Using Endpoint Protection's Network Activity Tool to Identify Suspicious Processes

book

Article ID: 177578

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

There is reason to suspect that a computer is infected with a virus or worm. Once they receive a sample, Symantec Security Response can analyze the threat and create defenses against it, but the suspicious file has been difficult to identify and submit.

 

Symantec Endpoint Protection (SEP) has a Network Activity Tool that can help to locate suspicious activity on a computer.


Cause


Environment


Resolution

For SEP clients that have the Network Threat Protection (NTP) component installed, a built-in tool called Network Activity can help identify files that are making suspicious network connections.

To access this tool, open the GUI of SEP and click on the Options button of Network Threat Protection. One of the available options is View Network Activity. Right-click on an open area in the lower section of the interface and choose Connection Details from the menu.

The details of all applications that are either making or listening for connections from other computers are now displayed, as well as the protocols, ports and processes involved. As many of today's threats are largely designed to spread to other computers, receive commands from an unknown remote computer, or to download additional threats from the Internet, monitoring the applications and their connections can identify processes that are acting suspiciously.

This method of analysis requires awareness of what legitimate connections a computer is making. It can also require practice. Below are several examples.


Example Number One: Unknown Files Engaging in Network Communications
 



Though the name is similar several Windows system files that are located in the system32 directory, csrcs.exe is not a legitimate file. It is suspicious that this unknown file is making HTTP communications (port 80) to an unknown Web server.

The Network Activity tool also shows a second suspicious connection. It is unusual that ntoskrnl.exe (a legitimate Windows file used in CIFS/SMB communication to network shares) shows connections to a remote computer, as no network shares are intentionally being accessed and no drives have been mapped.

A firewall rule was swiftly created by the network administrator to block this Internet address. The csrcs.exe file was submitted to Security Response for analysis and confirmed to be a previously unknown variant of a worm that spreads by copying itself to network shares and removable drives. SEP 11's signatures were updated, Rapid Release signatures were downloaded and a full scan completely removed the threat.


Example Number Two: Legitimate Processes Behaving in Suspicious or Malicious Ways

Many threats have the capability to inject their .dll's into legitimate processes to make them behave in malicious ways. The Network Activity tool can be used to spot unusual communications and so prompt the vigilant administrator to perform a close examination on the computer.

 




Though there were no Internet Explorer browsers open, Network Activity shows numerous instances of Internet Explorer running and contacting a remote Internet site on port 443.

In this case, the information provided by SEP 11's Network Activity tool served as a warning that the computer was infected. A firewall rule was swiftly created by the network administrator to block this suspicious address, and a full investigation identified the suspicious Trojan Horse file that had opened this back door on the computer.



Example Number Three: More Legitimate Processes Behaving in Suspicious or Malicious Ways

 




Network Activity shows another example of suspicious activity above. C:\WINDOWS\explorer.exe is a legitimate Microsoft Windows Operating System file, but it should not be making connections to internet addresses.

A firewall rule was swiftly created by the network administrator to block this suspicious address and, acting on the suspicion that a worm had spread onto this computer, a full examination of its directories was made. An unexpected entry in the autorun.inf file of a USB drive pointed toward a suspicious file that was submitted to Security Response for analysis. This was confirmed to be a new variant of a worm that spreads by copying itself to removable drives and opens a back door on the compromised computer.


 

 

 

 

Attachments