Foreign users are much easier to deal with than those on Kafan: they post their problems and requests for help directly, without insinuations or profanity, and basically contribute everything they know, including samples, to discuss with the staff.
The following is an excerpt of the first detailed reply from a Symantec Security Response representative:
Hi,
I'm JohnM and I work for Symantec Security Response. My team analyzes threats and adds protection updates, so for the purposes of this thread you can consider me the horse, or at least one of them. First of all, I'd like to thank you and your family for your continuous support of Norton through the years. You must surely have witnessed some major changes during that time.
I'll try to address your concerns as I understand them, your main points being how these trojans are getting onto people's computers, and whether or not Norton products are able to block them. FWIW, I believe your questions are reasonable and you are entirely justified in asking them. Discussions such as this go a long way to informing and educating people how to better protect their private information and that of their family.
NOTE: This post is fairly long as my main intent is to respond to the questions posed and attempt to educate people about the issue at hand (and I highly recommend you read the post in its entirety to better understand what you are dealing with), but if anyone is simply in a hurry to find out what they need to do to rescue their computer from a Trojan.ZeroAccess infection that just won't go away, skip to the bottom.
How do these threats get in?
Threats attempt to infect computers in a variety of ways, such as an email containing a malicious attachment, hidden inside a video available for download or viewing on the Internet, via an Internet website containing code that exploits a vulnerability in software installed on the computer (often referred to as a drive-by download), through P2P file-sharing applications, over network shares if the computer is part of a local area network (LAN), and various other means. Reading this forum is actually a good way to learn how people got infected with Trojan.ZeroAccess. Recent examples I've seen are via P2P files, malicious videos and drive-by downloads, but there are surely others.
Is Norton able to block them?
In order to answer the question of whether Norton products detect them or not, we need to consider several different scenarios.
A. A threat that Norton is able to detect and block
Norton products are able to detect the vast majority of threats and prevent them from installing themselves onto the target computer. It doesn't matter how deeply a threat would embed itself in the operating system (OS) or what it would do once it got there if it can't get onto the computer in the first place. This is the ideal protection scenario and one that we at Symantec strive for 24 hours a day, 7 days a week.
B. A threat that Norton is unable to detect and block the installation of, but after a subsequent definitions update is able to effectively remove from the computer
There could be several reasons why a threat manages to install itself on a computer in the first place, but for argument's sake let's say the security product simply doesn't contain what is required to prevent that particular threat getting in at the time. It would be ideal if this were never the case and your antivirus blocked 100% of threats 100% of the time, but unfortunately that's not the reality of it. Some threats do manage to get in, and need to be removed after the fact.
C. A threat that Norton is unable to detect and block the installation of, and even after a subsequent definitions update is still not able to effectively remove from the computer
This is a fairly rare case, but it does exist. I believe this is the scenario that applies to some of the forum threads which prompted this particular thread. So, how does this happen and, more importantly, why can't Norton remove it?
ZeroAccess is a complex threat, obviously having required much time and skill to develop. There are different variants of ZeroAccess, but many of them have one thing in common - they overwrite critical operating system files, effectively replacing them with their own malicious version. Malicious, but designed to still fulfill the function of the original file it overwrote so that the computer can continue to work, albeit under the relative control of the malware creator. Because the system file or files are essential to the normal running of the computer, if Norton simply deletes them the computer will no longer function properly and may not even start after a reboot. In many cases Norton is able to recover the original file and put it back in place. But there are cases where the original file is not recoverable - it may have been deleted, corrupted or modified by the threat to the point where it no longer functions as intended - and needs to be restored from a known good backup. So rather than delete these malicious files and potentially render a computer unusable Norton brings them to the attention of the computer user, along with the recommendation that the files are restored manually. There are various means of doing this, usually involving either the Windows installation disk or some form of the Windows Recovery Console (XP) / System Recovery (Windows 7).
What is Trojan.Gen?
A quick note about Trojan.Gen and Trojan.Gen.2 detections. A detection with "Gen" in the name is what is known as a generic detection, written with the intention of catching a wider range of threats or variants of a threat family than a normal detection which has a specific name, such as Trojan.ZeroAccess. A Gen detection basically casts a wider net. So Gen detections sometimes catch 'specific' threats, without knowing exactly what that particular threat is. The Gen detection doesn't really care what the threat is; its goal is simply to stop it in its tracks. Now, when a user sees a Norton pop-up telling them "Auto-Protect blocked threats" or similar, only to see the exact same alert every time they start their computer, it can indeed be confusing. If we go back to our ZeroAccess example above where the threat overwrites critical system files, we are able to see how this can happen. So in our scenario ZeroAccess has overwritten a critical start-up system file, which Norton is unable to restore for reasons outlined above. This malicious file runs at start-up and creates additional malicious files on the computer, which Norton then blocks - hence the pop-up. But as Norton is unable to restore the critical system file which is causing the subsequent malicious files to be created, it happens every time the computer starts. In this scenario, the computer is safe - Norton has done its job of blocking the main threat. But until the critical system file is restored (manually, from a clean backup) the scenario will repeat itself. Annoying, to say the very least.
So, what to do if you are unfortunate enough to get infected with one of these nasties that your Norton product is having trouble removing?
I got infected - what do I do now?
Firstly, you have my sympathy, as you have a bit of pain ahead of you but there isn't much that can be done about it at this point other than work through it. If you suspect the threat is Trojan.ZeroAccess the first thing is to download our Trojan.ZeroAccess Removal Tool and run it. If it removes the problem, you're in good shape. If it doesn't (for the reasons outlined in B above), try Norton Power Eraser. If that doesn't help, you still have options. You can either attempt to fix the problem yourself by following the manual removal instructions on our Trojan.ZeroAccess write-up, you can contact Norton Support, or you can ask for help via this forum or elsewhere.
Anyway, there's a fair bit there to digest, and I hope it all makes sense. Please know that we are continually working to prevent the pain and hassle our customers can experience when dealing with virus infections, but sometimes the solution is not quite as seamless or painless as we would like. Oh for that perfect world.
Thanks for listening.
JohnM
===============
Tips
Here are some recommendations for general computer use that should help avoid a disaster scenario.
Back up your data
It never ceases to amaze me how many people don't do this, and then regret it when it's suddenly gone forever. If you keep any information on your computer that would cause you grief in the event you lost it permanently, keep a regular copy of it somewhere else. Back it up to a separate hard drive or flash drive, or even better, online. Another good option is backing up to once-writable media (so it can't be inadvertently erased or overwritten) and keep it somewhere safe. It's insurance in the event your computer gets stolen, suffers a critical failure, or a nasty piece of malware renders it unrecoverable. These things can and do happen.
Ensure you have some form of a recovery disk
Back in the good old days before software piracy became a significant factor, new computers used to come with the operating system installation disk. But these days most don't, instead coming with a small hidden partition called the recovery partition which contains a copy of the operating system as it was when it was first installed. This recovery partition can then be used to repair the computer in the event that the operating system gets corrupted. It works well, but has one drawback: the recovery partition could also become corrupted. And while it's true that even a physical recovery disk could become unusable (e.g. if it gets scratched badly enough), having one is still useful as a second option to help recover from an OS failure or corruption.
Keep your security product definitions up-to-date
In fact, keep all your installed software up to date with the latest updates, patches and security fixes. A lot of the problems computer users experience could be avoided by following this simple rule.
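As an added illustration, not part of the original post and not Symantec's or Norton's code, the following Python sketch shows the defender-side idea behind scenario C above: a hash baseline taken while the system is clean catches a start-up file that has been overwritten with a still-functional replacement, and the file is then put back from a known-good backup copy. The function names and the sample file names are constructed assumptions for the example.

```python
import hashlib
import os
import shutil
import tempfile

# Hypothetical helper names; the sample files and directories are constructed.

def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record each file's hash while the system is known to be clean."""
    return {p: sha256_of(p) for p in paths}

def find_modified(baseline):
    """Return the files whose current hash no longer matches the baseline."""
    return sorted(p for p, digest in baseline.items()
                  if not os.path.exists(p) or sha256_of(p) != digest)

def restore_from_backup(path, backup_dir):
    """Copy the known-good copy of the file back over the modified one."""
    shutil.copy2(os.path.join(backup_dir, os.path.basename(path)), path)

def demo():
    """Constructed scenario: one start-up file is silently overwritten."""
    root = tempfile.mkdtemp()
    sys_dir = os.path.join(root, "system")
    backup_dir = os.path.join(root, "backup")
    os.makedirs(sys_dir)
    os.makedirs(backup_dir)
    files = []
    for name in ("startup_service.exe", "helper.dll"):  # constructed names
        p = os.path.join(sys_dir, name)
        with open(p, "wb") as f:
            f.write(b"clean contents of " + name.encode())
        shutil.copy2(p, backup_dir)  # the known-good backup copy
        files.append(p)
    baseline = build_baseline(files)
    # Simulate the overwrite: same name and path, different bytes.
    with open(files[0], "wb") as f:
        f.write(b"replacement contents of startup_service.exe")
    before = find_modified(baseline)        # detected by hash mismatch
    for p in before:
        restore_from_backup(p, backup_dir)  # put the clean copy back
    after = find_modified(baseline)         # nothing left mismatched
    shutil.rmtree(root)
    return [os.path.basename(p) for p in before], after

if __name__ == "__main__":
    print(demo())  # (['startup_service.exe'], [])
```

The baseline only helps if it was taken before the infection and stored somewhere the malware cannot reach, which is the same point the "Back up your data" tip makes.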