  • 1.  W32.Harakit escape detection by SAV with latest virus definitions file. Possible?

    Posted Nov 25, 2010 09:30 AM

    Hi,

    Recently we had a virus outbreak in which an infected USB stick containing the W32.Harakit malware was used on a workstation. That workstation is running SAV 10.1.9.9000 with the latest virus definitions file.

    The funny thing is that the W32.Harakit malware jumped from the USB stick onto a file server via that workstation. (The workstation has a mapped drive to the file server.)

    How can this have happened? Why didn't the Real-Time Scan in SAV detect and block this spreading?

    Any comments or past experience to share?



  • 2.  RE: W32.Harakit escape detection by SAV with latest virus definitions file. Possible?

    Posted Nov 25, 2010 09:40 AM


  • 3.  RE: W32.Harakit escape detection by SAV with latest virus definitions file. Possible?

    Posted Nov 25, 2010 10:08 AM

    So why didn't the real-time scan stop the W32.Harakit virus (on the USB) from copying itself onto the file server via the workstation?



  • 4.  RE: W32.Harakit escape detection by SAV with latest virus definitions file. Possible?

    Posted Nov 25, 2010 04:13 PM

    Please check the Technical Details section of the writeup and the Prevention and Avoidance section; it could be any of these reasons.

    Web URL: http://www.symantec.com/security_response/writeup.jsp?docid=2008-102011-5014-99

    Web URL: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23239



  • 5.  RE: W32.Harakit escape detection by SAV with latest virus definitions file. Possible?

    Posted Nov 29, 2010 09:23 AM

    I logged a case with Symantec Technical Support. See the engineer's reply. Does everyone agree that the part in bold explains why the workstation (with updated AV) was not able to detect the threat, because the threat spreads from the USB to the mapped drive directly? Is that true?

     **Customer wanted to know why the SAV on the workstation in which the USB was inserted didn't detect the infection, as the infection actually came from the USB and it was inserted only in the workstation and not in the file server.
    **Informed the customer of the characteristics of this worm; informed him that it spreads using the autorun file. Customer said that autorun was enabled on the workstation.
    **Informed the customer that it is actually a worm which modifies certain files and copies itself to the shared folder/files, and because of that the actual infection doesn't happen on the workstation, as the workstation is only used by the worm and the actual infection has happened on the file server.


  • 6.  RE: W32.Harakit escape detection by SAV with latest virus definitions file. Possible?

    Posted Nov 29, 2010 01:50 PM

    Does the file server not have antivirus protection on it?

    sandra



  • 7.  RE: W32.Harakit escape detection by SAV with latest virus definitions file. Possible?

    Posted Nov 29, 2010 02:14 PM

    The purpose of the worm is to spread itself via removable devices and/or mapped drives, so yes, what is in bold makes sense.

    The worm executed from the USB, scanned for removable devices/mapped drives and, when it found them, copied itself to them.

    It basically used the workstation as a "middle man" or proxy.
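A sweep for the spreading pattern discussed in this thread, added here as an example and not part of the original posts or of Symantec's tooling: it walks a given root (a mapped drive, a UNC share path or a removable volume), finds every autorun.inf, parses the launch entries of its [autorun] section (open, shellexecute and shell\verb\command) and reports whether each referenced executable is actually present. The sample "share" it builds is constructed for the demonstration only, and every function and path name below is my own assumption, not anything from the writeup.

```python
import os
import re
import tempfile
from pathlib import Path

# [autorun] keys that name something to execute. "shell\<verb>\command"
# entries are matched separately by the regex.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section of an autorun.inf.

    Case-insensitive and tolerant of stray whitespace; lines that are not
    key=value pairs are skipped rather than raising.
    """
    launches = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            launches.append((key, value))
    return launches


def executable_of(command):
    """Executable part of a command line: the quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_autorun_targets(root):
    """Walk `root` (a mapped drive, share or removable volume) and report
    every autorun.inf together with the files it would launch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            inf_path = Path(dirpath) / name
            try:
                text = inf_path.read_text(errors="replace")
            except OSError:
                continue
            for key, command in parse_autorun(text):
                exe = executable_of(command)
                # Relative paths in autorun.inf are relative to the volume
                # root, which for a share is the directory holding the file.
                if os.path.isabs(exe) or DRIVE_RE.match(exe):
                    target = Path(exe)
                else:
                    target = inf_path.parent / exe.replace("\\", os.sep)
                findings.append({
                    "autorun_inf": str(inf_path),
                    "key": key,
                    "command": command,
                    "target": str(target),
                    "target_exists": target.is_file(),
                })
    return findings


def build_sample_share(base):
    """Constructed sample (not real malware): a share root holding an
    autorun.inf that points at one present and one missing file."""
    base = Path(base)
    (base / "data").mkdir(parents=True, exist_ok=True)
    (base / "setup.exe").write_bytes(b"MZ placeholder, not a real executable")
    (base / "autorun.inf").write_text(
        "[AutoRun]\n"
        "open=setup.exe\n"
        'shell\\open\\command="data\\helper.exe" /q\n'
        "icon=setup.exe,0\n"
    )
    return base


def demo():
    """Build the sample in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_autorun_targets(build_sample_share(tmp))


if __name__ == "__main__":
    for finding in demo():
        flag = "present" if finding["target_exists"] else "MISSING"
        print(f"{finding['autorun_inf']}: {finding['key']} -> {finding['target']} ({flag})")
```

Point `find_autorun_targets()` at a share path such as `r"\\fileserver\share"` or a mapped drive letter; an autorun.inf in a share root whose launch target is present is the thing to triage, since a share is not a removable volume and has no legitimate reason to carry one. This is an out-of-band hunt to confirm or rule out the "middle man" spreading described above; it does not replace the AV's real-time scan and says nothing about how that scan is configured.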