Endpoint Protection

  • 1.  HTTP Nukesploit P4ck

    Posted Jul 01, 2010 12:18 PM
    All of my workstations use Symantec Endpoint Protection 11.0.2010.5, and yesterday the Network Threat Protection on one of the workstations kept popping up a message every 2-3 minutes alerting the user about HTTP Nukesploit P4ck. I tried to look up the solution in the Symantec KB and followed the instructions on the Symantec website to troubleshoot the issue; however, none of these troubleshooting methods worked. The infected workstation runs Windows XP with SP3 and IE 8. I disabled Windows XP System Restore and performed a full system scan in safe mode, but the antivirus software didn't find any viruses or spyware. I ran CCleaner to fix the changes or errors in the registry, but that still didn't help. My Symantec Endpoint Protection definitions are all up to date. I believe I've tried all possible troubleshooting methods so far but still haven't removed that HTTP Nukesploit P4ck message. If someone has encountered the same problem and knows the solution, could you please advise? Thank you very much!
    
    Here's the full message that I got from Symantec Endpoint Protection.
    
    [SID: 23363] HTTP Nukesploit P4ck Activity detected.
    Traffic has been blocked from this application: C:\WINDOWS\system32\svchost.exe


  • 2.  RE: HTTP Nukesploit P4ck

    Posted Jul 01, 2010 12:32 PM
    It's warning you about an attack where an attacker uses a specific pattern to target the vulnerability; it's not a virus that could be found by a scan.
    You need to check the source and the IP. Sometimes it might be false, so just check where it's coming from.
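    One way to do the "check where it's coming from" step, as an added example that is not part of the original thread: the SEP message only names svchost.exe, so collect `netstat -ano` and `tasklist /fo csv` on the affected XP box at the moment the alert fires, then match the svchost PIDs to their remote peers and separate LAN addresses from outside ones. The two samples below are constructed (documentation-range addresses, made-up PIDs), not output from the poster's machine, and the "internal" ranges are an assumption you should adjust to your own network.

```python
import csv
import io
import ipaddress

# Constructed sample of "netstat -ano" output from a Windows XP host.
# Not captured from the poster's machine; the addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.168.1.25:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.25:1042      203.0.113.17:80        ESTABLISHED     1068
  TCP    192.168.1.25:1043      192.168.1.10:445       ESTABLISHED     4
  TCP    192.168.1.25:1044      198.51.100.9:8080      SYN_SENT        1068
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of "tasklist /fo csv" output taken at the same moment.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","980","Console","0","4,892 K"
"svchost.exe","1068","Console","0","22,140 K"
"iexplore.exe","1500","Console","0","38,016 K"
"""

# Assumed "inside" ranges: RFC 1918, loopback, link-local. Anything else is a
# peer to look up before deciding the IPS alert is a false positive.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_tasklist(csv_text):
    """Map PID -> lower-cased image name from 'tasklist /fo csv' output."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["PID"]): row["Image Name"].lower() for row in reader}


def parse_netstat(netstat_text):
    """Yield (proto, local, foreign, state, pid) from 'netstat -ano' output.
    UDP rows carry no State column, so the state is read positionally only for TCP."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" and len(parts) >= 5 else ""
        yield parts[0], parts[1], parts[2], state, int(parts[-1])


def split_endpoint(endpoint):
    """Turn 'ip:port' into (IPv4Address, port); None for '*:*' or anything unparsable."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or host in ("", "*"):
        return None
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return None


def remote_peers(netstat_text, tasklist_csv, image="svchost.exe"):
    """Every non-listening connection owned by a process named `image`,
    as a sorted list of (pid, remote_ip, remote_port, state)."""
    pid_to_image = parse_tasklist(tasklist_csv)
    peers = []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        if pid_to_image.get(pid) != image.lower() or state == "LISTENING":
            continue
        ep = split_endpoint(foreign)
        if ep is None or ep[0].is_unspecified:
            continue
        peers.append((pid, str(ep[0]), ep[1], state))
    return sorted(peers)


def external_peers(peers):
    """Drop peers inside INTERNAL_NETS; what remains is what to compare against
    the address shown in the SEP Network Threat Protection log."""
    return [p for p in peers
            if not any(ipaddress.ip_address(p[1]) in n for n in INTERNAL_NETS)]


if __name__ == "__main__":
    peers = remote_peers(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for pid, ip, port, state in external_peers(peers):
        print(f"svchost.exe pid {pid} -> {ip}:{port} {state}")
```

    Run it on the captured text files rather than the live box; svchost.exe hosts many legitimate services, so the point is to see which specific PID is talking to an outside address and then look at what that PID is hosting (`tasklist /svc`) before concluding anything.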


  • 3.  RE: HTTP Nukesploit P4ck

    Posted Jul 01, 2010 01:09 PM

    Hi Aprilsnow, on another note, you should consider upgrading your clients off that very old SEP build. There are thousands of fixes since version 11.0.2010.5 was released. The latest build is 11.0.6000.562.


    Cheers,
    Thomas


  • 4.  RE: HTTP Nukesploit P4ck

    Posted Jul 01, 2010 01:37 PM
    Update your XP machine with all Updates/Patches available.
    Clear everything in TEMP folders and delete Temp Internet files.


  • 5.  RE: HTTP Nukesploit P4ck

    Posted Jul 01, 2010 01:41 PM
    The signature indicates suspicious traffic, which could indicate a threat that is as yet undetected by the definitions you have.  If Rapid Release defs can't detect it, I would suggest using the Support Tool with Load Point Analysis to see if suspicious files are found.

    Title: 'The Symantec Endpoint Protection Support Tool'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008071709480648

    Title: 'About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009092215125548

    If there are, you can submit them for analysis.

    I second Thomas' recommendation to migrate up off of MR2 MP1 (from May of '08).  I would ensure, though, that the machine is not actually infected, since trying to install AV onto an infected machine is sometimes problematic.

    sandra


  • 6.  RE: HTTP Nukesploit P4ck

    Posted Sep 01, 2010 02:45 AM
    There is a malicious file that runs from the Startup area or C:\Documents and Settings\<userprofile>\<userprofile>.exe
    Have a look there and submit the file ASAP if it's unknown to you.
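    A small checker for the two load points named above (the per-profile Startup folder, and an executable named after the profile), which also hashes whatever it finds so the file can be submitted with its SHA-256 as Sandra suggests in reply 5. This is an added example, not code from the thread or from Symantec's Support Tool. It walks a directory laid out like `C:\Documents and Settings` (point it at the drive mounted from another machine, or at a copy), and the demo tree it builds contains harmless decoy files constructed for the example, not real malware.

```python
import hashlib
import os
import tempfile

# Relative path of a per-profile Startup folder on Windows XP.
STARTUP_REL = os.path.join("Start Menu", "Programs", "Startup")
# Files normally present in a Startup folder that are not load points.
IGNORED_STARTUP = {"desktop.ini"}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(path, reason):
    return {"path": path, "reason": reason,
            "size": os.path.getsize(path), "sha256": sha256_of(path)}


def find_suspect_loadpoints(profiles_root):
    """Walk a 'Documents and Settings'-style root and report, per profile,
    an executable named after the profile (<user>\\<user>.exe) and anything
    sitting in that profile's Startup folder. Each finding carries the path,
    the reason, the size and the SHA-256, ready to quote in a submission."""
    findings = []
    for profile in sorted(os.listdir(profiles_root)):
        pdir = os.path.join(profiles_root, profile)
        if not os.path.isdir(pdir):
            continue
        wanted = profile.lower() + ".exe"
        for entry in os.listdir(pdir):
            full = os.path.join(pdir, entry)
            if entry.lower() == wanted and os.path.isfile(full):
                findings.append(_record(full, "exe named after profile"))
        startup = os.path.join(pdir, STARTUP_REL)
        if os.path.isdir(startup):
            for entry in sorted(os.listdir(startup)):
                full = os.path.join(startup, entry)
                if entry.lower() in IGNORED_STARTUP or not os.path.isfile(full):
                    continue
                findings.append(_record(full, "Startup folder entry"))
    return findings


def build_demo_tree(base):
    """Constructed profile tree with harmless decoy files (not malware), so the
    scanner can be exercised without a real XP disk."""
    root = os.path.join(base, "Documents and Settings")
    for user in ("Administrator", "All Users", "jdoe"):
        os.makedirs(os.path.join(root, user, STARTUP_REL))
    with open(os.path.join(root, "jdoe", "jdoe.exe"), "wb") as f:
        f.write(b"MZ-decoy")
    with open(os.path.join(root, "All Users", STARTUP_REL, "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\n")
    with open(os.path.join(root, "Administrator", STARTUP_REL, "updater.lnk"), "wb") as f:
        f.write(b"decoy-shortcut")
    return root


def run_demo():
    """Build the decoy tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_suspect_loadpoints(build_demo_tree(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['reason']:<24} {f['size']:>6}  {f['sha256'][:16]}...  {f['path']}")
```

    Anything it lists still needs a human look: a shortcut in Startup is often legitimate, so check what the .lnk points at and whether the target is signed before submitting. The Startup folder and the profile-root .exe are only two of many load points; the Run keys and services that the Support Tool's Load Point Analysis covers are not checked here.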