Endpoint Protection Small Business Edition

  • 1.  Auto-protect not catching malware, manual scan does

    Posted Jan 06, 2012 03:42 PM

    Just an FYI.  We've seen a few of these fake US Postal Service emails come through our corporation.  They are getting through our mail server's filters and Symantec's Auto-Protect and Outlook Auto-Protect modules are not catching them either.  I had a user forward one of these emails to me asking if it was legitimate or not.  I was able to download the attachment (I did not unzip it of course) then run a right-click scan on it at which point SEP SBE 12.1 did tell me it was a trojan.  I would expect Outlook Auto-Protect to catch this, and if not, at the very least the general Auto-Protect should have caught it when I downloaded the file from the email to my desktop.  Shouldn't Auto-Protect be working better in this situation?

    Symantec (on the right-click scan) identified the malware as Trojan.Smoaler!gen2



  • 2.  RE: Auto-protect not catching malware, manual scan does

    Broadcom Employee
    Posted Jan 06, 2012 09:09 PM

    Auto-Protect will not scan into archive files; once the archive file is extracted and the file is accessed, Auto-Protect will catch it.

    Was the zip file password protected?



  • 3.  RE: Auto-protect not catching malware, manual scan does

    Posted Jan 09, 2012 06:05 PM

    No, the zip file was not password protected. edit:  I never unzipped the file, so I can't be sure.  I right-click scanned the zip file itself, but did not want to risk an infection by unzipping it.

    I see that Auto-Protect does not scan inside zip files, but Microsoft Outlook Auto-Protect does.  The machine that originally received this spam/trojan email was running Outlook 2010.  Shouldn't the Outlook Auto-Protect module have flagged this before the user forwarded it on to me?  Or am I not understanding how Outlook Auto-Protect works?

    Thank you.



  • 4.  RE: Auto-protect not catching malware, manual scan does
    Best Answer

    Broadcom Employee
    Posted Jan 09, 2012 11:05 PM

    Have you enabled scanning within compressed files (under the AV/AS policy)?

    What is the action configured? If the manual scan detected it, AP should also detect it, provided the file is accessed/modified.



  • 5.  RE: Auto-protect not catching malware, manual scan does

    Posted Jan 10, 2012 12:05 PM

    Outlook Auto-Protect is configured as follows:

    -Scan All Files

    -Scan within Compressed Files (6 levels deep)

    -First Action: Clean, Second Action: Quarantine

    -Display Notification Message on infected computer

     

    I think the key here is your quote "provided the file is accessed/modified".  The user never tried to access the file attachment.  He forwarded the email to me, then I saved the .zip attachment to my drive.  I use Thunderbird, not Outlook, so Outlook Auto-Protect would not have kicked in on my machine.
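
Added example (not part of the thread, and not Symantec's code): a way to answer the "was it password protected?" and "what is inside?" questions without unzipping, by reading the archive's directory in memory and following nested zips to the 6-level depth quoted above. `RISKY_EXT`, `MAX_MEMBER_BYTES` and the sample file names are assumptions made for this sketch.

```python
import io
import zipfile

MAX_DEPTH = 6                         # mirrors the "6 levels deep" setting in the thread
MAX_MEMBER_BYTES = 32 * 1024 * 1024   # assumed cap so a nested zip bomb is not inflated
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs")  # assumed list


def inspect_zip(data, depth=1, prefix=""):
    """Walk a zip held in memory and return (path, finding) tuples.

    Nothing is written to disk, so no member is ever 'accessed' as a file.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            name = info.filename.lower()
            if info.flag_bits & 0x1:          # general-purpose bit 0: encrypted member
                findings.append((path, "encrypted"))
                continue                      # content is unreadable without the password
            if name.endswith(RISKY_EXT):
                findings.append((path, "executable"))
            if name.endswith(".zip"):
                if depth >= MAX_DEPTH:
                    findings.append((path, "nesting-limit"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "too-large"))
                else:
                    inner = zf.read(info)     # decompressed into memory only
                    findings.extend(inspect_zip(inner, depth + 1, path + "!"))
    return findings


def build_sample():
    """Constructed sample: outer zip -> inner.zip -> harmless bytes named label.exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("label.exe", b"harmless placeholder bytes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"constructed sample")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, finding in inspect_zip(build_sample()):
        print(finding, path)
```

An "encrypted" finding means a content scanner could not have looked inside that member either, which is the case the password question in reply 2 is probing for.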