Endpoint Protection

  • 1.  [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 01, 2018 04:08 AM

    Hello


    We have a machine on our network that is getting the following message from Symantec EPP:


    [sid: 30253] system infected: bitcoinminer activity 6 detected


    A full system scan has been run using SEPP, Norton Power Eraser and Malwarebytes... Nothing is found / removed. System Restore has been turned off.


    I've looked on the Symantec website but can't seem to find much on the issue. Any advice would be appreciated.



  • 2.  RE: [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 01, 2018 11:49 AM

    At this point, unless you try a third-party scanner, you're probably best off wiping the machine and building it from scratch. It very well could be a browser add-in or coming from a legit process that was injected with the malware, which can be very difficult to remove.



  • 3.  RE: [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 02, 2018 04:31 AM

    Hi Brian

    It seems severe to have to wipe a machine to remove it. How come the Symantec software is unable to remove it despite being aware of it?




  • 4.  RE: [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 02, 2018 06:52 AM

    At this point SEP doesn't have a signature to detect it, nor does it seem its advanced capabilities can detect it. I'll assume you're running SEP 14 and it's configured correctly though.

    Also, malware will inject itself into legitimate Microsoft processes or bury itself deep into the OS which can make things difficult to detect.



  • 5.  RE: [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 05, 2018 03:35 AM

    Fair enough. Cheers anyway dude.



  • 6.  RE: [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 05, 2018 12:30 PM

    Hi Steve Re,

    Have you run a SymDiag with Threat Analysis Scan and asked for Tech Support's assistance?

    Some miners use PowerShell and other valid built-in tools. Tech Support can provide expertise to determine what process is responsible for the IPS alerts you mention and how best to react.




  • 7.  RE: [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 05, 2018 04:56 PM

    Look at the source application in the IPS log. If the "attacker's" application is iexplorer or any other browser, it's just a random web-based bitcoin script that has been blocked.

    I see these all the time. Nothing you can do about it.
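As an added triage example (not part of this thread, and not Symantec's tooling), the following PowerShell script does the check the two replies above describe on the affected endpoint: it maps every established TCP connection to its owning process, parent, command line and CPU time, and flags the two cases discussed, a browser (the blocked web-based miner script case) and a script host such as PowerShell running with an encoded or hidden command line (the "miners use built-in tools" case). The process-name lists, the suspicious-command-line patterns and the verdict wording are assumptions of mine, not Symantec's classification of this IPS signature; the script is meant to tell you which process to hand to Tech Support, not to confirm an infection by itself.

```powershell
# Added triage example (not from the thread or from Symantec). Lists each
# established TCP connection with its owning process and flags likely
# sources of a "BitcoinMiner Activity" IPS hit. Name lists and regexes below
# are assumptions for illustration, not vendor-provided indicators.

$Browsers    = 'chrome','firefox','iexplore','msedge','microsoftedge','opera','brave'
$ScriptHosts = 'powershell','pwsh','wscript','cscript','mshta','regsvr32','rundll32','msbuild'

# Index all processes by PID so owner and parent can be resolved cheaply.
$procByPid = @{}
foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    $procByPid[[int]$p.ProcessId] = $p
}

function Get-BaseName([string]$Name) {
    if (-not $Name) { return '' }
    return ([System.IO.Path]::GetFileNameWithoutExtension($Name)).ToLowerInvariant()
}

function Get-Verdict($Proc) {
    $base = Get-BaseName $Proc.Name
    $cmd  = [string]$Proc.CommandLine
    if ($Browsers -contains $base) {
        return 'browser: likely a blocked web-based miner script; check open tabs and add-ons'
    }
    if ($ScriptHosts -contains $base) {
        # Encoded/hidden PowerShell or scripts fetched from a URL deserve a closer look.
        $suspicious = '(?i)\s-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|DownloadString|\biex\b|https?://'
        if ($cmd -match $suspicious) {
            return 'script host with suspicious command line: capture and decode it'
        }
        return 'script host: inspect command line and parent'
    }
    if (-not $Proc.ExecutablePath) {
        return 'no executable path: possible injected or unbacked process'
    }
    return 'review: unrecognised process'
}

$rows = foreach ($c in Get-NetTCPConnection -State Established) {
    $owner = $procByPid[[int]$c.OwningProcess]
    if (-not $owner) { continue }
    $parent     = $procByPid[[int]$owner.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '?' }
    # Miners burn CPU; total CPU seconds helps rank candidates.
    $cpu = (Get-Process -Id $owner.ProcessId -ErrorAction SilentlyContinue).CPU
    [PSCustomObject]@{
        PID         = $owner.ProcessId
        Process     = $owner.Name
        Parent      = $parentName
        Remote      = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
        CPUSeconds  = [math]::Round([double]$cpu, 1)
        Verdict     = Get-Verdict $owner
        Path        = $owner.ExecutablePath
        CommandLine = $owner.CommandLine
    }
}

$rows | Sort-Object CPUSeconds -Descending |
    Format-Table PID, Process, Parent, Remote, CPUSeconds, Verdict -AutoSize

# Full path and command line for anything not judged a browser, for the support case.
$rows | Where-Object { $_.Verdict -notlike 'browser*' } |
    Select-Object PID, Process, Parent, Path, CommandLine | Format-List
```

Run it from an elevated PowerShell session on Windows 8 / Server 2012 or later (Get-NetTCPConnection is not available on Windows 7, and command lines of other users' processes are only readable as administrator). Run it while the IPS alert is firing, since a miner that has already been killed by the IPS block will not show a connection. Compare the flagged PID against the source application shown in the SEP Network Threat Protection log; a match on a browser supports the "blocked web script" reading, while a PowerShell or other script host with an encoded command line is what you want to include in the SymDiag you send to Tech Support.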



  • 8.  RE: [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 06, 2018 05:04 AM

    BTW...

    A full system scan has been run using SEPP, Norton power eraser and Malwarebytes

    Don't run more than one file-scanning AV product on a computer at a time.  They can conflict.  Uninstall all but one!



  • 9.  RE: [sid: 30253] system infected: bitcoinminer activity 6 detected

    Posted Feb 08, 2018 06:46 AM

    Hi Steve Re,

    Just a ping to see if there is anything new to report?  The thread is still marked "Thread Needs Solution".