Endpoint Protection


Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

  • 1.  Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 10, 2010 05:23 PM
    Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected
    91.212.226.7 has been disabled.
    How do I get rid of this?


  • 2.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 10, 2010 05:31 PM
    Looks like an IPS detection.  Scan the computer sending the traffic.  If that computer is not on your network, then IPS is doing its job.

    Backdoor.tidserv:
    http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99

    sandra


  • 3.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 10, 2010 05:34 PM
    This could indicate that a system is infected or is not up to date with software patches. This IPS signature directly relates to known vulnerabilities that this risk will attempt to exploit.

    I recommend contacting technical support and opening a case to speak with a technician for further assistance.


  • 4.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 17, 2010 01:14 PM
    I had this whack three of my end user home PCs in the past two weeks, and while Norton or SEP report it, they don't stop it from getting in in the first place, and neither can remove it. All PCs were fully patched and had current Norton or SEP files on them.

    "HTTP Tidserv 2 request detected"

    It would seem that a new variety of this is out in the wild.


  • 5.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 17, 2010 03:06 PM
    The alerts are simply advising you that malicious network activity was detected and blocked.  It does NOT mean that this system is infected.

    If "91.212.226.7" is not on your network, there is nothing more you need to do. If it is, then you need to focus your attention on that machine.  Use SEP Support Tool with Load Point Analysis checked to help determine if there are suspicious items on it.  Contact Support to open a case if you need help interpreting the results.

    sandra


  • 6.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 17, 2010 09:22 PM
    I have 3 computers that are triggering both Tidserv IPS signatures.  On one I thought I had fixed it by finally tracking it back to an injected DLL, but that just slowed it down for a day.  Today I find the computer constantly talking to an IP in Eastern Europe and SEP11 does not find anything wrong with it.  In fact nothing finds anything wrong with it.  Other than the traffic that is generated and sometimes blocked by the IPS, I can't find anything wrong with these computers.  The IP address listed above is one of the IPs that these three computers talk to, so it seems related.

    I am continuing to look but it may be time to just re-image.


  • 7.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 18, 2010 10:23 AM
    You can use the Network Activity tool to help identify which process is sending the traffic; then you can submit the files to Security Response.

    Title: 'Using Symantec Endpoint Protection 11's Network Activity Tool to Identify Suspicious Processes'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009031811513448

    You can also use the SEP Support Tool with Load Point Analysis checked to help identify suspicious files:

    Title: 'About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009092215125548

    Hope this helps.

    sandra


  • 8.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 18, 2010 07:14 PM

    Hey there, there are no issues with your network; it's just some website in your IIS or some network-based application that is generating the request, which SEP is notifying you about.

    Go to the manager,

    Go to policies

    Choose IPS signature and click on it

    Choose exceptions

    In the first tab click on Add and choose this SID 23615

    Save and assign the policy; issue resolved


    --
    Haresh Rudrakodi
    Symantec Enterprise Support


  • 9.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 18, 2010 08:20 PM

    With all due respect, while that will stop the alerts, it does not address the root issue, and will prevent you from getting future alerts on suspicious traffic.  I don't really recommend doing this.

    sandra


  • 10.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 19, 2010 01:12 PM
    OK, I rebooted the machine with NOTHING running except SEP, and all by itself it opens an HTTPS session to an IP address in Russia.
    SEP reports "Tidserv request detected".

    Glad to hear I'm not infected and there is nothing more I need to do....



  • 11.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 20, 2010 11:42 AM
    If that's the case, then he needs to analyse this IP 91.212.226.7 and check which process requested it... if it's genuine he can add it as I said before... if not he can scan his computer for viruses, and if he thinks it's a hacker then he needs to report it to cyber crime... because the product has done its job.


  • 12.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 22, 2010 01:42 PM
    How do I contact technical support to help me with my infected computer... Tidserv 2; nsolia.exe, Nzw.exe and Nzx.exe.  Also something is causing my Risk Log to close in Symantec when I try to scroll to see where the risky files are located and the dates found.


  • 13.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 22, 2010 02:30 PM

    http://www.symantec.com/business/support/contact_techsupp_static.jsp

    Bear in mind that enterprise support does not walk through virus removal.  We can help to identify files to submit for analysis so they can be detected and removed by the product.

    Title: 'About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009092215125548

    sandra


  • 14.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 22, 2010 04:18 PM
    Yeah I know what you are saying.  I have run scans with several AV tools and still am unable to find anything.  I have pegged it to an svchost process but all the DLLs check out fine.  These computers are deeply infected.


  • 15.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 22, 2010 04:36 PM

    After much time wasted on this, I have decided just to re-image the computers.  Though I may take an image of one of the hard drives so I can continue to work on it.

    Something to keep in mind:

    In IPS, just because the log says the traffic was incoming does not mean that the session did not originate from your computer.  In the packet captures that I took, I found that all sessions between the various Eastern European IPs and my computers originated from my computers.  So ignoring the IPS events would be a bad thing.

    Sandra:
    Thanks for the tool suggestions.  I used the SEP Support tool but it did not find anything with the Load Point analysis.
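The point in the post above, that the IPS's "incoming" label describes the packet that matched the signature and not which side opened the session, is exactly what a packet capture settles. The following is an added example, not code from this thread or from Symantec: it reconstructs the initiator of each TCP session from constructed packet records by finding the first bare SYN in each flow, then checks an IPS alert against that. The packet list, the alert record and its field names (`ips_direction`, `local_ip`, and so on) are all assumptions made for illustration, and the addresses are from documentation ranges.

```python
"""Determine which endpoint actually opened each TCP session in a capture,
independently of the "Incoming"/"Outgoing" label an IPS attaches to the
packet that happened to trigger the signature.

Added example; not code from the thread or from Symantec. The packet
records and the alert record below are constructed for illustration.
"""

# Constructed packets: (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    (1.000, "192.0.2.10", 49152, "203.0.113.7", 443, "S"),    # local host opens the session
    (1.120, "203.0.113.7", 443, "192.0.2.10", 49152, "SA"),
    (1.121, "192.0.2.10", 49152, "203.0.113.7", 443, "A"),
    (1.300, "192.0.2.10", 49152, "203.0.113.7", 443, "PA"),   # TLS ClientHello from the local host
    (1.450, "203.0.113.7", 443, "192.0.2.10", 49152, "PA"),   # server reply: the packet the IPS flags
    (5.000, "198.51.100.3", 51000, "192.0.2.10", 3389, "S"),   # a genuinely inbound connection attempt
    (5.010, "192.0.2.10", 3389, "198.51.100.3", 51000, "RA"),  # local host refuses it
]

LOCAL_NET = "192.0.2."   # constructed: prefix of the monitored hosts


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a session land together."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def session_originators(packets):
    """Map each flow to the IP that sent the first bare SYN (SYN without ACK).

    The bare SYN is the only packet that unambiguously identifies the initiator;
    everything after it flows in both directions.
    """
    first_syn = {}
    for _ts, src, sport, dst, dport, flags in sorted(packets):
        key = flow_key(src, sport, dst, dport)
        if "S" in flags and "A" not in flags and key not in first_syn:
            first_syn[key] = src
    return first_syn


def classify_alert(alert, originators):
    """Return who really opened the session an alert refers to.

    'outbound-initiated' if a monitored host opened it, 'inbound-initiated' if
    the remote side did, 'unknown' if the capture holds no SYN for that flow.
    """
    key = flow_key(alert["local_ip"], alert["local_port"],
                   alert["remote_ip"], alert["remote_port"])
    initiator = originators.get(key)
    if initiator is None:
        return "unknown"
    return "outbound-initiated" if initiator.startswith(LOCAL_NET) else "inbound-initiated"


# Constructed alert record (field names are assumptions, not SEP's log schema).
# The IPS labels it "Incoming" because the signature matched the server's reply,
# even though the local host dialled out.
ALERT = {"sid": 23615, "ips_direction": "Incoming",
         "local_ip": "192.0.2.10", "local_port": 49152,
         "remote_ip": "203.0.113.7", "remote_port": 443}

if __name__ == "__main__":
    originators = session_originators(PACKETS)
    for key, ip in originators.items():
        print(f"{key[0][0]}:{key[0][1]} <-> {key[1][0]}:{key[1][1]}  initiated by {ip}")
    print(f"SID {ALERT['sid']} labelled {ALERT['ips_direction']!r}: "
          f"session was {classify_alert(ALERT, originators)}")
```

An alert whose session is outbound-initiated means the process on the local host started the conversation, which is why the posts here treat the detection as evidence of infection rather than of hostile inbound traffic.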


  • 16.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jun 22, 2010 06:08 PM

    You're welcome.  For the security of the system and the network, it's probably best to flatten and rebuild.  Even if malicious files are identified and removed it is very difficult to determine what other changes were made to the system.

    sandra


  • 17.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jul 20, 2010 01:23 PM
    I did run the SERT tool on an image of the computer and it did remove the issue.

    I ended up getting another computer infected with the same issue last week.  The issue this time was that the computer was remote so using SERT would not be as useful.  I did some searching and found a tool that worked perfectly.  It is a competitor of Symantec so hopefully they don't remove the link.  The interesting thing about this tool is that it is so simple.  All it really did was do MD5 hash checking on system files and replaced the ones that did not check out.  The new reputation based technology that Symantec is working on will help fix some of this stuff in the future.

    http://support.kaspersky.com/viruses/solutions?qid=208280684
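The tool described in the post above works by hashing system files and replacing the ones that no longer match. The block below is an added example of that baseline-and-verify pattern; it is not the Kaspersky tool, Symantec code, or anything posted in this thread. It uses SHA-256 instead of the MD5 the post mentions, since MD5 collisions can be manufactured and a baseline is only as trustworthy as the hash behind it. The directory tree and file names built in `demo()` are constructed for illustration.

```python
"""Baseline-and-verify file integrity check: record a hash of every file under
a directory while the system is trusted, re-hash later, and report what changed.

Added example; not the Kaspersky tool, Symantec code, or anything from the
thread. The sample tree in demo() is constructed for illustration.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> hex digest for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root against a trusted manifest.

    Returns sorted lists of modified, missing and unexpected relative paths.
    Unexpected files matter for rootkits: a dropped driver is new, not modified,
    so a check that only re-hashes known files would never see it.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Build a constructed system-directory tree, baseline it, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "drivers")
        os.makedirs(drivers)
        files = {                                   # constructed contents, not real binaries
            "atapi.sys": b"known-good driver bytes",
            os.path.join("drivers", "ndis.sys"): b"known-good network driver bytes",
            "kernel32.dll": b"known-good library bytes",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)          # taken while the tree is trusted

        # Simulate an infection: patch one driver, delete a library, drop a new file.
        with open(os.path.join(root, "atapi.sys"), "ab") as f:
            f.write(b"\x90\x90 appended stub")
        os.remove(os.path.join(root, "kernel32.dll"))
        with open(os.path.join(drivers, "dropped.sys"), "wb") as f:   # constructed name
            f.write(b"not in the baseline")

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A real deployment would keep the manifest, and the interpreter running the check, somewhere the compromised OS cannot alter them (read-only media or another machine, as the SERT boot-disk approach does), since a kernel rootkit can lie to any file read performed from inside the infected system.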


  • 18.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jul 30, 2010 04:13 PM
    @Haresh,

    This is a very poor suggestion unless the customer has very good reasons for believing that this detection is a false positive. This IPS signature is meant to detect attempts by Backdoor.Tidserv to communicate with its command and control servers. Given this, it is likely that any machine which receives the notification for the "HTTPS Tidserv Request 2" detection is infected with Backdoor.Tidserv.

    Adding the exception you suggested will only make sure that SEP does not detect this threat's attempts to communicate with the servers which control it.

    I suggest updating SEP to the very latest Rapid Release definitions and scanning any machine which receives the "HTTPS Tidserv Request 2" IPS detection. If SEP finds Backdoor.Tidserv, you have two options available to you.

    1. Follow our removal instructions for Backdoor.Tidserv (follow the link below). You will need to manually replace infected files.
    2. Backdoor.Tidserv is a rootkit. As such, it becomes extremely difficult (read: impossible) to ever guarantee the integrity of Windows system files post-infection. You will never know if the entire infection was removed and the machine will always pose an elevated security risk to your environment. In addition, removing a rootkit may also remove files Windows needs to function properly; this may lead to future stability or administration issues with this machine. The only way to guarantee the integrity of the operating system files so that you can know the machine is in a secure state will be to format or reimage the machine.

    Hope this helps,
    James

    --
    Backdoor.Tidserv: http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
    HTTPS Tidserv Request 2: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23615


  • 19.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jul 30, 2010 04:29 PM

    Hi Sandra,

    I do not think this is technically true.

    If you read the writeup for HTTPS Tidserv Request 2, you will notice that it is meant to detect "Backdoor.Tidserv communication with control servers." For there to be a communication attempt, there must be something to initiate communication. Consequently, it makes sense that machines which receive this detection should be infected with Backdoor.Tidserv.

    Regards,
    James

    --
    HTTPS Tidserv Request 2 - http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23615


  • 20.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Jul 30, 2010 05:11 PM
    Good point.  Definitely better to be safe than sorry.

    sandra


  • 21.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Aug 01, 2010 06:23 PM

    There is a KB on Backdoor.Tidserv here (http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=3) which might also help throw some light into your problem


  • 22.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Aug 03, 2010 05:42 AM

    Symantec totally failed me. I religiously keep my Symantec up to date and it still failed me. One moment I was checking out some photos of beautiful Ukrainian women and the next moment I'm infected. I noticed the Java splash screen flashed momentarily; I thought this was highly unusual, but now I understand that the rootkit attacks vulnerabilities in Java. I also noticed I was experiencing strange errors with Adobe Acrobat even though I was not using Acrobat; the rootkit also attacked Acrobat. My computer was trying to communicate with European hackers. I tried several tools to identify and remove the problem, but none helped. Then thank God I found this forum, and the entry above discussed Kaspersky's free removal tool and it worked like a charm.

    One has to wonder if perhaps mighty Symantec has lost their edge, Symantec's failure to catch/remove the rootkit cost me a lot in lost productivity. I could not even use Google because the rootkit kept redirecting me to some crappy pay per click search results. My machine bogged down.

    C'mon Symantec, how long have you known about this issue?
    Where's the fix?
    Where's the Symantec removal tool?

    Go with the Kaspersky free removal tool mentioned above; those folks got it right.


  • 23.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Aug 03, 2010 10:12 AM
    "One moment I was checking out some photos of beautiful Ukrainian women"

    I hope you're kidding.   Please tell me you're kidding.

    sandra


  • 24.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Aug 04, 2010 07:09 PM

    Sorry to post in a couple of different threads on this one, but I, too, have recently been bitten by this backdoor.

    I am running SEP-11.  Initially, SEP-11 was reporting via pop-ups that incoming and outgoing activity was flagged/halted.  I eventually ended up using the Kaspersky TDSSKiller app to fix the problem.  Or so it seems.  Lately, newer updates to SEP-11 have quarantined a couple of tmp files as having been associated with Backdoor.Tidserv as well.

    However, I still can occasionally get a BSOD similar to the one shown in the Tidserv removal KB that has been referenced in various threads here.  I am paranoid enough as it is, so I am feeling like there is still a malingering trojan running around.  SEP-11 doesn't see anything, Spybot Search and Destroy is clean, TDSSKiller is clean, and Malwarebytes Anti-Malware is clean (thus far).

    None of the registry entries referenced in the KB exist, I don't see the files (TDSSServ.sys, etc.) anywhere.  I did see a couple of registry entries that I believe may be holdovers from the earlier infection but I have wiped those and am monitoring them.

    When running SEP quick scans, I do see "TDSSServ.sys" and "...\FauxVirus\.." scroll through the list of scanned items.  My other post is related to this -- are these files on the system? Or are they known files that SEP displays as it looks for them?  Seeing them on the scan list is disconcerting after having been hit by them.


  • 25.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Aug 18, 2010 08:59 AM
    Had one PC with this very same problem.  The older version of the tool (Kaspersky TDSSKiller) would not remove it; however, version 2.4.1.2 did the trick.  Just wanted to let others know.
    SEP did not even detect it on a full scan; however, it did show the SID 23615 HTTPS Tidserv Request 2 (which is how I found this thread, and the eventual solution).  Turned out to be Rootkit.win32.TDSS.Tdl3, according to that tool.
    All is quiet on the western front now.
    It's a shame that we even have to deal with this stuff, but I guess you'll never stop the root cause, which is people creating these awful things in the first place.
    That is unfortunate.


  • 26.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Feb 15, 2011 03:03 PM

    Thanks Haresh;

    I have been dealing with this problem for almost 2 weeks. I tried tech support (free version) and it failed. I refused to pay 100.00 to remove a virus when I had already PURCHASED software that should have prevented me from getting a virus in the first place. But I followed the link (http://www.symantec.com/business/security_response...) and installed the tool, and it repaired my machine. Now I can get updates again. My MBR was infected with it. Thanks again.


  • 27.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted Feb 15, 2011 04:07 PM

    @porche

    You've got to be kidding me with this post?!?!


  • 28.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted May 23, 2011 07:35 PM

    I keep getting a popup message that I am infected with Tidserv Activity 2.

    I have downloaded FixTDSS.exe.  When I run it, it says that this virus is not on my computer.  Yet the popup keeps occurring.  Any suggestions?


  • 29.  RE: Symantec Endpoint Protection - SID 23615 HTTPS Tidserv Request 2 Detected

    Posted May 24, 2011 07:46 AM

    Check your logs, is the traffic inbound or outbound?