Endpoint Protection


Symantec Power Eraser and users' Load Points

  • 1.  Symantec Power Eraser and users' Load Points

    Posted Aug 03, 2012 05:13 AM

    Hello,

     

    Symantec Power Eraser seems to examine only the Load Points of the Current User, and not the Load Points of all users who have profiles on the host.

    Some tools like Autoruns from Sysinternals ( http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx ) are able to enumerate auto-starting locations for all the users on the host.

    It would be nice if Symantec Power Eraser could do the same. (The people doing the investigation in our company are not the same as the people that are infected, they do not use the same account, etc.)

     

    Best regards,

     

    Antoine



  • 2.  RE: Symantec Power Eraser and users' Load Points

    Posted Aug 03, 2012 05:18 AM

    Symantec Power Eraser is the latest Symantec Recovery tool. The tool is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user’s system. Zero-day threats are those that take advantage of a newly discovered hole in a program or operating system before the developers have made a fix available – or before they are even aware that a hole exists.

    http://www.symantec.com/theme.jsp?themeid=spe-user-guide



  • 3.  RE: Symantec Power Eraser and users' Load Points

    Posted Aug 03, 2012 05:23 AM

    Are you using this utility as an admin user? If not, please do so. It should gather logs from the host.

    http://www.symantec.com/business/support/index?page=content&id=TECH134803&actp=search&viewlocale=en_US&searchid=1343985648932



  • 4.  RE: Symantec Power Eraser and users' Load Points

    Posted Aug 03, 2012 06:00 AM

    Hello,

     

    Answering Kashish33:

    • we would like to use Symantec Power Eraser to find new variants of existing threats that are not detected by the current definition sets; this seems to be one of the goals of Symantec Power Eraser

    • as you may know, a lot of viruses ensure persistence through an HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run registry key (here, CURRENT_USER = the infected user)

     

    Answering Ajit Jha:

    Yes, we use an admin account.

    Symantec Power Eraser successfully examines some Load Points like:

    hkey_local_machine\software\microsoft\windows\current version\run

    and

    hkey_current_user\software\microsoft\windows\current version\run (here, current_user = the admin account)

    But it doesn't seem to examine the user profile registry hives of users other than the current user.

     

    Best regards,

     

    Antoine
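
The per-user load-point enumeration discussed in this post, as an added example (not part of the original thread, and not Symantec or Sysinternals code): it walks every profile in ProfileList, temporarily loads NTUSER.DAT for users who are not logged on, and lists their Run and RunOnce values. The mount name `Investigate_<SID>` is an arbitrary choice made here, and the script must be run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: list Run/RunOnce values for every local profile,
# not only for the account running the investigation.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'

$results = foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    if ($sid -notmatch '^S-1-5-21-') { continue }    # skip SYSTEM and service SIDs
    $profilePath = (Get-ItemProperty $p.PSPath).ProfileImagePath
    $hiveFile    = Join-Path $profilePath 'NTUSER.DAT'

    $mount = $sid            # hive already under HKEY_USERS if the user is logged on
    $loadedByUs = $false
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        if (-not (Test-Path -LiteralPath $hiveFile)) { continue }
        $mount = "Investigate_$sid"                  # arbitrary temporary mount name
        & reg.exe load "HKU\$mount" $hiveFile 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hiveFile"; continue }
        $loadedByUs = $true
    }
    try {
        foreach ($rk in $runKeys) {
            $key = Get-Item -LiteralPath "Registry::HKEY_USERS\$mount\$rk" -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Sid     = $sid
                    Profile = $profilePath
                    Key     = $rk
                    Name    = $name
                    # Keep %VAR% unexpanded: it would resolve against the investigator's environment
                    Command = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                }
            }
            $key.Close()
        }
    } finally {
        if ($loadedByUs) {
            # Release any remaining registry handles, otherwise the unload fails
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$mount" | Out-Null
        }
    }
}
$results | Sort-Object Sid, Key, Name | Format-Table -AutoSize -Wrap
```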

     

     



  • 5.  RE: Symantec Power Eraser and users' Load Points

    Posted Aug 03, 2012 06:12 AM

    You may contact Symantec Customer Care at

    http://www.symantec.com/support/assistance_care.jsp

    Regional Support Telephone Numbers:

    United States: https://support.broadcom.com (407-357-7600 from outside the United States)

    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

    United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp



  • 6.  RE: Symantec Power Eraser and users' Load Points

    Broadcom Employee
    Posted Aug 03, 2012 08:25 AM

    Hi Antoine B,

    Actually no need to call support on this issue.

    You are correct that Symantec Power Eraser examines only the load points of the current user, and it's by design.

    By default, Windows loads one profile at a time.

    There are a few common load points that can be specific to a user profile.

    Check the following article to learn more about it.

    http://www.Symantec.com/docs/TECH99331

    As per your comment "(the people doing the investigation in our company are not the same as the people that are infected, they do not use the same account etc.)": in this case, the people that are infected should run Power Eraser; the person investigating should not use his login credentials to run this tool.

    However, you can submit a product enhancement request:

    http://www.Symantec.com/business/support/index?page=content&id=TECH95412



  • 7.  RE: Symantec Power Eraser and users' Load Points

    Broadcom Employee
    Posted Aug 03, 2012 08:46 AM

    Hi,

    You can also add it under the idea section.

    https://www-secure.symantec.com/connect/node/add/idea



  • 8.  RE: Symantec Power Eraser and users' Load Points

    Posted Aug 03, 2012 08:52 AM

    Thanks Chetan Savade, I will open an idea.

     

    As for your suggestion about the infected user running the tool, this doesn't work:

    • they are not working in IT
    • they do not have administrator rights (best practice), and Symantec Power Eraser doesn't seem to work well with a non-administrator account


  • 9.  RE: Symantec Power Eraser and users' Load Points

    Broadcom Employee
    Posted Aug 03, 2012 09:01 AM

    Hi Antoine B,

    In this situation, you need to temporarily elevate the user's rights, fix the issue, and then revert the permissions.

    OR

    Run a complete scan using SEP/NSS/SERT.

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

     



  • 10.  RE: Symantec Power Eraser and users' Load Points

    Posted Aug 08, 2012 12:23 AM

    Nice point there, Antoine.

    Let us know if you are already pushing the idea.



  • 11.  RE: Symantec Power Eraser and users' Load Points

    Broadcom Employee
    Posted Aug 08, 2012 01:51 AM

    Hi,

    I can see the idea is being created.

    https://www-secure.symantec.com/connect/forums/symantec-power-eraser-and-users-load-points#comment-7491171