What to do if you suspect a botnet in your network
search cancel

What to do if you suspect a botnet in your network


Article ID: 152177


Updated On:


Endpoint Protection


What to do if you suspect that computers on your network are members of a botnet under control of a remote party.

You have noticed e-mails or spam sent from inside your LAN without the users consent.



One or more computers are infected and are acting as zombies or bots in a botnet, performing DOS attacks or distributing spam e-mails using user privileges and address books available on the computers.


Follow the recommendations in the Best Practices for Troubleshooting Viruses on a Network article.

A full system scan with Symantec Endpoint Protection (SEP) is likely to detect and remove botnet infection on file system level:

  1. Assure that SEP client is installed on all your computers.
  2. Assure that all SEP client protection components are activated.
  3. Assure that all clients have the latest definitions.
  4. Run full system scan on all computers.
  5. If step 4 is not detecting and removing the infection then disable system restore, reboot system in SAFE mode and run full system scan.

As a preventive action, block the spam on the e-mail server level using antispam filtering (i.e. Symantec Brightmail Antispam or Symantec Mail Security for Microsoft Exchange)