Maybe this URL helps: http://securityresponse.symantec.com/avcenter/defs.download.html

Mike Thommes

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] bad logons


Sorry to keep harping on this as it's way OT, but do you know any place I can get this
info about update defs and frequency of change specifically to Symantec?
I can't find anything on their site or in the docs.
Maybe I have to call them?

thanks again

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 2:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] bad logons


Find out first what the virus is for sure.  Once you do that, you'll have a
better chance of understanding the attack vector used.  

FWIW, pattern defs are not indefinite.  They're updated constantly on an as
needed basis.  By updated, I mean defs are added and removed on a regular
basis (there's just so much memory to work with, right?). The frequency of
the updates and the criteria differ among vendors last I checked.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, July 06, 2004 2:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] bad logons

seems to mostly be w32.spybot.worm and [EMAIL PROTECTED]

My only question, which I know should be posted on a Symantec group but I
thought maybe you guys had some thoughts, is: how can I become infected with
a virus that is a year old (w32.spybot.worm) and all my clients up to date?
Even if someone came in with an unprotected laptop, my clients, which have
the current defs, should be protected (they have also been patched for
rpc-dcom and lsass vulnerability).
Just something that puzzles me.


thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 1:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] bad logons


Could be all sorts of things, but likely is a virus based on the
description.  Check the defs, rerun the anti-virus scan and if that doesn't
work, it's likely not a bad idea to call Symantec for support.  (several
refs to similar behavior such as code blue worms, etc.)

http://www.hkcert.org/valert/vinfo/lsass_worm.html is one reference of an
interesting worm.

-ajm

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, July 06, 2004 10:46 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] bad logons

I'm running Win2k AD in mixed mode, SP4.
My issue is, my GCs are running over the top with lsass.exe sometimes
hitting 99%. I have a ton of logon failures in the security log. They are
mostly coming from "THE LOGON TO ACCOUNT ADMINISTRATOR (SOMETIMES GUEST OR
ASPNET) by Microsoft_Authentication_Package_v1_0 has failed."
I also have some workstations running an svhost (not svchost) which, when I
kill it, they can log on.
Is this some virus or worm I'm unaware of? It seems like it. The only thing
that comes close is a w32.spybot.worm (from Symantec) but that virus is over
a year old and my defs have been current.
I turned up logging on directory-related events to 1 but no info that helps.
My Exchange 2k server is logging RPC failures to my GC, however the GC is up
and DNS is fine.

Any help would be great (I just got back from vacation and this is what I'm
saddled with. Go figure, life of a net admin).

Thanks a lot
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/