If Symantec is showing them up while scanning but they are not on the system I wonder what’s going on.
That has got me thinking, mate! Looking at it from a reciprocal viewpoint: "What can Symantec see that I cannot, using conventional tools?"
The ones that spring to mind are:
1. RAM
2. The page file
I don't know about alternate data streams and "slack space" or "cluster tips"? If it can't detect something in the latter it isn't much good, I would have thought?
I am not yet sure where I would go from here
On my desktop machines I usually set the Registry value to have Windows overwrite the page file on shutdown. That isn't realistic with a server which is on 24/7
At this point I would set the page file to minimum size. Because this is used by Windows for mini-dumps, I guess malware would not be able to access it.
I would then run "Eraser" [link below] to wipe "free space", as this would get what was in the former page file, and it also wipes alternate data streams and cluster tips.
That then leaves you with the question of how this is happening? It really has to be something that they are not scanning? Possibly:
1. Portable storage media
2. Portable devices
3. Printer Servers
4. Mail Servers... sure, the e-mails are scanned, but what about the server itself?
5. "Orphan" clients (PCs in conference & training rooms, libraries, reception areas etc.) These are sometimes overlooked when nobody has direct responsibility for them?
Works with Windows 98, ME, NT, 2000, XP, Vista, Windows Server 2003 and Server 2008. Eraser is Free software and its source code is released under GNU General Public License.
EDIT 2:
Sorry ByTe, you did title your post "examining" so here you go:
A tool for examining ADS and deleting nasty stuff. Sorry, but it only works with NT4.0, 2000, XP and 2003 Server.
This one will work with Vista and Win 7, but you have to pay $11 for the commercial version that lets you delete stuff. I think it is called "ADS Scanner Engine".
Whilst you are on that site you might like to scroll down and get "Hidden File Scanner". It is the same deal as the one above: "Look for free, pay to touch".
Hidden File Scanner also does a quick scan at start-up to detect the appearance of autorun.inf files on all devices, including removable media. If such an autorun.inf file is found, a dialog box will pop up where you can either delete, unhide or inspect the content of the autorun.inf. This tool will automatically rate the autorun.inf files as normal, hidden, suspicious or dangerous.
I am sorry, but I don't know of a utility to examine cluster tips. I guess I would use a Hex Editor or Disk Investigator.
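For anyone who wants to do the autorun.inf check described above without a third-party tool, here is an added example in Python. It is my own code, not the Hidden File Scanner utility, and the rating rules in it are my assumptions rather than that tool's; the sample autorun.inf contents are constructed, not captured from real media. It parses each file, pulls out every key that launches something on insertion, and classes the file as normal, hidden, suspicious or dangerous.

```python
"""Find and triage autorun.inf files at the root of each attached volume.

Added example: my own code, not the Hidden File Scanner utility, and the
rating heuristics are assumptions, not that tool's rules.
"""
import os
import re
import sys

# Keys that make Windows run something when the volume is mounted.
LAUNCH_KEYS = ('open', 'shellexecute')
# Assumption: host binaries used to launch scripts/DLLs from removable media.
INTERPRETERS = {'cmd', 'wscript', 'cscript', 'rundll32', 'mshta', 'regsvr32'}
# Assumption: directories that look like system areas and are rarely opened.
HIDEOUTS = ('recycler', 'recycled', '$recycle.bin', 'system volume information')
DOUBLE_EXT = re.compile(r'\.(jpg|jpeg|gif|doc|txt|pdf)\.(exe|scr|com|pif|bat|vbs|js)\b', re.I)
HIDDEN_OR_SYSTEM = 0x2 | 0x4   # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Constructed samples, not captured from real media.
SAMPLES = {
    'vendor_cd': "[AutoRun]\nicon=setup.exe,0\nlabel=Product CD\n",
    'usb_worm': ("[autorun]\nopen=RECYCLER\\autorun.exe\n"
                 "shell\\open\\command=RECYCLER\\autorun.exe\n"
                 "action=Open folder to view files\n"),
    'vbs_launcher': "[autorun]\nopen=wscript.exe update.vbs\n",
}

def parse_autorun(text):
    """Minimal INI parser: {lowercased key: value} for the [autorun] section."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('['):
            in_section = line.strip('[]').strip().lower() == 'autorun'
            continue
        if in_section and '=' in line:
            key, value = line.split('=', 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_commands(entries):
    """Values of open=, shellexecute= and any shell\\<verb>\\command= key."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith('shell\\') and k.endswith('\\command'))]

def rate(entries, hidden=False):
    """Return (rating, reasons); `hidden` is the file's hidden/system attribute."""
    reasons = []
    cmds = launch_commands(entries)
    for cmd in cmds:
        low = cmd.lower()
        first = low.split()[0].strip('"') if low.split() else ''
        # Basename of the launched program without its extension.
        host = first.replace('/', '\\').rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if any(h in low for h in HIDEOUTS):
            reasons.append('launches from a system-looking directory: ' + cmd)
        if host in INTERPRETERS:
            reasons.append('launches via a script/DLL host: ' + cmd)
        if DOUBLE_EXT.search(low):
            reasons.append('target uses a double extension: ' + cmd)
    if cmds and ('shell' in entries or 'shell\\open\\command' in entries):
        reasons.append('overrides the Explorer default verb (double-click runs the target)')
    if cmds and entries.get('action', '').lower().startswith('open folder'):
        reasons.append('action= text mimics the Windows "Open folder" prompt')
    if cmds and hidden:
        reasons.append('autorun.inf is hidden/system and launches something')
    if reasons:
        return 'dangerous', reasons
    if cmds:
        return 'suspicious', ['launches on insertion: ' + '; '.join(cmds)]
    if hidden:
        return 'hidden', ['autorun.inf carries hidden/system attributes']
    return 'normal', []

def is_hidden(path):
    """st_file_attributes only exists on Windows; elsewhere report not hidden."""
    return bool(getattr(os.stat(path), 'st_file_attributes', 0) & HIDDEN_OR_SYSTEM)

def scan_roots(roots):
    """Yield (path, rating, reasons) for each root that carries an autorun.inf."""
    for root in roots:
        path = os.path.join(root, 'autorun.inf')
        if os.path.isfile(path):
            with open(path, errors='replace') as fh:
                rating, reasons = rate(parse_autorun(fh.read()), hidden=is_hidden(path))
            yield path, rating, reasons

if __name__ == '__main__':
    # Pass volume roots (e.g. D:\ E:\ on Windows); with no arguments, rate the samples.
    if len(sys.argv) > 1:
        for path, rating, reasons in scan_roots(sys.argv[1:]):
            print(rating.upper(), path, *reasons, sep='\n  ')
    else:
        for name, text in SAMPLES.items():
            print(name, rate(parse_autorun(text)))
```

Any launch key at all is rated at least "suspicious", because a legitimate vendor CD with open=setup.exe and a worm on a USB stick look the same to the parser; the "dangerous" tier is for the tricks that only make sense if the author wants to hide (system-looking directories, script hosts, double extensions, hijacking the default double-click verb or the "Open folder to view files" prompt).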
Nihil, all these files have a path! If they are in the swap file (which, if I am not wrong, cannot be scanned by an AV) the path would be to that file. I am sure they are not in the RAM because I know what's loaded into the memory (it's highly unlikely that VBS and INI files are loaded in the memory and I cannot see them). I've used Sysinternals to go through the current processes and all the files attached to each process.
I am planning to have a meeting with some senior Symantec engineer who can assist us ruling out a product glitch (which would be really pathetic). Every time I open a case with Symantec I have to run the stupid load point analysis and diagnostic tool.. LONG STORY !
Anyway, I've uploaded a few JPEGs showing the scan window and the file names. I'll hopefully sanitize the logs so I can upload them here, because the ADS and other logs have come back with a lot of data but not a single file which looks suspicious.
Thanks again, mate. I'll go through your post again tomorrow (today).. I'm sleepy, it's (originally 001114 Hrs before I started uploading the print screens) 0125 Hrs here.
Please check your Private Messages... I have sent you an e-mail address that accepts attachments up to 10 megabytes. We might find that useful in future?
I will raise the issue of attachment policies, as we have reverted to the vBulletin defaults since the " night of the great upgrade"
Obviously, I do not want to take discussions "offline" from the forums... it is simply an issue of how to handle data over a long distance. Hey, ByTe, you must be about 9,000 miles away from me?
Now, to the case in hand:
ByTe, are you saying that Symantec is reporting malware at a particular location (path) and that when you go there, you cannot find it?
I am planning to have a meeting with some senior Symantec engineer who can assist us ruling out a product glitch (which would be really pathetic)
Hmmmmmm...
OK, let's have another look?
1. Malware might attack a normal ( visible) system by three basic methods:
a) append to an existing item
b) prepend to an existing item
c) inject into an existing item
2. Your AV is finding stuff that quite sophisticated analytical tools can't?
I've presented my report, covering preparation, detection, containment and current analysis. I'll update soon (possibly in 2 or 3 days). I met a Symantec rep who wasn't too happy with the findings, nor was the central anti-virus head, knowing we had almost ALL servers down with the same thing.
I am not sure if anyone has paid any attention to this but since this incident involves Windows Server 2003, I have to compile a report on the security aspect of the OS itself.
I was going through Secunia to see how many vulnerabilities have been reported and so on, and honestly this shocked me. There are 14 unpatched vulnerabilities! I was hoping Microsoft would be a little more responsible towards server-grade OSes, but no! I just wanted this to be a part of the thread since it might help someone else prepare a report. Also, my break-in (or at least the date I noticed it) was close to some popular sites getting DDoSed. While these servers have been infected in the past without any reasons being found, it is still worth noting.
I wanted to get a few files for analysis and I tried using a Knoppix live CD, but it didn't work because for some odd reason Knoppix is not able to mount the drive. The server uses a SCSI interface.
I get the following error; anyone who can assist, please let me know. I will Google it once I get home (leaving the office right now).
The ftp site I gave you should have the latest and greatest copy of that LiveCD. Just edit the ftp URL to "ftp://ibiblio.org/pub/linux/distributions/knoppix"
If you need additional modules for starting controllers needed at boot
time, just copy the corresponding *.ko files from /lib/modules/* over to
/modules in the initial ramdisk (remaster needed).
You will need to uncompress initrd to a temp directory; make your changes; compress back into a initrd image; remaster the CD. Initrd howtos are available on the interweb.
Last edited by Linen0ise; January 16th, 2010 at 09:10 PM.
Sad as it is. Spending new years eve and other time doing stuff that ... (anyway)
This is the reply from Symantec:
*******************************************************************
> Question/Issue:
How does Active (Quick) Scan function?
> Symptoms:
Active Scan is scanning files that cannot be found on my machine.
> Cause:
The file is not located on the machine, it is part of a script of most common file types, viruses, and file names that the active scan is searching for on your machine.
> Solution
The Active Scan scans the system memory and all the common virus and security risk locations on the computer very quickly. The scan includes all processes that run in memory, important registry files, and files like config.sys and windows.ini. It also includes some critical operating system folders.
Memory Examples:
- The processes that are located in Task Manager.
Common infection locations and viruses, for example:
- C:\Windows\System32\dll.dll
Common registry keys Example:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scans the common infection locations in addition to all files, or the types of files or directories, that you selected.
These locations are all well-known virus and security risk locations, in addition to all files or the types of files or directories that you selected. This will quickly assess whether your machine has one of the more common viruses located in the common locations.
There are still 2 servers with confirmed infection; I'll send updates as we progress from here.
Also, these files showed up during the full scan; that is due to the fact (feature) that all full scans start with an active scan.
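The reply above names the Run key as one of the locations the active scan covers, and the thread's whole problem was telling a path that is merely reported from a file that is actually present. Here is an added example in Python of doing that reconciliation yourself; it is my own code, not Symantec's or anything from the thread. The .reg export it parses is constructed, the value names and paths in it are invented for illustration, and the `exists` predicate is injectable so the same check can be run against a file inventory taken from an offline image.

```python
"""Reconcile Run-key autostart entries against files actually on disk.

Added example, not code from the thread or from Symantec. Every value under
the Run key is a command line; the script extracts the absolute paths each
one references and checks whether a file really exists at that path.
"""
import os
import re

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Constructed sample export (regedit -> Export), not taken from a real host.
# In .reg syntax backslashes are doubled and embedded quotes are written as \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AgentMonitor"="\"C:\\Program Files\\Vendor\\agent.exe\" /startup"
"Updater"="C:\\WINDOWS\\system32\\upd.exe -quiet"
"LoadDll"="rundll32.exe C:\\WINDOWS\\system32\\sample.dll,Start"
"Script"="wscript.exe \"C:\\Documents and Settings\\All Users\\start.vbs\""
'''

# "name"="string value" lines; hex(2):/hex(7): (REG_EXPAND_SZ/MULTI_SZ) are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# A quoted absolute path, or an unquoted one running up to the next space.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')

def unescape(s):
    """Undo .reg escaping (doubled backslashes, backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(reg_text, key_name=RUN_KEY):
    """Return {value_name: command_line} for one key of a .reg export."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_key = line[1:-1].lower() == key_name.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            entries[unescape(m.group(1))] = unescape(m.group(2))
    return entries

def paths_in_command(cmd):
    """Absolute paths referenced by an autostart command line, in order.

    A bare host process such as rundll32.exe or wscript.exe is resolved via
    PATH and is not returned; the DLL or script it loads is.
    """
    paths = []
    for quoted, bare in PATH_RE.findall(cmd):
        # rundll32 takes "dll,EntryPoint"; drop the entry point.
        paths.append(quoted or bare.split(',', 1)[0])
    return paths

def reconcile(entries, exists=os.path.exists):
    """List (value_name, path, present) for every path an entry references.

    `exists` is injectable so the check can run against a recorded file
    inventory from an offline image instead of the live filesystem.
    """
    report = []
    for name, cmd in entries.items():
        paths = paths_in_command(cmd)
        if not paths:
            # Relative name only: resolved through PATH, cannot be pinned to a file here.
            report.append((name, cmd, None))
        for p in paths:
            report.append((name, p, bool(exists(p))))
    return report

def missing(report):
    """Entries whose referenced file is not on disk: the ones worth chasing."""
    return [(name, path) for name, path, present in report if present is False]

if __name__ == '__main__':
    for name, path, present in reconcile(parse_run_values(SAMPLE_REG)):
        state = {True: 'present', False: 'MISSING', None: 'unresolved'}[present]
        print(f'{state:10} {name:14} {path}')
```

An entry that points at a file which is not there is not proof of malware (an uninstaller may simply have left the value behind), but it is exactly the kind of path an AV console can report while nothing sits at that location, so those are the rows to check first against the names in the scan window.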
I would say that what you are seeing whilst the scan is in progress is what it is scanning FOR, not the files actually being scanned.
(post #4 in this thread)
The file is not located on the machine, it is part of a script of most common file types, viruses, and file names that the active scan is searching for on your machine.
Looks like my initial suspicion was pretty much correct then?
Nice to know how it works... I am sure to come across this, and now, thanks to your efforts, I have some sort of an answer.