Endpoint Protection

  • 1.  Anserin outbreak

    Posted May 22, 2013 04:44 AM

    I have a question, mostly directed at Symantec itself.

    I work in the Netherlands as an IT specialist with a company that services about 100+ customers.

    We almost exclusively use Symantec Endpoint Protection and Mail Foundation, but my faith in these products is starting to fail.

    At several of our customers we have had outbreaks of viruses recently, none of which Endpoint or Mail Foundation stopped.

    Oh yes, of course the management interfaces show that threats have been stopped, but we have too many occurrences that get through.

    Our most recent issue has been the Anserin (http://www.symantec.com/security_response/writeup.jsp?docid=2005-112315-0608-99) virus. The problem with this one is that the phone-home traffic gets you on spam blacklists even with port 25 closed for everyone except the mail server, causing big disruption for the small to medium business clients.

    This is a virus that's pretty old, and it gets through Endpoint.

    By now I'm wondering why Symantec's AV products can be bypassed so often when the product is up to date, with full protection enabled...

    Even when infected, Endpoint was unable to detect the viruses. We had to use a competitor's offline scan solution to find and disinfect the computers.

    My goal, by the way, is not to handle every individual case but to discuss the general performance of the product.

    Any response from Symantec would be greatly appreciated.

     

    Dominic
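The point in the post above, that workstations phoning home over SMTP get a customer blacklisted even though port 25 is closed to everything but the mail server, has a practical flip side: the firewall log of port-25 attempts from non-mail-server hosts is a cheap, high-fidelity list of infected machines. The script below is an added example (not the poster's or Symantec's code) that runs that check over a handful of log lines. The log format is constructed for the example (it is not any vendor's format), the addresses are documentation ranges, and the mail-server address and LAN prefix are assumptions passed in as parameters. It counts both DENY and ALLOW lines, because an ALLOW from a workstation means the port-25 block is not actually covering that host.

```python
"""Flag LAN hosts other than the mail server that try to open TCP/25 outbound.

Added example, not from the thread. Log format, addresses, mail server and
LAN prefix are all constructed assumptions for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed line format: <timestamp> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: 192.168.1.5 is the assumed mail server, .57 and .23 are workstations.
SAMPLE_LOG = """\
2013-05-21T09:12:03 ALLOW TCP 192.168.1.5:50122 -> 203.0.113.10:25
2013-05-21T09:12:07 DENY TCP 192.168.1.57:49811 -> 203.0.113.10:25
2013-05-21T09:12:07 DENY TCP 192.168.1.57:49812 -> 198.51.100.4:25
2013-05-21T09:12:08 DENY TCP 192.168.1.57:49813 -> 198.51.100.77:25
2013-05-21T09:12:09 ALLOW TCP 192.168.1.57:49814 -> 203.0.113.80:443
2013-05-21T09:12:10 DENY TCP 192.168.1.23:51000 -> 198.51.100.4:25
2013-05-21T09:14:02 ALLOW TCP 192.168.1.23:51001 -> 198.51.100.4:25
2013-05-21T09:13:40 ALLOW TCP 192.168.1.5:50123 -> 198.51.100.4:25
2013-05-21T09:15:00 DENY TCP 192.168.1.40:52000 -> 192.168.1.5:25
garbage line that should be ignored
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_smtp_suspects(lines, mail_servers, internal_net, threshold=1):
    """Return {src_ip: summary} for internal hosts (not in mail_servers) that
    tried TCP/25 to a destination outside internal_net at least `threshold` times.
    `allowed` counts attempts the firewall let through, i.e. hosts the block misses."""
    net = ip_network(internal_net)
    legit_senders = {ip_address(m) for m in mail_servers}
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 25:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        # Only outbound SMTP from the LAN; talking to the internal mail server is normal.
        if src not in net or dst in net or src in legit_senders:
            continue
        e = seen.setdefault(rec["src"], {"attempts": 0, "allowed": 0, "dests": set(),
                                         "first": rec["ts"], "last": rec["ts"]})
        e["attempts"] += 1
        if rec["action"] == "ALLOW":
            e["allowed"] += 1
        e["dests"].add(rec["dst"])
        e["last"] = rec["ts"]
    return {
        host: {"attempts": e["attempts"], "allowed": e["allowed"],
               "destinations": len(e["dests"]), "first": e["first"], "last": e["last"]}
        for host, e in seen.items() if e["attempts"] >= threshold
    }


if __name__ == "__main__":
    report = find_smtp_suspects(SAMPLE_LOG.splitlines(), {"192.168.1.5"}, "192.168.1.0/24")
    for host, info in sorted(report.items()):
        flag = "  <-- block NOT covering this host" if info["allowed"] else ""
        print(f"{host}: {info['attempts']} SMTP attempts to {info['destinations']} "
              f"servers between {info['first']} and {info['last']}{flag}")
```

Run it against the firewall's export for the customer's LAN; any host in the report that is not a mail server is a candidate for the offline scan, and any host with a non-zero `allowed` count shows the port-25 rule has a gap.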



  • 2.  RE: Anserin outbreak

    Broadcom Employee
    Posted May 22, 2013 05:05 AM

    You should open a support ticket and get help from Security Response for the issue.



  • 3.  RE: Anserin outbreak

    Posted May 22, 2013 05:15 AM

    pete_4u2002, like I said, I don't want to handle individual cases by opening support tickets. I want to know why Symantec's AV products don't do their jobs and discuss that.

    That way, if someone else has this problem, they can read this topic and learn from the conclusions and/or tips and tricks we end up with.



  • 4.  RE: Anserin outbreak

    Posted May 22, 2013 07:10 AM

    Which version? 

    Which features are disabled if any? 

    What security best practices (disable autorun, etc.) are in place?



  • 5.  RE: Anserin outbreak

    Broadcom Employee
    Posted May 22, 2013 07:18 AM

    Hi,

    You need to know the best practices for responding to active threats on a network:

    Best Practices for Troubleshooting Viruses on a Network

    Responding to a virus infection comprises the following five steps:

    Step 1. Identify the Threat and Attack Vectors
    Step 2. Identify the Infected Computers
    Step 3. Quarantine the Infected Computers
    Step 4. Clean the Computers Infected

    It's always recommended to have the SEP client installed with all three features, i.e. AV/AS, PTP and NTP, with the latest definitions.

    Machines should have the latest Windows patches and service pack.

    Disable Autorun if using SEP 11. In SEP 12.1, Autorun is disabled by default.

    Update third party software to their latest versions.

    If you think SEP is still not able to detect the threat, then you need to identify the source of these attacks and submit the suspicious files.

    Enable Risk Tracer to see where the virus is coming from:

    http://www.symantec.com/business/support/index?page=content&id=TECH102539 

    How to Use the Web Submission Process to Submit Suspicious Files

    http://www.symantec.com/docs/TECH102419

    Symantec Security Response usually takes half a day to a day (depending upon entitlement) to provide a response. In the interim, you can try these sites for a quick analysis:

    Virus Total: http://www.virustotal.com/

    ThreatExpert: http://www.threatexpert.com/submit.aspx

    Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003

    http://www.symantec.com/docs/TECH99331

    If it's a virus outbreak and you are not able to stop the threat from spreading, then please log a case with Support as a 1D to receive immediate assistance.


  • 6.  RE: Anserin outbreak

    Posted May 22, 2013 07:41 AM

    What version of SEP are you running and what components are you using for it?

    Here are some KBAs for 11.x and 12.1 which will get you started

    11.x

    Security Response recommendations for Symantec Endpoint Protection settings

    Article:TECH122943  |  Created: 2010-01-03  |  Updated: 2010-11-16  |  Article URL http://www.symantec.com/docs/TECH122943

     

    12.1

    Security Response recommendations for Symantec Endpoint Protection 12.1 settings

    Article:TECH173752  |  Created: 2011-11-07  |  Updated: 2011-11-21  |  Article URL http://www.symantec.com/docs/TECH173752

     



  • 7.  RE: Anserin outbreak

    Trusted Advisor
    Posted May 22, 2013 07:58 AM

    Hello,

    Could you please let us know what version of SEP you are running? Is it SEP 11.x or SEP 12.1?

    I would suggest you run the SymHelp utility on the client machine with suspicious activity, which would then scan the machine for suspicious files. Check this article:

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/docs/TECH98929

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    In your case, it is also advisable to follow a few important steps:

    1) Make sure all these machines are patched with ALL the latest MS security patches and service packs.

    2) Make sure the machines have the latest Symantec virus definitions installed.

    3) Disable the Autorun feature on the machines via GPO. http://support.microsoft.com/kb/967715

    4) Disable System Restore before you do this, as the virus also creates entries in the System Restore point store volumes.

    Make sure to review some of the best practices:

    http://www.symantec.com/business/theme.jsp?themeid...

    Also, tighten up security on the SEP client. Out of the box settings do not cut it:

    http://www.symantec.com/business/support/index?pag...

    Hope that helps!
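Both the reply above (step 3, via GPO per KB 967715) and the earlier Broadcom reply (disable Autorun on SEP 11) tell you to disable Autorun, but neither shows how to verify it actually took effect across a fleet. The script below is an added example, not the posters' or Symantec's code. The registry path, value name and bit meanings are the ones KB 967715 documents (the "Turn off Autoplay" GPO writes the same `NoDriveTypeAutoRun` value); the host names and sample values are constructed. A set bit means Autorun is disabled for that drive type, so anything other than 0xFF leaves some drive type, typically USB sticks, still auto-running.

```python
"""Decode, audit and (on Windows, as admin) enforce NoDriveTypeAutoRun per KB 967715.

Added example, not from the thread. Registry path and bit table follow the KB;
SAMPLE_HOSTS and the values fed to the functions are constructed.
"""
import sys

# Path documented in KB 967715 under HKEY_LOCAL_MACHINE (a per-user copy can also
# exist under HKEY_CURRENT_USER).
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"
DISABLE_ALL = 0xFF  # every bit set: Autorun off for all drive types

# One bit per drive type; a SET bit means Autorun is DISABLED for that type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks: the usual worm vector
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",      # network shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}


def autorun_status(value):
    """Decode a NoDriveTypeAutoRun DWORD. None means the value is absent (no policy set)."""
    if value is None:
        return {"present": False, "all_disabled": False,
                "still_enabled": list(DRIVE_TYPE_BITS.values())}
    mask = value & 0xFF
    still_enabled = [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]
    return {"present": True, "all_disabled": mask == DISABLE_ALL,
            "still_enabled": still_enabled}


def read_policy_value(hive_name="HKLM"):
    """Read the live value on Windows. Returns None off-Windows or if the value is absent."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, POLICY_KEY) as key:
            value, kind = winreg.QueryValueEx(key, POLICY_VALUE)
    except OSError:
        return None
    return value if kind == winreg.REG_DWORD else None


def enforce_disable_all():
    """Write 0xFF to HKLM (Windows only, needs admin). Note from KB 967715: on older
    systems (XP/2003) the update the KB describes must be installed before this value
    is honoured, so writing it is not sufficient on an unpatched machine."""
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, POLICY_VALUE, 0, winreg.REG_DWORD, DISABLE_ALL)


def audit(hosts):
    """hosts: {hostname: value-or-None} collected from each machine.
    Returns the sorted names of hosts where Autorun is not fully disabled."""
    return sorted(h for h, v in hosts.items() if not autorun_status(v)["all_disabled"])


# Constructed fleet snapshot: one compliant server, one workstation with the common
# partial value 0x91 (unknown/remote/reserved only), one with no policy at all.
SAMPLE_HOSTS = {"fs01": 0xFF, "ws-023": 0x91, "ws-057": None}

if __name__ == "__main__":
    for host, value in SAMPLE_HOSTS.items():
        s = autorun_status(value)
        state = "OK" if s["all_disabled"] else "STILL ENABLED for " + ", ".join(s["still_enabled"])
        print(f"{host}: {state}")
    print("needs fixing:", audit(SAMPLE_HOSTS))
    live = read_policy_value()
    if live is not None:
        print("this machine:", autorun_status(live))
```

In practice you would gather each machine's value (for example with a startup script that runs `read_policy_value()` and reports back) and feed the dictionary to `audit()`; the hosts it returns are the ones where the GPO either has not applied or has been overridden locally.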