Endpoint Protection

Hi,

I have a computer displaying message "System infected: Miner.Bitcoinminer Activity 7 detected" since 3/08. Is Symantec client dealing with the threat? What should I do so that risk is removed?

Thanks to help!

The IPS is detecting/blocking outbound traffic. Did the AV component find/alert/remove on anything? If not, the system should be taken offline and scanned. Re-imaged if possible.

Hi Brian, I am having a look at the Scan Reports section. Can you please let me know which report I should generate to know whether the AV component has removed the threat. I generated the 'New Risks Detected in the Network' report and found Trojan.Gen.6 1 / Malware:Virus (File) was detected on 31/07/18 and Trojan.Gen.9 1 / Malware:Heuristic Virus (File) was detected on 6/08/18. Want to know what actions were taken against the 2 threat.

Thanks

Review the risk logs on the SEPM for that machine name.

Hi Gavinash,

If the IPS events are continuing, there is likely something still there.  If they stopped after the AV detections, you are likely cleaned. Run a manual scan with the latest definitions and perhaps a Power Eraser scan from the SEPM or a SymDiag Threat Analysis Scan to look for any additional suspicious files.

An article that may help:

Coinminer protection and removal with Symantec Endpoint Protection
http://www.symantec.com/docs/TECH249302

Hi,

I ran a full scan/ active scan and no risks/ detections were found; but still the notifications are popping up. Should I worry about it? What can I do about it? Should I open a case?

Thanks

If SEP's scanning isn't finding anything and you're still getting notifications for brand new IPS events then it's possible it's user activity causing these detections (i.e. they are accessing an infected site, daily).

Otherwise, you may wish to run power eraser on the machine for a more in-depth scan (https://www.symantec.com/docs/HOWTO101744)