Endpoint Protection

  • 1.  w32.downadup.b risk logs

    Posted Aug 14, 2012 03:36 AM

    Hello everybody.

    I have a situation and I need a solution. One client in a customer's SEP infrastructure has risk logs full of w32.downadup.b risks. All these risks have the same filename (tatvg.kjs). Despite the fact that it says the file is successfully deleted, it continues to pop up notifications about the same file which say

    action taken pending side effects analysis access denied

    This has been happening for the last 15 days. Our SEP client is 11.0.7000.975. It is managed by a manager. It is updated with the latest definitions (13th August).

    My questions are:

    1. Why does this happen every time, since the file was deleted the first time? What regenerates the file?

    2. The same happens with other clients too, but not the same risk. What am I supposed to do?

    Please advise



  • 2.  RE: w32.downadup.b risk logs
    Best Answer

    Broadcom Employee
    Posted Aug 14, 2012 03:40 AM

    Enable the risk tracer and check if you can identify the source.

    Did you scan the system in safe mode?




  • 3.  RE: w32.downadup.b risk logs

    Posted Aug 14, 2012 03:46 AM

    What is the risk tracer? What do you mean by saying "identifying the source"?

    Why should I scan the system in safe mode? What is the reason to do that? It says that the file is cleaned and deleted. And after 5-10 minutes it prompts again for the same file.



  • 4.  RE: w32.downadup.b risk logs

    Trusted Advisor
    Posted Aug 14, 2012 03:54 AM

    Hello,

    Check this Article:

    What is Risk Tracer? http://www.symantec.com/docs/TECH102539

    and Work on the Plan of Action as given below for a 100% result.

    Plan of Action:

    1) Make sure ALL computers have Symantec EP installed with the latest / updated virus definitions, and

    2) Install the MS08-067 patch [KB 958644] on ALL computers.

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    3) Install ALL latest Microsoft Security Patches / Service Packs on ALL machines

    4) Disable AutoPlay with GPO

    http://support.microsoft.com/kb/953252

    5) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    6) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    7) Scan ALL the machines...

    NOTE: *ALL means ALL client machines and server machines (make sure you don't miss any machine)

    In addition to this, please check the articles provided below and work on them.

    1) Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

    2) Simple steps to protect yourself from the Conficker Worm

    http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648

    Hope that helps!!



  • 5.  RE: w32.downadup.b risk logs

    Posted Aug 14, 2012 04:05 AM

    Thanks for the replies, guys. The following are the notifications pending about the risk.

    First is

    Scan type: Auto-Protect Scan
    Event: Risk Found!
    Security risk detected: W32.Downadup.B
    File: C:\WINDOWS\system32\tatvg.kjs
    Location: C:\WINDOWS\system32
    Computer: ........
    User: Administrator
    Action taken: Pending Side Effects Analysis : Access denied
    Date found: Tuesday, August 14, 2012  10:37:48 AM

    and after that

    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Security risk detected: W32.Downadup.B
    File: C:\WINDOWS\system32\tatvg.kjs
    Location: C:\WINDOWS\system32
    Computer: ..............
    User: Administrator
    Action taken: Cleaned by Deletion
    Date found: Tuesday, August 14, 2012  10:38:10 AM


    It is obvious that the file is deleted. But it prompts again and again. I do not think that I can do what Mithun Sanghavi told me, because the customer is a telco company and I cannot have access to their systems in order to do that.

    Could you please give an easier solution to this? I also have to inform you that the customer has already run the D.exe tool in safe mode without networking and had no results. D.exe found nothing. After that, the customer uninstalled SEP and installed AVG, which cleaned everything, and no notifications pop up using AVG. So there must be an easier solution.

    Thanks a lot.
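    Added example (not from this thread or from Symantec): a small Python parser for the notification format quoted above. It groups events by computer and file and flags any file that is "Cleaned by Deletion" more than once, which is the re-detection cycle being described (a successful delete followed by the same file reappearing) and is the signal to look for an external source rather than a failed clean. The host name and the third, later record are constructed.

    ```python
    """Group SEP risk notifications by computer and file and flag re-deletion cycles."""
    from collections import defaultdict
    from datetime import datetime

    # One notification block in the format quoted in the thread (template only;
    # the event, action and time are filled in below).
    RECORD = """\
    Scan type: Auto-Protect Scan
    Event: {event}
    Security risk detected: W32.Downadup.B
    File: C:\\WINDOWS\\system32\\tatvg.kjs
    Location: C:\\WINDOWS\\system32
    Computer: HOST-A
    User: Administrator
    Action taken: {action}
    Date found: Tuesday, August 14, 2012  {time}"""

    # Constructed sample: the two events from the post plus a later, made-up repeat
    # of the deletion, which is what a recurring infection looks like in the log.
    SAMPLE_LOG = "\n\n".join(RECORD.format(event=e, action=a, time=t) for e, a, t in [
        ("Risk Found!", "Pending Side Effects Analysis : Access denied", "10:37:48 AM"),
        ("Security Risk Found!", "Cleaned by Deletion", "10:38:10 AM"),
        ("Security Risk Found!", "Cleaned by Deletion", "10:46:02 AM"),
    ])

    DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"


    def parse_notifications(text):
        """Split blank-line-separated 'Key: Value' blocks into dicts with a parsed time."""
        records = []
        for block in text.strip().split("\n\n"):
            rec = {}
            for line in block.splitlines():
                key, _, value = line.partition(":")  # first colon only; times contain colons
                rec[key.strip()] = value.strip()
            # Collapse the double space before the time so strptime matches.
            rec["when"] = datetime.strptime(" ".join(rec["Date found"].split()), DATE_FMT)
            records.append(rec)
        return records


    def find_reinfection_cycles(records, min_deletions=2):
        """Return {(computer, file): [deletion times]} for files deleted more than once.
        A file that is deleted and then deleted again is being recreated on the host,
        so the next step is finding what writes it (e.g. Risk Tracer's source computer)."""
        deletions = defaultdict(list)
        for r in records:
            if r["Action taken"] == "Cleaned by Deletion":
                deletions[(r["Computer"], r["File"])].append(r["when"])
        return {k: sorted(v) for k, v in deletions.items() if len(v) >= min_deletions}
    ```
    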



  • 6.  RE: w32.downadup.b risk logs

    Posted Aug 14, 2012 04:44 AM

    You'll need to search for the source.... try enabling 1 client as "risk tracer" in SEPM as mentioned by Pete..

    Also you may take a look at the suspected PC: how many "svchost" processes are running in Task Manager... and double check the "scheduled tasks"....


    I don't think there's any easy way to do this... unless they can confirm every single PC connected to their network has updated AV installed and is fully Windows patched?



  • 7.  RE: w32.downadup.b risk logs

    Posted Aug 14, 2012 05:08 AM

    We have enabled risk tracer on this specific client and the risk log shows another server of the network as the "source computer". We have also enabled risk tracer on this computer and we are in the middle of a full scan. Thanks a lot, guys. If something else happens, I will inform you.