Endpoint Protection


Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

  • 1.  Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 20, 2009 11:07 PM
    Dear all friends,

    A few months ago my network was attacked by W32.Downadup.B. It is already solved now, but I wonder why the email alert is still sent to the administrator email every time the client starts Windows.
    I already tried to scan the client and no virus was found. This happens only on one client. The email notification is as follows:

    Alert: Virus Found
    Computer: PLM02
    Date: 04/13/2009
    Time: 07:54:23 AM
    Severity: Critical
    Source: Symantec AntiVirus Corporate Edition
    User:
    Virus Name : W32.Downadup.B


    We cannot see the user in the message. Does anyone have a solution or suggestion?

    Regards,
    Rudianto


  • 2.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 12:24 AM
    Do you see the notification in the SPM as well? Have you checked the logs on the mail server?


  • 3.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 12:39 AM
    What was the action of SEP (AV) on the infection: was it quarantined, deleted, or left alone?

    Double check also the Risk Log on the client side.


  • 4.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 12:45 AM
    Sorry, what is the SPM you mean? We use SAV version 10.0 in my network.

    Thanks & Regards,
    Rudianto


  • 5.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 12:50 AM
    Dear Rudi,

    For a few months my organization's network has been infected with W32.Downadup.B, and Symantec (11.0.4000.2295) takes the action "deleted", but every day it shows the infection on the same clients (about 30 to 40 clients) in the network.

    This infection shows at the following paths:

    C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/KX8ZEX2V/umpt[1].png

    C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/KX8ZEX2V/dtjpta[1].bmp

    C:/WINDOWS/system32/x

    Please guide me to resolve this problem.

    Thanks for your great help in advance.

    Regards,
    KAILAS

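As an added example (not from the thread and not Symantec's code), the following Python parses alert e-mails in the format quoted in post 1 and does the triage posts 1 and 5 call for: it groups detections by computer and risk name to find hosts that keep re-alerting on successive days, and lists alerts whose User field is blank. The alert bodies, host names and user name are constructed for the example.

```python
"""Triage Symantec AntiVirus 'Virus Found' alert e-mails (example code,
not Symantec's). Groups alerts by computer and risk name and flags hosts
that re-detect the same risk on several different days, which points to
a reinfection source rather than a one-off detection."""
import re
from collections import defaultdict
from datetime import datetime

# One "Key: Value" per line. The key has no digits, so "Time: 07:54:23 AM"
# splits on its first colon, and "Virus Name : X" tolerates the space.
# Only spaces/tabs are skipped, so a blank value ("User:") stays on its line.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?)[ \t]*:[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def parse_alert(text):
    """Return the alert fields as a dict with lower-case keys; an empty
    value such as 'User:' is kept as '' rather than dropped."""
    return {k.strip().lower(): v for k, v in FIELD_RE.findall(text)}


def recurring_hosts(alerts, min_days=2):
    """Map (computer, risk) -> sorted distinct detection dates for pairs
    seen on at least min_days different days."""
    days = defaultdict(set)
    for a in alerts:
        day = datetime.strptime(a["date"], "%m/%d/%Y").date()
        days[(a["computer"], a["virus name"])].add(day)
    return {k: sorted(v) for k, v in days.items() if len(v) >= min_days}


def alerts_without_user(alerts):
    """Alerts whose User field is blank, i.e. no logged-on user recorded."""
    return [a for a in alerts if not a["user"]]


def make_alert(computer, date, time, user, risk):
    """Build a constructed alert body in the format quoted in the thread."""
    return (f"Alert: Virus Found\nComputer: {computer}\nDate: {date}\n"
            f"Time: {time}\nSeverity: Critical\n"
            f"Source: Symantec AntiVirus Corporate Edition\n"
            f"User: {user}\nVirus Name : {risk}\n")


# Constructed samples: PLM02 alerts at every boot for three days with no
# user recorded; ACCT07 alerts once with a logged-on user.
SAMPLE_ALERTS = [
    make_alert("PLM02", "04/13/2009", "07:54:23 AM", "", "W32.Downadup.B"),
    make_alert("PLM02", "04/14/2009", "08:01:10 AM", "", "W32.Downadup.B"),
    make_alert("PLM02", "04/15/2009", "07:58:02 AM", "", "W32.Downadup.B"),
    make_alert("ACCT07", "04/13/2009", "10:20:45 AM", "jdoe", "W32.Downadup.B"),
]

if __name__ == "__main__":
    parsed = [parse_alert(t) for t in SAMPLE_ALERTS]
    print(recurring_hosts(parsed, min_days=3), len(alerts_without_user(parsed)))
```

Hosts returned by recurring_hosts are the ones to check for a reinfection source (a persistent file, a share, or autorun media) rather than re-scanning once more.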

  • 6.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 01:38 AM
    Hi Kailas, please see the attached Symantec writeup about Downadup.

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99


  • 7.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 02:17 AM
    Dear Kailas,

    We did these steps to clean our network from the Downadup virus:

    1. Disable autorun services on all PCs; you can follow the instructions from this link to disable the services from your server:

        http://www.labnol.org/software/tutorials/secure-computer-disable-autorun/6698/

    2. Run the Windows security update on all client and server PCs; you can download it from this link:

        http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    3. Confirm that your virus definitions are updated on all server and client PCs.

    4. Run a full scan on all server and client PCs.

    Regards,
    Rudianto


  • 8.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 06:29 AM
    Dear Paul,

    I'm sorry for the late reply. I checked the Symantec antivirus and I wonder about this: I found different logs (risk log, history log,
    and event log) when I log in as administrator and as user. We cannot find the action for Downadup.B in the user log, but in the admin log we can see it completely, and in the admin log it says that the virus action is quarantined, but when I checked it I cannot find it.

    Do you have any suggestion?
    Thanks & Regards,
    Rudianto


  • 9.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 06:34 AM
    I'm not sure about the last file, but the first 2 definitely came from the internet. If you can see which sites a user visits and test them, you'll get the infection alert.
    It will be quarantined but the file will reappear whenever the user visits that site with the infected files.


  • 10.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 10:03 AM
    Sorry, I was thinking that this was a SEP 11 case.

    Thomas


  • 11.  RE: Symantec antivirus still sent alert message email to administrator (w32.downadup.b)

    Posted Jul 21, 2009 10:15 AM
    Have you turned off your System Restore? If so, try to have a full scan again, then monitor how it goes, delete all the temporary internet files and then reboot your PC. Before I forget, disable all the startup items.