Endpoint Protection

  • 1.  Can SEP 12.1.2 scan Android Mounted Image?

    Posted Jan 31, 2013 04:50 PM

    I have been asked by our Sheriff's Office Forensics department if our version of Symantec Endpoint Protection 12.1.2 can scan an Android mounted image for malware.  The image is created and then mounted to a Windows 7 PC.  Basically, can SEP scan through the files and remove malware so as not to infect the PC that has the mounted image?



  • 2.  RE: Can SEP 12.1.2 scan Android Mounted Image?

    Posted Jan 31, 2013 04:54 PM
    Yes it will be able to do this


  • 3.  RE: Can SEP 12.1.2 scan Android Mounted Image?

    Posted Jan 31, 2013 05:02 PM

    Do you or does anyone else know of a test file (Other than EICAR) that I can put on the Android device to do a proof of concept?

     

    Also if there is a Symantec Document with information would be helpful.  I have yet to find one.



  • 4.  RE: Can SEP 12.1.2 scan Android Mounted Image?

    Posted Jan 31, 2013 05:10 PM

    I personally do not have a test file

    I couldn't find a document but I'll keep looking. Perhaps a Symantec employee will check in and provide something if I'm missing it.

    If you check the risks, you will see signatures for android, that I do know.



  • 5.  RE: Can SEP 12.1.2 scan Android Mounted Image?
    Best Answer

    Posted Feb 01, 2013 05:03 AM

    Hi kulhand,

    A question and a couple of points:

    Sheriff's Office Forensics department..... an Android mounted image

    What kind of an image is this?  I know very little about images created by FTK, EnCase, dd etc.  If those require special proprietary tools to view and work with, SEP (and other software on a typical computer) may not be able to open, access and scan those image files without help from that proprietary tool. 

    A good example is a VMWare image: the regular SEP client cannot scan a .vmdk or .vmx file and identify all of the suspicious/malicious files within.  (If that image is launched in VMWare, though, and its hard drive is mapped to the host machine then SEP can work that way.) 

    It is possible to scan the mounted drive of an Android device that is connected to a Win7 computer protected by SEP 12.1 RU2.  (Note that what gets mounted is the SD card for the Android, not the phone's internal memory/OS/etc.)  The file system of the SD card I just tested is FAT, which SEP can read and work with. 

    Eicar is definitely the best test file to use: don't go hunting around for an infected .apk file to test with (as that might get loose).  I can 100% confirm that SEP definitions cover all known Android threats, so anyone who unwittingly tries to copy an infected .apk onto their device from their Windows/Mac/Linux desktop machine will be kept safe.  

    Mounting the Android's drive and scanning it with SEP is a very poor security measure.  Symantec has two products which are designed to protect Android devices: here is an article which describes them:

    Comparing Symantec Mobile Security 7.2 and Norton Mobile Security
    Article URL http://www.symantec.com/docs/TECH202054 
     

    I very strongly recommend that all Androids are protected by SMS 7.2 or NMS.  Every day new Android malware is discovered.  There are whole botnets of infected Android devices, numbering in the millions.

    MDK: The Largest Mobile Botnet in China
    https://www-secure.symantec.com/connect/blogs/mdk-largest-mobile-botnet-china

     

    Android.Exprespam Potentially Infects Thousands of Devices
    https://www-secure.symantec.com/connect/blogs/androidexprespam-potentially-infects-thousands-devices
    Another good site that I recommend is http://www.mobilesecurity.com/

    Hope this helps!!  Please do update the thread with additional details about what type of forensic tool and image is in use and how it works.  With that information at hand members of the forum might be able to give absolute confirmation.  

    With thanks and best regards,

    Mick



  • 6.  RE: Can SEP 12.1.2 scan Android Mounted Image?

    Posted Feb 01, 2013 11:33 AM

    It should be able to scan a mounted disk from a disk image, in theory, though it would not automatically scan on mounting the disk; you would have to manually scan it. I'm not 100% sure, though. If it mounts as a readable disk that Windows can browse/explore, it probably can. However, I do not have the means to test this myself, and I can't find any documentation to say it is supposed to work or is supported (most docs I find talk about using mobile security products to protect mobile devices).

    Whatever the case, any files copied from the mounted disk to the Windows 7 computer would be intercepted by the Windows 7 computer's SEP Auto-Protect. Android threats would only affect the Android OS, but SEP can detect threats from other operating systems (like Mac, too) to keep them from spreading any further.

    I don't know of any other antivirus test files but EICAR. I believe EICAR is used to test Android devices too. I would NOT recommend testing with a live threat, nor should anyone post such a file to the forums.

    sandra