Endpoint Protection

  • 1.  AV Security Suite still not being blocked by SEP

    Trusted Advisor
    Posted Aug 20, 2010 04:01 AM
    Noticed a few forum threads about this one: one in March, another in June and even one in August. Just had one of our systems infected with this spyware "AV Security Suite". SEP did not detect it at all and there was nothing in the logs to say the system had even detected it. The host computer was fully up to date with the latest definitions and latest SEP version. We also know that this same suite managed to bypass a McAfee security suite.

    Is Symantec doing anything to address this bogus security suite? Even in safe mode SEP does not pick it up. We had to use Malwarebytes to remove it, and even then it did not fully remove it until the file was renamed.




  • 2.  RE: AV Security Suite still not being blocked by SEP

    Posted Aug 20, 2010 04:30 AM
    Run the SEP Support Tool on a machine where you have the AV Security Suite infection, then look at the Load Point section and submit the file to Symantec Security Response:

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/2df6666699008f2a8825750600757e23?OpenDocument


    https://submit.symantec.com/websubmit/retail.cgi
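
    As an added example, not from the original thread and not part of the SEP Support Tool, the script below does a smaller version of what the Load Point section reports: it walks the standard Run/RunOnce keys and Startup folders, resolves the executable each entry launches, and records whether the file exists, its Authenticode signature status and its SHA-256, so the suspicious binary can be located and the hash and file submitted. The registry paths and folders are the standard Windows ones; the command-line parsing in Get-ExePath and the output file name are my own assumptions.

```powershell
# Added example, not from the original thread or the SEP Support Tool.
# Enumerates common autorun load points (Run/RunOnce keys and Startup
# folders), resolves the executable each one launches, and records whether
# it exists, whether it is Authenticode-signed, and its SHA-256 so a
# suspicious entry can be pulled for submission to Security Response.
# Assumptions: PowerShell 2.0 or later, run elevated on the infected host
# (Safe Mode with Command Prompt works); the report is written to local
# disk because the machine may have no network access.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there)
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# Extract the program path from a Run-key command line. Handles
#   "C:\path\prog.exe" /switch   and   C:\path\prog.exe /switch
# Assumption (mine): anything more exotic is reported as its first token.
function Get-ExePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# One record per load point entry; signature and hash only if the file exists
function New-LoadPointRecord {
    param([string]$LoadPoint, [string]$Name, [string]$Path)
    $exists = ($Path -ne '') -and (Test-Path -LiteralPath $Path -PathType Leaf)
    New-Object PSObject -Property @{
        LoadPoint = $LoadPoint
        Name      = $Name
        Path      = $Path
        Exists    = $exists
        Signature = $(if ($exists) { (Get-AuthenticodeSignature -FilePath $Path).Status } else { 'n/a' })
        Sha256    = $(if ($exists) { Get-Sha256Hex $Path } else { '' })
    }
}

$records = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
        $records += New-LoadPointRecord $key $p.Name (Get-ExePath ([string]$p.Value))
    }
}

foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    $files = Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        $records += New-LoadPointRecord $dir $f.Name $f.FullName
    }
}

# Unsigned or missing binaries with random-looking names outside Program Files
# are the first candidates. The Support Tool's Load Point section covers more
# (services, drivers, browser helper objects) than these four keys and two folders.
$report = $records | Select-Object LoadPoint, Name, Path, Exists, Signature, Sha256 | Sort-Object Signature, Path
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:SystemDrive\loadpoints.csv" -NoTypeInformation   # assumed output path
```

    Copy the CSV and the flagged file off the machine on removable media, since a live fake AV usually blocks the browser, and attach both to the submission.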


  • 3.  RE: AV Security Suite still not being blocked by SEP

    Posted Aug 20, 2010 08:30 AM
    Hi GeoGeo,

    If possible, can you submit the suspicious file responsible for this FakeAV suite to Symantec Security Response?  Dozens of these appear every week and we are always updating definitions against them.  Many defences are added based on customer submissions.

    Fake AV / misleading app / smitfraud / scareware / rogueware is an area that Symantec is very actively investigating.  In October 2009, a white paper was made public on the topic. 

    The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs and how they affect users. The report includes an overview of these programs, how they work, their risk implications, various distribution methods and innovative attack vectors.

    To learn more, please download and read the report or listen to the podcasts on the subject. http://www.symantec.com/business/theme.jsp?themeid=threatreport or  http://www4.symantec.com/Vrt/wl?tu_id=XuOB125692283892572210

    Also: highly recommended is this new blog article: https://www-secure.symantec.com/connect/blogs/rogue-turning-retrovirus  Be aware of what the writers of these programs are up to!

    Thanks and best regards,

    Mick



  • 4.  RE: AV Security Suite still not being blocked by SEP

    Posted Aug 20, 2010 08:34 AM

    Run Symantec Power Eraser on it. It's included in the SEP Support Tool.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008071709480648?Open&docid=2008120810393048&nsf=ent-security.nsf&view=854fa02b4f5013678825731a007d06af

    Also, you need to use Application and Device Control to block the installs of these.

    Are you using Proactive Threat Protection? If so, what is your sensitivity level set to and what action are you taking on it?


  • 5.  RE: AV Security Suite still not being blocked by SEP

    Posted Aug 20, 2010 01:10 PM
    Network Threat Protection should be enabled and installed.
    TruScan Proactive Threat Scan should be changed from their defaults
    Bloodhound should be set to maximum

    Odds are this issue will be greatly reduced or eliminated altogether if the above are done.

    Symantec has a Malwarebytes-like tool already built in!  It's called Power Eraser; it's available on clients running RU5 or higher.  It's completely separate from SEP, so that it won't be affected by viruses, and does an aggressive scan to clean and eradicate viruses, where SEP does a scan and tries not to break things...  


  • 6.  RE: AV Security Suite still not being blocked by SEP

    Posted Aug 20, 2010 05:50 PM
    Yes.  We've found at our institution that you *must* do more than just A/V if you want to stop malware from getting in.  A/V detects known bad things, other tools prevent any unknown/untrusted code from running.

    Also, many of these apps are backed by organized crime, they're constantly updating their code to bypass security software.


  • 7.  RE: AV Security Suite still not being blocked by SEP

    Trusted Advisor
    Posted Aug 23, 2010 05:49 AM
    Power Eraser looks like a useful last resort, but AV Security Suite blocks users from accessing the internet or network to download it. So unless they can get someone else to download it and copy it to disk, they can't access it. With some of our users being home based, we can't just go and see them with a copy of the program.

    Trying to get a copy of AV Security Suite to submit to Symantec for investigation, as we've only seen a couple of instances of it and they were cleared before posting to this forum.


  • 8.  RE: AV Security Suite still not being blocked by SEP

    Posted Sep 12, 2010 01:52 PM

    Are there any updates for removing this? My XP Pro machine ran fine yesterday and is completely bollixed today; the only thing I can do is go to their site.

    This is sent from my iPad, not the infected machine.


  • 9.  RE: AV Security Suite still not being blocked by SEP

    Posted Sep 13, 2010 12:36 AM

    Yes, get the SEP Support Tool and run Power Eraser on your machine. 

    Alternatively, you can download the Symantec Emergency Repair Tool, SERT.  It's a bootable ISO to scan a machine and clean it while it's offline.  To get SERT, you need to have a valid support contract for SEP and access to fileconnect.symantec.com