Endpoint Protection

 View Only

Here is my list of steps to find malicious files, infected files etc etc. Please feel free to add or advise 

Mar 14, 2014 11:42 AM

Checklist for scanning suspicious files
1.    Disconnect any drive mappings and check to see if the PC has any shared folders
2.    Stop the shares if they are present, they can be reestablished if necessary after cleanup
3.    Take the PC OFF the network
4.    Check disk space, lack of disk space can cause multiple issues
5.    Check to see if any users have local admin rights, if they do, remove them
6.    Check the “Run” Key in the registry for any suspicious entries (Check on HKEY_LOCAL_MACHINE AND     HKEY_CURRENT_USER
    Delete any suspicious entries from
7.    Check for old windows user profiles, check with the current user before deletion of old profiles
8.    Check the C:\ProgramData (Hidden folder) for any suspicious entries
9.    If you can, clear C:\TEMP and C:\Windows\temp
10.    Clear content from C:\Users\Username\AppData\Local\Temp
11.    Clear content in %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files
12.    Check the control panel for any suspicious programs or toolbars (Yahoo, Ask, etc)
13.    Remove all toolbars or suspicious programs, verify with the user of the validity of the program
14.    Check and verify versions and definitions are up to date on Malwarebytes and SEP
15.    Check the SEP Client for suspicious entries
16.    Run a full scan with SEP, then Run a full scan with Malwarebytes and remove suspicious entries
17.    Select the “View Quarantine” section, if there is anything check to see what it is and verify with the user    (s) if it can be removed.
18.    Restart the PC after scanning is complete.
19.    It would be highly advisable to run a Load Point Analysis and submit the output file to Symantec Support.
    Suspicious files can be submitted to Symantec through the following link.

20. I will use NPE as a last resort, I am wondering if I should use it as a PRIMARY resort

Do not submit a file with a .exe extension, rename it to something like .zip or .rtf
To open a support case, user the following link.



0 Favorited
0 Files

Tags and Keywords


May 23, 2014 09:02 AM

More often than naught, SEP scans find nothing.

May 23, 2014 08:36 AM

Hi Bryan,

"Thumbs up" for me!  There's some good info in the points, above. The one main change I would recommend would be to run a full SEP scan before NPE is run or anything is manually removed.  If certian keys or files of a threat are removed manually, then SEP's ERASER components may not be triggered against that threat and the other parts of the threat may be left behind. (ERASER scripts should get rid of the whole thing.)

Another tip: IPS logs can be an excellent pointer toward malicious files which are making unwanted network traffic.

Here's the best official Symantec article to guide admins through dtection and removal:

Best Practices for Troubleshooting Viruses on a Network

And here's an article on what to do AFTER the malware has been found and removed:

The Day After: Necessary Steps after a Virus Outbreak

Thanks once again!


Apr 01, 2014 12:18 AM

HI Bryan and other Experts,

Thanks for this info. Also pls share the steps and links , the process to find malware and how to detect with malware infected system in manual process. file mon, process monitor tool etc.

A. How can I find if any system is infected with adware, malware or any type of trojan etc ?

B. To Identify the source of spreading threats system? some best process.

pls share some useful links.


Mar 30, 2014 09:13 PM

Agreed, it's a first resort, not a last. It's just hard to do it on pc's in remote locations.

Mar 30, 2014 08:37 PM

Good Job! But sometimes worms and viruses disable the registry and folders access so it is better to run first the advanced scanner of Symantec, NPE..

Mar 30, 2014 04:51 PM

RE: first part, Use NPE as step #1

Mar 14, 2014 11:52 AM

Thanks for the Blog, 

just in case if someone is looking for load points

Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003


Related Entries and Links

No Related Resource entered.