Endpoint Protection

 View Only

Using SEPM Alerts and Reports to Combat a Malware Outbreak 

Feb 25, 2013 12:53 PM

This is the first in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in November 2017.


"Monitor First" runs the good advice from security guru Bruce Schneier.  Millions have typically been spent putting a security infrastructure in place, with AntiVirus clients, firewalls, IDS/IPS, and so on.  These powerful endpoints are able to stop most existing threats, and can report back to a central management console what action they have taken.

But, if no one is reading those logs and acting upon them, the company remains at a disadvantage.  Here is an actual case (with data anonymized to protect this customer's identity) of how using the powerful reporting capabilities built in to the Symantec Endpoint Protection Manager (SEPM), and then acting upon that information, proved helpful to one admin who took the initiative to proactively seek out the cause of the constant re-infections throughout her corporate network.....

A Real-Life Example

Below is an example of how a report generated by SONAR logs can identify new malware for which there are not yet definitions.  This report can also highlight specific computers from among the company's thousands which need immediate attention from the security admins.

This example is taken from a network of SEP 12.1 computers which have the Proactive Threat Protection/SONAR component deployed- on SEP network using only the AntiVirus component, of course, other methods would have to have been used....

It is best to have as many SEP components installed and enabled as possible.

For the past week, the network had been undergoing a persistent outbreak of various types of malware.  Downloading and distributing Rapid Release definitions identified many new threats, but there always seemed to be more suspicious activity reported by end users.

To see if she could locate the source of the infections, the SEPM's admin clicked on Monitors, Logs, and chooses to view a SONAR report with the Advanced filter set to display only the Events where the action resulted in a verdict of "Suspicious."


This generated an on-screen report of "Security risk found" events, which could then be exported into .csv format.  The admin took this file, imported it into MS Excel, enabled filtering, and hid certain columns to allow her to focus in on the information she was looking for.

For sake of space, the Date column is not displayed in this article, but the admin was quickly able to spot some files which the SEP 12.1 clients detected over and over again in the same locations on the same computers. Narrowing in again: she un-ticked the display for the known, approved programs that were listed, un-ticked Tracking Cookies, and filtered to display entries which generated a Detection Score of 80 or above.

Very quickly, the report narrowed to executable files which were found running from very unusual locations.  These files had random names typical of malware....


A quick internet search on VirusTotal.com revealed that several of those SHA1 Application Hashes (unique identifiers) had poor reputations. Action was definitely called for.

She also noticed that all of these suspicious files were located on just a handful of computers.  Very quickly she gave instructions to have those computers isolated from the network to keep them from spreading any infection.  This is an important best practice from the following article:

Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466 

She also gave instructions for the SymDiag (formerly SymHelp) tool to be run on the computers with Threat Analysis Scan (previously called Load Point Analysis) checked.  This tool identifies suspicious files on a computer, which can then be collected and submitted to Symantec's Security Response for full analysis...

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team

Using Today's SymDiag to Combat Today's Threats

Ah ha!  The suspicious files from her report were flagged by the SymDiag tool, along with several other files that were deemed to be possible malware.  The admin zipped them up in batches of nine or less and submitted them to Symantec Security Response.

How to Use the Web Submission Process to Submit Suspicious Files
Article URL http://www.symantec.com/docs/TECH102419 

Symantec Insider Tip: Successful Submissions!

While Symantec was examining the files, she took additional measures to secure the network (hunting for more SONAR samples that had a lower Detection Score, monitoring other logs).  One action taken was to use the MD5 hashes (provided from Symantec automatically by mail after she submitted samples) to create an ADC policy that blocked them.  This was applied to the client groups throughout the company, stopping those threats from executing or spreading any further.

How to use Application and Device Control to limit the spread of a threat.
Article URL http://www.symantec.com/docs/TECH93451 

The computers which had been compromised were fully patched, had third-party components like Java and Adobe brought up-to-date.  Their users were given  strong new passwords and a bit of education about computer security best practices. The machines were kept off the network, though, until they could receive a full system scan with definitions that contained protection.

In due course, the submitted files are examined and new AntiVirus definitions prepared.  These new defs are downloaded via LiveUpdate and applied to all clients throughout the network. Those suspicious files, it seems, were members of the Downloader family.  Evidently a malicious attacker had been using that handful of compromised systems to constantly download new, undetected hack tools and infostealers, staying one step ahead of traditional signature-based AV defenses.  These tools were also crafted in such a way that as to resist the efforts of Auto-Protect products to terminate their processes.   They could not withstand a full system scan in safe mode, though!

By using SONAR's heuristic powers, reviewing the logs and taking action to ensure that compromised machines were fully cleaned before being added back to the network, the persistent infection was cleaned.


Many thanks for reading!  Please do leave comments and feedback below. 

This is just one example of how SEPM's built-in reporting and alerting features can be used to ensure a corporate network's stability and security.  If it would be helpful, I would be glad to provide additional illustrations....



0 Favorited
0 Files

Tags and Keywords


Jul 24, 2015 09:03 AM

Ninth article in this series now available!


Using Today's SymHelp to Combat Today's Threats

Mar 31, 2014 02:30 PM

Nice Article.

Feb 13, 2014 12:07 PM

The fifth article in this series is now available.  An illustrated guide to the tools and techniques necessary to defeat W32.Downadup can be found in the new Connect article:

Killing Conficker: How to Eradicate W32.Downadup for Good

Jan 09, 2014 06:35 AM

The fourth in this series has just been posted- it is a long one, but definitely worthwhile.

The Day After: Necessary Steps after a Virus Outbreak


Nov 15, 2013 11:21 AM

Readers of this article may be interested in the series' third installment.....

Two Reasons why IPS is a "Must Have" for your Network

Nov 06, 2013 01:03 PM

Verry Detail article! Congradulations Mick!

Oct 30, 2013 12:59 PM

A second article in this informal series is now available....

Recovering Ransomlocked Files Using Built-In Windows Tools

Sep 13, 2013 04:36 AM

I am glad to discover that Part 2 is now available:

How to utilize SEP 12.1 for Incident Response - PART 2

Sep 12, 2013 02:02 PM

great article.

Sep 02, 2013 03:22 AM

Nice Articles....

Sep 02, 2013 03:17 AM

Superb Stuff!! yes

Jun 05, 2013 05:38 AM

Nice Article. Well Done.yes

May 21, 2013 11:32 PM

Wow this is cool, thanks Mick !

May 21, 2013 12:24 PM

Adding a link to an excellent article that will be of help to admins identifying and tracking suspicious files....

How to utilize SEP 12.1 for Incident Response - PART 1

May 17, 2013 01:40 AM

Great Job! Really Helpful.

May 17, 2013 12:29 AM

thanks Mick2009 for valuable and nice artical +1

Apr 16, 2013 10:20 AM

Just adding a couple of extra helpful links for admins seeking the source of network infections:

What is Risk Tracer?

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection


Apr 11, 2013 08:03 AM

Really good article, thanks!

Mar 24, 2013 06:09 AM

Thumbs up..for this Amazing article Mick.

Related Entries and Links

No Related Resource entered.