One of our users apparently downloaded the Blackhole exploit kit from a server run by the Russian Business Network. The user saw an alert from SEP on the screen, and our network security people tell us that Symantec blocked the malware successfully.
But we never saw anything about this incident in any log -- neither the Symantec risk logs nor any of the computer's event logs -- and when we tried running a Rapid Release definition update on this computer, we got the message:
No updateable version of Norton Anti-Virus was found...
Which would seem to indicate that the client was corrupted somehow, perhaps by Blackhole. But according to the SEPM Console, the client is running fine; definitions are up-to-date, and the client checked in with the server a few minutes ago.
Does anyone out there have experience with Blackhole? Can you help me figure out what's going on?