Categories
Antivirus

Free Cloud Antivirus

Why do we need a free cloud antivirus?

1. It's free (the Pro/commercial versions come with additional features).

2. It gives you a second layer of antivirus protection.

Why not install more than one traditional antivirus?

It is not recommended to install more than one traditional antivirus product on your PC, because it can slow the computer down (most traditional antivirus products have a large footprint and use a lot of system resources) and cause software conflicts. I have even seen cases where a simple virus could not be deleted because multiple antivirus products tried to hold the virus file at the same time.

My recommendation:

1. One traditional antivirus. You can easily get a commercial or free version. For example, Microsoft Security Essentials is given away free by Microsoft (if you are running genuine Microsoft Windows Vista/7).

2. A second layer of protection with a cloud antivirus, which has a smaller footprint and lower hardware resource requirements.

Free Cloud Antivirus Software

Below is a list of some of the free cloud antivirus products on the market.

Free Cloud Antivirus solution / brand    Website / download
Immunet Cloud Antivirus                  http://www.immunet.com/free/index.html
                                         http://download.immunet.com/push/immunet/ImmunetSetup.exe
Panda Cloud Antivirus                    http://www.cloudantivirus.com/
                                         http://acs.pandasoftware.com/cloud/PandaCloudAntivirus.exe
ThreatFire AntiVirus                     http://www.threatfire.com/download/
Kingsoft Cloud Antivirus                 http://www.kingsoftsecurity.com/cloud-antivirus.html
                                         http://www.kingsoftsecurity.com/downloads/kingsoft-free-antivirus.exe

SEP 12 Beta Now Announced

Hi All,

SEP 12 Beta Now Announced.

Register yourself and receive updates:

http://go.symantec.com/sep12beta


Move Symantec EndPoint 11 Database to other location without re-installation

Symantec Endpoint Protection 11 Manager comes with an embedded database. By default the database is stored at "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\sem5.db". This database can grow and cause your C: drive to run low on disk space.

Solution: move the DB folder to another drive / location.

1. Stop the "Symantec Endpoint Protection Manager" service, followed by "Symantec Embedded Database", in Windows Services.

Stop Symantec Services

2. Move "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db" to the new location. In our example we move it to the E: drive with the same folder structure: "E:\Program Files\Symantec\Symantec Endpoint Protection Manager\db".

3. Run the registry editor ("regedit").

4. Replace the location path in the following registry value:

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASANYs_sem5\Parameters\Parameters

For example:

Default parameters:
-c 64m -ch 64m -gp 8192 -gc 30 -gr 30 -o "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\out.log" -oe "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\err.log" -os 1m -gn 80 -n servername "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\sem5.db" -n sem5 -sb 0 -x tcpip(localonly=yes;port=2638)

New parameters:
-c 64m -ch 64m -gp 8192 -gc 30 -gr 30 -o "E:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\out.log" -oe "E:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\err.log" -os 1m -gn 80 -n servername "E:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\sem5.db" -n sem5 -sb 0 -x tcpip(localonly=yes;port=2638)

Note: You may want to copy the whole parameter string into Notepad, use the Replace function to replace the old path with the new path, and then copy it back into the registry value.

5. Modify the other registry value below:

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\SymantecEndpointSecurityDSN\DatabaseFile

Symantec Endpoint Security DSN

Change the DatabaseFile value to the new DB location path.

6. Start the "Symantec Embedded Database" service, followed by "Symantec Endpoint Protection Manager", in Windows Services.

7. You should be able to log in to the Symantec Endpoint Protection Manager after relocating the DB. You can double-check by looking at the file modification dates of the files in the new DB location.
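The seven steps above as one script, added here as an example; it is not part of the original post and not a Symantec tool. It assumes the service display names, registry keys and folder paths exactly as the post gives them (the C: and E: folders are parameters), backs up the two registry keys before editing them, and does the Notepad find-and-replace from the note in code. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: relocate the SEPM 11 embedded
# database following the post's steps 1-7. Paths and names are the post's;
# adjust the parameters if your installation differs.
param(
    [string]$OldRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db',
    [string]$NewRoot = 'E:\Program Files\Symantec\Symantec Endpoint Protection Manager\db'
)

$svcParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ASANYs_sem5\Parameters'
$odbcKey      = 'HKLM:\SOFTWARE\ODBC\ODBC.INI\SymantecEndpointSecurityDSN'

# Step 1: stop the manager first, then the database it depends on.
Stop-Service -DisplayName 'Symantec Endpoint Protection Manager' -Force
Stop-Service -DisplayName 'Symantec Embedded Database' -Force

# Safety net (not in the post): export both registry keys before changing them.
$backupDir = Join-Path $env:TEMP 'sepm-dbmove-backup'   # constructed backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\ASANYs_sem5\Parameters' (Join-Path $backupDir 'asany.reg') /y | Out-Null
reg export 'HKLM\SOFTWARE\ODBC\ODBC.INI\SymantecEndpointSecurityDSN' (Join-Path $backupDir 'odbc.reg') /y | Out-Null

# Step 2: move the db folder, creating the parent folders on the new drive.
New-Item -ItemType Directory -Path (Split-Path $NewRoot -Parent) -Force | Out-Null
Move-Item -Path $OldRoot -Destination $NewRoot
if (-not (Test-Path (Join-Path $NewRoot 'sem5.db'))) {
    throw "sem5.db not found under $NewRoot after the move; not touching the registry."
}

# Steps 3-4: replace every occurrence of the old path in the service parameters.
# -replace is case-insensitive, so "c:\program files" variants are caught too;
# the pipeline handles both a REG_SZ string and a REG_MULTI_SZ array.
$pattern   = [regex]::Escape($OldRoot)
$params    = (Get-ItemProperty -Path $svcParamsKey -Name Parameters).Parameters
$newParams = $params | ForEach-Object { $_ -replace $pattern, $NewRoot }
Set-ItemProperty -Path $svcParamsKey -Name Parameters -Value $newParams

# Step 5: point the ODBC DSN at the relocated database file.
$dbFile = (Get-ItemProperty -Path $odbcKey -Name DatabaseFile).DatabaseFile
Set-ItemProperty -Path $odbcKey -Name DatabaseFile -Value ($dbFile -replace $pattern, $NewRoot)

# Step 6: start the database first, then the manager.
Start-Service -DisplayName 'Symantec Embedded Database'
Start-Service -DisplayName 'Symantec Endpoint Protection Manager'

# Step 7: the post's check, in code: the db files at the new location should
# show fresh modification times once the services are up.
Start-Sleep -Seconds 30
Get-ChildItem -Path $NewRoot -Filter 'sem5.*' | Select-Object Name, LastWriteTime
```

If the `throw` fires, the services are stopped but nothing has been changed in the registry, so you can move the folder back and start the services again; the two `.reg` exports let you restore the values with `reg import` if a later step goes wrong.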


Resetting the Symantec EndPoint Protection Manager password to admin

If you have forgotten the admin/administrator password for Symantec Endpoint Protection Manager, try the solution below.

Solution

You can use the resetpass.bat to reset the password for the Symantec Endpoint Protection Manager admin account.

Note: If you changed the admin account name to something other than admin and then run resetpass.bat, it changes the account name back to admin.

To reset the administrator password:

  1. Open Windows Explorer on the computer that runs Symantec Endpoint Protection Manager.
  2. Locate the <Drive>:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools folder.
  3. Double-click the resetpass.bat batch file. The username and password are reset to admin.
  4. You can now log in to the Symantec Endpoint Protection Management Console with the username and password admin. It prompts you to change the password immediately.

Notes:

  1. If you receive "The Administrator account is locked" at the management console login, wait for the account to unlock (15 minutes; 60 minutes for certain release versions) and then reset the password.
  2. Resetpass.bat only works if you are using Symantec Manager Authentication. If you are tied to Active Directory authentication, you must create a new administrator account. Reference: http://www.symantec.com/business/support/index?page=content&id=TECH104726&locale=en_US

Trojan: winntR1.exe, winntR2.exe, winnt2.exe, winnt3.exe, winnt4.exe, winnt5.exe, winnt.6.exe

Virus/Trojan Summary

Name: Generic.dx!zi!1958aa4e01e3 (McAfee), Trojan-Downloader.Win32.Banload (Ikarus)

Type: Trojan

Infection Method: Email

The user received an email from a friend or colleague with a varying subject (e.g. "Fotos Data: 17/06") and content similar to the below:

Imagens anexadas: DSC_252.jpg DSC_326.jpg DSC_417.jpg

(Portuguese for "Attached images: ...".) The user clicked and opened the hyperlink, thinking it was just a photo from a friend.

Note: Do not click on the jpg link above, because it leads to the actual trojan location.

The user ignored the warning prompt:

[Screenshot: Windows security warning prompt]

The user clicked "Run".

A window like the one below showing "Arquivo Corrompido!" ("Corrupted file!") means you are infected by the trojan.
Background Process after Infection:

You will notice the processes below in Task Manager:

  • winntR1.exe
  • winntR2.exe
  • winnt2.exe
  • winnt3.exe
  • winnt4.exe
  • winnt5.exe
  • winnt.6.exe

Network Activity after Infection:

The infected system tries to spread by sending mail over SMTP and HTTP to the addresses shown below:

200.226.249.3:80

201.76.62.3:25

According to the user's account, the trojan tries to spread by sending email from the user's Hotmail account to the contacts in the user's Hotmail contact list.

Registry Modification

The following registry key was created:

  • HKEY_CURRENT_USER\dark

New registry values were created in one of the two locations below:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

with the following names and data:

    • winntR1 = "C:\winnt_\winntR1.exe"
    • winntR2 = "C:\winnt_\winntR2.exe"
    • winnt2 = "C:\winnt_\winnt2.exe"
    • winnt3 = "C:\winnt_\winnt3.exe"
    • winnt4 = "C:\winnt_\winnt4.exe"
    • winnt5 = "C:\winnt_\winnt5.exe"
    • winnt6 = "C:\winnt_\winnt6.exe"

File System Modifications:

The following directory was created:

c:\winnt_

Removal Method:

Note: The trojan may only affect the particular user profile that was infected.

  1. Log in as the user that was infected by the trojan.
  2. Kill (End Task) all processes whose names start with winnt*.exe in Task Manager.
  3. Empty the Temporary Internet Files.
  4. Delete all winnt* entries from the registry key below: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  5. Delete HKEY_CURRENT_USER\dark from the registry.
  6. Restart the computer.
  7. Log in as administrator.
  8. Delete the "c:\winnt_" folder.
  9. Download and run the removal tool from http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe (this tool is only able to remove certain infected files, which is why we do the manual cleanup before running it).
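A read-only check for the indicators the post lists (winnt* Run values, the HKCU\dark key, the C:\winnt_ folder, winnt* processes and connections to the two addresses in the network section), added here as an example and not part of the original post. It only reports what it finds, so it can be run on a suspect machine, or on other machines the same user mailed, before deciding whether to follow the removal steps above; it assumes nothing beyond the indicators the post gives.

```powershell
# Added example, not from the original post: report the winnt_ trojan
# indicators described above without changing anything on the system.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$iocHosts = @('200.226.249.3', '201.76.62.3')   # from the post's network section
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Kind, [string]$Where, [string]$What) {
    [void]$findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; What = $What })
}

# Run-key values: match either the value name (winntR1, winnt2, ...) or data
# pointing into C:\winnt_. PS* properties are provider metadata, not values.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ($p.Name -like 'winnt*' -or "$($p.Value)" -like '*\winnt_\*') {
            Add-Finding 'RunValue' $key "$($p.Name) = $($p.Value)"
        }
    }
}

# Marker key and dropped-file folder.
if (Test-Path 'HKCU:\dark') { Add-Finding 'RegistryKey' 'HKCU:\dark' 'marker key present' }
if (Test-Path 'C:\winnt_') {
    Get-ChildItem 'C:\winnt_' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'File' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)"
    }
}

# Running copies: Get-Process names have no extension, so winntR1.exe is winntR1.
Get-Process | Where-Object { $_.Name -like 'winnt*' } | ForEach-Object {
    Add-Finding 'Process' "PID $($_.Id)" "$($_.Name) $($_.Path)"
}

# Live connections to the two addresses the post observed (netstat works on
# every Windows version, unlike the newer Get-NetTCPConnection cmdlet).
$hostPattern = ($iocHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
netstat -ano | Select-String -Pattern $hostPattern | ForEach-Object {
    Add-Finding 'Connection' 'netstat' $_.Line.Trim()
}

if ($findings.Count -eq 0) {
    'No winnt_ trojan indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it both as the affected user and from an administrator session: the HKCU:\ checks only see the profile of whoever runs the script, which is also why the post's removal steps switch accounts halfway through.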
