How to determine which remote computer has created a malicious scheduled task

book

Article ID: 181672

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

 

Resolution

A threat is remotely creating scheduled tasks on computers throughout the network.  In order to find and eliminate the root of the infection, it is necessary to determine which user and computer they are coming from.  

(An example of such a threat is W32.Downadup, also known as Conficker.  This threat can be difficult to eradicate from a network as one infected computer will constantly re-create such tasks on its neighbors and attempt to spread its malicious files. Full details of how this threat functions can be found in the The Downadup Codex: A comprehensive guide to the threat’s mechanics.)

The optional Risk Tracer feature of Symantec Endpoint Protection can often assist in locating the remote infected machine, as can the logs from SEP's IPS component.  Another possible way to trace the source is by using built-in Windows capabilities.

In Windows 2008 and above, the Windows Event Viewer has a special section where the Task Scheduler events are recorded. In the Event Viewer console, examine the entries under Applications and Services Logs\Microsoft\Windows\TaskScheduler\Operational:

This logging may not be enabled by default.  To enable it, right-click on Operational and click on “Enable Log.” If the logging was not enabled, it will ne necessary to wait for the creation of a new scheduled task by the virus.

If the logging is enabled and you know that some scheduled tasks have been created by a virus, check for EventID 106 entry corresponding to the creation of a new scheduled task. (Right-click on Operational and click on “Filter Current Log” to display the Filter Window.  This will allow you to perform a faster search of events.)

Once you have found the EventID 106 events, this will tell you the name of the user who created the task and the exact time of creation of the task:

 

 

Now check the Windows Security event logs for a connection (Logon) event in the Security log at the exact same time.  The Network Information will contain details of which Workstation Name and Source Network Address the user account was logged onto at that time.

(Please note that by default the Windows Security log has a limited size.  If the log is checked too long after the event, the connection trace may be already purged. It may be necessary to increase the size of the Windows Security event log during an outbreak.)

 

The computer identified is very likely infected with a threat like W32.Downadup.  Isolate that computer from the network and examine it to ensure that it has a working SEP client.  Examine that computer for malicious files.   More information on exact steps can be found in Best Practices for Troubleshooting Viruses on a Network.

 

 

 

 

Attachments