Oi. Symantec is definitely giving me a lot to blog about recently.
I logged in to one of our public file servers today for a weekly inspection and, as is somewhat common, was greeted with a dozen reports from Symantec Endpoint 11 of infected files being deleted. It's not uncommon for our clients to open malicious attachments, visit shady websites, and generally make a mess of things, but a combination of good ACLs, Deep Freeze, and SEP 11 on the server has kept things clean.
So, after reading through the alerts and verifying that SEP had cleaned all of the detected files, I ran LiveUpdate followed by a Full System Scan, as is standard procedure. Out of curiosity, I watched the first part of the scan process, and noticed it pause on these files:
c:\windows\hide_evr2.sys
c:\windows\9129837.exe
d:\autorun.inf
The first two file names made me worried, and the third a little more so, if only because D: is another RAID array and therefore has no reason to have an Autorun.inf. After a little digging, however, I found that none of these files seemed to exist on the server. Now I started thinking ‘rootkit’.
Sure enough, a quick Google later showed that yes, these files are common to a number of different rootkit variants. As such, I busted out my usual toolkit of malware detection/removal utilities and took the server offline.
As I dug deeper into the server, though, I still couldn't find any trace of the mentioned files. I tried several different rootkit tools, browsing the hard drive contents from a Linux LiveCD, and even a few tools to check ADS (Alternate Data Streams), but had no luck.
At this point I was fairly convinced that the server was clean, but then why would Symantec report those files as present, unless.... Digging a little further into the Google results, I found this forum thread: http://www.antionline.com/showthread.php?t=278671 – apparently, during the initial part of the scan, Endpoint doesn't just report the files it is actually scanning; it also reports the names of the files it is looking for.
So, a little life lesson: don't assume that Symantec will do anything that makes sense. And when in doubt, Google is still your friend; you just need to look harder.
The TL;DR version: the scan status on Symantec Endpoint 11 doesn't just show the actual files on the computer; it also shows non-existent files that it's looking for. When in doubt, verify manually!
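As an added example (not part of the original post or the comment thread below), here is the "verify manually" step as a PowerShell script rather than a trip through Folder Options. It takes the three paths the scan status displayed and checks whether each actually exists on disk, looking past the Hidden and System attributes that Explorer suppresses by default, and lists any alternate data streams attached to a file that does exist. A second pass searches the relevant volumes for the bare file names in case the path shown does not match where a dropper would really put the file. It assumes PowerShell 3.0 or later (needed for the -Stream parameter) and local administrator rights; the 'C:\Windows' and 'D:\' search roots are assumptions chosen to match the post.

```powershell
# Added example, not code from the original post: check whether the paths that
# the SEP scan status displayed really exist on disk.
# Assumes PowerShell 3.0+ (for -Stream) and an elevated session.

# The three paths named in the post.
$reported = @(
    'C:\Windows\hide_evr2.sys',
    'C:\Windows\9129837.exe',
    'D:\autorun.inf'
)

foreach ($path in $reported) {
    # -Force makes Get-Item return Hidden and System files that Explorer hides;
    # -ErrorAction SilentlyContinue turns "not found" into $null instead of an error.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0}: not present" -f $path)
        continue
    }
    Write-Output ("{0}: PRESENT  attributes={1}  size={2}  mtime={3}" -f $path, $item.Attributes, $item.Length, $item.LastWriteTime)

    # Every NTFS file has a default ':$DATA' stream; anything else listed here
    # is an alternate data stream, which Explorer and plain dir never show.
    $ads = Get-Item -LiteralPath $path -Force -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $ads) {
        Write-Output ("    ADS {0} ({1} bytes)" -f $s.Stream, $s.Length)
    }
}

# Second pass: look for the bare file names anywhere under the assumed search
# roots, in case the displayed path is not where such a file would actually be.
$names = $reported | ForEach-Object { Split-Path -Leaf $_ }
Get-ChildItem -Path 'C:\Windows', 'D:\' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $names -contains $_.Name } |
    Select-Object FullName, Attributes, Length, LastWriteTime
```

Two caveats a practitioner would want. First, the recursive pass over a large RAID volume can take a long while; narrow the roots if you only care about the drive root and the system directory. Second, this script, like Folder Options and HijackThis!, runs in user mode on the live system: a kernel-mode rootkit that filters directory listings can hide a file from all of them equally well. That is exactly why the post's own check from a Linux LiveCD is the step that actually settles the question, and "not present" above should be read as "not present as far as the running OS will admit".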
jim (7:16 am, August 17, 2010):
Thanks, you just lowered my stress level quite a bit!
Connor (6:18 pm, March 27, 2011):
Same as above, though how do I “verify manually”?
Laslow (6:25 pm, March 27, 2011):
Basic ways to manually verify are to go into Folder Options and set "Show hidden files and folders", and disable "Hide protected operating system files". Then, do a search for the file name or look in the suspected folder for the file(s).
Additionally, you can download tools like HijackThis! which will let you check things like Alternate Data Streams (ADS), startup entries, etc… (although be careful with that tool, as it lists everything in the requested locations, and not everything included is bad — check with an expert before acting on it). More information on HijackThis! can be found here:
http://en.wikipedia.org/wiki/HijackThis