Endpoint Protection

  • 1.  shortcut virus

    Posted May 15, 2014 11:51 PM

    hi guys,

    I have been having a problem with a shortcut virus at my company for a long time.

    When I scan the thumb drive with SEMP version 12.1, the virus is still in it.

    Even the PC is infected.

    I've tried to use SymHelp but nothing happens.

    Can you guys show me how to remove the virus automatically when I plug in the thumb drive?

    Or may I know the person in charge so that I can contact him/her immediately?



  • 2.  RE: shortcut virus

    Trusted Advisor
    Posted May 16, 2014 12:01 AM

    Hello,

    With reference to recent virus/worm issues, Symantec has strongly recommended us to update the below mentioned patches on priority as this helps worms/viruses to gain advantage of the vulnerabilities found on unpatched machines. Also received virus definition from Symantec for submitted worm.

    Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability

    Microsoft Security Bulletin MS10-046/ (KB2286198) 

    http://www.securityfocus.com/bid/41732/solution

    Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability

    Nortel Response to Microsoft Security Bulletin MS08-067/ (KB958644)

    http://www.securityfocus.com/bid/31874/solution

    Secondly, I would advise you to upload this suspicious file to the Symantec Security Response Team on - 

    https://submit.symantec.com/essential

    OR

    http://www.threatexpert.com

    Secondly, in your case, it is advisable to follow a few important steps:

    1) Make sure all these machines are Patched with ALL Latest MS security patches and service packs.

    2) Make sure the machines are installed with the Latest Symantec virus definitions.

    3) Disable the Autorun Feature on the machine.

    Preventing a virus from using the AutoRun feature to spread itself

    http://www.symantec.com/business/support/index?page=content&id=TECH104447

    Later, in case suspicious activity is still happening, follow the steps provided in the article below:

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    If you have ADC in use with your SEP, you can block that file's MD5 by policy: How to use Application and Device Control to limit the spread of a threat.

    A few more recommendations...

    Two Reasons why IPS is a "Must Have" for your Network
    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network
     

    IPS can help prevent the spread of many threats, including ones that are copied up to file servers / shares.  Please ensure that it is in use in your environment!

    Once you have found the suspicious file (and hopefully any additional suspicious files from the computer which originally copied it up to those shares) here's some best practice advice on the best way to submit them:

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    Hope that helps!!



  • 3.  RE: shortcut virus

    Posted May 16, 2014 12:46 AM

    First of all, you can check that your system is updated with the latest definitions and that all Microsoft security patches are up to date.
    You can add the suspicious file to a zip and submit it to Symantec for analysis:
    https://submit.symantec.com/essential

     
    Check the thread to secure the system from shortcut virus

    https://www-secure.symantec.com/connect/forums/usb-flash-drive-shortcut-virus

     



  • 4.  RE: shortcut virus



  • 5.  RE: shortcut virus

    Posted May 16, 2014 08:36 AM

    Hi AbdRauf,

    If you need professional help, please do open a case with Technical Support!  This forum is intended for peer-to-peer assistance only.

    This is the best article to start with:

    Best Practices for Troubleshooting Viruses on a Network
    http://www.symantec.com/docs/TECH122466 
      

    If the computer is infected, run the SymHelp tool with Threat Analysis Scan.   Here’s an excellent illustrated guide:

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)
    http://www.symantec.com/docs/TECH215519

     

    Once you have found the suspicious file here's some best practice advice on the best way to submit them:

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    Many thanks!  Please do keep this thread up-to-date with your progress.

    Mick



  • 6.  RE: shortcut virus

    Posted May 19, 2014 04:47 AM

    Hi AbdRauf,

    Just checking the status of this thread.  It is still marked "needs solution."

    Please do post an update, when time allows!

    Mick



  • 7.  RE: shortcut virus

    Posted May 19, 2014 11:49 PM

    I already submitted the suspicious file to Symantec a few times but the reply is:

    "Due to the large volume of customer submissions to Symantec and in order to minimize our response time to you, we cannot accept more than 10 files per submission. Please try resubmitting with fewer files. Due to the large volume of customer submissions to Symantec and in order to minimize our response time to you, we cannot accept more than 10 files per submission. Please try resubmitting with fewer files."

    My uploaded zip file is only 4.58MB = 2 folders, 1 suspicious file, 1 application. I've tried to remove more files from it but the response team always replies with the same thing.

    By the way, what should I do so that SEMP is able to delete the virus automatically when I plug in a thumb drive?

    I can't afford to run SymHelp on all 600+ PCs at the office one by one. Most of my users are still using Win XP. Since Microsoft has stopped the Windows XP updates, the problem looks unsolved.
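
Added example, not part of the original thread and not a Symantec tool: a Python script that splits a folder of collected samples into zip archives that stay within the 10-file limit quoted in post 7, and records each file's MD5, the value the Application and Device Control rule mentioned in post 2 matches on. The function names, the archive naming and the assumption that every file inside a folder counts toward the limit are illustrative.

```python
import hashlib
import zipfile
from pathlib import Path

MAX_FILES_PER_SUBMISSION = 10  # limit quoted in the reply in post 7


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large samples are never loaded whole."""
    digest = hashlib.md5()  # MD5 only because the ADC rule in post 2 matches on it
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_submissions(sample_dir, out_dir, limit=MAX_FILES_PER_SUBMISSION):
    """Zip every file under sample_dir into archives of at most `limit` files.

    Returns (archives, manifest): the archive paths and {relative name: md5}.
    Samples are only read as bytes; nothing is opened with its associated program.
    """
    sample_dir, out_dir = Path(sample_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    # Assumption: folders do not count, but every file inside them does.
    files = sorted(p for p in sample_dir.rglob("*") if p.is_file())
    manifest = {p.relative_to(sample_dir).as_posix(): md5_of(p) for p in files}
    archives = []
    for start in range(0, len(files), limit):
        archive = out_dir / f"submission_{start // limit + 1:02d}.zip"
        with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
            for p in files[start:start + limit]:
                zf.write(p, p.relative_to(sample_dir).as_posix())
        archives.append(archive)
    return archives, manifest


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "samples", "folder")
        src.mkdir(parents=True)
        for i in range(12):  # constructed placeholder files, not real samples
            (src / f"constructed_{i:02d}.bin").write_bytes(b"constructed %d" % i)
        archives, manifest = build_submissions(Path(tmp, "samples"), Path(tmp, "out"))
        print(len(archives), "archives;", len(manifest), "hashes")
```

Keep the output directory outside the sample folder so archives from an earlier run are not picked up as samples.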



  • 8.  RE: shortcut virus

    Posted May 20, 2014 04:33 AM

    Hi AbdRauf,

    There's a solution for almost everything.  This is the type of situation where I recommend opening a case with Technical Support.  They can guide you in tracking down the root of the problem and provide advice on what action to take.

    Also, can you PM me your tracking numbers?

    All the best,

    Mick



  • 9.  RE: shortcut virus

    Posted Jun 10, 2014 05:26 AM

    Hi AbdRauf

    I have the same problem in my enterprise.

    Did you find any solution I can benefit from?