformed autorun.inf file which is used by a malicious program. You should delete this

    Desktop.ini is not malicious itself, but may be an artifact of a threat.

     

    I've just applied the latest Rapid Release set and the malicious files were detected and removed. :)

    The funny thing here is that Symantec was able to detect it before (WS.Reputation.1) but didn't clean it up.
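
Added example, not part of the original posts and not Symantec code: a read-only Python triage of a drive root for the pattern described in this thread. It parses a padded or malformed autorun.inf, resolves the programs its `open`, `shellexecute` and `shell\...\command` keys reference, and reports size and SHA-256 for each so the files can be submitted for analysis. The sample autorun.inf content and the function names are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# autorun.inf keys whose value is a command line Windows may run.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)
KEY_VALUE = re.compile(r"^\s*([^=;\[\]]+?)\s*=\s*(\S.*?)\s*$")

# Constructed sample: junk padding around the real keys, as in a malformed file.
SAMPLE = (
    "xJq29dkfjLLw\r\n[AutoRun]\r\n;qpwoeiruty\r\nopen=system.exe\r\nzzzz11=\r\n"
    "shell\\open\\command = \"rundll.exe\" -x\r\nShellExecute=system.exe\r\n"
)

def autorun_targets(text):
    """Return program names referenced by executable keys, skipping junk lines."""
    targets = []
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m or not EXEC_KEY.match(m.group(1)):
            continue  # padding, comments, section headers, empty values
        value = m.group(2)
        # The program is the first token; it may be quoted.
        name = value.split('"')[1] if value.startswith('"') else value.split()[0]
        if name and name not in targets:
            targets.append(name)
    return targets

def triage(root):
    """List (name, size, sha256) for autorun.inf and each file it references."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    raw = inf.read_bytes()
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if bom else "latin-1", "replace")
    report = []
    for name in ["autorun.inf"] + autorun_targets(text):
        path = root / name.replace("\\", "/")
        if path.is_file():
            data = path.read_bytes()  # read only, never execute
            report.append((name, len(data), hashlib.sha256(data).hexdigest()))
        else:
            report.append((name, None, None))  # referenced but missing
    return report

if __name__ == "__main__":
    import sys
    for row in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(row)
```

Run it with the drive root as the only argument; a row with `None` for size and hash means autorun.inf references a file that is no longer present.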



  • 4.  RE: How to make SEP11 detect and remove "WS.Reputation.1" ???
    Best Answer

    Posted Sep 15, 2010 06:39 PM

    If you have anything detected as WS.Reputation in VirusTotal, it is best to have it submitted to us for further analysis.
    The WS.Reputation flag simply says "this file is not known to be a good file".

    For proper detection and remediation, we need a Symantec analyst to check and def the file if it is proven to be malicious.

    Hence what Vikram is saying above is partially correct.

    More reading at :

    http://208.74.204.196/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-detection/td-p/232155