Endpoint Protection

Expand all | Collapse all

Clicked on php link - Endpoint Protection found nothing

  • 1.  Clicked on php link - Endpoint Protection found nothing

    Posted 03-15-2011 07:18 PM

     

    I received an email from a trusted source, clicked on link in email (without thinking) and was redirected to a website for Viagra.

    I started a Full Scan with Symantec Endpoint Protection v11.0 and nothing was found.

     

    Can any of you white-hats (or whatever the good guy hacker term is) determine what this thing did?  Here is link I clicked on in email - spaces added to prevent accidents

    ht tp:// asuntokauppoja.fi/images/asw.p h p

     

    Thank you in advance,

    Chris



  • 2.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-16-2011 12:11 AM

    It could be kind of phishing attack. Can you check with the trusted source of sending the URL included in mail?



  • 3.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-16-2011 06:59 AM

    Hi,

    Have you configured Symantec mail security in your environment ? SEP and Symantec mail security are two different product.

    Symantec mail security will stop such kind of Spam emails.

    To be safer side it is recommended  to install all the SEP features AV / PTP/ NTP with latest definitions.Always make sure that your computers are receiving definitions regularly.

    You windows machine should have all the latest windows updates /Patches.



  • 4.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-16-2011 07:49 AM

    It may not mean anything other than you were re-directed to that particular site.

    This particular site does not have anything malicious on it. Just don't buy anything cool



  • 5.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-16-2011 10:16 PM

    We've been hit by a few of these in the past few month and they seem to be creating new variants on a daily basis.  Not sure how Mail Security (which we're running) would help if these things are being sent out rapid-fire before definitions are updated. 

     

    We had a user click a link to:

    htt p://marl uci amartins.com.br/ima ges/aqq.ph p (spaces added, and the link is now dead).

    In that case, the user ended up with a new variant of SecurityShieldFraud that wasn't detected by even the rapid release defs at the time.

    Today's victim had defender.exe dropped in their application data directory after clicking a similar link.  There was no prompt to run an application - it just loaded.  This one still isn't detected by the rapid release defs.

    I submitted a sample (Tracking #19520683) and haven't yet heard back.

    We're going to take a machine and try to see what the infection vector is.. we think it might be a java vulnerability because a user got this at home and reported seeing the java console load just before they got hit. 



  • 6.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-16-2011 10:41 PM

    Heard back:

    We have processed your submission (Tracking #19520683) and your submission is now closed. The following is a report of our findings for the files in your submission:

    File: defender.exe

    Machine: Machine

    Determination: This file is detected as 'Trojan.FakeAV, ' with our existing Rapid Release definition set.

     

    This is not true.  I downloaded the latest definitions available here:

    ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rapidrelease/

    03/17/11 01:31AM [GMT]    101,011,328 symrapidreleasedefsv5i32.exe

    After installing them, I get the 16 March 2011 r36 version, and this is not being detected when I perform a scan for viruses on the sample.  The eicar test string is detected though.
     



  • 7.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-16-2011 11:11 PM


  • 8.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-16-2011 11:49 PM

    The detection results message should specify the minimum required revision, not "the existing set".  This is crucial if people click the link and they download the latest available defs on the RR ftp site at the time (it was r36) and that version doesn't provide the protection.

    We're using SEP 11, so when I go to http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr, it says that symrapidreleasedefsx86 is for:

     

    Supports the following versions of Symantec antivirus software:

    • Norton AntiVirus 2005 for Windows 2000/XP Home/XP Pro
    • Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
    • Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
    • Norton 360 version 1.0 for Windows XP/Vista
    • Symantec AntiVirus 3.0 CacheFlow Security Gateway
    • Symantec AntiVirus 3.0 for Inktomi Traffic Edge
    • Symantec AntiVirus 3.0 for NetApp Filer/NetCache
    • Symantec AntiVirus 10.0 Corporate Edition Client
    • Symantec AntiVirus 10.1 Corporate Edition Client
    • Symantec AntiVirus 10.2 Corporate Edition Client
    • Symantec AntiVirus for Bluecoat Security Gateway for Windows 2000 Server/2003 Server
    • Symantec AntiVirus for Clearswift MIMESweeper for Windows 2000 Server/2003 Server
    • Symantec AntiVirus for Microsoft ISA Server for Windows 2000 Server/2003 Server
    • Symantec Mail Security for Domino v 5.x
    • Symantec Mail Security for Domino v 7.x
    • Symantec Mail Security for Domino (32-bit) v 8.0.x
    • Symantec Mail Security for Microsoft Exchange
    • Symantec Mail Security for SMTP v 5.x
    • Symantec Web Security 3.0 for Windows
    • Symantec AntiVirus Scan Engine for Windows

    Shouldn't Endpoint Protection 11 also be listed if this is the one i'm supposed to be using?  

     

    Anyway, after running this, i'm at r37, and is now detected if i scan the .exe itself.  What complicates this is that when I scan the .zip file that I uploaded to symantec when I made my submission, it doesn't detect anything.  Shouldn't that work when scanning 3 levels deep inside a zip file is turned on?



  • 9.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-17-2011 09:41 AM

    You are correct, I was mistaken. I thought I was on the SEP 11 definitions listing.

    Time for glasses. : )

     

    I am unsure as to why the zip file was not getting detected. Are you running the Security Response recommened settings for your AV?

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948



  • 10.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-17-2011 05:28 PM

    Interestingly enough, the x86 defs did update sep11!

    Just double-checked all settings.  We're at the Symantec Security Response Recommendation setting for everything except for the Tru-Scan frequency. That's set to 1 hour (default) rather than 15 minutes.  Given that the virufs defs are only updated three times or so a day, wouldn't this be adequate?  This shouldn't affect whether an on-demand scan would miss a detection in a zip file.



  • 11.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-17-2011 08:44 PM

    SEP email scanner and Symantec Mail Security (SMS) are purely anti-malwares. I don't think they scan for spam emails. They do however look for scripts and malicious attachments in emails. If the sender is a trusted source, have their computer scanned as it's probably their PC that's infected. And I hope none of them accidentally added your email to one of those spam sites.

    What you need is an Anti-spam like Symantec Brightmail Gateway.

    :)



  • 12.  RE: Clicked on php link - Endpoint Protection found nothing

    Posted 03-17-2011 09:10 PM

    I was testing last night and managed to get my test PC infected with InternetSecurity2011 (on purpose), and I had to find a BlackHat Search Engine Optimization link and follow some links, but this one was definitely social engineering. 

    Other users deny accepting any prompts and still getting infected with defender.exe after clicking an emailed link (ending in .php), so we suspect it might be an unpatched vulnerability.  The problem is, these links disappear quite quickly so it's difficult to troubleshoot.  If any of your users get stung by defender and you still have the email they received, I'd love a copy of the link posted (safely, with spaces) here so we can try to replicate.