Endpoint Protection

  • 1.  Av 2009 & FakeAV Alert

    Posted Dec 08, 2009 12:09 PM
    This is my first time ever posting here in the forums. I apologize if this issue has already been addressed elsewhere. If it has, please direct me to it. I am currently running SEP 11 MR 5 (just upgraded from MR 4 yesterday). I have approximately 2500 clients in my console manager. One piece of spyware that I keep seeing, and that we are having constant issues with, is the so-called AV2009. SEP will often recognize that there is an infection but will not do anything. I have it set in my AV & AS policy to first try to clean, and if cleaning is not successful, to quarantine the infection, then delete the quarantine after three days. I often have to run Malwarebytes on many of my clients because SEP is unable to remove AV2009. Is there something I have wrong in my setup? Any information would be greatly appreciated. Thanks


  • 2.  RE: Av 2009 & FakeAV Alert
    Best Answer

    Posted Dec 08, 2009 01:18 PM
    http://www.symantec.com/security_response/writeup.jsp?docid=2008-082521-2037-99&tabid=2

    Here are a few more files associated with AV2009:

    shlwapi.dll
    wininet.dll

    av2009.exe
    AV2009.exe.exe
    shlwapi.dll
    wininet.dll
    AV2009.lnk
    Uninstall AV2009.lnk



    Follow this link and submit any file that is not detected:
    https://submit.symantec.com/basic

    Symantec will then have definitions for the files that are not being detected, and the action will be taken right away on the first detection.

    Don't be mistaken into thinking that if AV detects AV2009 once it will always be detected. There are hundreds of variants of the same type of malware with the same file and fake product name, but the viral code in the file differs. So when you see such a detection and see that SEP is not detecting it or not completely removing it:
    1. Run a full scan with updated definitions.
    2. Submit the files to Symantec Security Response.

    Check this article once: https://www-secure.symantec.com/connect/articles/online-virus-and-behavioural-scan-engines


  • 3.  RE: Av 2009 & FakeAV Alert

    Posted Dec 09, 2009 02:02 AM
    Hi J.B.,

    You write that "SEP will often recognize that there is an infection however will not do anything."  What exact action is being reported in the Risk History?  (Same info can also be found in the computer's Windows Application Event Logs.)

    If the detection was made by SEP's "Auto-Protect" and the action taken was "partial" or "left alone" or "reboot needed," chances are that this AV2009 has "tricked" Windows into protecting its processes and SEP's AP cannot end them.  A full system scan (scheduled or manual) on those computers will be more effective than the real-time (Auto-Protect) scan.  Running the full system scan in safe mode will almost always successfully remove any threat detected.

    Please let the forum know if this works for you!

    Thanks and best regards,

    Mick
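The triage Mick asks for (which action SEP actually reported for each detection) can be pulled from the Windows Application log in bulk rather than read one Risk History entry at a time. The script below is an added example, not code from this thread or from Symantec. It assumes that SEP 11 writes its risk events to the Application log under the provider name 'Symantec AntiVirus' and that action wording such as "Left alone" or "Partially removed" appears in the event text; both assumptions should be checked against a real client's events before relying on the output. It needs Get-WinEvent, which requires PowerShell 2.0 on Windows Vista/7 or later.

```powershell
# Added example (not from the thread): summarize Symantec Endpoint Protection
# detection events from the Application log so you can see which action SEP
# reported (Cleaned, Quarantined, Left alone, Reboot required, ...) and which
# machines need a scheduled full scan or a safe-mode scan.
#
# ASSUMPTIONS (verify on your own clients):
#  - SEP 11 logs risk events under the provider name 'Symantec AntiVirus'.
#    Adjust $Provider if your events use a different source name.
#  - The action words below appear as plain text in the event message; the
#    exact phrasing in your environment may differ.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$Provider     = 'Symantec AntiVirus',
    [int]$Days            = 7
)

$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Application'; ProviderName = $Provider; StartTime = $since }

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    Write-Warning "No events from provider '$Provider' on $ComputerName in the last $Days days: $_"
    return
}

# Actions that mean the threat is probably still present and Auto-Protect
# could not finish the job, which is the case the thread describes.
$needsFollowUp = @('Left alone', 'Partially removed', 'Reboot', 'Access denied')
$allActions    = $needsFollowUp + @('Cleaned', 'Quarantined', 'Deleted')

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Pick out the reported action with a simple text match (assumed phrasing).
    $action = $allActions | Where-Object { $msg -match [regex]::Escape($_) } | Select-Object -First 1
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        Action   = if ($action) { $action } else { 'Unknown' }
        FollowUp = [bool]($needsFollowUp | Where-Object { $msg -match [regex]::Escape($_) })
        Message  = ($msg -split "`r?`n")[0]   # first line only, for the table
    }
}

"Detections by reported action on $ComputerName (last $Days days):"
$rows | Group-Object Action | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

"Events that likely need a full scan or a safe-mode scan:"
$rows | Where-Object FollowUp | Sort-Object Time -Descending |
    Format-Table Time, EventId, Action, Message -AutoSize
```

Run it as `.\Get-SepActions.ps1 -ComputerName CLIENT01 -Days 30` (the file name is yours to choose) against a client that showed the AV2009 detection; the second table is the list of detections where SEP recorded something other than a successful clean, quarantine or delete, which is exactly the set of machines to schedule for a full scan.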


  • 4.  RE: Av 2009 & FakeAV Alert

    Posted Dec 09, 2009 12:27 PM
    I will have to get the logs from the next client that reports this. Partially my fault, I never submit any of the logs to Symantec; I would just always run Malwarebytes if SEP did not get rid of it. My users currently do not have the ability to access the client (password protected). I have my actions set to automatically clean and, if cleaning is not successful, to quarantine the infection. I do have a scheduled scan that runs once a month in our environment. I will save the logs for the next machine I have that runs into this. Thanks for all of your help and advice, everyone.


  • 5.  RE: Av 2009 & FakeAV Alert

    Posted Dec 09, 2009 12:55 PM
    Once a month is a very looong time, especially for a school with kids who have little information about what is secure and what is insecure. Weekly looks more promising.

    Why does SEP detect a file but is not able to delete or quarantine it?
    Ans: These threats hook themselves either to explorer.exe or to another running process, and SEP cannot delete or kill the process as it would have to kill explorer.exe as well.

    Sometimes they install themselves as a service that is set to automatic, so SEP is not able to take any action as the service needs to be halted first.
    For these reasons SEP requires a reboot to take the action.

    Using any third-party tool, e.g. Malwarebytes, will always solve the problem temporarily.
    But what if the same virus is there on 10 or 100 computers at the same time,
    or every day you find a computer getting infected with a threat that you had previously cleaned using MBAM? Having definitions for them will be beneficial for you as well as for the millions of people who are using SEP and might get infected with the same threat.




  • 6.  RE: Av 2009 & FakeAV Alert

    Posted Dec 09, 2009 03:33 PM
    I appreciate the info. You are right about probably needing to increase my number of scheduled scans. I am going to open another thread and see what people who might have a similar environment to ours might currently be practicing, and compare ideas and see what would be best. I know Auto-Protect is great, but I think increased full system scans would also benefit us. And I will be sure to submit infection logs in the near future. I have never done that, and if my memory serves me correctly, I have to submit it from the client? Thanks again


  • 7.  RE: Av 2009 & FakeAV Alert

    Posted Dec 09, 2009 03:48 PM
    Yes, from the client; just submit the file to
    https://submit.symantec.com/basic ... you will be notified when definitions are created for the threat and released in a definition update.