
Thread: A Nasty Little Email - Norton360 - Is it Crap?

#31 neozoon (Member, joined Dec 2002, 33 posts):
Quote Originally Posted by nihil:
    Hi neozoon,
    I am afraid that all that tells me is that NEITHER product did their job, which is to protect you? You ended up doing it manually?

    Yes, neither detects it as a virus. Luckily I found it quickly and could stop it from reaching the servers. It was a real pain to find which PCs had caught it, but cleaning was easy:
    kill + find + delete

    The source was a USB disk: an employee keeps working late at home and brings his files in on a USB disk, which was infected (so was his home PC, of course ^^). I reported the file to Kaspersky.

    About the system indicating a problem: the Symantec process was there, but with only a few megabytes. I guess it patched it or something to stop it from running.

    Back to the USB disk: I was going to make a thread and ask if someone had the same issue as me, because Active Directory GPO has ways to block USB disks, which I tried, but unsuccessfully. The read/write authorisations are not propagated across the network. But I'll read through the forum before making the thread ^^
    PS: it's nice to be back on the forums. I was a member as a student; now that I have finished, I have time to read, get informed and share knowledge, of course ^^
    Last edited by neozoon; April 9th, 2011 at 10:29 AM. Reason: misspelling
    Toka Koka: To receive a reward, an equivalent sacrifice has to be made!

#32 nihil (Senior Member, Bridlington, United Kingdom, joined Jul 2003, 17,188 posts):
    Hi neozoon,

    I don't know anything about the size or distribution of your organisation, but have you considered what we call a "sheep dip"? These are usually older computers that are redeployed purely as security tools. [The name comes from the troughs of chemicals that farmers use to rid their animals of parasites.]

    I would load one (or more if you need) with Avira AV, Online Armor by Tall Emu, Ad-Aware (interactive scanning set to "on"), WinPatrol from BillP Studios, and Malwarebytes (and anything else you like). The user account should be least empowerment.

    With any luck those will spot any attempts to mess with the system.

    The sheep dips are stand-alone, and all media brought from outside the organisation has to be scanned. I would just let Avira scan with the deepest level of scanning and scan compressed files. That process should kick off any malware that one of the products will hopefully detect.

    Disabling Norton without alerting Windows is an interesting touch. This looks rather like a trial run for something more sinister, so you can expect other AV products to be included at a later date. I wonder if it turns off the AV to hide what activity is planned for the future?

    You really should have autorun disabled on your machines, as this is a common way to launch this sort of malware.

    The alternative is not to allow any external media or devices, which may well be counterproductive?

    Given that you don't need that many "sheep dips", the licensing should be reasonable as well.


#33 neozoon (Member, joined Dec 2002, 33 posts):
    Only Symantec had the issue; Kaspersky works fine!
    As for "sheep dip", I have some here, but didn't know the name. Thanks for the tip ^^

    Quote Originally Posted by neozoon:
    Back to the USB disk: I was going to make a thread and ask if someone had the same issue as me, because Active Directory GPO has ways to block USB disks, which I tried, but unsuccessfully. The read/write authorisations are not propagated across the network. But I'll read through the forum before making the thread ^^

    I'm new in the company, and like I said, their server has trouble propagating the authorisations. If I can solve that, it would be very nice, because I want to tighten access as much as I can for everyone (users have many rights they don't need, like installing software).
    The company leader wants me to solve many issues (that's why he hired an engineer).
    It's problematic: the network is spread over many buildings and cities and many OSes (XP, Vista, 7, and Macs). It's really complicated.
    For now I handle backing up data; I'm done with it. I'll take care of policies next and see what I can improve. I guess it's time to take a day off and then dive into the depths of the forums to try to solve this issue.
    Sorry for my bad English.
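Two things come up in the posts above: nihil's point (#32) that autorun should be disabled on every machine, and neozoon's problem (#31, #33) that the Active Directory GPO meant to block USB disks did not propagate to all PCs. Both controls are ultimately a handful of registry values that the corresponding Group Policy settings write on the client, so they can be applied and, more usefully here, audited per machine without waiting for the GPO to replicate. The script below is an added example written for this page; it is not from the thread or from any vendor. It assumes an elevated PowerShell prompt on the target PC, and that on XP (which ships without PowerShell) you would write the same values with reg.exe or a .reg file. The GUID is the device setup class that the "Removable Disks: Deny read/write access" policy uses (Vista and later only); the function names are the example's own.

```powershell
# Added example: apply and audit the local registry equivalents of the GPO
# settings for Autorun and removable USB storage on Windows XP/Vista/7.
# Run elevated. Do NOT apply the USBSTOR/Deny_* entries on a "sheep dip"
# machine, since that one must be able to read outside media.

# Device setup class for disk drives, used by the Removable Disks policies.
$RemovableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$ExplorerPolicy      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovablePolicy     = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

# Each entry mirrors one Group Policy setting (comments name the GPO item).
$Settings = @(
    # "Turn off Autoplay" on all drive types: 0xFF disables autorun everywhere.
    @{ Path = $ExplorerPolicy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    # "Set the default behavior for AutoRun": 1 = do not execute autorun.inf commands (Vista+).
    @{ Path = $ExplorerPolicy; Name = 'NoAutorun';          Value = 1 },
    # USB mass-storage driver service: Start=4 means disabled, so no USB disk mounts at all.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start'; Value = 4 },
    # "Removable Disks: Deny read access" / "Deny write access" (Vista+ only).
    @{ Path = $RemovablePolicy; Name = 'Deny_Read';  Value = 1 },
    @{ Path = $RemovablePolicy; Name = 'Deny_Write'; Value = 1 }
)

function Set-RemovableMediaLockdown {
    # Writes every value above; creates missing policy keys first.
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

function Test-RemovableMediaLockdown {
    # Reports expected vs actual for each value, so a PC the GPO never reached
    # shows up as Ok = False. New-Object (not [pscustomobject]) keeps this on PS 2.0.
    foreach ($s in $Settings) {
        $actual = $null
        if (Test-Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($s.Name) }
        }
        New-Object PSObject -Property @{
            Setting  = "$($s.Path)\$($s.Name)"
            Expected = $s.Value
            Actual   = $actual
            Ok       = ($actual -eq $s.Value)
        }
    }
}

# Audit first; uncomment the Set- line to enforce on this machine.
# Set-RemovableMediaLockdown
Test-RemovableMediaLockdown | Select-Object Ok, Expected, Actual, Setting | Format-Table -AutoSize
```

Run the audit half across the PCs (for example via a logon script or remotely with WMI) to see which machines actually received the policy. Values written locally are overwritten at the next policy refresh by whatever the GPO really says, so once the domain-side propagation problem is fixed the GPO stays the source of truth; until then the local write is a stopgap. The USBSTOR Start=4 setting only stops the driver loading for devices plugged in afterwards, so reboot, and note that disabling it blocks all USB disks, not just untrusted ones, which is why the Vista+ Deny_Read/Deny_Write policies are the preferable control where the OS supports them.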

#34 nihil (Senior Member, Bridlington, United Kingdom, joined Jul 2003, 17,188 posts):
    Hi neozoon,

    I was afraid that you would have a multiple site, multiple software environment.

    Quote Originally Posted by neozoon:
    (users have many rights they don't need, like installing software)

    That means that they have at least local admin rights. I would imagine that they log on as such all the time? I would suggest that if you have trusted users in remote locations who need to be able to take local administrative action, you give them a separate admin ID and tell them that its use is monitored. Otherwise, is remote installation & update possible for you?

    Quote Originally Posted by neozoon:
    the network is spread over many buildings and cities and many OSes (XP, Vista, 7, and Macs). It's really complicated.

    Just as I feared! I would guess that this is made worse by all sorts of different applications, and the same applications at different versions?

    If you still have a copy of the malware, please send it to Symantec. I would be interested to know what their response is.

    "Toka Koka"... we have something similar: "No gain without pain". Fortunately, it is not mandatory to listen to users screaming.

#35 neozoon (Member, joined Dec 2002, 33 posts):
    Your fears are confirmed again, dear nihil: same applications at different versions, since the licences don't have the same price!

    My main fear is that the domain servers were wrongly set up! It would be really problematic to restart from the beginning. Working with the current setup won't give results (which already happened when trying to lock USB; it worked on 4/12).

    But I didn't really concentrate on that before, so after I finish my reports, I'll dive into that shitty 2003 server lol ^^
