Introduction
This is the ninth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).
- The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.
- The second, Recovering Ransomlocked Files Using Built-In Windows Tools, deals with a few possible ways to prevent and recover from one of today's most destructive threats, should it infect your network and hold your data hostage.
- Third came Two Reasons why IPS is a "Must Have" for your Network, which illustrated how SEP's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.
- The Day After: Necessary Steps after a Virus Outbreak is for use after the attacks have ended. This fourth article intends to help admins prevent further attacks and make recovery from any future infection as painless as possible.
- Killing Conficker: How to Eradicate W32.Downadup for Good gives admins the techniques they need to eliminate one of their network's most persistent pests: W32.Downadup, also known as the Conficker worm.
- Symantec Insider Tip: Successful Submissions! aims to provide advice and examples of how to get your suspicious files to the correct team, in the correct format, with all the correct information necessary for speedy processing.
- All About Grayware describes software classified as “Potentially Unwanted Applications” (PUA) and Symantec’s response to them.
- SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy provides an offbeat way to understand the various components that comprise the Symantec Endpoint Protection suite of security.
The capabilities and appearance of the Symantec Help ("SymHelp") diagnostic tool have really evolved since its early days. This article illustrates how best to use the current SymHelp to identify suspicious files on a computer and get them submitted to Symantec Security Response.
Just Accept all the Defaults, Right?
No way! SymHelp is a versatile tool. If you're using it specifically to hunt for malware on a computer, use the Threat Analysis features. Click the Start Scan button beside "Scan for potential threats," not the one intended for install requirements and common issues.
Here are the official Symantec articles on how to run the tool for Threat Analysis:
About the Threat Analysis Scan
http://www.symantec.com/docs/TECH215550
How to run the Threat Analysis Scan in Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH215519
Basic, Expanded, or Rootkits?
Mick2009 says: if time allows, go for the most thorough scan: Rootkits.
This Isn't My Machine. I Don't Know What's Normal on Here.
Don't worry: SymHelp knows what to look for. If you are an admin who has logged in to a colleague's computer to run SymHelp, be sure to check the "Scan load points in other user profiles" advanced option. That will look for suspicious files not only in your profile, but in the directories and folders used by previous users of the machine. This is an absolute "must do" if you are not the only user of this machine!
Click "Specific profiles" and provide the user credentials for these other users, if possible!
I'm Fighting a Threat that Spreads via USB Thumb Drives and Network Shares
SymHelp has added a new feature that allows you to scan network or removable drives for any malicious files that may be hiding (and spreading from!) there. (Yes, this old infection vector remains popular, even here in 2015.) Click on Advanced Options, Custom files and folders and browse to the directory, volume or drive you suspect. I definitely recommend checking the "Include subfolders in search" checkbox.
This "Custom files and folders" option is also excellent for narrowing searches to specific files or folders, rather than having SymHelp scan the entire drive. An example: using the power of SMR to check the shared-out folder on the company's file server to see if any of the clients which connect there have uploaded any suspicious material.
One warning: depending on how many files are on the removable drive or network share, scanning and collecting file hashes can take a long time! SymHelp is not a freeware tool designed to scan and clean whole networks.
OK! The Threat Analysis Has Completed! Now What?
The tool sorts the results into Potential Risks, Autorun details, Processes and Registry Load Points. Here's an example of a very heavily compromised computer:
Hundreds of files with a poor reputation were identified and labeled as "Bad." Not all of these are confirmed malware! They are files that are often seen on infected computers. The following video does a good job explaining how Symantec's reputation-based intelligence works:
The files that are unknown to the admin and have a poor reputation should be submitted to Symantec Security Response and then deleted. Read this article for details on how to get the suspicious files submitted so that new defenses can be built against them:
Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions
Removing the suspicious files is easy thanks to a tool built into SymHelp. In previous versions this was called "Power Eraser." Now all that's necessary, once the Threat Analysis Scan has completed, is to select the file and click Remove. In this example some unknown party has uploaded a password cracking tool to the server, never a good sign! Get rid of that and then ensure all old user accounts are disabled and all current, valid user accounts receive a new, strong password.
Can We Get some Experienced Eyes on That?
In this example there are hundreds of potentially dangerous files highlighted by the tool. Rather than blindly removing them all, it is wise to get a second opinion after the admin has identified which are known and unknown in this environment.
Be sure to save the SymHelp diagnostic and send it to Symantec Technical Support if you are unsure about which files to submit or how to proceed. The engineers there have years of expertise when it comes to fighting malware, and can swiftly recommend which files to submit for analysis and which to safely ignore.
If the threat analysis features described above were used, the resulting saved file will have a _TSF.sdbz extension. If the diagnostic has just a plain old .sdbz it will be of limited use to Symantec Tech Support.
Anything Else to Know?
Symantec Help (SymHelp) FAQ
https://support.symantec.com/en_US/article.TECH203496.html
What command-line parameters are available for Symantec Help (SymHelp)?
http://www.symantec.com/docs/TECH170732
Conclusion
SymHelp, especially with its recent enhancements, is one powerful tool in keeping your network, your users and your data safe from malware. Please do familiarize yourself with its features and functionality!
Many thanks for reading! Please do leave comments and feedback below.