Endpoint Protection

  • 1.  Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 12:27 AM

    Dear All,

    I use Symantec Endpoint Protection version 12.x.x.x for my office. I have a problem with a trojan that accesses the URL http://realtime.services.disqus.com/api/2/thread/: all computer users in my office access this URL, and this is high traffic, because in the squid log this URL is accessed continuously.

    This is my squid log:

    .....


    1355980497.949      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
    1355980497.951      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
    1355980497.952      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
    1355980497.955      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
    1355980497.955      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
    1355980497.956      1 172.16.64.143 TCP_IMS_HIT/304 288 GET http://www.gstatic.com/bg/vCt3jT-yDKiibCfPvg7VU88K5y9oo1XwPZhbNBmPvNI.js - NONE/- text/javascript
    1355980497.959      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
    1355980497.962      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
    1355980497.963      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
    1355980497.966      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
    1355980497.968      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
    1355980497.970      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
    1355980497.971      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json

    ....

    OK... Thanks


  • 2.  RE: Remove Malware http://realtime.services.disqus.com

    Broadcom Employee
    Posted Dec 20, 2012 05:04 AM

    Hi,

    Could you please confirm the name of the Trojan?

    Is SEP detecting it? Do you see any action against it?

    Make sure SEP clients are updated with the latest definitions and machines have the latest Microsoft patches and service packs.



  • 3.  RE: Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 06:07 AM

    Run a full scan in safe mode with latest defs on one of the affected machines.



  • 4.  RE: Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 06:10 AM

    Hi

    I agree with the above comments.

    You can try the Symantec tool:

    Is your system infected? Symantec tools to help clear an infection

    https://www-secure.symantec.com/connect/forums/remove-malware-httprealtimeservicesdisquscom




  • 5.  RE: Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 11:26 AM

    You can download the latest Rapid Release definitions and after that scan the system in safe mode.

    Link

    http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=rr



  • 6.  RE: Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 05:07 PM

    Disqus is used for commenting systems on many reputable websites. Is the traffic to this site the only thing that makes you think there's a trojan, or is there other suspicious behaviour? (Is it possible your end users are visiting and heavily commenting on one or more websites?)

    sandra
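
    Added example (not from any post in this thread): a short Python script that parses the squid access.log excerpt quoted in the first post and summarizes, per client, how many requests went to realtime.services.disqus.com, how many distinct URLs (i.e. distinct Disqus thread IDs) were involved, how many were served from squid's cache, and the request rate. This is the check sandra's question calls for: one client repeating a single thread URL hundreds of times per second looks like a tight client-side loop, while a person commenting on several pages produces several distinct thread IDs at a human pace. The sample log is constructed from the lines quoted above (one gstatic line kept so filtering is exercised), and the rate threshold in flag_tight_loops is an assumption to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the squid access.log excerpt quoted in the first post.
SAMPLE_LOG = """\
1355980497.949      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
1355980497.951      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
1355980497.952      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
1355980497.955      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
1355980497.955      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
1355980497.956      1 172.16.64.143 TCP_IMS_HIT/304 288 GET http://www.gstatic.com/bg/vCt3jT-yDKiibCfPvg7VU88K5y9oo1XwPZhbNBmPvNI.js - NONE/- text/javascript
1355980497.959      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
1355980497.962      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
1355980497.963      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
1355980497.966      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
1355980497.968      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
1355980497.970      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/471090431? - NONE/- application/json
1355980497.971      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/801387214? - NONE/- application/json
"""

# Squid native access.log format:
# time elapsed client result/status bytes method URL rfc931 hierarchy/peer content-type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_squid(text):
    """Yield one dict per well-formed access.log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            rec["host"] = urlsplit(rec["url"]).hostname or ""
            yield rec


def summarize_host(text, host):
    """Per-client summary of all requests to one host."""
    by_client = defaultdict(list)
    for rec in parse_squid(text):
        if rec["host"] == host:
            by_client[rec["client"]].append(rec)

    summary = {}
    for client, recs in by_client.items():
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        span = last - first
        summary[client] = {
            "requests": len(recs),
            # Distinct URLs = distinct Disqus thread IDs for this host.
            "distinct_urls": len({r["url"] for r in recs}),
            # *_HIT result codes were answered from squid's cache, not fetched upstream,
            # so they cost little WAN bandwidth even when the client loops hard.
            "cache_hits": sum(1 for r in recs if "_HIT" in r["code"]),
            "bytes": sum(int(r["bytes"]) for r in recs),
            "span_s": round(span, 3),
            "req_per_s": round(len(recs) / span, 1) if span > 0 else float("inf"),
        }
    return summary


def flag_tight_loops(summary, min_req_per_s=20.0):
    """Clients whose request rate to the host exceeds a threshold (assumed value; tune per site)."""
    return sorted(c for c, s in summary.items() if s["req_per_s"] >= min_req_per_s)


if __name__ == "__main__":
    stats = summarize_host(SAMPLE_LOG, "realtime.services.disqus.com")
    for client in sorted(stats):
        print(client, stats[client])
    print("clients in a tight loop:", flag_tight_loops(stats))
```

    On the quoted lines each of the two clients repeats a single thread URL roughly 300 times per second, every response is a TCP_MEM_HIT from squid's memory cache, and no client touches more than one thread. That pattern points at a page or browser component stuck in a polling loop rather than at people commenting, which is why the next thing to check is which process and which referring page issue the requests (the default squid log format records neither the User-Agent nor the Referer, so that needs the browser, a custom logformat, or a packet capture on one affected host).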



  • 7.  RE: Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 09:16 PM

    I don't know the name of the trojan, because SEP does not detect this trojan, and the SEP clients use the latest definitions and the machines have the latest Microsoft patches and service packs.




  • 8.  RE: Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 09:22 PM

    Hi Moh

    If Symantec antivirus does not detect the virus, you can submit the file to Symantec:

    Using Symantec Support Tool, how do we collect the suspicious files and submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

    More information

    https://www-secure.symantec.com/connect/forums/whats-process-submit



  • 9.  RE: Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 09:50 PM

    Never heard of this... but have you checked the browser add-ons?

    It could be the unwanted one...



  • 10.  RE: Remove Malware http://realtime.services.disqus.com

    Posted Dec 20, 2012 11:20 PM

    Hi Moh

    If there are any suspicious files that Symantec antivirus does not detect, you can submit the files to Symantec:

    Using Symantec Support Tool, how do we collect the suspicious files and submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec