Endpoint Protection


W32.Sality.AE Can't kill by Symantec endpoint


  • 1.  W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 05:35 AM

    Hello,

    Today I found that our EXE files can't execute. After I checked my server, I found that Symantec Endpoint alerted on this virus.

    W32.Sality.AE

    Symantec Endpoint can quarantine it but can't kill it on my system. It still generates the virus on my server, as below.

    Could anybody please advise how to clean it from our system?

    I have seen the Symantec instructions at this link, but I don't have time to edit the whole registry to fix it on every server.

     

    http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=3


    I have also tried rmsality.exe. It doesn't work.

    Please help me.

    Thank you.



  • 2.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 05:38 AM

    Update it with the latest Rapid Release update, then scan in safe mode.



  • 3.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 05:39 AM

    Our server can't execute EXEs now. Please help me. Is safe mode the best way? I can't stop the server for a scan for 1-2 days.



  • 4.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Broadcom Employee
    Posted Oct 21, 2010 05:40 AM

    Update the client using the .jdb, then scan the system in safe mode.



  • 5.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 05:43 AM

    The scan may take a few hours. Before doing this, make sure you are updated with the latest Rapid Release updates. Then scan in safe mode. In safe mode the virus cannot do much, so removal will be easier.



  • 6.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 06:23 AM


  • 7.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 06:34 AM

    My definitions are already updated to the latest version.



  • 8.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Broadcom Employee
    Posted Oct 21, 2010 06:36 AM

    Scan the system in safe mode. It shows pending analysis; usually it requires a reboot to take effect.

    Disable System Restore on the system volume, if it is enabled, before the scan.



  • 9.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 07:31 AM

    I think Windows 2003 disables System Restore by default. Then I will restart and do a full scan again, because my server can't be down for a long time.



  • 10.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Broadcom Employee
    Posted Oct 21, 2010 07:34 AM

    OK, it's always good to start the scan in safe mode for better handling of threats.



  • 11.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 09:11 AM

    No, I mean I can scan after boot while users are still working on this server.



  • 12.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 21, 2010 04:12 PM

    ...to reset the ability to run exe files.

    Tool to reset shell\open\command registry keys
    http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

    sandra
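    The post above points at Symantec's tool for resetting the shell\open\command keys. The script below is an added example written for this thread, not Symantec's tool and not something any poster ran: it audits the registry values that decide how .exe files are launched, reports anything that is not the stock Windows default, and restores the defaults only when run with -Restore from an elevated prompt. The only assumed facts are the documented Windows defaults it compares against (`.exe` -> `exefile`, and `exefile\shell\open\command` -> `"%1" %*`); a hijacked value typically points at a dropped executable that wraps `"%1"`. The per-user class override and IFEO "Debugger" checks are generic launch-hijack checks, not claims about this particular threat.

```powershell
# Added example, not from the thread or Symantec's tool: audit the registry
# values that control how .exe files are launched, report anything that is not
# the stock Windows default, and restore the defaults only when -Restore is
# given. Run from an elevated PowerShell prompt on the affected server.
# The "expected" values are the documented Windows defaults (assumption: the
# only thing this script treats as ground truth).
param([switch]$Restore)

$Expected = @(
    @{ Path  = 'Registry::HKEY_CLASSES_ROOT\.exe'
       Value = 'exefile' },
    @{ Path  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
       Value = '"%1" %*' }
)

function Get-DefaultValue([string]$Path) {
    # Return the unnamed (Default) value of a key, or $null if the key is missing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

$tampered = 0
foreach ($e in $Expected) {
    $actual = Get-DefaultValue $e.Path
    if ($actual -eq $e.Value) {
        Write-Host "OK       $($e.Path) = $actual"
        continue
    }
    $tampered++
    Write-Warning "MODIFIED $($e.Path)`n  expected: $($e.Value)`n  actual:   $actual"
    if ($Restore) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        # Set-Item on a registry key writes its (Default) value.
        Set-Item -Path $e.Path -Value $e.Value
        Write-Host "RESTORED $($e.Path)"
    }
}

# A per-user .exe class wins over the machine-wide one in the merged HKCR view
# and has no business existing on a file server; flag it rather than guess why.
$userExe = 'HKCU:\Software\Classes\.exe'
if (Test-Path $userExe) {
    $tampered++
    Write-Warning "Per-user override present: $userExe (default = $(Get-DefaultValue $userExe))"
}

# Image File Execution Options "Debugger" values redirect a program launch to
# another binary. Legitimate entries are rare on a server; list every one found.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $tampered++
        Write-Warning "IFEO Debugger set: $($_.PSChildName) -> $dbg"
    }
}

if ($tampered -eq 0) { Write-Host 'No EXE launch hijack found.' }
# Non-zero exit code = number of findings, so the script can gate a batch run.
exit $tampered
```

    Run it once without -Restore to see what is set, save that output as evidence of the infection, and only then rerun with -Restore. Restoring the association makes EXEs launch again but does nothing about the file that keeps rewriting it; the later posts in this thread about finding the source on the NAS are the part that actually stops the reinfection.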



  • 13.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 25, 2010 11:21 PM

    Hello,

    At the moment I can run EXE files, but after 3-4 hours it hangs again. I think there is still some virus on my server, but I can't clean it. I am scanning my server again. Users are still accessing it and working.



  • 14.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Broadcom Employee
    Posted Oct 25, 2010 11:34 PM

    I still think scanning in safe mode would be quicker, as Windows processes will not be active.



  • 15.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 25, 2010 11:47 PM

    Definitely, scanning in safe mode will be more effective at cleaning the threats, as in normal mode the processes would be locked by the application/OS.



  • 16.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 26, 2010 03:22 AM

    Hello Theseng99

    As per the screenshot which you have posted, it shows Pending Analysis under Action Taken. It means Auto-Protect has not yet received the results from the Side Effect Repair Engine. After the Side Effect Repair Engine finishes the scan, the Action column of the Auto-Protect Results window shows the action that was taken.

    For details, please go through the link below:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005092614484748?Open&dtype=corp&src=&seg=&om=1&om_out=prod

    And also try rebooting the server.



  • 17.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 26, 2010 04:21 AM

    Hello,

    I found the root cause of the virus. It is on a NAS drive. It's a Buffalo share drive connected via LAN cable. As below, drive U: is the NAS, and it tries to generate the virus when people try to access it. (The file U:\rbuix.exe is the virus that is generated.)

    The NAS drive can't log on to safe mode. What can we do? I am trying to scan the mapped drive U: from our server.



  • 18.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 26, 2010 09:34 AM

    I would recommend that you use the Symantec Endpoint Recovery Tool and update it with the latest definitions. You can find the recovery tool on FileConnect. Here is a KB that explains how to update the boot CD.

    Install the latest defs for the recovery tool:

    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US



  • 19.  RE: W32.Sality.AE Can't kill by Symantec endpoint

    Posted Oct 26, 2010 02:04 PM

    Is there an autorun.inf file on the NAS device? Disable autorun if you haven't already.

    sandra
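    An added example, not from the thread, for the two things the last reply asks about: whether the share root carries an autorun.inf, and whether AutoRun is disabled on the machines that mount it. It inspects the root of the mapped drive (the letter U: is the thread's; the payload name rbuix.exe is only mentioned in the lead-in as what a finding would look like), parses the launch directives out of any autorun.inf it finds, lists executables sitting in the share root, and checks the NoDriveTypeAutoRun policy value, setting it to 0xFF (the documented "all drive types" bitmask) only when run with -Fix from an elevated prompt.

```powershell
# Added example, not from the thread: inspect a share root for autorun.inf and
# the files it launches, then verify AutoRun is disabled by policy for every
# drive type on this machine. $Root defaults to the thread's drive letter.
# Assumptions: the NoDriveTypeAutoRun bitmask semantics (0xFF = all drive
# types) and the Policies\Explorer key are the documented Windows ones.
param(
    [string]$Root = 'U:\',
    [switch]$Fix
)

function Get-AutorunTargets([string]$IniPath) {
    # Extract what an autorun.inf would run: open=, shellexecute= and any
    # shell\<verb>\command= directive. Section headers and icon lines are ignored.
    $targets = @()
    foreach ($line in Get-Content -Path $IniPath -ErrorAction Stop) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += $Matches[2]
        }
    }
    return $targets
}

$ini = Join-Path $Root 'autorun.inf'
if (Test-Path -LiteralPath $ini) {
    Write-Warning "autorun.inf present at $ini"
    foreach ($t in Get-AutorunTargets $ini) {
        # Reduce '"prog.exe" args' or 'prog.exe args' to the bare file name.
        $file = ($t -replace '^"([^"]+)".*$', '$1') -replace '^(\S+).*$', '$1'
        $full = Join-Path $Root $file
        $state = if (Test-Path -LiteralPath $full) { 'present' } else { 'missing' }
        Write-Warning "  launches: $t  ($state at $full)"
    }
} else {
    Write-Host "No autorun.inf in $Root"
}

# Executables in the share root are the usual autorun payloads; list them with
# size and timestamp so they can be matched against the AV alert. PSIsContainer
# is used instead of -File so this also works on older PowerShell versions.
Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|com|pif|scr|cmd|bat)$' } |
    Sort-Object LastWriteTime -Descending |
    Format-Table Name, Length, LastWriteTime, Attributes -AutoSize

# NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun;
# 0xFF excludes every type, network drives included.
$policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$current = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -eq 0xFF) {
    Write-Host 'AutoRun already disabled for all drive types (NoDriveTypeAutoRun = 0xFF).'
} else {
    $shown = if ($null -eq $current) { 'unset' } else { '0x{0:X}' -f $current }
    Write-Warning "NoDriveTypeAutoRun is $shown, not 0xFF"
    if ($Fix) {
        if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
        Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Write-Host 'Set NoDriveTypeAutoRun = 0xFF; log off or restart for it to apply.'
    }
}
```

    The policy value protects the Windows clients that mount the share; it does not clean the share itself. The NAS has no safe mode, so the autorun.inf and whatever it points at have to be deleted from the share directly (with the share taken offline or made read-only first so a still-infected client cannot rewrite them), and every client that has touched U: needs the scan the earlier replies describe before the drive is mapped again.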