Endpoint Protection

A few PC keep pop up this message this morning. Full scan shows no virus found. What's going on?

You can scan your system Symantec Power Eraser and submit the submiision file

Symantec Power Eraser using Symantec Help (SymHelp) Tool

https://www-secure.symantec.com/connect/articles/symantec-power-eraser-using-symantec-help-symhelp-tool

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team

https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

What is backdoor houdini?

check this link

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27071

Hi Low,

If the computers are showing the pop-up, the most likely thing is that they have blocked an attack coming in from another computer.

Another possibility is that removable media (USB drives, etc) that were plugged into those computers are infected with a threat that opens up a backdoor.  I recommend scanning them!

VBS.Dunihi
http://www.symantec.com/security_response/writeup.jsp?docid=2013-091222-3652-99

This would also be a good time to ensure that all patches are up-to-date, all passwords are strong and changed freqently, etc.  Here are some good receommendations:

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Hope this helps!!

Mick

Check the NTP logs, does it show the source IP attacker?

Hello,

I agree with above comments - 

Backdoor Trojans allow the remote attackers to perform various malicious activities on the compromised machine.

System Infected: Backdoor Houdini Activity

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27071

Take a close look at the Traffic logs, where you see these alerts...if the IP address(es) are external, there's not much you can do...the nature of the internet is to allow unsolicited attempts for communication.

If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).

If the attacks are coming from WITHIN your network, you'll need to do some seluthing to get to the bottom of what's actually attacking and deal with it.  My gut, however, leads me to believe that your logs show external IP addresses.

Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.

If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.

Also, you can Run the SymHelp Utility to check if any suspicious files are found and if there are, submit the same to Symantec Security Response Team.

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Thanks. I will look into it.

even we are facing the same issue, user is getting it again and again. And the IP it is showing is our Bluecoat proxy ip. How do we find out what is the actual cause. No other users are facing it. And the symantec is completely updated 12.1.2 version and full scan shows nothing:

Have you gotten this figured out?

I too have a system showing this continuously. Please suggest removal!

Are the attempts coming from an external address and is it being blocked? If so, SEP is doing its job by protecting you against this.

Download pskill.exe

Then create a .BAT file with the following:

Dont get upset guys

Just install cc cleaner

run cccleaner->tools->startup

most of the cases it was script file with .vbs extension

other wise delete .exe files from startup you have ever known

restart your system

HOPE THIS WORKS

Followers of this thread may be interested to know that Symantec has now released an enhanced heuristic detection against this family of threats.  More details can be found at:

VBS.Dunihi!gen1
http://www.symantec.com/security_response/writeup.jsp?docid=2014-011312-0745-99

Do you need more assistance with your problem or were you able to get it resolved?

If you could post an update for followers of this thread that would be most helpful.

Otherwise, if resolved, you can close the thread out by clicking the "Mark as solution" link at the bottom left on the most helpful post.

Thanks and take care,
Brian

erm i had the same problem, i know the programme is helping but it keeps popping up, will it stop in a sense that it will stop attacking?

Is the attacking IP remote or something on your internal LAN?

IP remote i believe

You can also create a firewall rule to block the offending IP.

alright i shall try, thanks for the info

You're welcome. Let me know how it goes.

so far it has stopped popping up on my screen so i have probably successfully blocked the ip so thanks ,however what happen if my subscribtion to the programme is over and i didnt immediatly renew it , will the attack come back immediatly?

assuming you're running an unmanaged client, there is no expiration.

Is this SEP?

alright didnt know that, now i know thanks alot for the help, i had a panic attack for a second there when that pops up now its solved thanks!

happy to help :)