Endpoint Protection


W32.Sality

  • 1.  W32.Sality

    Posted Sep 26, 2010 06:46 AM

    Dear All,

     

    Please help me remove W32.Sality, which has affected many PCs.

    It replicates itself in the Windows temp folder, which leads to the low disk space message.

    It also creates itself in the quarantine folder.

    Symantec detected it and the action taken was "deleted", but after a short time it comes up again.

     

    Best Regards



  • 2.  RE: W32.Sality

    Posted Sep 26, 2010 06:59 AM

    Hello,

    Please try to scan in safe mode, and please update your Windows if you can. A safe mode scan is very important.

    Best Regards.

    Fatih



  • 3.  RE: W32.Sality

    Broadcom Employee
    Posted Sep 26, 2010 07:05 AM

    W32.Sality will infect executable files on local, removable and remote shared drives. Remove the infected system from the network and scan the system in safe mode after updating it with the latest definitions.

    If there are any suspicious files/programs, submit them to Symantec for analysis.

    Check out this link:

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99&tabid=3



  • 4.  RE: W32.Sality

    Posted Sep 26, 2010 07:16 AM

    Thank you pete :)

    I couldn't find this link. Thank you again ;)

    Best Regards.

    Fatih



  • 5.  RE: W32.Sality

    Posted Sep 26, 2010 07:20 AM

    Thank you



  • 6.  RE: W32.Sality

    Broadcom Employee
    Posted Sep 26, 2010 07:29 AM

    Are the network shares open? If yes, please close the ones that are not required. For the others, implement strong passwords.

    Block autorun on the system.

    As mentioned in the earlier link, there is an IPS signature as well, which you can use on the client machines where IPS signatures are enabled. This will tighten the security.



  • 7.  RE: W32.Sality

    Broadcom Employee
    Posted Sep 26, 2010 07:31 AM

    @Fatih

    Are you not able to check this link?



  • 8.  RE: W32.Sality

    Posted Sep 27, 2010 02:44 AM

    Jamal, you should also consider the virus source. If it comes again and again, it is possible that there is some machine in the network which is running with old virus signatures and is causing the infection. If so, use the unmanaged detector or the "find unmanaged machines" feature from the Symantec console to find machines without antivirus or running with very old signatures.

    Also, if Symantec is not able to clean fully, you should consider using other tools such as MSRT (Microsoft tool) or ComboFix (use the bleepingcomputer link). I have seen good results with them for Conficker. Once cleaned, you can then use Symantec to run a full scan. On the infected machines (the ones getting infected again and again), use netstat -an or TCPView to see which computers are making connections. This is one good way to find out the source.
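    To make the netstat step above repeatable, here is an added example (not code from the thread or from Symantec) that parses the Windows-style `netstat -an` output and tallies which remote hosts hold established connections to the file-sharing ports; the sample output and the host addresses are constructed.

```python
"""Tally ESTABLISHED connections to share ports from `netstat -an` output.
Added example, not from the forum thread; assumes the Windows netstat layout
(Proto, Local Address, Foreign Address, State) and a constructed sample."""
from collections import Counter

# Windows file and printer sharing ports. Sality spreads through writable
# network shares, so a peer repeatedly connected here deserves a closer look.
SHARE_PORTS = {445, 139}

# Constructed sample of `netstat -an` output in the Windows format.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:445       192.168.1.77:49211     ESTABLISHED
  TCP    192.168.1.20:445       192.168.1.77:49302     ESTABLISHED
  TCP    192.168.1.20:139       192.168.1.77:49305     ESTABLISHED
  TCP    192.168.1.20:445       192.168.1.10:51002     ESTABLISHED
  TCP    192.168.1.20:3389      192.168.1.5:60111      ESTABLISHED
  TCP    192.168.1.20:52011     93.184.216.34:80       TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

def split_host_port(addr):
    """Split 'host:port'; rpartition also copes with bracketed IPv6 addresses."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def inbound_share_peers(netstat_text):
    """Count ESTABLISHED TCP connections to SHARE_PORTS, keyed by remote host."""
    peers = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue  # header, blank, UDP and non-established rows are skipped
        _, local_port = split_host_port(fields[1])
        remote_host, _ = split_host_port(fields[2])
        if local_port in SHARE_PORTS:
            peers[remote_host] += 1
    return peers

def rank_suspects(netstat_text):
    """Remote hosts ordered by number of share connections, most active first."""
    return inbound_share_peers(netstat_text).most_common()

if __name__ == "__main__":
    for host, n in rank_suspects(SAMPLE_NETSTAT):
        print(f"{host:15} {n} connection(s) to share ports")
```

    The ranking only narrows the search: the top host is the one to check for missing or stale definitions next, not proof that it is the source.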



  • 9.  RE: W32.Sality

    Posted Sep 27, 2010 03:19 AM

    Jamal, take the computer status details for whichever machines have 30-day-old definitions.

    1. Log in to the console, go to Monitor -- Logs -- Computer Status, click on Advanced filter and choose "older than 30 days" for definitions.

    2. See which machines are out of date, then update those clients and scan the full PC in safe mode with System Restore off.



  • 10.  RE: W32.Sality

    Posted Sep 27, 2010 05:08 AM

    No, I can see it. Thank you :)

    Best Regards.

    Fatih



  • 11.  RE: W32.Sality

    Posted Sep 27, 2010 05:16 AM

    Hi Jamal,

    Sality is a persistent and dangerous threat to have in your network. 

    Here is a very good set of steps for how to proceed: Best practices for troubleshooting viruses on a network  http://www.symantec.com/business/support/index?page=content&id=TECH122466&locale=en_US

    It will take time to identify the computer which is infected and attempting to infect others. Stick with the process, though; it will work.

    Please keep the forum up-to-date with your progress!

    Thanks and best regards,

    Mick



  • 12.  RE: W32.Sality

    Posted Sep 27, 2010 09:43 AM

    One vote from my side: this Best Practices is a well-done document to isolate the virus and prevent it from spreading.



  • 13.  RE: W32.Sality

    Posted Oct 10, 2010 06:08 AM

    Dear all,

    Thank you for your valuable support.

    Yes, I managed to solve the issue with your support.

     

    Best Regards