Checklist for scanning suspicious files
1. Disconnect any drive mappings and check to see if the PC has any shared folders.
2. Stop the shares if they are present; they can be reestablished if necessary after cleanup.
3. Take the PC OFF the network.
4. Check disk space; lack of disk space can cause multiple issues.
5. Check to see if any users have local admin rights; if they do, remove them.
6. Check the "Run" key in the registry for any suspicious entries (check both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER). Delete any suspicious entries from:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
7. Check for old Windows user profiles; check with the current user before deletion of old profiles.
8. Check C:\ProgramData (hidden folder) for any suspicious entries.
9. If you can, clear C:\TEMP and C:\Windows\temp.
10. Clear content from C:\Users\Username\AppData\Local\Temp.
11. Clear content in %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files.
12. Check the Control Panel for any suspicious programs or toolbars (Yahoo, Ask, etc.).
13. Remove all toolbars or suspicious programs; verify with the user the validity of the program.
14. Check and verify that versions and definitions are up to date on Malwarebytes and SEP.
15. Check the SEP client for suspicious entries.
16. Run a full scan with SEP, then run a full scan with Malwarebytes and remove suspicious entries.
17. Select the "View Quarantine" section; if there is anything, check to see what it is and verify with the user(s) if it can be removed.
18. Restart the PC after scanning is complete.
19. It would be highly advisable to run a Load Point Analysis and submit the output file to Symantec Support. Suspicious files can be submitted to Symantec through the following link.
20. I will use NPE as a last resort; I am wondering if I should use it as a PRIMARY resort.
https://submit.symantec.com/websubmit/retail.cgi
Do not submit a file with a .exe extension; rename it to something like .zip or .rtf.
To open a support case, use the following link.
https://my.symantec.com/webapp/faces/login;jsessionid=kD5pTYtLVGQp1tT6YGNPnJ1RDP1J63M72VYQG51KplzHFSq7vcpC!852198726?_afrLoop=762864225321000&_afrWindowMode=0&_afrWindowId=null#%40%3F_afrWindowId%3Dnull%26_afrLoop%3D762864225321000%26ct%3Dus%26lg%3Den%26_afrWindowMode%3D0%26_adf.ctrl-state%3Dlinjnbbce_4
More often than not, SEP scans find nothing.
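The inspection steps of the checklist above (items 1, 4, 5, 6 and 8) can be gathered into one read-only report before anything is stopped or deleted. This is an added example, not code from the original post or from Symantec; it uses only standard Windows 10 / Server 2016+ cmdlets, and the report path on the desktop is an assumption.

```powershell
# Read-only triage of checklist items 1, 4, 5, 6 and 8. Assumes Windows 10 / Server 2016
# or later (SmbShare and LocalAccounts modules present) and an elevated prompt.
# Nothing is stopped or deleted; review the report before acting on any entry.
$report = [ordered]@{}

# Item 1: mapped drives and non-default shared folders
$report['MappedDrives'] = Get-SmbMapping -ErrorAction SilentlyContinue |
    Select-Object LocalPath, RemotePath, Status
$report['Shares'] = Get-SmbShare -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Special } | Select-Object Name, Path, Description

# Item 4: free space on fixed disks (DriveType 3), rounded to GB
$report['Disks'] = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    Select-Object DeviceID,
        @{ n = 'FreeGB'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } },
        @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }

# Item 5: who holds local admin rights
$report['LocalAdmins'] = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

# Item 6: every value under the Run key of both hives (value name + command line)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider metadata, not Run values
$report['RunKeys'] = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -notcontains $p.Name) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Item 8: top-level ProgramData entries, hidden ones included, newest first
$report['ProgramData'] = Get-ChildItem 'C:\ProgramData' -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime, Attributes

# Write one section per item to a fresh report file on the desktop (assumed path), then show it
$out = Join-Path $env:USERPROFILE 'Desktop\triage-report.txt'
Remove-Item $out -ErrorAction SilentlyContinue
foreach ($section in $report.Keys) {
    "=== $section ===" | Out-File -FilePath $out -Append
    $report[$section] | Format-Table -AutoSize | Out-String -Width 200 | Out-File -FilePath $out -Append
}
Get-Content $out
```

Keep the report file with the case: it records the state of the machine before cleanup, which is what Symantec Support will ask for alongside the Load Point Analysis output.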
Hi Bryan,
"Thumbs up" from me! There's some good info in the points above. The one main change I would recommend would be to run a full SEP scan before NPE is run or anything is manually removed. If certain keys or files of a threat are removed manually, then SEP's ERASER components may not be triggered against that threat, and the other parts of the threat may be left behind. (ERASER scripts should get rid of the whole thing.)
Another tip: IPS logs can be an excellent pointer toward malicious files which are making unwanted network traffic.
Here's the best official Symantec article to guide admins through detection and removal:
Best Practices for Troubleshooting Viruses on a Network http://www.symantec.com/docs/TECH122466
And here's an article on what to do AFTER the malware has been found and removed:
The Day After: Necessary Steps after a Virus Outbreak https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak
Thanks once again!
Mick
Hi Bryan and other experts,
Thanks for this info. Also, please share the steps and links for the process to find malware and how to detect a malware-infected system manually (File Mon, Process Monitor tool, etc.).
A. How can I find out if any system is infected with adware, malware or any type of trojan, etc.?
B. How to identify the source system that is spreading threats? Some best-practice process.
Please share some useful links.
Agreed, it's a first resort, not a last. It's just hard to do it on PCs in remote locations.
Good job! But sometimes worms and viruses disable registry and folder access, so it is better to first run the advanced scanner from Symantec, NPE.
RE: first part, Use NPE as step #1
Thanks for the Blog,
Just in case someone is looking for load points.
Here are the links; not sure what happened in the first post.
https://submit.symantec.com/websubmit/retail.cgi
Do not submit a file with a .exe extension; rename it to something like .zip or .rtf.
To open a support case, use the following link.
https://my.symantec.com/webapp/faces/login;jsessionid=kD5pTYtLVGQp1tT6YGNPnJ1RDP1J63M72VYQG51KplzHFSq7vcpC!852198726?_afrLoop=762864225321000&_afrWindowMode=0&_afrWindowId=null#%40%3F_afrWindowId%3Dnull%26_afrLoop%3D762864225321000%26ct%3Dus%26lg%3Den%26_afrWindowMode%3D0%26_adf.ctrl-state%3Dlinjnbbce_4