Endpoint Protection


SEP not catching Malware


  • 1.  SEP not catching Malware

    Posted Nov 12, 2014 01:31 AM

    Hello all, we have recently deployed the FireEye (Advanced Persistent Threat) Web MPS solution. It has reported that our network is infected with the latest malware; a number of laptops/desktops are infected with this malware, which is creating callbacks to its CnC (Command & Control) servers.

    Moreover, those laptops/desktops have the latest SEP 12.1.4 installed with updated definitions. I would appreciate it if you could let me know what course of action we should adopt to clean/fix our endpoints of this malware.

    Attachment(s)

    pdf
    Malware Summaries.pdf   47 KB 1 version


  • 2.  RE: SEP not catching Malware

    Posted Nov 12, 2014 01:37 AM

    You can submit the file for analysis here:

    http://www.symantec.com/security_response/submitsamples.jsp

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team

    https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante



  • 3.  RE: SEP not catching Malware

    Posted Nov 12, 2014 01:40 AM

    Run SymHelp and submit the report to Symantec Security Response.

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    Article:TECH215519  |  Created: 2014-03-03  |  Updated: 2014-07-10  |  Article URL http://www.symantec.com/docs/TECH215519


  • 4.  RE: SEP not catching Malware

    Posted Nov 12, 2014 01:47 AM

    James, thanks for your reply, but doesn't the SEP IPS component usually detect malicious network activity or botnets in the network?



  • 5.  RE: SEP not catching Malware

    Posted Nov 12, 2014 01:49 AM

    The problem is that FireEye can detect the presence of malicious malware and activity on the infected machines, but why isn't SONAR or even IPS detecting and catching it?



  • 6.  RE: SEP not catching Malware

    Posted Nov 12, 2014 01:50 AM

    For the list of malware attached to the post, doesn't Symantec already have signatures for these threats in its database, so that it can detect and block them appropriately?



  • 7.  RE: SEP not catching Malware

    Posted Nov 12, 2014 01:55 AM

    See this:

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec Endpoint Protection does not

    Article:TECH98929  | Created: 2000-01-06  | Updated: 2014-02-14  | Article URL http://www.symantec.com/docs/TECH98929


  • 8.  RE: SEP not catching Malware

    Posted Nov 12, 2014 02:31 AM

    Any more information on this? Do I need to run the SymHelp tool on the affected machines and then upload the result/diagnostics to Symantec Support for analysis?



  • 9.  RE: SEP not catching Malware

    Posted Nov 12, 2014 03:00 AM

    You can scan and check the result.



  • 10.  RE: SEP not catching Malware

    Posted Nov 12, 2014 03:02 AM

    Running a full virus scan on the computer, or running a scan via the SymHelp tool? Regards



  • 11.  RE: SEP not catching Malware

    Posted Nov 12, 2014 03:03 AM

    The SymHelp tool.



  • 12.  RE: SEP not catching Malware
    Best Answer

    Posted Nov 12, 2014 06:29 AM

    These posts are all well and good but they don't address being proactive. What are you doing to be proactive and not reactive to this?

    Do you have all the components enabled and fully utilized? Are they not set at just the defaults? SEP does a good job, but it won't catch everything, so being able to utilize FireEye is a nice extra layer which allows you to get those machines cleaned. Don't forget FireEye is pretty advanced. Are you following best practices and recommendations?


    Security Response recommendations for Symantec Endpoint Protection 12.1 settings

    http://www.symantec.com/docs/TECH173752

    Security Best Practice Recommendations

    http://www.symantec.com/docs/TECH91705

    Symantec Endpoint Protection – Best Practices

    http://www.symantec.com/page.jsp?id=stopping_malware



  • 13.  RE: SEP not catching Malware

    Posted Nov 12, 2014 06:53 AM

    Yes, all components are installed. The problem with FireEye is that it does not provide remediation for this.



  • 14.  RE: SEP not catching Malware

    Posted Nov 12, 2014 07:57 AM

    Correct. It only does detection.

    That's fine that they're installed, but how are the components configured? More aggressively?

    Do you use application and device control, or system lockdown?



  • 15.  RE: SEP not catching Malware

    Posted Nov 12, 2014 09:38 AM

    They are configured moderately; standard default AP policies are configured. System lockdown is not in place.



  • 16.  RE: SEP not catching Malware
    Best Answer

    Posted Nov 13, 2014 07:59 AM

    Hi Outrageous,

    Thanks for the post.  Network monitoring tools like the one you mention can be a great benefit to an organization.  They can provide excellent leads toward identifying infected computers, suspicious traffic, and so on.

    One consideration: that's a different vendor's product, so it has different criteria about what traffic is considered malicious/suspicious. Traffic from what many vendors would consider Potentially Unwanted Applications gets flagged by some of these network monitoring tools: Symantec is often aware of those programs, but they do not meet our criteria for being called malicious. An example: connections to streaming sports video sites, sites that host gaming/gambling software downloads, etc. might be flagged as "unwanted/block" by some network monitoring products but intentionally ignored by SEP.

    Definitely look into the endpoints which are highlighted by that tool, and run SymHelp with the Threat Analysis Scan there. Submit any files that are considered suspicious by Symantec's tool.

    Here are some good recommendations on how to tune SEP for advanced security:

    Security Response recommendations for Symantec Endpoint Protection 12.1 settings
    Article URL http://www.symantec.com/docs/TECH173752

    Hope this helps!

    Mick
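The network sensor reports which host is calling back and to where, but not which process on that host owns the connection, and that process (or the file behind it) is what you would feed to SymHelp or submit for analysis. As an added example, not part of this thread or of any vendor's tooling, the PowerShell below is run on a flagged endpoint to map the reported callback destinations to local PIDs and executable paths. It parses `netstat -ano` rather than `Get-NetTCPConnection` so that it also works on Windows 7 era hosts; the destination list is a constructed placeholder in RFC 5737 documentation ranges and must be replaced with the addresses from your own alert. Run it from an elevated prompt, otherwise the image path of processes owned by other users is not readable.

```powershell
# Added example: find which local process owns connections to reported callback destinations.
# $SuspectDestinations is a constructed placeholder; substitute the IPs from your sensor's alert.
$SuspectDestinations = @('198.51.100.23', '203.0.113.77')   # constructed, RFC 5737 ranges

# Parse "netstat -ano" into objects. TCP lines carry a State column, UDP lines do not.
$connections = netstat -ano | Select-String -Pattern '^\s*(TCP|UDP)\s' | ForEach-Object {
    $fields = ($_.Line -split '\s+') | Where-Object { $_ -ne '' }
    if ($fields[0] -eq 'TCP') {
        [PSCustomObject]@{ Proto = $fields[0]; Local = $fields[1]; Remote = $fields[2]; State = $fields[3]; PID = [int]$fields[4] }
    } else {
        [PSCustomObject]@{ Proto = $fields[0]; Local = $fields[1]; Remote = $fields[2]; State = ''; PID = [int]$fields[3] }
    }
}

# Keep only connections whose remote address (port stripped) is on the suspect list.
$hits = $connections | Where-Object {
    $remoteIp = $_.Remote -replace ':\d+$', ''
    $SuspectDestinations -contains $remoteIp
}

if (-not $hits) {
    Write-Output "No live connections to the listed destinations right now; re-run during a beacon interval or capture with a scheduled loop."
}

# Resolve each owning PID to a process name and on-disk image path. Access to another
# user's process image requires elevation, hence the catch.
$hits | ForEach-Object {
    $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
    $path = try { $proc.MainModule.FileName } catch { '(access denied or exited)' }
    [PSCustomObject]@{
        PID     = $_.PID
        Process = if ($proc) { $proc.ProcessName } else { '(exited)' }
        Path    = $path
        Remote  = $_.Remote
        State   = $_.State
    }
} | Format-Table -AutoSize
```

Callbacks are often short beacons, so a single snapshot can miss them; wrapping the script in a loop with a sleep of a few seconds, or correlating the alert timestamp with the Windows Filtering Platform or Sysmon network events if those are enabled, gives a much better chance of catching the owning process. The image path it reports is the file to hand to the Threat Analysis Scan and, if SEP has no verdict on it, to the sample submission form linked earlier in the thread.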



  • 17.  RE: SEP not catching Malware

    Posted Nov 13, 2014 08:21 AM

    Please go through the links I posted. You may need to make a few adjustments.



  • 18.  RE: SEP not catching Malware

    Posted Nov 13, 2014 09:54 AM

    Thanks all for your replies.




  • 19.  RE: SEP not catching Malware

    Posted Nov 14, 2014 10:51 PM

    I think we are skirting around the issue here, really!

    SEP is an antivirus product, isn't it? :-)

    SEP (or for that matter any AV) alone will NOT protect your network 100%.

    Antivirus "is dead," says Brian Dye, Symantec's senior vice president for information security.

    Read this: http://online.wsj.com/articles/SB10001424052702303417104579542140235850578

    FireEye (or similar products) is exactly what you want to give that level of insight. Towards the end of the above article, there is mention of FireEye and the infamous Target security breach... read and weep, that's all we can do if you think about how foolish Target was, even after being warned by FireEye.

    And of course, the old New York Times hack by the Chinese, where Symantec had detected and quarantined only one of the 45 malicious files used by the attackers over a three-month period.

    Defence in depth is what's going to save us... if at all that's possible...