Antivirus and Anti-spyware protections misses Trojans
Updated: 21 May 2010 | 12 comments
Hi everyone,
We have implemented SEP 11 in our company. For technical reasons we use the SEP client managed with only the Antivirus and Anti-spyware module enabled. The other modules are disabled.
The point is, sometimes users get files with viruses downloaded to their workstation, and the antivirus does not catch them, neither automatically nor when the file is manually submitted to be inspected.
Files infected with Trojan-Downloader.Win32.Delf.uze, for example, are ignored by SEP 11. (I know this because I sent the file to be analyzed by the Kaspersky File Scanner.)
Maybe my configuration needs some adjustments, or maybe I am missing something... any clue?
Thanks,
Carlos Oliveira
Comments
Missed Trojans
Hello Carlos,
It sounds like you need to enable the IPS drivers. Please review the excerpt from a training document I sent to my managed partners. I have the sample policies and white papers if you would like to review them.
Consider the Intrusion Prevention feature in SEP 11. This technology, when deployed, uses a single signature to protect SEP 11 clients from multiple variants of the same or similar threat. When Intrusion Prevention is not deployed, the Anti-Virus signatures must constantly be updated to protect against every unique variant of a threat. While this is possible, it is much more difficult to maintain the best possible protection for your customers, as some threats have hundreds and even thousands of variants. Review the attachment "Leveraging IPS technology for better protection" for more details.
If you think of the multiple protection technologies in SEP 11 as layers, then Intrusion Prevention is the second layer after the Firewall. Next is the Generic Exploit Blocking layer, which analyzes the application behavior. This engine will catch true zero-day threats: threats for which there may not be an IPS or AV signature. The last layer is the traditional AV engine. Stopping threats at the outer layers is more efficient and faster; if the threat never runs, there is no clean-up to perform later. With all the protection technologies deployed, the client is fully protected from zero-day threats, and known threats can be stopped before they execute on the protected client.
The next thing to consider is the policies that govern the behavior of the protection technologies. The provided default policies are intended to be reviewed and changed prior to deployment, as they are designed to be acceptable in a very large range of environments. One suggested change, for example, is to change the GEB action from "log" (let the malicious code execute and report it) to "terminate" (shut down the program). In the attached ZIP file you will find some sample policies that have been based on the template "high performance" policies created when you install the product and that have been tightened to provide better and more aggressive protection. Please take a minute to import these policies into your test labs and review them. There is a policy designed for workstations and one for servers, with the main difference being the enablement of GEB and the email scanners (GEB is not supported on the server OS, and generally speaking email scanners should not be deployed to servers). Many of these settings are from the attached best practices guide; newer versions of the guide are being worked on.
Finally, let's consider the software itself. As with SAV 10, there are numerous updates and changes in SEP 11. Fortunately, the process of updating the server and clients in SEP 11 is much simpler than it ever was in SAV 10. A good practice is to allow minor code updates to be deployed by the SEPM server. This can be accomplished by checking the "Download SEP product updates using a LiveUpdate server" option in the LiveUpdate policies. Recently a new IPS driver was deployed (details below), but it would only get deployed to the clients if the policy is modified. This will not deploy maintenance releases; only product patch files and updates. Again, I have included a sample policy for review in the attached ZIP file.
To recap:
1.) Deploy all of the components of SEP where supported. The "Proactive Threat Scan" engine (GEB) is not supported on x64 and Server. Rely on the IPS engine to prevent malicious code from executing so the AV engine does not have to clean up after the threat executes.
2.) Lock the settings on your policies. This prevents the user from changing the settings and makes the protection more consistent in a deployment.
3.) Enable the Tamper Protection feature. You can find this in the Location-independent Policies and Settings area under General Settings. Set the action to "Block" and lock the setting. Symantec owns 40% of the endpoint security market; every hacker and script kiddie inserts an "smc -stop" command in their code.
4.) Ensure that product patches are deployed as soon as possible with the LiveUpdate policy. Maintenance Releases should be applied shortly after release; you can track the releases by signing up for them here: http://www.symantec.com/business/support/news_bull... (all products are available for this free service)
Doug Snyder
Sr. Principal Sales Engineer
Columbus, Ohio USA
Did you submit the suspicious files to Symantec as well? How?
Regards,
Giuseppe
Douglas, thank you !
Unfortunately, sometimes we have to deal with low-performance computers. Implementing all the modules will make the computer much safer, but impossible to use due to performance issues.
But I did understand what I have to do in order to have variants like that caught by the antivirus, and the importance of all the layers. Your explanation was very useful to me; I will try some tests in a lab environment.
If you can send me, or attach, the ZIP file/documents you mentioned, it will be great!
Thank you very much !
Carlos Oliveira
Submitting the infected file
Giuseppe,
Is it possible to submit the file to Symantec using the SEP client? How can I do that?
Thanks,
Carlos Oliveira
Just submit the samples here:
https://submit.symantec.com/basic
Regards,
Giuseppe
Submitting the infected file
Giuseppe, thanks!
I wasn't able to submit via the address you gave, since it asks for a "Contact ID" that I do not have.
But I googled and found another submission page with no "Contact ID", so I could submit the infected file.
www.symantec.com/business/security_response/submitsamples.jsp#
Thanks,
Carlos Oliveira
If you submitted via the Retail (Home) Users link...
You should really contact customer care to get your contact ID number because the submissions associated with a contact ID get processed days faster than the ones submitted via the retail link.
Here are the links for submitting a suspected file:
For Basic - https://submit.symantec.com/websubmit/basic.cgi
Gold - https://submit.symantec.com/websubmit/gold.cgi
Essential - https://submit.symantec.com/websubmit/essential.cgi
Platinum - https://submit.symantec.com/websubmit/platinum.cgi
Retail - https://submit.symantec.com/websubmit/retail.cgi
Have you even tried to enable the other features to test their performance? I think you are mistaken on the impact.
With MR4 MP2, something like 11.0.4204.x I think... I have ALL the features installed and enabled, and at rest I'm using less than 35 MB of RAM at idle.
When I'm doing a HDD scan, rtvscan.exe uses more RAM, but less than 5% CPU time. Somewhere in the 45-55 MB of RAM used total!
Many people I've met or talked to with SEP have little idea of the additional features, and based on assumption or fear of the additional complexity choose not to enable them. Thus more infections. What they fail to understand is that viruses are no longer just viruses. They are now active malicious attackers that require more than just "reactive," signature-based detection. They need proactive protection, e.g. IPS.
There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."
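The post above argues from a single idle measurement of rtvscan.exe. As an added example (not part of the original thread, and not Symantec's code), the following PowerShell script samples the SEP 11 client processes over a fixed window and reports working set, private bytes and CPU percentage per process, so the "performance impact" claim can be measured on the low-end workstations Carlos mentions rather than assumed. The process list is an assumption: rtvscan is named in the thread; ccSvcHst, Smc and SmcGui are the other SEP client processes as commonly observed, and any that are absent are simply skipped.

```powershell
# Added example: measure memory and CPU footprint of the SEP 11 client processes.
# Process names are assumptions (rtvscan is the one named in the thread); anything
# not running is skipped rather than treated as an error.
$SepProcesses  = 'rtvscan', 'ccSvcHst', 'Smc', 'SmcGui'
$SampleSeconds = 10

function Get-SepSnapshot {
    # One point-in-time reading per SEP process; CPU time is cumulative so far.
    Get-Process -Name $SepProcesses -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.ProcessName
                Id           = $_.Id
                WorkingSet   = $_.WorkingSet64
                PrivateBytes = $_.PrivateMemorySize64
                CpuSeconds   = $_.TotalProcessorTime.TotalSeconds
            }
        }
}

$before = Get-SepSnapshot
if (-not $before) {
    Write-Warning 'No SEP client processes found; is the client installed and running?'
    return
}

Start-Sleep -Seconds $SampleSeconds
$after = Get-SepSnapshot
$cores = [Environment]::ProcessorCount

$rows = foreach ($p in $after) {
    $prev = $before | Where-Object { $_.Id -eq $p.Id }
    if (-not $prev) { continue }   # process (re)started inside the window; no valid delta
    # CPU% = CPU seconds consumed in the window / (window length * logical cores)
    $cpuPct = (($p.CpuSeconds - $prev.CpuSeconds) / ($SampleSeconds * $cores)) * 100
    [pscustomobject]@{
        Process         = $p.Name
        PID             = $p.Id
        'WorkingSet MB' = [math]::Round($p.WorkingSet / 1MB, 1)
        'Private MB'    = [math]::Round($p.PrivateBytes / 1MB, 1)
        'CPU %'         = [math]::Round($cpuPct, 2)
    }
}

$rows | Format-Table -AutoSize
$totalMb = ($rows | Measure-Object 'WorkingSet MB' -Sum).Sum
'Total working set across SEP processes: {0} MB over a {1}s sample' -f $totalMb, $SampleSeconds
```

Run it once at idle and once while a full scan is in progress to get the two numbers the post quotes; comparing the same script's output with only AV/AS enabled and with IPS and Proactive Threat Scan also enabled gives the actual cost of the extra layers on a given machine.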
@ carlos,
you can try sending viruses from the SEP console: Quarantine tab, and on the lower right you can find the "Submit" button... that's it. Of course, you just need an internet connection... :-)
If you need assistance determining what items are loading on a particular machine, please refer to the following documents:
1) 'Common loading points for viruses, worms, and Trojan horse programs on Windows NT/2000/XP/2003'
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2001060517115206?Open&seg=ent
2) 'Common loading points for viruses, worms, and Trojan horse programs on Windows 98/95/3.1x'
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/1999052415383948?Open&seg=ent
3) What is Risk Tracer?
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/be1edccb0e39927280257363003a2bb3?OpenDocument
4) How to prevent a virus from spreading using the "AutoRun" feature
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/2c3dd6a59d7d1688802574130041a738?OpenDocument
5) The 5 Steps of Virus Troubleshooting
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/59ced4261979d3e78825725f007bfde5?OpenDocument
6) General security practices for network administrators
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2004070210271548
7) To submit a file directly from the Quarantine of Symantec Endpoint Protection:
'How to submit file(s) from quarantine using the new user interface within Symantec Endpoint Protection 11.0'
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007031308253048?Open&seg=ent
8) How to create email notifications in the event of risk outbreak or virus definitions out-of date in Symantec Endpoint Protection Manager (SEPM)
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032116480748
9) What to do when you suspect that a Symantec antivirus product is not detecting viruses
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/73537d3ec91e9d3288256a220027acf0?OpenDocument
10) Example of an Emergency Containment Plan to respond to a virus infection
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d4fe4fd2aa5d954c88256aab0064959f?OpenDocument
11) Microsoft 0-Day - Advisory 935423 (BID 23194) - Cursor And Icon ANI Format Handling Remote Code Execution Vulnerability
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/94a2db75850880ee88257348007a2531?OpenDocument
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3
Follow me on Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
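Documents 1 and 2 above describe the common loading points a Trojan downloader uses to persist. As an added example (not from the original post or any Symantec document), this PowerShell script enumerates the best-known Windows autostart locations on a machine so the entries can be reviewed against what is expected: the HKLM/HKCU Run and RunOnce keys (including the Wow6432Node view on x64), the Winlogon Shell and Userinit values, the per-user and all-users Startup folders, and automatic-start services whose binary lives outside %SystemRoot%. The set of locations is an assumption for illustration and is not exhaustive; it is a triage aid, not a detector.

```powershell
# Added example: list common Windows autostart (loading) points for manual review.
# The location set below is an assumption chosen for illustration and is not complete.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RunKeyEntries {
    # Every value under each Run/RunOnce key is a command executed at logon.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-WinlogonEntries {
    # Shell is normally "explorer.exe" and Userinit normally ends in "userinit.exe,";
    # anything appended to either runs at every interactive logon.
    $item = Get-Item $WinlogonKey
    foreach ($name in 'Shell', 'Userinit') {
        [pscustomobject]@{ Location = $WinlogonKey; Name = $name; Command = $item.GetValue($name) }
    }
}

function Get-StartupFolderEntries {
    # Files dropped into the user's or the all-users Startup folder run at logon.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem $folder -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
            }
    }
}

function Get-AutoServicesOutsideWindows {
    # Auto-start services whose image path is not under %SystemRoot% deserve a look;
    # legitimate third-party services will appear here too, so review, don't assume.
    $systemRoot = [regex]::Escape($env:SystemRoot)
    Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
        Where-Object { $_.PathName -and ($_.PathName -notmatch $systemRoot) } |
        ForEach-Object {
            [pscustomobject]@{ Location = 'Service'; Name = $_.Name; Command = $_.PathName }
        }
}

$entries = @(Get-RunKeyEntries) + @(Get-WinlogonEntries) +
           @(Get-StartupFolderEntries) + @(Get-AutoServicesOutsideWindows)
$entries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys and service list are fully readable, and run it as the affected user as well, since the HKCU keys and the per-user Startup folder belong to whoever is logged on. Pipe the output to `Export-Csv` on a known-clean machine of the same build to have a baseline to diff against.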
check this.... I am sure it would help
To submit a file directly from the Quarantine of Symantec Endpoint Protection:
Title: 'How to submit file(s) from quarantine using the new user interface within Symantec Endpoint Protection 11.0'
Document ID: 2007031308253048
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007031308253048?Open&seg=ent
To create exceptions for the original location of the file in Symantec AntiVirus Corporate Edition to restore from Quarantine and manually submit the file:
Title: 'Excluding specific drives and folders from Symantec AntiVirus scans'
Document ID: 2002092413394848
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002092413394848?Open&seg=ent
To manually upload a file that is being flagged as a threat and you see as a false positive to Symantec Security Response, please follow the manual submission process at the following URL:
https://submit.symantec.com/gold/
Fill out all the information on this page when submitting and note that this is a false positive detection being flagged as a threat. Please do not send any submissions to the email address this message was sent from. Submissions to this email address will not be accepted and could cause delays in the examination of the submission.
Once Symantec Security Response has confirmed that the file is a false positive, we will create new virus definitions to resolve the false positive detection. With the new virus definitions and information from Security Response, the file should not be added back to Quarantine after it has been restored back to its original location.
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3
Follow me on Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.