Endpoint Protection

  • 1.  Symantec SEP14 detection rate

    Posted Dec 08, 2016 04:32 AM

    Hello,

    In Germany we have a new wave of ransomware mails targeting personnel accounting.


    I checked one mail: VirusTotal reports GoldenEye, but Symantec is listed as "no infection found". The German newspaper "c't" reported on this on 06.12.; my scan is from 08.12. Is Symantec this slow at detection?

    The local client also reports "no virus found" (manual scan; I did not open the file).

    https://www.heise.de/newsticker/meldung/Goldeneye-Ransomware-greift-gezielt-Personalabteilungen-an-3562281.html

    We use Symantec Mail Security 7.5 with Rapid Release and SEP 14 on the client side.


    [screenshot attachment: Unbenannt.PNG]



  • 2.  RE: Symantec SEP14 detection rate

    Posted Dec 08, 2016 05:45 AM

    Hi Stefan_L,

    Many thanks for the post.  Symantec does have definitions in place against Goldeneye ransomware, which is indeed a dangerous new threat:

    Ransom.Goldeneye
    https://www.symantec.com/security_response/writeup.jsp?docid=2016-120715-1834-99

    If your organization receives suspicious mails with unexpected attachments, please do not open them!  Malicious macros must be manually enabled in order to cause any damage.  The most powerful defense is an educated end user.  :)  More good tips:

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

    Hardening Your Environment Against Ransomware
    https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware


    If you have identified a mail which you feel is suspicious, please do submit it to Security Response for analysis!  I cannot see the hash in the screenshot above, so I cannot confirm whether we have a sample of that one.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    Please do update this thread with any additional questions, or mark it solved if you have received your answer.

    With thanks and best regards,

    Mick
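A way to triage such an attachment before deciding whether to submit it, added here as an example and not code from this thread or from Symantec: it hashes the raw bytes so the SHA-256 can be compared against the VirusTotal link, and checks whether an OOXML attachment carries a VBA project part without opening the document in Office. The sample documents are constructed in memory (not real malware), and the lookup URL format is an assumption modelled on the link posted later in the thread.

```python
import hashlib
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsm) container


def build_sample_document(with_macros: bool) -> bytes:
    """Constructed stand-in for a mail attachment: a minimal OOXML archive.
    Not a real sample; the VBA part is a few placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def virustotal_url(sha256: str) -> str:
    # Assumed URL form, modelled on the link posted in the thread.
    return f"https://www.virustotal.com/file/{sha256}/analysis/"


def triage(data: bytes) -> dict:
    """Inspect the raw bytes; never opens the document in Office."""
    report = {
        "sha256": sha256_hex(data),
        "container": "unknown",
        "macro_parts": [],
        "has_vba_project": False,
    }
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams, which this
        # stdlib-only check does not parse, so flag it for a deeper look.
        report["container"] = "ole2"
        return report
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            report["container"] = "corrupt-zip"
            return report
        report["container"] = "ooxml"
        # Any vbaProject.bin part means the document is macro-enabled.
        report["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        report["has_vba_project"] = bool(report["macro_parts"])
    return report


if __name__ == "__main__":
    for flag in (False, True):
        r = triage(build_sample_document(with_macros=flag))
        print(r["container"], r["has_vba_project"], r["macro_parts"])
        print("lookup:", virustotal_url(r["sha256"]))
```

The absence of a VBA project does not make an attachment safe (legacy OLE documents, exploit documents and other delivery tricks carry no vbaProject.bin), so a "clean" result here only means the quickest check found nothing; the hash is still worth looking up and the file still worth submitting.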


  • 3.  RE: Symantec SEP14 detection rate

    Posted Dec 08, 2016 08:17 AM

    Hello Mick,


    Attached is the link to VirusTotal. Now 10 detections, but no Symantec.


    https://www.virustotal.com/de/file/b2edd25f011045a840df297c0514997ec9662603ad781be0dbe1bbdfcf6c87d1/analysis/



  • 4.  RE: Symantec SEP14 detection rate

    Posted Dec 08, 2016 08:20 AM

    ...and you have all of SEP 14's detection capabilities enabled and they're functioning?



  • 5.  RE: Symantec SEP14 detection rate

    Posted Dec 08, 2016 08:34 AM

    Many thanks for making that submission, Stefan!  That file had not yet been submitted.  It should be examined shortly.  Chances are that it is a downloader (W97M.Downloader, Trojan.Mdropper or similar) of the ultimate malicious payload.



  • 6.  RE: Symantec SEP14 detection rate

    Posted Dec 08, 2016 08:43 AM

    I just submitted the file:

    [TRACKING]: Symantec Security Response Automation (Tracking #40310961)



  • 7.  RE: Symantec SEP14 detection rate

    Posted Dec 08, 2016 09:00 AM

    Yep, I spotted it from our side.  :)

    You should receive a closing mail with the determination within coming hours.



  • 8.  RE: Symantec SEP14 detection rate

    Posted Dec 09, 2016 04:46 AM

    Hi again,

    Just checking that you have received your closing mail?  That sample is detected with sequence 182278 or higher.

    Sequence Makes Sense
    https://www.symantec.com/connect/articles/sequence-makes-sense

    Please do update this thread with any additional question, or mark it Solved if you have received your answer!

    With thanks and best regards,

    Mick



  • 9.  RE: Symantec SEP14 detection rate

    Posted Dec 09, 2016 05:21 AM

    Hello Mick,

    I must apologize, but I am "not able to see the forest for the trees" regarding "mark solved"?



  • 10.  RE: Symantec SEP14 detection rate

    Posted Dec 09, 2016 12:26 PM

    Hi Stefan,

    This thread is indeed missing its "life preserver" or green check.  (Check out the main forum page to see what I mean.)  Anyway, glad that this one has been answered.  Have a great weekend!

    :)

    Mick