Endpoint Protection

  • 1.  Receiving virus mail from Administrator

    Posted Oct 22, 2013 10:30 AM

    Received an email with an attachment from an Administrator account. The domain (@companyname.com) is the same but the email ID is different. The email ID does not exist on our mailbox server.

    The message is below. Has anyone encountered the same?

     




  • 2.  RE: Receiving virus mail from Administrator

    Posted Oct 22, 2013 10:33 AM

    Do you have a mail filtering solution in place? You can submit the attachment to Symantec to see what it is:

    http://www.symantec.com/security_response/submitsamples.jsp



  • 3.  RE: Receiving virus mail from Administrator

    Posted Oct 22, 2013 10:42 AM

    Was this report from SEPM?



  • 4.  RE: Receiving virus mail from Administrator

    Trusted Advisor
    Posted Oct 22, 2013 02:06 PM

    Hello,

    What version of SEP have you installed? Which components have been installed on the client machine?

    Internet Email Auto-Protect protects both incoming email messages and outgoing email messages that use the POP3 or SMTP communications protocol over the Secure Sockets Layer (SSL). When Internet Email Auto-Protect is enabled, the client software scans both the body text of the email and any attachments that are included.

    About Auto-Protect and email scanning

    http://www.symantec.com/docs/TECH95093

     

    You can enable Auto-Protect to support the handling of encrypted email over POP3 and SMTP connections. Auto-Protect detects the secure connections and does not scan the encrypted messages. Even if Internet Email Auto-Protect does not scan encrypted messages, it continues to protect computers from viruses and security risks in attachments.

    If you use Microsoft Outlook over MAPI or Microsoft Exchange client and you have Auto-Protect enabled for email, attachments are immediately downloaded. The attachments are scanned when you open the attachment. If you download a large attachment over a slow connection, mail performance is affected. You may want to disable this feature if you regularly receive large attachments.

    Email attachments are frequently the culprits in virus attacks. To protect yourself from viruses transmitted through email attachments:

    • Don't open any attachment you were not expecting, even if it comes from a trusted source, such as a family member, co-worker, or friend.
    • If you do not know the sender of a message that includes an attachment, delete the message without reading it.
    • Do not open any attached file ending in .exe, .vbs, or .lnk.
    • Never open an attachment without verifying that it's virus free. To open an attachment, first save it to your hard drive and then scan it with antivirus software, such as Symantec Endpoint Protection.

    In case of suspicion, it is recommended to submit the attachment to the Symantec Security Response Team at https://submit.symantec.com/essential

    The Exchange servers have nothing to do with the Outlook mail scanning plugin. This is completely client-side. Your Exchange servers would have something like Mail Security for Microsoft Exchange scanning the server-side traffic.

    OR

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps!!



  • 5.  RE: Receiving virus mail from Administrator
    Best Answer

    Posted Oct 23, 2013 07:17 AM

    Hi mhine_

    This looks like a Social Engineering attack, which are sadly very, very common.  Someone has crafted that mail to make it look like the message is genuine and interesting, coming from a legitimate internal source.  (It's possible to spoof that pretty easily.)  

    The end recipients (who would not open an unexpected attachment from an outside address) click on the document and become infected. (These attacks quite often use threats which are new or obfuscated enough to evade AntiVirus.)  The Security Response blog recently highlighted such an attack...

    Backdoor.Egobot: How to Effectively Execute a Targeted Campaign
    https://www-secure.symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign

    Also see:

    Targeted Attacks in 2013
    https://www-secure.symantec.com/connect/blogs/targeted-attacks-2013

     

    Best practice and end-user awareness can provide a defense.  Definitely do submit that file attachment, ensure your mail servers are protected, configured correctly, and have a mail security product on them.

    Hope this helps!!

    Mick     
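
Added example, not part of any post in this thread: a mail-triage check for the pattern discussed above, where a message claims the organisation's own domain but the sender has no real mailbox, combined with the attachment extensions named in post 4. The mailbox list, the sample message and the reliance on a gateway-stamped `Authentication-Results` header are assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath

INTERNAL_DOMAIN = "companyname.com"              # placeholder domain used in the thread
KNOWN_MAILBOXES = {"administrator", "helpdesk"}  # constructed list of real local parts
RISKY_EXTENSIONS = {".exe", ".vbs", ".lnk"}      # extensions named in the thread

# Constructed sample message, not the one the original poster received.
SAMPLE = """\
Authentication-Results: mx.companyname.com; spf=fail smtp.mailfrom=companyname.com
From: Administrator <admin-notice@companyname.com>
To: user@companyname.com
Subject: Important document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached file.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.pdf.exe"

placeholder attachment body
--b1--
"""

def triage(raw: str) -> list[str]:
    """Return the reasons a message should be quarantined for review."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    internal = domain == INTERNAL_DOMAIN
    # Same domain as ours, but no such mailbox exists on the mail server.
    if internal and local not in KNOWN_MAILBOXES:
        reasons.append("internal-domain sender with no matching mailbox")
    # Assumption: the receiving gateway records SPF/DKIM results in this header.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if internal and "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append("internal-domain sender without SPF/DKIM pass")
    # Only the final suffix counts, so "report.pdf.exe" is treated as .exe.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if PurePosixPath(name).suffix in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment: {name}")
    return reasons

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```
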

     

     



  • 6.  RE: Receiving virus mail from Administrator

    Posted Oct 24, 2013 05:05 AM

    Thanks for your advice. Appreciate it.



  • 7.  RE: Receiving virus mail from Administrator

    Posted Oct 24, 2013 05:06 AM

    Thanks for your advice. Appreciate it.



  • 8.  RE: Receiving virus mail from Administrator

    Posted Nov 07, 2013 11:11 AM

    Just adding some additional information.... a new feature in Symantec Messaging Gateway has been unveiled to combat mail-delivered attacks like this.

    About Disarming potentially malicious content in attached documents
    http://www.symantec.com/docs/HOWTO93093 
     

    Other new stuff:

    What's new in Symantec Messaging Gateway
    http://www.symantec.com/docs/HOWTO92864

     

    I recommend that any customer using SMG and SEP together in a layered defense should ensure they have this Disarm feature enabled!  &: )