• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 370

NAV Symantec DetNat pwsteal false positives ??

O.S. is NT server (don't laugh), Norton/Symantec Corporate AntiVirus 8.01
I have been getting numerous W32.DetNat alerts, all over my NT servers. It's not hitting 2003 servers, but it has hit one Win2000 workstation.
The alerts have been preceded by alerts for PWSTEAL lineage.
However, when I run AVG or TrendMicro on-line scan, they find nothing. I searched for a couple of days on the net, but could find no reports of false positives until I came across Sophos' site saying Symantec may have a false positive (See http://www.sophos.com/virusinfo/hoaxes/pwsteal.html).

Has anyone else been seeing what might be "false positives" from Symantec on W32.DetNat ?
Also, NAV's write up of DetNat does not quite match what I am seeing, for example they tell you to look for a HKLM\Software\Microsoft\Windows\Current Version\Run\Delphi key - I haven't seen that anywhere on the servers that report themselves infected.

To my chagrin, I have had NAV deleting infections as the primary option for the last 3 years. I thought it was better to kill something immediately. Since it has deleted (apparently) uninfected files I have to go to backups.
I set NAV to clean, and if it can't, leave the file alone. I finally stopped NAV and am running AVG temporarily.
Oh, and my NAV corporate server was one of the infected servers.

Anyway, anyone else seeing W32.DetNat's out there that other AntiVirus products don't see ?
Thanks in advance,
Christina
Asked by challBOE
1 Solution
rpggamergirl Commented:
Hi Christina,

Did you check in this part of the registry?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\delphi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delphi

It supposedly uses rootkit technology to hide from the user.
Maybe Blacklight may show something:
Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

Also, let us look at your Hijackthis log:
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile" (don't fix anything yet),
copy and paste the log at:
http://www.hijackthis.de/
and click "Analyse", then click "Save". Post the link to the saved list here.
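The checks in the reply above (the Run/RunOnce/RunOnceEx keys and the Services\delphi keys) can be scripted so the result is repeatable and the referenced binary's hash can be compared with the vendor's verdict. This is an added example, not code from the thread; it assumes a current Windows host with PowerShell (it will not run on NT 4) and that `$Name` is the entry name being hunted.

```powershell
# Added triage example: look for a named autostart entry in the locations
# discussed in this thread and hash the executable it points at.
# Assumption: run elevated; $Name is the entry/service name to look for.
param([string]$Name = 'delphi')

$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)
$serviceKeys = @(
  'HKLM:\SYSTEM\ControlSet001\Services',
  'HKLM:\SYSTEM\CurrentControlSet\Services'
)

$findings = @()
# Run-style keys: each value name is an entry, its data is the command line
foreach ($k in $runKeys) {
  if (-not (Test-Path $k)) { continue }
  foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
    if ($p.Name -like "*$Name*") {
      $findings += [pscustomobject]@{ Location = "$k\$($p.Name)"; Command = $p.Value }
    }
  }
}
# Services hive: a subkey per service, ImagePath holds the binary
foreach ($k in $serviceKeys) {
  $svc = Join-Path $k $Name
  if (Test-Path $svc) {
    $img = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
    $findings += [pscustomobject]@{ Location = $svc; Command = $img }
  }
}

if (-not $findings) { Write-Output "No '$Name' entries in the checked Run or Services keys."; return }

foreach ($f in $findings) {
  # Recover the executable path: quoted path first, else up to the first space
  # (an unquoted path containing spaces will be truncated; check it by hand).
  if ($f.Command -match '^"([^"]+)"') { $exe = $Matches[1] }
  else { $exe = ($f.Command -split '\s+')[0] }
  $exe = [Environment]::ExpandEnvironmentVariables($exe)
  $hash = if ($exe -and (Test-Path $exe)) { (Get-FileHash -Path $exe -Algorithm SHA256).Hash }
          else { 'file not found' }
  [pscustomobject]@{ Location = $f.Location; Command = $f.Command; SHA256 = $hash }
}
```

A hash of the flagged file gives you something to compare against the vendor's analysis result (as the quarantine console submission later in this thread did) instead of trusting or dismissing the alert on its own.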
challBOE (Author) Commented:
Thanks Rpggamergirl,
Yes, I checked the registry for all control sets and for currentversion\Run and current Version\RunOnce and RunOnceEx. No Delphi... Hijack analysis is at http://www.experts-exchange.com/Security/Q_21834067.html#16581971 but I looked at it and I think I recognize everything. It's an HP server so it has HP software, arcserve and it's an Exchange server with NAV for Exchange 5.5, so there are NAVMSE entries.
BlackLight isn't available for NT servers, but I downloaded their AntiVirus software and am running it (v5.52) now.
Thanks,
Christina
challBOE (Author) Commented:
Oops, the log is at http://www.hijackthis.de/logfiles/8c2c988aabe9e3e5c165eb431b895785.html not, as I posted, this page.
challBOE (Author) Commented:
I put the quarantine console up on NAV. It sends copies of infected files to NAV for analysis. When I looked at all the files that had been submitted, Symantec indicated that they were not infected and it was a false positive. This just leaves me a bit uneasy, since other than Sophos I don't see anyone else having the same problem. Oh well, thanks for your help Rpggamergirl.
rpggamergirl Commented:
Glad to hear you sorted it out and that it was just a false positive.

Oh, thank you very much for the points, that's so generous of you. If you like, you can get a refund for your points, just post at Community Support and ask for a refund.
http://www.experts-exchange.com/Community_Support/

Best wishes!

challBOE (Author) Commented:
No problem, you're welcome to it, you were willing to help. Attitude counts too :-) Thanks again !