Endpoint Protection

  • 1.  Infections that won't go away. Patch needed, maybe? Please help!

    Posted Jan 29, 2010 10:00 AM
    I apologize if this post goes long; I just want to make sure I include as much information as possible.

    I have been battling a couple of viruses lately that just won't go away. There have been 3 in total, but I reinstalled Windows to get one of them to go away. I really would prefer not to have to go through that again if possible. That is why I am turning to you all.

    We had a desktop that kept getting bombarded with "Bloodhound.Exploit.213." If I recall, the files that were being flagged were all in the folder C:\Users\UserID\AppData\Local\Temp. According to Symantec documentation, all you needed to do was update virus definitions and do a full scan. This never cleaned the system. It would remove the file, but the problems returned almost immediately. I tinkered with this for a long time and finally had enough and reinstalled Windows etc.

    I am having almost the very same symptoms on 2 other desktops. However, Symantec is labeling the viruses differently. One is "Trojan Horse," and the other one is "Trojan.Malscript!html." They both act very similar.

    Here is the deal. When the user logs on to the computer, they get the AutoProtect pop-up saying that Trojan.Malscript!html or Trojan Horse has been found. The files are always .tmp files in the C:\Users\UserID\AppData\Local\Temp folder. A couple of examples of the file names are DWHD4EC.tmp, DWH84E9.tmp, and DWH14D9.tmp. And we are not talking just a few files; we are talking thousands. If you use Windows Explorer and watch that folder, you can see them just coming in every couple of seconds. I have run full scans with Symantec in normal Windows and safe mode with no luck.

    I "think" I remember reading someplace about Symantec and false positives in the Temp folder, and there being a patch, but I am not sure. I saw the post about the upgrade to 11.0.5002.333 here. I am not sure if we can install this on our clients or not. Currently I am running 10.2.0.276.

    If anyone can help point me in the right direction I would be very happy!

    Thank you for your time,

    Mike
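    The symptom above (a stream of DWH*.tmp files appearing in the user's Temp folder every few seconds) is easy to measure before deciding what to do about it. The script below is an added triage helper, not code from this thread or from Symantec; it assumes only the file-name pattern quoted in the post (DWH followed by hex-looking characters, with a .tmp extension) and reports how many such files exist, how many were touched in the last minute, and whether new ones appear while you watch. It does not identify the cause; it gives you a number to compare against the "thousands, every couple of seconds" description and to check again after a fix is applied.

```python
"""Triage helper: measure churn of DWH*.tmp files in a user's Temp folder."""
import os
import tempfile
import time
from pathlib import Path


def find_dwh_tmp_files(temp_dir):
    """Return every regular file in temp_dir whose name looks like DWH*.tmp.

    The pattern is taken from the names quoted in the thread (DWHD4EC.tmp,
    DWH84E9.tmp, DWH14D9.tmp); matching is case-insensitive because
    Windows file names are."""
    temp = Path(temp_dir)
    if not temp.is_dir():
        return []
    return sorted(
        p for p in temp.iterdir()
        if p.is_file()
        and p.name.upper().startswith("DWH")
        and p.suffix.lower() == ".tmp"
    )


def churn_summary(temp_dir, window_seconds=60, now=None):
    """Summarise DWH*.tmp activity in temp_dir.

    Returns the total count, how many were modified inside the last
    window_seconds, and the implied creation rate per minute.  `now` can be
    pinned by a caller that wants deterministic results."""
    now = time.time() if now is None else now
    files = find_dwh_tmp_files(temp_dir)
    recent = [p for p in files if now - p.stat().st_mtime <= window_seconds]
    rate = len(recent) * 60.0 / window_seconds if window_seconds > 0 else 0.0
    return {"total": len(files), "recent": len(recent), "per_minute": rate}


def watch_new_files(temp_dir, interval_seconds=10):
    """Take two snapshots interval_seconds apart and return the names that
    appeared in between.  A non-empty result means files are still being
    created while you watch, which is what the poster describes."""
    before = {p.name for p in find_dwh_tmp_files(temp_dir)}
    time.sleep(interval_seconds)
    after = {p.name for p in find_dwh_tmp_files(temp_dir)}
    return sorted(after - before)


def make_sample_dir():
    """Build a constructed sample Temp folder for offline testing: three
    DWH*.tmp files (one an hour old) plus two unrelated files that must be
    ignored.  Contents are placeholder bytes, not real quarantine data."""
    d = Path(tempfile.mkdtemp(prefix="sep_triage_"))
    for name in ("DWHD4EC.tmp", "DWH84E9.tmp", "DWH14D9.tmp",
                 "notes.txt", "dwh.log"):
        (d / name).write_bytes(b"constructed sample content")
    stale = time.time() - 3600
    os.utime(d / "DWH14D9.tmp", (stale, stale))
    return d


if __name__ == "__main__":
    # Default to the current user's Temp folder (%TEMP% on Windows).
    target = os.environ.get("TEMP") or tempfile.gettempdir()
    summary = churn_summary(target)
    print(f"{target}: {summary['total']} DWH*.tmp files, "
          f"{summary['recent']} touched in the last minute "
          f"(~{summary['per_minute']:.0f}/min)")
    fresh = watch_new_files(target)
    print(f"new in the last 10 s: {len(fresh)}")
```

Run it once as the affected user before any clean-up and once afterwards; a rate that drops to zero after the change you made (definitions, quarantine clean-out or upgrade) is the evidence that the change actually addressed the churn rather than just the most recent alert.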


  • 2.  RE: Infections that won't go away. Patch needed, maybe? Please help!

    Posted Jan 29, 2010 10:24 AM


    As far as upgrading to SEP RU 5 11.0.5002.333 is concerned, you can upgrade. However, please do remember that, unlike SAV, you will have to install SEP, i.e. Symantec Endpoint Protection, on the server which has the SEPM installed. Merely installing the SEPM console does not protect the server from threats. (You will need to install SEPM (Symantec Endpoint Protection Manager) in case you want to go in for managed clients. For unmanaged clients you will in any case install SEP on all the clients.)

    For the removal of Bloodhound.Exploit.213, please refer to the link below.

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-110718-2219-99


    Please ensure that you have the latest virus definitions installed.


  • 3.  RE: Infections that won't go away. Patch needed, maybe? Please help!

    Posted Jan 29, 2010 10:50 AM
    Most likely this is what you are seeing:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548

    Clearing out the quarantine in safe mode should help in case you're not able to upgrade at this time.


  • 4.  RE: Infections that won't go away. Patch needed, maybe? Please help!

    Posted Jan 29, 2010 11:59 AM
    Yes, I believe so. I am currently on hold with Support to start the upgrade process. I am a little discouraged, though, as I just learned that the person holding the longest has been holding for 1 hour 50 minutes. Sigh... Thanks!


  • 5.  RE: Infections that won't go away. Patch needed, maybe? Please help!

    Posted Jan 29, 2010 01:09 PM
    What I usually do is remove the hard drive and install it as a slave hard drive in a clean computer and scan the slave hard drive. If Symantec does what it is supposed to do, it should find the virus, although it won't clean the registry of that infected hard drive.
    When done, put the hard drive back in the original computer, turn it on but do not connect it to the network, then see if the infection has been removed. Eventually update the definitions, then scan or use a removal tool to clean the registry.
    In my opinion, Symantec Endpoint Protection or SAV don't fully protect computers. I have computers that have been hit by viruses/spyware although they are up to date. Currently I'm trying to kill a spyware that drops a file named totewazu.dll and adds itself to the registry to start automatically.


  • 6.  RE: Infections that won't go away. Patch needed, maybe? Please help!

    Posted Jan 29, 2010 01:55 PM
    I finally got a support guy on the line and he is telling me that I can't upgrade unless I clean the computer first. I am pretty sure I am having the problem listed here: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548 and the solution is to upgrade. I don't get it. Maybe I am not relaying my issue clearly to the tech?

    I just need assistance in upgrading. I want to upgrade to the latest edition that I can.